> can you also paste the lines that contain the install error?
The command I typed is this one:
ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join
> Are your servers synchronized (either with ntpd or chronyd)?
Yes, they are correctly synchronized to two other NTP servers in our platform, which
are themselves synchronized to the external NTP servers.
Damien
-----Original Message-----
From: Florence Blanc-Renaud <flo(a)redhat.com>
Sent: Friday 17 January 2020 17:08
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Damien Bras <damien.bras(a)homesend.com>
Subject: Re: [Freeipa-users] FreeIPA ipa-replica-install hangs on "No status
yet" during the first replication
On 1/17/20 4:32 PM, Damien Bras via FreeIPA-users wrote:
Hi,
During the installation of one of our FreeIPA replicas (with
ipa-replica-install), the process hangs on "No status yet".
Our domain is in domain level 1.
It seems that the script is waiting for an attribute
nsds5ReplicaLastInitStatus.
The master server is up & running and we want to have a multimaster
environment.
We don't find any error related to the replication process in the log.
The version installed: 4.6.5-11.0.1.el7_7.3
First, the IPA client is correctly installed on the server. Then we
use the command ipa-replica-install to promote it to an IPA server with:
ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join
In the ipareplica-install.log we just have this:
…
2020-01-17T10:25:46Z DEBUG [28/41]: setting up initial replication
2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248>
2020-01-17T10:25:47Z DEBUG Destroyed connection
context.ldap2_139829518113296
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload
2020-01-17T10:25:47Z DEBUG Process finished, return code=0
2020-01-17T10:25:47Z DEBUG stdout=
2020-01-17T10:25:47Z DEBUG stderr=
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart
dirsrv(a)DOMAIN-COM.service
2020-01-17T10:25:53Z DEBUG Process finished, return code=0
2020-01-17T10:25:53Z DEBUG stdout=
2020-01-17T10:25:53Z DEBUG stderr=
2020-01-17T10:25:53Z DEBUG Restart of
dirsrv(a)HS2-VDC-CORP-HOMESEND-COM.service complete
2020-01-17T10:25:53Z DEBUG Created connection
context.ldap2_139829518113296
2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master
[attempt 1/5]
2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache
url=ldap://server2.domain.com:389
conn=<ldap.ldapobject.SimpleLDAPObject
instance at 0x7f2c95da8320>
2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId.
2020-01-17T10:25:54Z DEBUG Add or update replica config
cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Added replica config
cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Add or update replica config
cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG No update to
cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config necessary
2020-01-17T10:25:54Z DEBUG Waiting for replication
(ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket)
cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping
tree,cn=config (objectclass=*)
2020-01-17T10:25:54Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc
\=domain\,dc\=com,cn=mapping tree,cn=config'),
{u'nsds5replicaLastInitStart': ['19700101000000Z'],
u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn':
['meToserver2.domain.com'], u'objectClass':
['nsds5replicationagreement', 'top'],
u'nsds5replicaLastUpdateEnd':
['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain,dc=com'],
u'nsDS5ReplicaHost': ['server2.domain.com'],
u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions
started since server startup'], u'nsDS5ReplicaBindMethod':
['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName
modifyTimestamp internalModifiersName internalModifyTimestamp'],
u'nsds5replicaLastUpdateStart': ['19700101000000Z'],
u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo':
['LDAP'],
u'description': ['me to server2.domain.com'],
u'nsds5replicareapactive':
['0'], u'nsds5replicaChangesSentSinceStartup': [''],
u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList':
['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
u'nsds5replicaLastInitEnd': ['19700101000000Z'],
u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE
entryusn krblastsuccessfulauth krblastfailedauth
krbloginfailedcount']})]
Hi,
can you also paste the lines that contain the install error?
On the live master, there is a strange behavior also:
It seems the LDAP server is in read-only mode. For example, if I reset
the password of an account, I don't get any error but nothing happens.
I have also those errors on this server:
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400
Are your servers synchronized (either with ntpd or chronyd)? Maybe the
time is different and prevents correct replication.
flo
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000
But we don't have any replication, because there are no other servers:
# ipa-replica-manage list
server2.domain.com: master
# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
server2.domain.com:389: 5
Certificate Server Replica Update Vectors:
server2.domain.com:389: 6
# ipa topologysuffix-find
---------------------------
2 topology suffixes matched
---------------------------
Suffix name: ca
Managed LDAP suffix DN: o=ipaca
Suffix name: domain
Managed LDAP suffix DN: dc=domain,dc=com
----------------------------
Number of entries returned 2
----------------------------
# ipa topologysegment-find
Suffix name: domain
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------
I really don't know what happened here. Could you help us with that?
Best regards,
Damien
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
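The csngen_adjust_time and replica_generate_next_csn lines in the thread carry enough information to measure the clock problem Florence asks about. The script below is an added example, not code from the thread or from FreeIPA/389-ds: it splits a 389-ds CSN into its hex fields (32-bit Unix time, sequence, replica id, sub-sequence), decodes the opcsn and basecsn from the warning, and checks whether the stored base CSN is further ahead of the wall clock than the 86400-second adjustment limit. The two log lines are embedded as a constructed sample copied from the thread; function names are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two ns-slapd lines quoted in the thread, one record per line.
SAMPLE_LOG = """\
[17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400
[17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000
"""

CSN_RE = re.compile(r"([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})")
WARN_RE = re.compile(r"opcsn=([0-9a-f]{20}) <= basecsn=([0-9a-f]{20})")
LIMIT_RE = re.compile(r"csngen_adjust_time - Adjustment limit exceeded; value - (\d+), limit - (\d+)")

def parse_csn(csn):
    """Split a 20-hex-digit 389-ds CSN into Unix time, sequence, replica id and sub-sequence."""
    m = CSN_RE.fullmatch(csn)
    if m is None:
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    time, seq, rid, subseq = (int(g, 16) for g in m.groups())
    return {"time": time, "seq": seq, "rid": rid, "subseq": subseq}

def iso(ts):
    """Unix seconds to an ISO-8601 UTC string (a year-2105 value is fine on 64-bit platforms)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def csn_skew(opcsn, basecsn):
    """Seconds by which the persisted base CSN is ahead of the operation's wall-clock CSN."""
    return parse_csn(basecsn)["time"] - parse_csn(opcsn)["time"]

def adjust_limit_errors(log_text):
    """(value, limit) pairs from 'Adjustment limit exceeded' errors, for cross-checking."""
    return [(int(v), int(l)) for v, l in LIMIT_RE.findall(log_text)]

def find_csn_skew(log_text, limit=86400):
    """Flag replica_generate_next_csn warnings whose base CSN is further ahead than csngen will adjust."""
    findings = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m is None:
            continue
        opcsn, basecsn = m.groups()
        skew = csn_skew(opcsn, basecsn)
        findings.append({
            "wall_clock": iso(parse_csn(opcsn)["time"]),        # when the write actually happened
            "base_csn_time": iso(parse_csn(basecsn)["time"]),   # timestamp the generator is stuck at
            "from_rid": parse_csn(basecsn)["rid"],               # replica id that produced the base CSN
            "skew_seconds": skew,
            "exceeds_limit": skew > limit,
        })
    return findings

if __name__ == "__main__":
    for finding in find_csn_skew(SAMPLE_LOG):
        print(finding)
```

On the thread's lines the skew comes out at 2711289715 seconds, exactly the value in the csngen_adjust_time error, and the base CSN decodes to a timestamp in the year 2105, which explains why no sane wall clock can catch up with it inside the 86400-second limit.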