Hi,

During the installation of one of our FreeIPA replicas (with ipa-replica-install), the process hangs on "No status yet".

Our domain is in domain level 1.

It seems that the script is waiting for the attribute nsds5ReplicaLastInitStatus.

The master server is up and running and we want to have a multi-master environment.

We don't find any errors related to the replication process in the logs.

The version installed: 4.6.5-11.0.1.el7_7.3

First, the IPA client is correctly installed on the server. Then we use the command ipa-replica-install to promote it to an IPA server with:

ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join

In the ipareplica-install.log we just have this:

2020-01-17T10:25:46Z DEBUG   [28/41]: setting up initial replication

2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248>

2020-01-17T10:25:47Z DEBUG Destroyed connection context.ldap2_139829518113296

2020-01-17T10:25:47Z DEBUG Starting external process

2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload

2020-01-17T10:25:47Z DEBUG Process finished, return code=0

2020-01-17T10:25:47Z DEBUG stdout=

2020-01-17T10:25:47Z DEBUG stderr=

2020-01-17T10:25:47Z DEBUG Starting external process

2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart dirsrv@DOMAIN-COM.service

2020-01-17T10:25:53Z DEBUG Process finished, return code=0

2020-01-17T10:25:53Z DEBUG stdout=

2020-01-17T10:25:53Z DEBUG stderr=

2020-01-17T10:25:53Z DEBUG Restart of dirsrv@HS2-VDC-CORP-HOMESEND-COM.service complete

2020-01-17T10:25:53Z DEBUG Created connection context.ldap2_139829518113296

2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]

2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache url=ldap://server2.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c95da8320>

2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId.

2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config

2020-01-17T10:25:54Z DEBUG Added replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config

2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config

2020-01-17T10:25:54Z DEBUG No update to cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config necessary

2020-01-17T10:25:54Z DEBUG Waiting for replication (ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket) cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config (objectclass=*)

2020-01-17T10:25:54Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': ['meToserver2.domain.com'], u'objectClass': ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain,dc=com'], u'nsDS5ReplicaHost': ['server2.domain.com'], u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions started since server startup'], u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], u'nsds5replicaLastUpdateStart': ['19700101000000Z'], u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], u'description': ['me to server2.domain.com'], u'nsds5replicareapactive': ['0'], u'nsds5replicaChangesSentSinceStartup': [''], u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], u'nsds5replicaLastInitEnd': ['19700101000000Z'], u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]

On the live master, there is also a strange behavior:

It seems the LDAP server is in a kind of read-only mode. For example, if I reset the password of an account, I don't get any error but nothing happens.

I also have these errors on this server:

Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400

Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000

But we don't have any replication because there are no other servers:

# ipa-replica-manage list

server2.domain.com: master

# ipa-replica-manage list-ruv

Directory Manager password:

 

Replica Update Vectors:

                server2.domain.com:389: 5

Certificate Server Replica Update Vectors:

                server2.domain.com:389: 6

# ipa topologysuffix-find

---------------------------

2 topology suffixes matched

---------------------------

  Suffix name: ca

  Managed LDAP suffix DN: o=ipaca

 

  Suffix name: domain

  Managed LDAP suffix DN: dc=domain,dc=com

----------------------------

Number of entries returned 2

----------------------------

# ipa topologysegment-find

Suffix name: domain

------------------

0 segments matched

------------------

----------------------------

Number of entries returned 0

----------------------------

I really don't know what happened here. Could you help us with that?

Best regards,

Damien
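Added example, not part of Damien's message: a small Python script that decodes the CSNs quoted in the replica_generate_next_csn warning above. A 389-ds CSN is 20 hex digits (8 of timestamp in seconds since the epoch, 4 of sequence number, 4 of replica id, 4 of subsequence number); the log line and the 86400 limit are copied from the post, the function names are my own. Decoding shows that basecsn carries a timestamp in the year 2105 and a replica id different from opcsn's, and that the gap between the two timestamps is exactly the 2711289715 seconds reported by the csngen_adjust_time error.

```python
import re
import datetime as dt

# Copy of the ns-slapd WARN line from the post, used here as sample input.
SAMPLE_LOG = (
    "[17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - "
    "replica_generate_next_csn - opcsn=5e21d27e000000050000 <= "
    "basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000"
)
# csngen_adjust_time refuses time adjustments above this many seconds (from the ERR line).
ADJUST_LIMIT = 86400

CSN_RE = re.compile(r"(opcsn|basecsn|adjusted opcsn)=([0-9a-f]{20})")
EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def decode_csn(csn):
    """Split a 20-hex-digit 389-ds CSN into its fields.

    Layout: 8 hex digits of timestamp (seconds since the epoch), 4 of sequence
    number, 4 of replica id, 4 of subsequence number.
    """
    if len(csn) != 20:
        raise ValueError("CSN must be 20 hex digits: %r" % csn)
    ts = int(csn[0:8], 16)
    return {
        "time": ts,
        "utc": (EPOCH + dt.timedelta(seconds=ts)).isoformat(),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_csn_warning(line):
    """Return {label: decoded CSN} for every CSN named in a replica_generate_next_csn line."""
    return {label: decode_csn(value) for label, value in CSN_RE.findall(line)}


def skewed_csns(line, limit=ADJUST_LIMIT):
    """Labels whose timestamp is more than `limit` seconds ahead of opcsn.

    A CSN that far in the future (here basecsn, the CSN the new opcsn must
    exceed) is what makes csngen_adjust_time give up on adjusting the clock.
    """
    csns = parse_csn_warning(line)
    op_time = csns["opcsn"]["time"]
    return sorted(label for label, c in csns.items() if c["time"] - op_time > limit)


if __name__ == "__main__":
    for label, c in parse_csn_warning(SAMPLE_LOG).items():
        print("%-14s %s seq=%-5d rid=%d" % (label, c["utc"], c["seq"], c["rid"]))
    print("ahead of opcsn by more than %d s: %s" % (ADJUST_LIMIT, skewed_csns(SAMPLE_LOG)))
```

Running it against a live server's own error log (or against the CSNs shown by ipa-replica-manage list-ruv) is a quick way to spot which replica id contributed the bad timestamp before deciding how to clean the RUV.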