Hi,

On Tue, Aug 30, 2022 at 7:32 PM Simon Matthews via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Thanks for your reply.

>>> You can find a few things to check in
>>> https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication...
]# ldapsearch -Y GSSAPI -h ipa1.sj.bps -b "" -s base
SASL/GSSAPI authentication started
SASL username: ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=ipa,dc=<my company>,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=ipa,dc=<my company>,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 2.16.840.1.113730.3.8.10.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.10.2 B2022.179.1527
dataversion: 020220830001452020220830001452020220830001452
netscapemdsuffix: cn=ldap://dc=ipa1,dc=sj,dc=bps:389
lastusn: 1222591
changeLog: cn=changelog
firstchangenumber: 151
lastchangenumber: 153
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


>>> If they are configured as DNS servers, is there a forwarder configured?
Yes:
]# ipa dnsserver-show ipa1.sj.bps
  Server name: ipa1.sj.bps
  SOA mname override: ipa1.sj.bps.
  Forwarders: 192.168.254.10, 192.168.254.2
  Forward policy: only
[root@ipa1 ~]# ipa dnsserver-show ipa2.sj.bps
  Server name: ipa2.sj.bps
  SOA mname override: ipa2.sj.bps.
  Forwarders: 192.168.254.2
  Forward policy: only

The lack of 192.168.254.10 for ipa2 should not matter since this is a secondary/slave nameserver on the network.


>>> Are there any errors related to replication in
>>> /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?

I see these errors.

[29/Aug/2022:19:12:53.869825394 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Aug/2022:19:12:54.686756883 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:12:54.870607368 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[29/Aug/2022:19:12:55.002346083 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.058525909 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.116643453 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[29/Aug/2022:19:13:00.254585526 -0400] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.325746557 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.625350394 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.747736017 -0400] - ERR - schema-compat-plugin - Finished plugin initialization.
[29/Aug/2022:19:19:26.447086663 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:19:26.616760756 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.652053902 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:26.705855975 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.732413212 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:29.093106968 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.<MY COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
....
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps" (ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[30/Aug/2022:13:14:58.285772035 -0400] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN 620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:14:58.302465482 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
[30/Aug/2022:13:15:01.355096020 -0400] - ERR - agmt="cn=meToipa1.sj.bps" (ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[30/Aug/2022:13:15:01.393991242 -0400] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN 620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:15:01.410581481 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.


It looks like the replication was broken (or stopped) for too long; the changelog got purged and lost part of the updates that should have been replicated. If you want to understand the changelog and purge concepts, please refer to [1].

Depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage reinitialize
  (domain-level 0) [2]
or
- ipa topologysegment-reinitialize (domain level 1). For more
information refer to "ipa help topologysegment-reinitialize".

The command "ipa domainlevel-get" will provide you with the current
domain level. The reinitialize command forces a full synchronization of
the content from the specified source to the replica.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/configuring_and_managing_replication/assembly_trimming-the-replication-changelog_configuring-and-managing-replication#proc_configuring-replication-changelog-trimming-using-the-command-line_assembly_trimming-the-replication-changelog
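The diagnosis above rests on reading the 389-ds errors log by hand. As an added example (not part of this thread, and not FreeIPA or 389-ds code), the following Python classifies error lines in the `[timestamp] - LEVEL - component - message` layout seen in Simon's paste, groups them per replication agreement, and reports which agreements show the "purged from the changelog" / "Can't locate CSN" condition that incremental replication cannot recover from. The sample lines are constructed, modelled on the ones posted above (same agreement name, CSN and message texts); the category names and the rule ordering are my own choices, not anything the server emits.

```python
import re
from collections import defaultdict

# One 389-ds errors-log line: "[ts] - LEVEL - rest"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<rest>.*)$')
# The replication agreement and its peer, e.g. agmt="cn=meToipa1.sj.bps" (ipa1:389)
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')

# Most actionable rule first; the first match wins. Category names are
# assumptions made for this example, not strings produced by 389-ds.
RULES = [
    ("changelog_purged", re.compile(r"purged from the changelog|Can't locate CSN")),
    ("gssapi_bind_failed", re.compile(r"Replication bind with GSSAPI auth failed")),
    ("krb5_creds_failed", re.compile(r"Could not get initial credentials")),
]

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
[29/Aug/2022:19:12:54.870607368 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa2.sj.bps@IPA.EXAMPLE.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:12:55.002346083 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:13:00.747736017 -0400] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps" (ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[30/Aug/2022:13:14:58.302465482 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
"""


def classify_line(line):
    """Return (timestamp, category, agreement) for a replication-relevant
    ERR line, or None for lines that match no rule (plugin chatter etc.).
    agreement is None when the failure is server-wide, such as the keytab
    / KDC failure, which is not tied to a single agreement."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("level") != "ERR":
        return None
    rest = m.group("rest")
    for category, pattern in RULES:
        if pattern.search(rest):
            a = AGMT_RE.search(rest)
            return (m.group("ts"), category, a.group("agmt") if a else None)
    return None


def summarize(log_text):
    """Count findings per agreement: {agreement: {category: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            _, category, agmt = hit
            summary[agmt][category] += 1
    return {agmt: dict(cats) for agmt, cats in summary.items()}


def agreements_needing_reinit(log_text):
    """Agreements whose supplier changelog no longer holds the CSNs the
    consumer needs; these are the ones the reinitialize commands address."""
    return sorted(agmt for agmt, cats in summarize(log_text).items()
                  if agmt and "changelog_purged" in cats)


if __name__ == "__main__":
    for agmt, cats in summarize(SAMPLE_LOG).items():
        print(agmt or "<server-wide>", cats)
    print("needs reinit:", agreements_needing_reinit(SAMPLE_LOG))
```

Run it against the real file (`python3 script.py < /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors` after replacing `SAMPLE_LOG` with `sys.stdin.read()`) and the server-wide bucket separates the Kerberos/keytab problem, which reinitializing will not fix, from the per-agreement changelog gap, which it will.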