Hi,
Are ipa1 and ipa2 configured as DNS servers? This can be checked with
kinit admin
ipa server-role-find --role 'DNS server'
(since the replication doesn't seem to be working, please check the
commands on each server).
If they are configured as DNS servers, is there a forwarder configured?
kinit admin
ipa dnsconfig-show
ipa dnsserver-show ipa1.sj.bps
ipa dnsserver-show ipa2.sj.bps
If they are not DNS servers, what is their DNS client configuration?
Are there any errors related to replication in
/var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?
You can find a few things to check in
https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication...
flo
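Added example (not part of flo's reply and not FreeIPA's own tooling): a small POSIX shell helper that runs the checks above on one server and classifies the `dig @localhost` answer the way the two outputs quoted below differ (NOERROR with an answer record versus SERVFAIL with none). It assumes `ipa` and `dig` are installed, that `kinit admin` has already been done, the hostnames from the thread, and that the errors log sits under /var/log/dirsrv/slapd-*/errors; the dig headers and log lines used to exercise it are constructed for the example.

```sh
#!/bin/sh
# Added helper, not from the thread or FreeIPA: runs flo's checks on the local
# IPA server and summarises the results. Assumes `ipa` and `dig` are present,
# `kinit admin` has been done, and the dirsrv instance lives under
# /var/log/dirsrv/slapd-*/ (the instance name is derived from the realm).

# Pull the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) out of dig output on stdin.
dig_rcode() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify dig output on stdin: "ok" only for NOERROR with at least one
# answer record; otherwise "fail (<rcode>, answers=<n>)". A SERVFAIL from
# @localhost with ANSWER: 0 is exactly the replica's symptom in the thread.
dig_verdict() {
    out=$(cat)
    rcode=$(printf '%s\n' "$out" | dig_rcode)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ "$rcode" = NOERROR ] && [ "${answers:-0}" -gt 0 ]; then
        echo ok
    else
        echo "fail (${rcode:-NO-RESPONSE}, answers=${answers:-0})"
    fi
}

# Print replication-related problem lines from one or more dirsrv errors logs.
# Never fails, so it is safe under `set -e` when nothing matches.
repl_errors() {
    grep -ihE 'replic' "$@" | grep -iE 'err|fail|warn' || true
}

# The checks from the reply, for one server. $1 is the server's FQDN as known
# to IPA (defaults to hostname -f, which may differ from the sj.bps name).
run_checks() {
    host=${1:-$(hostname -f)}
    echo "== DNS server role (should list every server that runs named)"
    ipa server-role-find --role 'DNS server'
    echo "== global DNS config / forwarders"
    ipa dnsconfig-show
    echo "== per-server DNS config for $host (fails if $host is not a DNS server)"
    ipa dnsserver-show "$host" || true
    echo "== resolver config the host itself uses"
    grep -E '^(nameserver|search|domain)' /etc/resolv.conf
    echo "== does the local resolver answer for the sj.bps zone?"
    dig @localhost ipa1.sj.bps. | dig_verdict
    echo "== replication problems in the dirsrv errors log"
    repl_errors /var/log/dirsrv/slapd-*/errors
}

# Only run the live checks when invoked as: sh ipa-dns-check.sh run [fqdn]
if [ "${1-}" = run ]; then
    run_checks "${2-}"
fi
```

Run it as `sh ipa-dns-check.sh run` on ipa1 and again on ipa2; because replication is not working, the two servers' views of the DNS role and forwarders can legitimately differ, which is the point of comparing them. Note that ping succeeding while `dig @localhost` returns SERVFAIL only tells you that the system resolver (whatever /etc/resolv.conf points at) and the local named, if one is running, disagree; the resolv.conf line in the output shows which one ping actually used.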
On Tue, Aug 30, 2022 at 2:42 AM Simon Matthews via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Some time back I set up an IPA replica. The initial setup was successful,
but now I see that it is not syncing. It's possible that it has never
successfully synced. I suspect that something related to DNS may not be
working properly. Advice on debugging and fixing this would be appreciated.
# ipa-replica-manage list -v ipa2.sj.bps
ipa1.sj.bps: replica
last update status: Error (18) Replication error acquiring replica:
Incremental update transient warning. Backing off, will retry update
later. (transient warning)
last update ended: 1970-01-01 00:00:00+00:00
I think that something related to DNS is not working correctly on my
replica. My IPA domain is "ipa.<mycompany>.com". However, the DNS domain
used on the network is "sj.bps" and the primary nameserver is not either of
the IPA servers.
Both the primary and replica have DNS that works for the "sj.bps" domain
to an extent. I can ping using names in the "sj.bps" domain on the replica
(ipa2):
[root@ipa2 ~]# ping ipa1.sj.bps.
PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data.
64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms
^C
--- ipa1.sj.bps ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
But a local lookup doesn't work:
[root@ipa2 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; Query time: 5 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:37:37 EDT 2022
;; MSG SIZE rcvd: 40
A similar dig command on the primary works:
[root@ipa1 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; ANSWER SECTION:
ipa1.sj.bps. 2222 IN A 192.168.254.18
;; AUTHORITY SECTION:
sj.bps. 2222 IN NS ns.bps.
;; ADDITIONAL SECTION:
ns.bps. 2222 IN A 192.168.254.2
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:38:34 EDT 2022
;; MSG SIZE rcvd: 89
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org