Hmmm..
Well, in my case specifically, the failed ipa-replica-install does in
fact have the nsslapd-rootpw entry, however, changing this in a
recovery process does no good during an ipa-replica-install.
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 10:51:13 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: Eric Renfro <psi-jack(a)linux-help.org>, Adrian HY <ayeja153(a)gmail.com>, Mark Reynolds <mareynol(a)redhat.com>
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Reply-to: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
From: Mark Reynolds via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>

On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:
> Huh.. Well, who'da thunk it. I just literally reported the same kind of
> trouble I was having, which looks like it matches this same situation,
> with the ipa-replica-install failing to initiate replication because of
> Invalid password, because the password for some reason does not seem to
> be being set.

Sorry, replication does not use the Directory Manager account.
Typically some type of "replication manager" entry is used, and in
IPA I'm pretty sure this account uses kerberos credentials (not a
password).

Going back to the Directory Manager.... To confirm if the password
is set, look in /etc/dirsv/slapd-INSTANCE/dse.ldif, and under
cn=config look for "nsslapd-rootpw"; if this attribute is missing
then it truly is not set. If your directory manager account does
not have a password, or there is a password but you don't know what
it is, then you can reset it following this doc:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 09:49:40 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>, Adrian HY <ayeja153(a)gmail.com>
To: Mark Reynolds <mareynol(a)redhat.com>
Reply-to: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
From: Adrian HY via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>

Hi Mark, my problem is during the replica installation. I can't use
ldapmodify because cn=directory manager does not have the password
assigned.
Regards.
On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
> On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
>
>
> > I think I detected the problem. The error log in the replica writes:
> >
> > [11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152). Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
> > [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
> >
> > According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
> >
> > "When an incoming SASL IO packet is larger than the
> > nsslapd-maxsasliosize limit, the server immediately disconnects the
> > client and logs a message to the error log, so that an administrator
> > can adjust the setting if necessary"
> >
> > The problem now is how can I change the value of the attribute
> > during replication.
> >
> >
>
> You just use ldapmodify to change the value on each replica:
>
> # ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-maxsasliosize
> nsslapd-maxsasliosize: YOUR_NEW_VALUE
>
>
>
> > Regards.
> >
> > On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY <ayeja153(a)gmail.com> wrote:
> >
> >
> > > Hi folks, I had a problem with replication and I tried to add the
> > > slave back to the replica. The process stops in the initial
> > > replication phase.
> > >
> > > The firewall and selinux are down and both servers are
> > > synchronized with the time.
> > >
> > > Centos 7.3
> > > Freeipa 4.4.0-14
> > >
> > > Master error log:
> > >
> > > 11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> > > [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
> > > [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
> > > [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
> > > [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
> > > [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
> > > [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
> > > [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
> > > [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
> > > [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
> > > [11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
> > >
> > > Client ipareplica-install.log:
> > >
> > > 2017-06-11T05:24:24Z DEBUG stderr=
> > > 2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> > > 2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
> > > 2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache
> > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
> > > 2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
> > > 2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
> > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
> > > 2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
> > >     run_step(full_msg, method)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
> > >     method()
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
> > >     repl.setup_promote_replication(self.master_fqdn)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
> > >     raise RuntimeError("Failed to start replication")
> > > RuntimeError: Failed to start replication
> > >
> > > 2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to start replication
> > > 2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
> > > 2017-06-11T05:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> > >     return_value = self.run()
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
> > >     cfgr.run()
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
> > >     self.execute()
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
> > >     for nothing in self._executor():
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
> > >     self._handle_exception(exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
> > >     step()
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
> > >     step = lambda: next(self.__gen)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > >     value = gen.send(prev_value)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
> > >     next(executor)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
> > >     self._handle_exception(exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
> > >     self.__parent._handle_exception(exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
> > >     super(ComponentBase, self)._handle_exception(exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
> > >     step()
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
> > >     step = lambda: next(self.__gen)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> > >     six.reraise(*exc_info)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> > >     value = gen.send(prev_value)
> > >   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
> > >     for nothing in self._installer(self.parent):
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
> > >     promote(self)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
> > >     func(installer)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
> > >     promote=True, pkcs12_info=dirsrv_pkcs12_info)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
> > >     api=remote_api,
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
> > >     self.start_creation(runtime=60)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
> > >     run_step(full_msg, method)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
> > >     method()
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
> > >     repl.setup_promote_replication(self.master_fqdn)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
> > >     raise RuntimeError("Failed to start replication")
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
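
Added example, not part of the thread or of FreeIPA/389-ds: a Python sketch of the two checks discussed above. It reads a dse.ldif for whether cn=config carries nsslapd-rootpw (reporting presence only, never the hash), scans an error log for the SASL packet-size rejection, and builds the LDIF body that Mark's ldapmodify command expects. The function names, the sample dse.ldif and the round-up-to-a-whole-MiB sizing are assumptions of this example.

```python
import re

MIB = 1024 * 1024
SASL_RE = re.compile(r"SASL encrypted packet length exceeds maximum allowed "
                     r"limit \(length=(\d+), limit=(\d+)\)")

# Constructed dse.ldif excerpt; the hash is a placeholder folded LDIF-style.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-rootpw: {SSHA512}CONSTRUCTED-PLACEHOLDER-HASH-FOLDED-ACROSS
 -TWO-LINES
nsslapd-maxsasliosize: 2097152

dn: cn=monitor
cn: monitor
"""
# Replica error-log line as quoted in the thread, on one line.
SAMPLE_LOG = ("[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet "
              "length exceeds maximum allowed limit (length=2483849, "
              "limit=2097152). Change the nsslapd-maxsasliosize attribute in "
              "cn=config to increase limit.\n")

def config_entry(dse_text):
    """Return the cn=config attributes as {lowercased name: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", dse_text)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if lines and lines[0].replace(" ", "").lower() == "dn:cn=config":
            attrs = {}
            for line in lines[1:]:
                name, _, value = line.partition(":")
                attrs.setdefault(name.lower(), []).append(value.lstrip(": "))
            return attrs
    return {}

def diagnose(dse_text, log_text):
    """Report rootpw presence (never the hash) and an LDIF fix if one is needed."""
    attrs = config_entry(dse_text)
    limit = attrs.get("nsslapd-maxsasliosize")
    limit = int(limit[0]) if limit else None
    rejected = [int(m.group(1)) for m in SASL_RE.finditer(log_text)]
    ldif = None
    if rejected and (limit is None or max(rejected) > limit):
        new_value = -(-max(rejected) // MIB) * MIB  # assumption: round up to MiB
        ldif = ("dn: cn=config\nchangetype: modify\n"
                "replace: nsslapd-maxsasliosize\n"
                f"nsslapd-maxsasliosize: {new_value}\n")
    return {"rootpw_set": any(attrs.get("nsslapd-rootpw", [])),
            "configured_limit": limit, "ldif": ldif}
```

No LDIF is produced when the configured limit already exceeds the largest rejected packet, so a stale log entry does not trigger a second change.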