Hi folks,
I have almost completed the FreeIPA migration from CentOS7 to Rocky8 (FreeIPA 4.9.11). Domain replication seems to be fine, but I get a replication error for ca:
[root@ipa2 ~]# ipa-csreplica-manage -v list ipaca8.example.com
Directory Manager password:

ipa2.example.com
  last init status: Error (0) Total update succeeded
  last init ended: 2023-07-08 14:35:09+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-07-08 16:20:37+00:00
ipabak.ac.example.com
  last init status: Error (0) Total update succeeded
  last init ended: 2023-07-08 16:06:05+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-07-08 16:20:37+00:00
ipa0.example.com
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-07-08 16:20:37+00:00

[root@ipa2 ~]# ipa-csreplica-manage -v list ipa2.example.com
Directory Manager password:

ipaca8.example.com
  last update status: Error (11) Replication error acquiring replica: Unable to acquire replica: the replica has the same Replica ID as this one. Replication is aborting. (duplicate replica ID detected)
  last update ended: 2023-07-08 15:03:47+00:00
ipa1.example.com
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-07-08 16:20:40+00:00
Obviously replication between ipaca8 (the CA) and ipa2 is bad. Here is the topology for ca:
[root@ipa2 ~]# ipa topologysegment-find ca | sed s/aixigo.de/example.com/g
------------------
5 segments matched
------------------
  Segment name: ipa0.example.com-to-ipa1.example.com
  Left node: ipa0.example.com
  Right node: ipa1.example.com
  Connectivity: both

  Segment name: ipa0.example.com-to-ipaca8.example.com
  Left node: ipa0.example.com
  Right node: ipaca8.example.com
  Connectivity: both

  Segment name: ipa1.example.com-to-ipa2.example.com
  Left node: ipa1.example.com
  Right node: ipa2.example.com
  Connectivity: both

  Segment name: ipa2.example.com-to-ipaca8.example.com
  Left node: ipa2.example.com
  Right node: ipaca8.example.com
  Connectivity: both

  Segment name: ipabak.ac.example.com-to-ipaca8.example.com
  Left node: ipabak.ac.example.com
  Right node: ipaca8.example.com
  Connectivity: both
----------------------------
Number of entries returned 5
----------------------------

Every helpful hint is highly appreciated
Harri
Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
> I have almost completed the FreeIPA migration from CentOS7 to Rocky8 (FreeIPA 4.9.11). Domain replication seems to be fine, but I get a replication error for ca:
>
> [root@ipa2 ~]# ipa-csreplica-manage -v list ipaca8.example.com
> Directory Manager password:
>
> ipa2.example.com
>   last init status: Error (0) Total update succeeded
>   last init ended: 2023-07-08 14:35:09+00:00
>   last update status: Error (0) Replica acquired successfully: Incremental update succeeded
>   last update ended: 2023-07-08 16:20:37+00:00
> ipabak.ac.example.com
>   last init status: Error (0) Total update succeeded
>   last init ended: 2023-07-08 16:06:05+00:00
>   last update status: Error (0) Replica acquired successfully: Incremental update succeeded
>   last update ended: 2023-07-08 16:20:37+00:00
> ipa0.example.com
>   last update status: Error (0) Replica acquired successfully: Incremental update succeeded
>   last update ended: 2023-07-08 16:20:37+00:00
>
> [root@ipa2 ~]# ipa-csreplica-manage -v list ipa2.example.com
> Directory Manager password:
>
> ipaca8.example.com
>   last update status: Error (11) Replication error acquiring replica: Unable to acquire replica: the replica has the same Replica ID as this one. Replication is aborting. (duplicate replica ID detected)
>   last update ended: 2023-07-08 15:03:47+00:00
> ipa1.example.com
>   last update status: Error (0) Replica acquired successfully: Incremental update succeeded
>   last update ended: 2023-07-08 16:20:40+00:00
>
> Obviously replication between ipaca8 (the CA) and ipa2 is bad. Here is the topology for ca:
>
> [root@ipa2 ~]# ipa topologysegment-find ca | sed s/aixigo.de/example.com/g
> 5 segments matched
>   Segment name: ipa0.example.com-to-ipa1.example.com
>   Left node: ipa0.example.com
>   Right node: ipa1.example.com
>   Connectivity: both
>
>   Segment name: ipa0.example.com-to-ipaca8.example.com
>   Left node: ipa0.example.com
>   Right node: ipaca8.example.com
>   Connectivity: both
>
>   Segment name: ipa1.example.com-to-ipa2.example.com
>   Left node: ipa1.example.com
>   Right node: ipa2.example.com
>   Connectivity: both
>
>   Segment name: ipa2.example.com-to-ipaca8.example.com
>   Left node: ipa2.example.com
>   Right node: ipaca8.example.com
>   Connectivity: both
>
>   Segment name: ipabak.ac.example.com-to-ipaca8.example.com
>   Left node: ipabak.ac.example.com
>   Right node: ipaca8.example.com
>   Connectivity: both
> Number of entries returned 5

The ipa-replica-manage list-ruv command may provide confirmation but I assume 389-ds has it right and there are duplicate replica ids.
I'd first check ipabak to see if it is up-to-date. Since ipa8 has multiple replication connections it should be ok but I'd start there.
If that's fine then I'd delete the bad connection and re-create it using the topology commands in the UI or CLI.
rob
Hi Rob,
I highly appreciate your reply. Apparently the problem for cs went away on its own. "ipa-csreplica-manage -v list" doesn't show "duplicate replica ID detected" anymore.
But I do have a replication problem for domain. list-ruv shows on ipa0 and ipa1 (sorted)
Replica Update Vectors:
  ipa0.example.com:389: 26
  ipa0.example.com:389: 36
  ipa1.example.com:389: 38
  ipa1.example.com:389: 4
  ipa2.example.com:389: 40
  ipa3.example.com:389: 42
  ipa4.example.com:389: 43
  ipa5.example.com:389: 44
  ipabak.ac.example.com:389: 45
  ipaca8.example.com:389: 34
Certificate Server Replica Update Vectors:
  ipa0.example.com:389: 37
  ipa1.example.com:389: 39
  ipa2.example.com:389: 41
  ipabak.ac.example.com:389: 46
  ipaca8.example.com:389: 35

Please note the double entries for ipa0 and ipa1. On the other ipa servers there is no line with ID 26. On all hosts I can find 2 entries for ipa1 (4 and 38).
AFAIU I have to run ipa-replica-manage clean-ruv for ID 4 and ID 26 on either ipa0 or ipa1. Is this correct?
Regards
Harri
Harald Dunkel wrote:
> Hi Rob,
> I highly appreciate your reply. Apparently the problem for cs went away on its own. "ipa-csreplica-manage -v list" doesn't show "duplicate replica ID detected" anymore.
> But I do have a replication problem for domain. list-ruv shows on ipa0 and ipa1 (sorted)
>
> Replica Update Vectors:
>   ipa0.example.com:389: 26
>   ipa0.example.com:389: 36
>   ipa1.example.com:389: 38
>   ipa1.example.com:389: 4
>   ipa2.example.com:389: 40
>   ipa3.example.com:389: 42
>   ipa4.example.com:389: 43
>   ipa5.example.com:389: 44
>   ipabak.ac.example.com:389: 45
>   ipaca8.example.com:389: 34
> Certificate Server Replica Update Vectors:
>   ipa0.example.com:389: 37
>   ipa1.example.com:389: 39
>   ipa2.example.com:389: 41
>   ipabak.ac.example.com:389: 46
>   ipaca8.example.com:389: 35
>
> Please note the double entries for ipa0 and ipa1. On the other ipa servers there is no line with ID 26. On all hosts I can find 2 entries for ipa1 (4 and 38).
> AFAIU I have to run ipa-replica-manage clean-ruv for ID 4 and ID 26 on either ipa0 or ipa1. Is this correct?

Correct.
rob
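
The check discussed in this thread, as an added example that is not part of the original messages or of FreeIPA: a shell function that reads `ipa-replica-manage list-ruv` output and reports every host listed with more than one replica ID, tracked separately for the domain and CA suffixes. The function names, the `domain`/`ca` labels and the output format are assumptions; the sample input is the RUV list quoted in the thread.

```shell
# Added example: report hosts listed with more than one replica ID in
# `ipa-replica-manage list-ruv` output (stdin): <suffix>|<host:port>|<ids>
find_duplicate_ruv_hosts() {
    awk '
        BEGIN { suffix = "domain" }
        # "... Update Vectors:" starts a section; the CA suffix has its own IDs.
        /Update Vectors:[ \t]*$/ {
            suffix = ($0 ~ /Certificate Server/) ? "ca" : "domain"
            next
        }
        # Entry lines look like "ipa0.example.com:389: 26".
        /^[ \t]*[^ \t]+:[0-9]+:[ \t]+[0-9]+[ \t]*$/ {
            host = $1
            sub(/:$/, "", host)
            key = suffix "|" host
            if (count[key]++ == 0) { order[++n] = key; ids[key] = $2 }
            else ids[key] = ids[key] " " $2
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i] "|" ids[order[i]]
        }
    '
}

# Sample input: the RUV list quoted in this thread (hypothetical helper name).
sample_ruv() {
    cat <<'EOF'
Replica Update Vectors:
  ipa0.example.com:389: 26
  ipa0.example.com:389: 36
  ipa1.example.com:389: 38
  ipa1.example.com:389: 4
  ipa2.example.com:389: 40
  ipa3.example.com:389: 42
  ipa4.example.com:389: 43
  ipa5.example.com:389: 44
  ipabak.ac.example.com:389: 45
  ipaca8.example.com:389: 34
Certificate Server Replica Update Vectors:
  ipa0.example.com:389: 37
  ipa1.example.com:389: 39
  ipa2.example.com:389: 41
  ipabak.ac.example.com:389: 46
  ipaca8.example.com:389: 35
EOF
}
sample_ruv | find_duplicate_ruv_hosts
```

On a live server the input would come from `ipa-replica-manage list-ruv | find_duplicate_ruv_hosts`. The function only lists candidates; it does not decide which of the IDs is the stale one to pass to clean-ruv.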
freeipa-users@lists.fedorahosted.org