Huh.. Well, who'da thunk it. I just literally reported the same kind of
trouble I was having, which looks like it matches this same situation,
with the ipa-replica-install failing to initiate replication because of
Invalid password, because the password for some reason does not seem to
be being set.
Eric
-----Original Message-----
Date: Tue, 13 Jun 2017 09:49:40 -0400
Subject: [Freeipa-users] Re: replication problem
Cc: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>, Adrian
HY <ayeja153(a)gmail.com
To: Mark Reynolds
<mareynol(a)redhat.com
Reply-to: FreeIPA users list
<freeipa-users(a)lists.fedorahosted.org
From:
Adrian HY via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org
Hi Mark, my problem is during the replica installation. I
can't use
ldapmodify because cn=directory manager does not have the password
assigned.
Regards.
On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds <mareynol(a)redhat.com
wrote:
>
> On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
> > I think I detected the problem. The error log in the replica
> > writes:
> >
> > [11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length
> > exceeds maximum allowed limit (length=2483849, limit=2097152).
> > Change the nsslapd-maxsasliosize attribute in cn=config to increase
> > limit.
> > [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
> >
> > According this: (
https://access.redhat.com/documentation/en-US/Red_
> > Hat_Directory_Server/8.2/pdf/Configuration_and_Command-
> > Line_Tool_Reference/Red_Hat_Directory_Server-8.2-
> > Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
> >
> > "When an incoming SASL IO packet is larger than the nsslapd-
> > maxsasliosize limit, the server immediately disconnects the client
> > and logs a message to the error log, so that an administrator can
> > adjust the setting if necessary"
> >
> > The problem now is how can I change the value of the attribute
> > during replication.
> You just use ldapmodify to change the value on each replica:
>
> # ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-maxsasliosize
> nsslapd-maxsasliosize: YOUR_NEW_VALUE
>
> > Regards.
> >
> > On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY <ayeja153(a)gmail.com
> > wrote:
> > > Hi folks, I had a problem with replication and I tried to add the
> > > slave back to the replica. The process stops in the initial
> > > replication phase.
> > >
> > > The firewall and selinux are down and both servers are
> > > synchronized with the time.
> > >
> > > Centos 7.3
> > > Freeipa 4.4.0-14
> > >
> > > Master error log:
> > >
> > > 11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): Replication bind with GSSAPI auth failed: LDAP
> > > error 49 (Invalid credentials) ()
> > > [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin -
> > > Warning: unable to acquire replica for total update, error: 49,
> > > retrying in 1 seconds.
> > > [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): Replication bind with GSSAPI auth resumed
> > > [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin -
> > > Beginning total update of replica "agmt="cn=meTousuarios-
> > > replica.ipa.server.com" (usuarios-replica:389)".
> > > [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): Failed to send extended operation: LDAP error -1
> > > (Can't contact LDAP server)
> > > [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): Received error -1 (Can't contact LDAP server): for
> > > total updat
> > > e operation
> > > [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): Warning: unable to send endReplication extended
> > > operation (Can'
> > > t contact LDAP server)
> > > [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin -
> > > Total update failed for replica "agmt="cn=meTousuarios-
> > > replica.ipa.server.com" (usuarios-replica:389)", error (-11)
> > > [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): Replication bind with GSSAPI auth resumed
> > > [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): The remote replica has a different database
> > > generation ID than
> > > the local database. You may have to reinitialize the remote
> > > replica, or the local replica.
> > > [11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin -
> > > agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-
> > > replica:389): The remote replica has a different database
> > > generation ID than
> > > the local database. You may have to reinitialize the remote
> > > replica, or the local replica.
> > >
> > > Client ipareplica-install.log:
> > >
> > > 2017-06-11T05:24:24Z DEBUG stderr=
> > > 2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389]
> > > timeout 300
> > > 2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master
> > > [attempt 1/5]
> > > 2017-06-11T05:24:24Z DEBUG flushing
> > > ldap://usuarios.ipa.server.com:389 from SchemaCache
> > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache
> > > url=ldap://usuarios.ipa.server.com:389
> > > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0
> > > 2017-06-11T05:24:24Z DEBUG Successfully updated
nsDS5ReplicaId.
> > > 2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-
> > > IPA.SERVER.COM.socket from SchemaCache
> > > 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache
> > > url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket
> > > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440
> > > 2017-06-11T05:24:46Z DEBUG Traceback (most
recent call last):
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/service.py", line 449, in
> > > start_creation
> > > run_step(full_msg, method)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/service.py", line 439, in run_step
> > > method()
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/dsinstance.py", line 416, in
> > > __setup_replica
> > > repl.setup_promote_replication(self.master_fqdn)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/replication.py", line 1643, in
> > > setup_promote_replication
> > > raise RuntimeError("Failed to start replication")
> > > RuntimeError: Failed to start replication
> > >
> > > 2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to
> > > start replication
> > > 2017-06-11T05:24:46Z DEBUG Destroyed connection
> > > context.ldap2_101192976
> > > 2017-06-11T05:24:46Z DEBUG File "/usr/lib/python2.7/site-
> > > packages/ipapython/admintool.py", line 171, in execute
> > > return_value = self.run()
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/cli.py", line 318, in run
> > > cfgr.run()
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 310, in run
> > > self.execute()
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 332, in execute
> > > for nothing in self._executor():
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 372, in __runner
> > > self._handle_exception(exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 394, in
> > > _handle_exception
> > > six.reraise(*exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 362, in __runner
> > > step()
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 359, in <lambda
> > > step = lambda: next(self.__gen)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/util.py", line 81, in
> > > run_generator_with_yield_from
> > > six.reraise(*exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/util.py", line 59, in
> > > run_generator_with_yield_from
> > > value = gen.send(prev_value)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 586, in _configure
> > > next(executor)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 372, in __runner
> > > self._handle_exception(exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 449, in
> > > _handle_exception
> > > self.__parent._handle_exception(exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 394, in
> > > _handle_exception
> > > six.reraise(*exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 446, in
> > > _handle_exception
> > > super(ComponentBase, self)._handle_exception(exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 394, in
> > > _handle_exception
> > > six.reraise(*exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 362, in __runner
> > > step()
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/core.py", line 359, in <lambda
> > > step = lambda: next(self.__gen)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/util.py", line 81, in
> > > run_generator_with_yield_from
> > > six.reraise(*exc_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/util.py", line 59, in
> > > run_generator_with_yield_from
> > > value = gen.send(prev_value)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipapython/install/common.py", line 63, in _install
> > > for nothing in self._installer(self.parent):
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/server/replicainstall.py", line 1722,
> > > in main
> > > promote(self)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/server/replicainstall.py", line 372,
> > > in decorated
> > > func(installer)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/server/replicainstall.py", line 1423,
> > > in promote
> > > promote=True, pkcs12_info=dirsrv_pkcs12_info)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/server/replicainstall.py", line 135,
> > > in install_replica_ds
> > > api=remote_api,
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/dsinstance.py", line 401, in
> > > create_replica
> > > self.start_creation(runtime=60)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/service.py", line 449, in
> > > start_creation
> > > run_step(full_msg, method)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/service.py", line 439, in run_step
> > > method()
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/dsinstance.py", line 416, in
> > > __setup_replica
> > > repl.setup_promote_replication(self.master_fqdn)
> > > File "/usr/lib/python2.7/site-
> > > packages/ipaserver/install/replication.py", line 1643, in
> > > setup_promote_replication
> > > raise RuntimeError("Failed to start replication")
> > >
> > >
> >
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahos
> >
ted.org
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.
org