On 06/07/2017 10:58 AM, Nick Campion via FreeIPA-users wrote:

Hi all,

 

We have a 3 master setup that is failing to replicate changes from a particular node to the other IPA instances. The replication status says it's all fine, however the record hasn't been changed on the other servers. We've seen this on user password changes, adding hosts and services. The only thing we've found that seems to fix this temporarily is to re-initialize from the master with the changed record. A force-sync doesn't pick up the changed record.

What is the change you are making, what attribute are you updating?  Could it be possible that it's being excluded by fractional replication?  Or is it all changes?

Any errors in the logs on the nodes (good and bad): /var/log/dirsrv/slapd-INSTANCE/errors

Do you see replication sessions starting between the bad node and good ones?  Are they talking?  Check the access log (/var/log/dirsrv/slapd-INSTANCE/access) on a good node and look for "connection from <BAD NODE IP address>"

Next would be to enable replication logging on the bad node and reproduce the problem (then disable repl logging right away), then send us the logs to look at.  See https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-troubleshooting_replication_related_problems

Regards,
Mark

Not sure what logs would be helpful to diagnose what is happening in this setup. 

# ipa-replica-manage -v list `hostname`
freeipa03.mgmt.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2017-06-07 14:43:53+00:00
freeipa02.mgmt.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2017-06-07 14:43:53+00:00

# ldapsearch -W -x -D "cn=directory manager" -b "cn=users,cn=accounts,dc=ipa,dc=example,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=ipa,dc=example,dc=com> with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Any help in what else can be checked or what logs would be helpful would be appreciated.

Thanks

Nick
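
Added example, not part of the original thread or of FreeIPA/389-ds itself: a Python sketch of the access-log check suggested above, run against a good node's log to see whether the bad node connects, starts a replication session, and actually sends updates. It goes one step beyond the "connection from" search by counting update operations per connection. The log layout and the start-replication OID reflect the usual 389-ds access-log format and are assumptions here; the sample lines and IP addresses are constructed.

```python
import re

# Extended-operation OID a supplier sends to start a replication session
# (assumed from standard 389-ds access logs, not taken from the thread).
REPL_START_OID = "2.16.840.1.113730.3.5.12"
UPDATE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ")
OP_RE = re.compile(r"conn=(\d+) op=-?\d+ (\w+)(.*)")

# Constructed sample: 10.0.0.13 stands in for the bad node, 10.0.0.11 for another master.
SAMPLE_LOG = """\
[07/Jun/2017:14:43:50.100000000 +0000] conn=4021 fd=87 slot=87 SSL connection from 10.0.0.13 to 10.0.0.12
[07/Jun/2017:14:43:50.200000000 +0000] conn=4021 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2017:14:43:50.300000000 +0000] conn=4021 op=3 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[07/Jun/2017:14:43:50.400000000 +0000] conn=4021 op=4 MOD dn="uid=jdoe,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
[07/Jun/2017:14:43:50.500000000 +0000] conn=4021 op=4 RESULT err=0 tag=103 nentries=0 etime=0
[07/Jun/2017:14:43:51.100000000 +0000] conn=4022 fd=88 slot=88 connection from 10.0.0.11 to 10.0.0.12
[07/Jun/2017:14:43:51.200000000 +0000] conn=4022 op=3 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[07/Jun/2017:14:43:52.100000000 +0000] conn=4023 fd=89 slot=89 connection from 10.0.0.13 to 10.0.0.12
[07/Jun/2017:14:43:52.200000000 +0000] conn=4023 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
"""

def summarize_peer(log_text, peer_ip):
    """Map each connection opened by peer_ip to whether it started a
    replication session and how many update operations it carried."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            if m.group(2) == peer_ip:
                conns[m.group(1)] = {"repl_start": False, "updates": 0}
            continue
        m = OP_RE.search(line)
        if not m or m.group(1) not in conns:
            continue  # operation belongs to some other peer's connection
        conn, op, rest = m.groups()
        if op == "EXT" and f'oid="{REPL_START_OID}"' in rest:
            conns[conn]["repl_start"] = True
        elif op in UPDATE_OPS:
            conns[conn]["updates"] += 1
    return conns

if __name__ == "__main__":
    for conn, info in summarize_peer(SAMPLE_LOG, "10.0.0.13").items():
        print(f"conn={conn} repl_start={info['repl_start']} updates={info['updates']}")
```

An empty result means the peer never connected; connections with `repl_start` true but zero updates mean sessions are opening without any changes being sent.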


