Some time back I set up an IPA replica. The initial setup was successful, but now I see that it is not syncing. It's possible that it has never successfully synced. I suspect that something related to DNS may not be working properly. Advice on debugging and fixing this would be appreciated.
# ipa-replica-manage list -v ipa2.sj.bps
ipa1.sj.bps: replica
  last update status: Error (18) Replication error acquiring replica: Incremental update transient warning. Backing off, will retry update later. (transient warning)
  last update ended: 1970-01-01 00:00:00+00:00

I think that something related to DNS is not working correctly on my replica. My IPA domain is "ipa.<mycompany>.com". However, the DNS domain used on the network is "sj.bps" and the primary nameserver is not either of the IPA servers.
Both the primary and replica have DNS that works for the "sj.bps" domain to an extent. I can ping using names in the "sj.bps" domain on the replica (ipa2):
[root@ipa2 ~]# ping ipa1.sj.bps.
PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data.
64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms
^C
--- ipa1.sj.bps ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
But a local lookup doesn't work:
[root@ipa2 ~]# dig @localhost ipa1.sj.bps.

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps.                   IN      A

;; Query time: 5 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:37:37 EDT 2022
;; MSG SIZE  rcvd: 40
A similar dig command on the primary works:

[root@ipa1 ~]# dig @localhost ipa1.sj.bps.

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps.                   IN      A

;; ANSWER SECTION:
ipa1.sj.bps.            2222    IN      A       192.168.254.18

;; AUTHORITY SECTION:
sj.bps.                 2222    IN      NS      ns.bps.

;; ADDITIONAL SECTION:
ns.bps.                 2222    IN      A       192.168.254.2

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:38:34 EDT 2022
;; MSG SIZE  rcvd: 89
Hi,
Are ipa1 and ipa2 configured as DNS servers? This can be checked with

kinit admin
ipa server-role-find --role 'DNS server'

(since the replication doesn't seem to be working, please check the commands on each server).

If they are configured as DNS servers, is there a forwarder configured?

kinit admin
ipa dnsconfig-show
ipa dnsserver-show ipa1.sj.bps
ipa dnsserver-show ipa2.sj.bps
If they are not DNS servers, what is their DNS client configuration?
Are there any errors related to replication in /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?
You can find a few things to check in https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication_is...
flo
On Tue, Aug 30, 2022 at 2:42 AM Simon Matthews via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thanks for your reply.
You can find a few things to check in https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication...
]# ldapsearch -Y GSSAPI -h ipa1.sj.bps -b "" -s base
SASL/GSSAPI authentication started
SASL username: ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=ipa,dc=<my company>,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=ipa,dc=<my company>,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 2.16.840.1.113730.3.8.10.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.10.2 B2022.179.1527
dataversion: 020220830001452020220830001452020220830001452
netscapemdsuffix: cn=ldap://dc=ipa1,dc=sj,dc=bps:389
lastusn: 1222591
changeLog: cn=changelog
firstchangenumber: 151
lastchangenumber: 153
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
If they are configured as DNS servers, is there a forwarder configured?
Yes:

]# ipa dnsserver-show ipa1.sj.bps
  Server name: ipa1.sj.bps
  SOA mname override: ipa1.sj.bps.
  Forwarders: 192.168.254.10, 192.168.254.2
  Forward policy: only
[root@ipa1 ~]# ipa dnsserver-show ipa2.sj.bps
  Server name: ipa2.sj.bps
  SOA mname override: ipa2.sj.bps.
  Forwarders: 192.168.254.2
  Forward policy: only
The lack of 192.168.254.10 for ipa2 should not matter since this is a secondary/slave nameserver on the network.
Are there any errors related to replication in /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?
I see these errors.
[29/Aug/2022:19:12:53.869825394 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Aug/2022:19:12:54.686756883 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:12:54.870607368 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[29/Aug/2022:19:12:55.002346083 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.058525909 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.116643453 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[29/Aug/2022:19:13:00.254585526 -0400] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.325746557 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.625350394 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.747736017 -0400] - ERR - schema-compat-plugin - Finished plugin initialization.
[29/Aug/2022:19:19:26.447086663 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:19:26.616760756 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.652053902 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:26.705855975 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.732413212 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:29.093106968 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
....
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps" (ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[30/Aug/2022:13:14:58.285772035 -0400] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN 620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:14:58.302465482 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
[30/Aug/2022:13:15:01.355096020 -0400] - ERR - agmt="cn=meToipa1.sj.bps" (ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[30/Aug/2022:13:15:01.393991242 -0400] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN 620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:15:01.410581481 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
I tried running "ipa-dns-install" again, and it failed with this:

# ipa-dns-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)
  * Configure SoftHSM (required by DNSSEC)
  * Configure ipa-dnskeysyncd (required by DNSSEC)

NOTE: DNSSEC zone signing is not enabled by default

To accept the default shown in brackets, press the Enter key.

Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.254.2
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.254.2
DNS forwarder 192.168.254.2 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.254.10
DNS forwarder 192.168.254.10 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name ipa1.sj.bps. to IP address, ipa-ca DNS record will be incomplete
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name ipa2.sj.bps. to IP address, ipa-ca DNS record will be incomplete
==============================================================================
Setup complete

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

You must make sure these network ports are open:
        TCP Ports:
          * 53: bind
        UDP Ports:
          * 53: bind
I checked to see if it could be a firewall issue:
[root@ipa2 ~]# iptables --list -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The DNS server resolves external names:

[root@ipa2 ~]# dig @localhost google.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       142.250.188.238

;; Query time: 52 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Aug 30 18:31:15 EDT 2022
;; MSG SIZE  rcvd: 55
But not the sj.bps domain:

[root@ipa2 ~]# dig @localhost ipa1.sj.bps

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7731
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps.                   IN      A

;; Query time: 6 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Aug 30 18:31:58 EDT 2022
;; MSG SIZE  rcvd: 40
Hi,
On Tue, Aug 30, 2022 at 7:32 PM Simon Matthews via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
It looks like the replication was broken (or stopped) for too long, the changelog got purged and lost part of the updates that should be replicated. If you want to understand about the changelog and purge concepts, please refer to [1].
Depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage reinitialize (domain-level 0) [2]
or
- ipa topologysegment-reinitialize (domain level 1). For more information refer to "ipa help topologysegment-reinitialize".
The command "ipa domainlevel-get" will provide you with the current domain level. The reinitialize command forces a full synchronization of the content from the specified source to the replica.
HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/ht... [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
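As an added example that is not part of this thread, nor code from FreeIPA or 389-ds: a small Python triage helper that reads the three kinds of evidence posted above (the "ipa-replica-manage list -v" status, a dig header line, and the dirsrv errors log), counts the failure signatures in the order the thread's log shows them (KDC unreachable, GSSAPI replication bind failed, CSN missing, changelog purged), and maps them to the reinitialize commands flo names for each domain level. The sample inputs are constructed from the thread's output formats with a placeholder realm. The supplier default "ipa1.sj.bps", the "<segment>" placeholder and the "--left|--right" hint are assumptions: the thread never lists topology segments, so the helper tells you to run "ipa topologysegment-find" first. The rootDSE output earlier in the thread shows ipaDomainLevel: 1, which is why the main block asks for the domain level 1 path.

```python
"""Triage a FreeIPA replica that has stopped replicating (added example; not
code from the thread, FreeIPA or 389-ds). Sample inputs are constructed from
the thread's output formats; the realm is a placeholder."""
import re
from dataclasses import dataclass, field

REPLICA_STATUS = """\
ipa1.sj.bps: replica
  last update status: Error (18) Replication error acquiring replica: Incremental update transient warning. Backing off, will retry update later. (transient warning)
  last update ended: 1970-01-01 00:00:00+00:00
"""
DIG_REPLICA = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740"
DIG_PRIMARY = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201"
ERRORS_LOG = """\
[29/Aug/2022:19:19:26.616760756 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.EXAMPLE.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.652053902 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps" (ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[30/Aug/2022:13:14:58.302465482 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
"""

LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<msg>.*)$")  # 389-ds errors format
AGMT = re.compile(r'agmt="cn=(?P<agmt>[^"]+)" \((?P<peer>[^:)]+):\d+\)')     # agreement -> supplier host
CSN = re.compile(r"Can't locate CSN (?P<csn>[0-9a-f]+)")

# Failure stages in the order the thread's log shows them: the KDC lookup fails, so the
# GSSAPI replication bind fails, replication stalls, and the supplier's changelog is
# eventually purged past the consumer's last CSN.
SIGNATURES = {
    "kdc_unreachable": "Cannot contact any KDC for requested realm",
    "gssapi_bind_failed": "Replication bind with GSSAPI auth failed",
    "csn_missing": "Can't locate CSN",
    "changelog_purged": "Data required to update replica has been purged from the changelog",
}


@dataclass
class Findings:
    status_code: int = None           # from "last update status: Error (N)"
    never_synced: bool = False        # "last update ended" is the Unix epoch
    local_dns_servfail: bool = False  # the replica's own named cannot answer for its domain
    signatures: dict = field(default_factory=dict)  # stage -> number of matching log lines
    peers: set = field(default_factory=set)         # supplier hosts named in agreements
    missing_csns: set = field(default_factory=set)


def dig_status(header_line):
    """RCODE from a dig ';; ->>HEADER<<-' line, e.g. 'SERVFAIL' or 'NOERROR'."""
    m = re.search(r"status: (\w+)", header_line)
    return m.group(1) if m else None


def triage(replica_status, dig_header, errors_log):
    f = Findings()
    m = re.search(r"last update status: Error \((\d+)\)", replica_status)
    f.status_code = int(m.group(1)) if m else None
    f.never_synced = "last update ended: 1970-01-01" in replica_status
    f.local_dns_servfail = dig_status(dig_header) == "SERVFAIL"
    for line in errors_log.splitlines():
        lm = LOG_LINE.match(line)
        if not lm or lm.group("level") != "ERR":
            continue
        msg = lm.group("msg")
        for key, needle in SIGNATURES.items():
            if needle in msg:
                f.signatures[key] = f.signatures.get(key, 0) + 1
        a, c = AGMT.search(msg), CSN.search(msg)
        if a:
            f.peers.add(a.group("peer"))
        if c:
            f.missing_csns.add(c.group("csn"))
    return f


def recommend(f, domain_level, supplier="ipa1.sj.bps"):
    """Map findings to flo's advice. The DNS-first ordering is an inference from the
    log sequence, not something the thread confirmed; supplier and segment are assumed."""
    steps = []
    if f.local_dns_servfail:
        steps.append("fix name resolution on the replica (its own named answers SERVFAIL) "
                     "before expecting the GSSAPI replication bind to succeed")
    if "changelog_purged" in f.signatures:  # 389-ds itself says the replica must be reinitialized
        if domain_level == 0:
            steps.append(f"on the replica: ipa-replica-manage re-initialize --from {supplier}")
            steps.append(f"on the replica: ipa-csreplica-manage re-initialize --from {supplier}")
        else:  # segment names are not shown in the thread, so list them first
            steps.append("ipa topologysegment-find domain; ipa topologysegment-find ca")
            steps.append("ipa topologysegment-reinitialize domain <segment> --left|--right "
                         "(the side that is the stale replica), then the same for the ca suffix")
    return steps


if __name__ == "__main__":
    found = triage(REPLICA_STATUS, DIG_REPLICA, ERRORS_LOG)
    for step in recommend(found, domain_level=1):  # the thread's rootDSE shows ipaDomainLevel: 1
        print("-", step)
```

Feed it the real files on the replica (the errors log from /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors and the header line of dig @localhost for the replica's own name) and the signature counts tell you whether you are still at the Kerberos/DNS stage or already past the point where only a reinitialize will help.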