Hi,
During the installation of one of our FreeIPA replicas (with ipa-replica-install), the process hangs on "No status yet".
Our domain is in domain level 1.
It seems that the script is waiting for an attribute nsds5ReplicaLastInitStatus.
The master server is up & running and we want to have a multimaster environment.
We don't find any error related to the replication process in the log.
The version installed: 4.6.5-11.0.1.el7_7.3
First, the IPA client is correctly installed on the server. Then we use the command ipa-replica-install to promote it to an IPA server with:
ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join
In the ipareplica-install.log we just have this:
…
2020-01-17T10:25:46Z DEBUG [28/41]: setting up initial replication
2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248>
2020-01-17T10:25:47Z DEBUG Destroyed connection context.ldap2_139829518113296
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload
2020-01-17T10:25:47Z DEBUG Process finished, return code=0
2020-01-17T10:25:47Z DEBUG stdout=
2020-01-17T10:25:47Z DEBUG stderr=
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart dirsrv@DOMAIN-COM.service
2020-01-17T10:25:53Z DEBUG Process finished, return code=0
2020-01-17T10:25:53Z DEBUG stdout=
2020-01-17T10:25:53Z DEBUG stderr=
2020-01-17T10:25:53Z DEBUG Restart of dirsrv@HS2-VDC-CORP-HOMESEND-COM.service complete
2020-01-17T10:25:53Z DEBUG Created connection context.ldap2_139829518113296
2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache url=ldap://server2.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c95da8320>
2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId.
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Added replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG No update to cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config necessary
2020-01-17T10:25:54Z DEBUG Waiting for replication (ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket) cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
2020-01-17T10:25:54Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config'), {
  u'nsds5replicaLastInitStart': ['19700101000000Z'],
  u'nsds5replicaUpdateInProgress': ['FALSE'],
  u'cn': ['meToserver2.domain.com'],
  u'objectClass': ['nsds5replicationagreement', 'top'],
  u'nsds5replicaLastUpdateEnd': ['19700101000000Z'],
  u'nsDS5ReplicaRoot': ['dc=domain,dc=com'],
  u'nsDS5ReplicaHost': ['server2.domain.com'],
  u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions started since server startup'],
  u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'],
  u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'],
  u'nsds5replicaLastUpdateStart': ['19700101000000Z'],
  u'nsDS5ReplicaPort': ['389'],
  u'nsDS5ReplicaTransportInfo': ['LDAP'],
  u'description': ['me to server2.domain.com'],
  u'nsds5replicareapactive': ['0'],
  u'nsds5replicaChangesSentSinceStartup': [''],
  u'nsds5replicaTimeout': ['120'],
  u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
  u'nsds5replicaLastInitEnd': ['19700101000000Z'],
  u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]
On the live master, there is also a strange behavior:
It seems that LDAP is in a kind of read-only mode. For example, if I reset the password of an account, I don't get any error but nothing happens.
I also have these errors on this server:
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000
But we don't have any replication because there are no other servers:
# ipa-replica-manage list
server2.domain.com: master
# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
server2.domain.com:389: 5
Certificate Server Replica Update Vectors:
server2.domain.com:389: 6
# ipa topologysuffix-find
---------------------------
2 topology suffixes matched
---------------------------
Suffix name: ca
Managed LDAP suffix DN: o=ipaca
Suffix name: domain
Managed LDAP suffix DN: dc=domain,dc=com
----------------------------
Number of entries returned 2
----------------------------
# ipa topologysegment-find
Suffix name: domain
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------
I really don't know what happened here. Could you help us with that?
Best regards,
Damien
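Added example (not from the original post, nor code from the FreeIPA or 389-ds projects): a small Python helper that decodes the CSN values quoted in the ns-slapd messages above and classifies the replication-agreement entry that ipa-replica-install dumped while printing "No status yet". It assumes the 389-ds CSN layout of 20 hex characters (8 for the UNIX timestamp, 4 sequence number, 4 replica id, 4 sub-sequence); the 86400-second limit is the one csngen_adjust_time reports in the post, and the sample log line and agreement attributes are copied from the post.

```python
"""Decode 389-ds CSNs and replication-agreement state for FreeIPA diagnostics.

Added example; not code from the original post or from the FreeIPA / 389-ds
projects.  Assumed CSN layout (389-ds): 20 hex characters =
8 (UNIX time) + 4 (sequence) + 4 (replica id) + 4 (sub-sequence).
"""
import re
from datetime import datetime, timedelta, timezone

# Limit quoted by csngen_adjust_time in the post's ns-slapd error.
CSN_ADJUST_LIMIT = 86400
# Placeholder timestamp 389-ds stores for "never happened" in agreement entries.
NEVER = "19700101000000Z"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Sample log line, copied from the post (the WARN from NSMMReplicationPlugin).
SAMPLE_LOG = (
    "Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - "
    "NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= "
    "basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000"
)

# Agreement attributes copied from the post's ipareplica-install.log dump
# (only the fields the checker looks at).
SAMPLE_AGREEMENT = {
    "nsds5replicaLastInitStart": ["19700101000000Z"],
    "nsds5replicaLastInitEnd": ["19700101000000Z"],
    "nsds5replicaUpdateInProgress": ["FALSE"],
    "nsds5replicaLastUpdateStatus": ["Error (0) No replication sessions started since server startup"],
}

CSN_RE = re.compile(r"opcsn=([0-9a-f]{20}) <= basecsn=([0-9a-f]{20})")


def parse_csn(csn):
    """Split a CSN into its four fields (all decoded from hex)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    return {
        "time": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def csn_time_utc(csn):
    """UTC datetime of the CSN time field (timedelta avoids fromtimestamp platform limits)."""
    return EPOCH + timedelta(seconds=parse_csn(csn)["time"])


def csn_skew(opcsn, basecsn):
    """Seconds the generator would have to move its clock forward to exceed basecsn."""
    return parse_csn(basecsn)["time"] - parse_csn(opcsn)["time"]


def check_skew_line(line, limit=CSN_ADJUST_LIMIT):
    """Parse a replica_generate_next_csn WARN line; None if the line is not one."""
    m = CSN_RE.search(line)
    if not m:
        return None
    opcsn, basecsn = m.group(1), m.group(2)
    skew = csn_skew(opcsn, basecsn)
    return {
        "op_time": csn_time_utc(opcsn).isoformat(),
        "base_time": csn_time_utc(basecsn).isoformat(),
        "base_rid": parse_csn(basecsn)["rid"],
        "skew_seconds": skew,
        "exceeds_limit": skew > limit,
    }


def agreement_state(attrs):
    """Classify an agreement entry the way the installer's wait loop sees it."""
    a = {k.lower(): v for k, v in attrs.items()}
    status = a.get("nsds5replicalastinitstatus")
    if status:
        return "init_status_present: %s" % status[0]
    if a.get("nsds5replicalastinitstart", [NEVER])[0] == NEVER:
        # No status attribute and the start time is still the epoch placeholder:
        # the total update (initialisation) was never started on this agreement.
        return "init_never_started"
    return "init_started_no_status_yet"


if __name__ == "__main__":
    print(check_skew_line(SAMPLE_LOG))
    print(agreement_state(SAMPLE_AGREEMENT))
```

Run as-is, the skew it computes between the two CSNs (2711289715 seconds) is exactly the "value" in the csngen_adjust_time error, so that error and the WARN line describe the same event: the base CSN decodes to a timestamp in the year 2105 carrying replica id 4, while list-ruv shows the master itself as replica id 5. Checking which RUV element that far-future CSN comes from is the first thing to establish before touching the replica, since the generator refuses to adjust by more than the 86400-second limit and writes stall until that is understood. The agreement check returns init_never_started for the dumped entry, which is what "No status yet" reflects: the installer is waiting for nsds5replicaLastInitStatus, and a total update was never begun on that agreement.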