On 09/04/2014 05:11 PM, Guillermo Fuentes wrote:
> Hello list,
>
> We’re running FreeIPA with a master and 3 replicas. The replication
> stopped working and currently we’re adding resources only to the
> master. This is the environment we have:
> m1:
> OS: CentOS release 6.5
> FreeIPA: 3.0.0-37
> CA: pki-ca-9.0.3
>
>
> # ipa-replica-manage list -v `hostname`
> m2.example.com: replica
> last init status: None
> last init ended: None
> last update status: 49 - LDAP error: Invalid credentials
> last update ended: None
> m3.example.com: replica
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental
> update succeeded
> last update ended: 2014-09-04 14:28:44+00:00
> m4.example.com: replica
> last init status: None
> last init ended: None
> last update status: -2 - LDAP error: Local error
> last update ended: None
>
> m2:
> OS: CentOS release 6.5
> FreeIPA: 3.0.0-37
>
> # ipa-replica-manage list -v `hostname`
> m1.example.com: replica
> last init status: None
> last init ended: None
> last update status: -1 Incremental update has failed and requires
> administrator actionLDAP error: Can't contact LDAP server
> last update ended: 2014-09-03 22:53:21+00:00
>
> m3:
> OS: CentOS release 6.5
> FreeIPA: 3.0.0-37
>
> # ipa-replica-manage list -v `hostname`
> m1.example.com: replica
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental
> update succeeded
> last update ended: 2014-09-04 14:31:51+00:00
>
> m4:
> OS: CentOS release 6.5
> FreeIPA: 3.3.3-28
>
> # ipa-replica-manage list -v `hostname`
> m1.example.com: replica
> last init status: None
> last init ended: None
> last update status: 49 Unable to acquire replicaLDAP error: Invalid
> credentials
> last update ended: None
>
>
> Note that although m3 reports “Incremental update succeeded”, users
> created on m1 are not replicated to m3, and users created on m3 are
> not replicated back to m1.
>
> We’ve tried different things including re-initializing m2.
>
> Can somebody point me in the right direction to get replication going again?
>
> Thanks in advance!
>
> Guillermo

Hello,

I think we would need more troubleshooting information, which is available in /var/log/dirsrv/slapd-EXAMPLE-COM/errors, especially on m2, m3, m4.

A few pointers on what I would try myself:

1) Check that all masters have time synced (a difference in a matter of seconds is OK)

2) Check that DNS is all right - all replicas can resolve the master's forward and reverse address. The master can resolve all replicas' forward and reverse addresses. This is a common source of replication/Kerberos errors (http://www.freeipa.org/page/Troubleshooting#Kerberos_does_not_work)

The error "Can't contact LDAP server" may point to DNS issues.

3) Check that you can do a plain ldapsearch from replica to master. Ideally even authenticated with the keytab from /etc/dirsrv/ds.keytab

HTH,
Martin
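
The forward and reverse DNS check from step 2 of the reply above, as an added example that is not part of the original thread or of FreeIPA. It assumes the servers are named by FQDN as in the thread (m1.example.com and so on); the function names are hypothetical, and the script is meant to be run on each server with the names of all the others as arguments.

```python
import socket
import sys

def forward_lookup(host):
    """Return the set of IP addresses the local resolver gives for host."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def reverse_lookup(ip):
    """Return the primary PTR name for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_dns(hosts, forward=forward_lookup, reverse=reverse_lookup):
    """Return {host: [problems]}; an empty list means forward and reverse agree."""
    report = {}
    for host in hosts:
        want = host.rstrip(".").lower()
        problems = []
        ips = forward(host)
        if not ips:
            problems.append("no forward (A/AAAA) record")
        for ip in sorted(ips):
            name = reverse(ip)
            if name is None:
                problems.append(f"{ip}: no reverse (PTR) record")
            elif name.rstrip(".").lower() != want:
                # A PTR pointing at a different name breaks Kerberos
                # service principal lookups for that server.
                problems.append(f"{ip}: PTR is {name}, expected {want}")
        report[host] = problems
    return report

if __name__ == "__main__":
    # Usage (assumed invocation): python check_dns.py m1.example.com m2.example.com ...
    failed = False
    for host, problems in check_dns(sys.argv[1:]).items():
        print(host, "OK" if not problems else "; ".join(problems))
        failed = failed or bool(problems)
    sys.exit(1 if failed else 0)
```

A host that resolves to a loopback address through /etc/hosts shows up here as a PTR mismatch, which is worth fixing before re-testing replication.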
