Hello there,

Something went wrong after recent yum update (CentOS 7)
The current version is 4.6.8-5.el7.centos.9

I have two FreeIPA replicas  and one Active Directory agreement (winsync)

Here what i'm getting from cn=replica....cn=mapping tree,cn=config

nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z

nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z

This is  for both agreements, however winsync is still alive somehow.
Replication to the second FreeIPA node no longer works, and
when trying to re-initialize, here's what i'm getting:

ipa-replica-manage re-initialize --from=<node0> --verbose

Traceback (most recent call last):
  File "/sbin/ipa-replica-manage", line 1624, in <module>
    main(options, args)
  File "/sbin/ipa-replica-manage", line 1567, in main
    options.nolookup)
  File "/sbin/ipa-replica-manage", line 1220, in re_initialize
    repl.initialize_replication(agreement.dn, repl.conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1358, in initialize_replication
    conn.modify_s(dn, mod)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 792, in modify_s
    return self.conn.modify_s(dn, modlist)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 357, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
TYPE_OR_VALUE_EXISTS: {'desc': 'Type or value exists'}
Unexpected error: {'desc': 'Type or value exists'}


I feel that the exception is related to time set to 19700101000000Z or some other cn=config parameter.

Another suspicious thing which may be related is:

Running on node0:

ipa-replica-manage list -v <node1>

Failed to get data from 'node1': Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/<something unknown here> not found in Kerberos database)

Any advice on how to fix without rebuilding everything ?

Thank you