Hi Mark
This is what I have on the master error log during replica install:
[14/Apr/2020:11:21:00.257655895 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:21.285497624 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:27.293626669 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:37.327494957 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 1 seconds.
[14/Apr/2020:11:21:38.385987336 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 2 seconds.
[14/Apr/2020:11:21:40.398179033 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 3 seconds.
[14/Apr/2020:11:21:43.407848477 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 4 seconds.
[14/Apr/2020:11:21:47.419790763 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 5 seconds.
On the replica error log there are no ERR logs, only INFO and WARN, and the log ends with:
[14/Apr/2020:11:21:34.981330893 +0000] - INFO - main - 389-Directory/1.4.1.3 B2019.323.229 starting up
[14/Apr/2020:11:21:35.022977416 +0000] - INFO - main - Setting the maximum file descriptor limit to: 4096
[14/Apr/2020:11:21:35.803769888 +0000] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[14/Apr/2020:11:21:35.874697893 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[14/Apr/2020:11:21:35.927003711 +0000] - NOTICE - ldbm_back_start - found 12128704k physical memory
[14/Apr/2020:11:21:36.006415484 +0000] - NOTICE - ldbm_back_start - found 11445168k available
[14/Apr/2020:11:21:36.048090360 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 303217k
[14/Apr/2020:11:21:36.123061153 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (1 total): 851968k
[14/Apr/2020:11:21:36.350166036 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (1 total): 131072k
[14/Apr/2020:11:21:36.599188174 +0000] - NOTICE - ldbm_back_start - total cache size: 1255028817 B;
[14/Apr/2020:11:21:36.745618576 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[14/Apr/2020:11:21:36.781112735 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[14/Apr/2020:11:21:36.806422732 +0000] - INFO - slapd_daemon - Listening on /var/run/slapd-IPAMASTER01-EXAMPLE-COM.socket for LDAPI requests
[14/Apr/2020:11:21:37.309999728 +0000] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meToipamaster01.example.com" (ipamaster01:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
But the interesting part is on the master:
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -h ipareplica01.example.com -b "" -s base
SASL/GSSAPI authentication started
[14335] 1586874293.284426: ccselect can't find appropriate cache for server principal ldap/ipareplica01.example.com@EXAMPLE.COM
[14335] 1586874293.284427: Getting credentials admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@EXAMPLE.COM using ccache KCM:0
[14335] 1586874293.284428: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284429: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284430: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM from KCM:0 with result: 0/Success
[14335] 1586874293.284431: Starting with TGT for client realm: admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284432: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284433: Requesting TGT krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM using TGT krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284434: Generated subkey for TGS request: aes256-cts/8B0E
[14335] 1586874293.284435: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14335] 1586874293.284437: Encoding request body and padata into FAST request
[14335] 1586874293.284438: Sending request (1569 bytes) to IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284439: Initiating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284440: Sending TCP request to stream 192.168.200.107:88
[14335] 1586874293.284441: Received answer (461 bytes) from stream 192.168.200.107:88
[14335] 1586874293.284442: Terminating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284443: Response was from master KDC
[14335] 1586874293.284444: Decoding FAST response
[14335] 1586874293.284445: TGS request result: -1765328377/Server krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM not found in Kerberos database
[14335] 1586874293.284446: Trying next closer realm in path: EXAMPLE.COM
[14335] 1586874293.284447: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284448: Requesting TGT krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM using TGT krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284449: Generated subkey for TGS request: aes256-cts/E193
[14335] 1586874293.284450: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14335] 1586874293.284452: Encoding request body and padata into FAST request
[14335] 1586874293.284453: Sending request (1569 bytes) to IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284454: Initiating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284455: Sending TCP request to stream 192.168.200.107:88
[14335] 1586874293.284456: Received answer (461 bytes) from stream 192.168.200.107:88
[14335] 1586874293.284457: Terminating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284458: Response was from master KDC
[14335] 1586874293.284459: Decoding FAST response
[14335] 1586874293.284460: TGS request result: -1765328377/Server krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM not found in Kerberos database
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM not found in Kerberos database)
And on the replica:
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -h ipareplica01.example.com -b "" -s base
SASL/GSSAPI authentication started
[6124] 1586874420.464854: ccselect module realm chose cache KCM:0 with client principal admin@IPAMASTER01.EXAMPLE.COM for server principal ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM
[6124] 1586874420.464855: Getting credentials admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM using ccache KCM:0
[6124] 1586874420.464856: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM from KCM:0 with result: 0/Success
[6124] 1586874420.464858: Creating authenticator for admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM, seqnum 602124589, subkey aes256-cts/EDE8, session key aes256-cts/8C19
[6124] 1586874420.464863: Read AP-REP, time 1586874420.464859, subkey aes256-cts/57FE, seqnum 837693153
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Best,
Alex
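The diagnostic below is an added worked example, not code from Alex's post, from FreeIPA or from MIT Kerberos. It parses KRB5_TRACE lines in the shape quoted above, reads the realm the client mapped the ldap/ service principal to, compares it with the realm of the client's own TGT, and flags the "Server krbtgt/... not found in Kerberos database" result that appears when the client tries to walk a cross-realm path the KDC does not know. It also includes a deliberately simplified model of krb5.conf [domain_realm] suffix matching so the reader can see which mapping would place the replica's host in the client's realm. The trace strings are constructed from the post's lines; the [domain_realm] mapping values and every function name are assumptions of this example.

```python
"""Spot a Kerberos realm-mapping mismatch in KRB5_TRACE output (added example)."""
import re
from typing import Dict, Optional

# Constructed sample traces, shortened from the lines quoted in the post.
TRACE_MASTER = """
[14335] 1586874293.284426: ccselect can't find appropriate cache for server principal ldap/ipareplica01.example.com@EXAMPLE.COM
[14335] 1586874293.284427: Getting credentials admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@EXAMPLE.COM using ccache KCM:0
[14335] 1586874293.284433: Requesting TGT krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM using TGT krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284445: TGS request result: -1765328377/Server krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM not found in Kerberos database
"""

TRACE_REPLICA = """
[6124] 1586874420.464855: Getting credentials admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM using ccache KCM:0
[6124] 1586874420.464856: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM from KCM:0 with result: 0/Success
"""

# Assumed krb5.conf [domain_realm] content: maps the example.com DNS domain
# to the realm the client's TGT actually belongs to.
EXAMPLE_DOMAIN_REALM = {
    ".example.com": "IPAMASTER01.EXAMPLE.COM",
    "example.com": "IPAMASTER01.EXAMPLE.COM",
}

GETTING_RE = re.compile(r"Getting credentials (\S+) -> (\S+) using ccache")
TGS_FAIL_RE = re.compile(
    r"TGS request result: -?\d+/Server (\S+) not found in Kerberos database"
)


def principal_realm(principal: str) -> str:
    """Return the realm part of 'name@REALM' (or 'svc/host@REALM')."""
    return principal.rsplit("@", 1)[1]


def analyze(trace: str) -> Dict[str, object]:
    """Classify a GSSAPI trace: same-realm, cross-realm, or a realm mismatch
    where the cross-realm TGT the client asked for does not exist on the KDC."""
    client: Optional[str] = None
    server: Optional[str] = None
    failed_tgts = []
    for line in trace.splitlines():
        m = GETTING_RE.search(line)
        if m:
            client, server = m.group(1), m.group(2)
        m = TGS_FAIL_RE.search(line)
        if m:
            failed_tgts.append(m.group(1))
    if client is None or server is None:
        return {"status": "no-credentials-request"}
    client_realm = principal_realm(client)
    server_realm = principal_realm(server)
    result: Dict[str, object] = {
        "client_realm": client_realm,
        "server_realm": server_realm,
        "failed_tgts": failed_tgts,
    }
    if client_realm != server_realm and failed_tgts:
        result["status"] = "realm-mismatch"
        result["hint"] = (
            f"client mapped {server.split('@')[0]} to realm {server_realm}, but its TGT is "
            f"for {client_realm} and the KDC has no {failed_tgts[0]}; check the "
            f"[domain_realm] mapping for that host on the client"
        )
    elif client_realm != server_realm:
        result["status"] = "cross-realm"
    else:
        result["status"] = "same-realm"
    return result


def realm_for_host(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Simplified model of krb5's [domain_realm] lookup (assumption of this
    example): exact hostname first, then parent domains with a leading dot,
    longest suffix first. None means no explicit mapping was found."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


if __name__ == "__main__":
    for name, trace in (("master", TRACE_MASTER), ("replica", TRACE_REPLICA)):
        print(name, analyze(trace))
    print("mapped realm:", realm_for_host("ipareplica01.example.com", EXAMPLE_DOMAIN_REALM))
    print("no mapping:", realm_for_host("ipareplica01.example.com", {}))
```

Run against the two constructed traces, the master-side trace is reported as a realm mismatch (service mapped to EXAMPLE.COM, TGT held for IPAMASTER01.EXAMPLE.COM, cross-realm krbtgt missing), while the replica-side trace is same-realm: its later "Invalid credentials (49)" comes from the LDAP bind after GSSAPI succeeded and is not visible in the Kerberos trace, so it needs a different check.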