7:42 p.m.
Some time back I set up an IPA replica. The initial setup was successful, but now I see
that it is not syncing. It's possible that it has never successfully synced. I suspect
that something related to DNS may not be working properly. Advice on debugging and fixing
this would be appreciated.
# ipa-replica-manage list -v ipa2.sj.bps
ipa1.sj.bps: replica
last update status: Error (18) Replication error acquiring replica: Incremental update
transient warning. Backing off, will retry update later. (transient warning)
last update ended: 1970-01-01 00:00:00+00:00
I think that something related to DNS is not working correctly on my replica. My IPA
domain is "ipa.<mycompany>.com". However, the DNS domain used on the
network is "sj.bps" and the primary nameserver is not ether of the IPA servers.
Both the primary and replica have DNS that works for the "sj.bps" domain to an
extent. I can ping using names in the "sj.bps" domain on the replica (ipa2):
[root@ipa2 ~]# ping ipa1.sj.bps.
PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data.
64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms
^C
--- ipa1.sj.bps ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
But a local lookup doesn't work:
[root@ipa2 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; Query time: 5 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:37:37 EDT 2022
;; MSG SIZE rcvd: 40
A similar dig command on the primary works:
[root@ipa1 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; ANSWER SECTION:
ipa1.sj.bps. 2222 IN A 192.168.254.18
;; AUTHORITY SECTION:
sj.bps. 2222 IN NS ns.bps.
;; ADDITIONAL SECTION:
ns.bps. 2222 IN A 192.168.254.2
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:38:34 EDT 2022
;; MSG SIZE rcvd: 89
1:56 a.m.
Hi,
Are ipa1 and ipa2 configured as DNS servers? This can be checked with
kinit admin
ipa server-role-find --role 'DNS server'
(since the replication doesn't seem to be working, please check the
commands on each server).
If they are configured as DNS servers, is there a forwarder configured?
kinit admin
ipa dnsconfig-show
ipa dnsserver-show ipa1.sj.bps
ipa dnsserver-show ipa2.sj.bps
If they are not DNS servers, what is their DNS client configuration?
Are there any errors related to replication in
/var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?
You can find a few things to check in
https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication...
flo
On Tue, Aug 30, 2022 at 2:42 AM Simon Matthews via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Some time back I set up an IPA replica. The initial setup was
successful,
but now I see that it is not syncing. It's possible that it has never
successfully synced. I suspect that something related to DNS may not be
working properly. Advice on debugging and fixing this would be appreciated.
# ipa-replica-manage list -v ipa2.sj.bps
ipa1.sj.bps: replica
last update status: Error (18) Replication error acquiring replica:
Incremental update transient warning. Backing off, will retry update
later. (transient warning)
last update ended: 1970-01-01 00:00:00+00:00
I think that something related to DNS is not working correctly on my
replica. My IPA domain is "ipa.<mycompany>.com". However, the DNS domain
used on the network is "sj.bps" and the primary nameserver is not ether of
the IPA servers.
Both the primary and replica have DNS that works for the "sj.bps" domain
to an extent. I can ping using names in the "sj.bps" domain on the replica
(ipa2):
[root@ipa2 ~]# ping ipa1.sj.bps.
PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data.
64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms
^C
--- ipa1.sj.bps ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
But a local lookup doesn't work:
[root@ipa2 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; Query time: 5 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:37:37 EDT 2022
;; MSG SIZE rcvd: 40
A similar dig command on the primary works:
[root@ipa1 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; ANSWER SECTION:
ipa1.sj.bps. 2222 IN A 192.168.254.18
;; AUTHORITY SECTION:
sj.bps. 2222 IN NS ns.bps.
;; ADDITIONAL SECTION:
ns.bps. 2222 IN A 192.168.254.2
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:38:34 EDT 2022
;; MSG SIZE rcvd: 89
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
12:32 p.m.
Thanks for your reply.
>> You can find a few things to check in
>> https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication...
]# ldapsearch -Y GSSAPI -h ipa1.sj.bps -b "" -s base
SASL/GSSAPI authentication started
SASL username: ldap/ipa2.sj.bps(a)IPA.<MY COMPANY>.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=ipa,dc=<my company>,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=ipa,dc=<my company>,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 2.16.840.1.113730.3.8.10.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.10.2 B2022.179.1527
dataversion: 020220830001452020220830001452020220830001452
netscapemdsuffix: cn=ldap://dc=ipa1,dc=sj,dc=bps:389
lastusn: 1222591
changeLog: cn=changelog
firstchangenumber: 151
lastchangenumber: 153
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
>> If they are configured as DNS servers, is there a forwarder
configured?
Yes:
]# ipa dnsserver-show ipa1.sj.bps
Server name: ipa1.sj.bps
SOA mname override: ipa1.sj.bps.
Forwarders: 192.168.254.10, 192.168.254.2
Forward policy: only
[root@ipa1 ~]# ipa dnsserver-show ipa2.sj.bps
Server name: ipa2.sj.bps
SOA mname override: ipa2.sj.bps.
Forwarders: 192.168.254.2
Forward policy: only
The lack of 192.168.254.10 for ipa2 should not matter since this is a secondary/slave
nameserver on the network.
>> Are there any errors related to replication in
>> /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?
I see these errors.
[29/Aug/2022:19:12:53.869825394 -0400] - ERR - schema-compat-plugin - scheduled
schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Aug/2022:19:12:54.686756883 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS
Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS
Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:12:54.870607368 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[29/Aug/2022:19:12:55.002346083 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.058525909 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.116643453 -0400] - ERR - schema-compat-plugin - schema-compat-plugin
tree scan will start in about 5 seconds!
[29/Aug/2022:19:13:00.254585526 -0400] - ERR - schema-compat-plugin - warning: no entries
set up under ou=sudoers,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.325746557 -0400] - ERR - schema-compat-plugin - warning: no entries
set up under cn=ng, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.625350394 -0400] - ERR - schema-compat-plugin - warning: no entries
set up under cn=computers, cn=compat,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.747736017 -0400] - ERR - schema-compat-plugin - Finished plugin
initialization.
[29/Aug/2022:19:19:26.447086663 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS
Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my company>,dc=com--no CoS
Templates found, which should be added before the CoS Definition.
[29/Aug/2022:19:19:26.616760756 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.652053902 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:26.705855975 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Aug/2022:19:19:26.732413212 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication bind with GSSAPI auth
failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:29.093106968 -0400] - ERR - set_krb5_creds - Could not get initial
credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY COMPANY>.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
....
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps"
(ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the
changelog (DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[30/Aug/2022:13:14:58.285772035 -0400] - ERR - NSMMReplicationPlugin - changelog program -
repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN
620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:14:58.302465482 -0400] - ERR - NSMMReplicationPlugin - send_updates -
agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been
purged from the changelog. If the error persists the replica must be reinitialized.
[30/Aug/2022:13:15:01.355096020 -0400] - ERR - agmt="cn=meToipa1.sj.bps"
(ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in the
changelog (DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[30/Aug/2022:13:15:01.393991242 -0400] - ERR - NSMMReplicationPlugin - changelog program -
repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps" (ipa1:389): CSN
620693cb000200050000 not found, we aren't as up to date, or we purged
[30/Aug/2022:13:15:01.410581481 -0400] - ERR - NSMMReplicationPlugin - send_updates -
agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to update replica has been
purged from the changelog. If the error persists the replica must be reinitialized.
5:32 p.m.
I tried running "ipa-dns-install" again, and it failed with this:
# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.
This includes:
* Configure DNS (bind)
* Configure SoftHSM (required by DNSSEC)
* Configure ipa-dnskeysyncd (required by DNSSEC)
NOTE: DNSSEC zone signing is not enabled by default
To accept the default shown in brackets, press the Enter key.
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.254.2
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.254.2
DNS forwarder 192.168.254.2 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.254.10
DNS forwarder 192.168.254.10 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up kerberos principal
[5/8]: setting up named.conf
[6/8]: setting up server configuration
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to
answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to
answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to
answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to
answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to
answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to
answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name ipa1.sj.bps. to IP
address, ipa-ca DNS record will be incomplete
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to
answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to
answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to
answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to
answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to
answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to
answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name ipa2.sj.bps. to IP
address, ipa-ca DNS record will be incomplete
==============================================================================
Setup complete
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
You must make sure these network ports are open:
TCP Ports:
* 53: bind
UDP Ports:
* 53: bind
I checked to see if it could be a firewall issue:
[root@ipa2 ~]# iptables --list -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The DNS server resolves external names:
[root@ipa2 ~]# dig @localhost google.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 142.250.188.238
;; Query time: 52 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Aug 30 18:31:15 EDT 2022
;; MSG SIZE rcvd: 55
But not the sj.bps domain:
[root@ipa2 ~]# dig @localhost ipa1.sj.bps
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost
ipa1.sj.bps
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7731
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; Query time: 6 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Aug 30 18:31:58 EDT 2022
;; MSG SIZE rcvd: 40
2:13 p.m.
Hi,
On Tue, Aug 30, 2022 at 7:32 PM Simon Matthews via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Thanks for your reply.
>>> You can find a few things to check in
>>>
https://www.freeipa.org/page/Troubleshooting/Directory_Server#Replication.
..
]# ldapsearch -Y GSSAPI -h ipa1.sj.bps -b "" -s base
SASL/GSSAPI authentication started
SASL username: ldap/ipa2.sj.bps(a)IPA.<MY COMPANY>.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=ipa,dc=<my company>,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=ipa,dc=<my company>,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 2.16.840.1.113730.3.8.10.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.10.2 B2022.179.1527
dataversion: 020220830001452020220830001452020220830001452
netscapemdsuffix: cn=ldap://dc=ipa1,dc=sj,dc=bps:389
lastusn: 1222591
changeLog: cn=changelog
firstchangenumber: 151
lastchangenumber: 153
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
>>> If they are configured as DNS servers, is there a forwarder configured?
Yes:
]# ipa dnsserver-show ipa1.sj.bps
Server name: ipa1.sj.bps
SOA mname override: ipa1.sj.bps.
Forwarders: 192.168.254.10, 192.168.254.2
Forward policy: only
[root@ipa1 ~]# ipa dnsserver-show ipa2.sj.bps
Server name: ipa2.sj.bps
SOA mname override: ipa2.sj.bps.
Forwarders: 192.168.254.2
Forward policy: only
The lack of 192.168.254.10 for ipa2 should not matter since this is a
secondary/slave nameserver on the network.
>>> Are there any errors related to replication in
>>> /var/log/dirsrv/slapd-<YOUR-DOMAIN>/errors?
I see these errors.
[29/Aug/2022:19:12:53.869825394 -0400] - ERR - schema-compat-plugin -
scheduled schema-compat-plugin tree scan in about 5 seconds after the
server startup!
[29/Aug/2022:19:12:54.686756883 -0400] - ERR - cos-plugin - cos_dn_defs_cb
- Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my
company>,dc=com--no CoS Templates found, which should be added before the
CoS Definition.
[29/Aug/2022:19:12:54.870607368 -0400] - ERR - set_krb5_creds - Could not
get initial credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY
COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic
error (see e-text))
[29/Aug/2022:19:12:55.002346083 -0400] - ERR - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication
bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.058525909 -0400] - ERR - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication
bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:12:55.116643453 -0400] - ERR - schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!
[29/Aug/2022:19:13:00.254585526 -0400] - ERR - schema-compat-plugin -
warning: no entries set up under ou=sudoers,dc=ipa,dc=<my company>,dc=com
[29/Aug/2022:19:13:00.325746557 -0400] - ERR - schema-compat-plugin -
warning: no entries set up under cn=ng, cn=compat,dc=ipa,dc=<my
company>,dc=com
[29/Aug/2022:19:13:00.625350394 -0400] - ERR - schema-compat-plugin -
warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=<my
company>,dc=com
[29/Aug/2022:19:13:00.747736017 -0400] - ERR - schema-compat-plugin -
Finished plugin initialization.
[29/Aug/2022:19:19:26.447086663 -0400] - ERR - cos-plugin - cos_dn_defs_cb
- Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=<my
company>,dc=com--no CoS Templates found, which should be added before the
CoS Definition.
[29/Aug/2022:19:19:26.616760756 -0400] - ERR - set_krb5_creds - Could not
get initial credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY
COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot
contact any KDC for requested realm)
[29/Aug/2022:19:19:26.652053902 -0400] - ERR - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipa1.sj.bps" (ipa1:389) - Replication
bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:26.705855975 -0400] - ERR - set_krb5_creds - Could not
get initial credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY
COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot
contact any KDC for requested realm)
[29/Aug/2022:19:19:26.732413212 -0400] - ERR - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=caToipa1.sj.bps" (ipa1:389) - Replication
bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[29/Aug/2022:19:19:29.093106968 -0400] - ERR - set_krb5_creds - Could not
get initial credentials for principal [ldap/ipa2.sj.bps(a)IPA.<MY
COMPANY>.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot
contact any KDC for requested realm)
....
[30/Aug/2022:13:14:58.254029634 -0400] - ERR - agmt="cn=meToipa1.sj.bps"
(ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in
the changelog (DB rc=-30988). If replication stops, the consumer may need
to be reinitialized.
[30/Aug/2022:13:14:58.285772035 -0400] - ERR - NSMMReplicationPlugin -
changelog program - repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps"
(ipa1:389): CSN 620693cb000200050000 not found, we aren't as up to date, or
we purged
[30/Aug/2022:13:14:58.302465482 -0400] - ERR - NSMMReplicationPlugin -
send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to
update replica has been purged from the changelog. If the error persists
the replica must be reinitialized.
[30/Aug/2022:13:15:01.355096020 -0400] - ERR - agmt="cn=meToipa1.sj.bps"
(ipa1:389) - clcache_load_buffer - Can't locate CSN 620693cb000200050000 in
the changelog (DB rc=-30988). If replication stops, the consumer may need
to be reinitialized.
[30/Aug/2022:13:15:01.393991242 -0400] - ERR - NSMMReplicationPlugin -
changelog program - repl_plugin_name_cl - agmt="cn=meToipa1.sj.bps"
(ipa1:389): CSN 620693cb000200050000 not found, we aren't as up to date, or
we purged
[30/Aug/2022:13:15:01.410581481 -0400] - ERR - NSMMReplicationPlugin -
send_updates - agmt="cn=meToipa1.sj.bps" (ipa1:389): Data required to
update replica has been purged from the changelog. If the error persists
the replica must be reinitialized.
It looks like the replication was broken (or stopped) for too long, the
changelog got purged and lost part of the updates that should be
replicated. If you want to understand about the changelog and purge
concepts, please refer to [1].
Depending on your domain level, you can use either
- ipa-replica-manage re-initialize and ipa-csreplica-manage reinitialize
(domain-level 0) [2]
or
- ipa topologysegment-reinitialize (domain level 1). For more
information refer to "ipa help topologysegment-reinitialize".
The command "ipa domainlevel-get" will provide you with the current
domain level. The reinitialize command forces a full synchronization of
the content from the specified source to the replica.
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_directory_server/12...
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
606
days inactive
607
days old
freeipa-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
Florence Blanc-Renaud -
Simon Matthews