After some trial and error I was finally able to get a new replica + CA (RHEL 7.4 and ipa-server 4.5) added to our existing mixed environment (RHEL 6 and ipa-server 3.0 - 4.x), and the ipa-replica-install command completed successfully, but now when I run the ipa-replica-manage -v list <host> command I see this:
# ipa-replica-manage -v list ipa5.domain.tld
Directory Manager password:

ipa1.domain.tld: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
  last update ended: 1970-01-01 00:00:00+00:00
I ran ipa-replica-manage re-initialize and it runs successfully, and the above permission denied error goes away, but the host cannot be connected to any other replicas; it no longer sees itself as a replica or csreplica. I assume this is due to the re-init. I'm leery of trying to force it to join and potentially causing more issues. I would appreciate any helpful suggestions.
I tried a fresh install with the same result. The new replica install process completes successfully, but it does not register as a master. When I look at the replication status via ipa-replica-manage it shows this:
# ipa-replica-manage list -v ipa8.domain.tld
Directory Manager password:

ipa1.domain.tld: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
  last update ended: 1970-01-01 00:00:00+00:00
When I try to create a new replication agreement via ipa-replica-manage connect I get this message:
# ipa-replica-manage connect ipa4.domain.tld
Directory Manager password:
Connection unsuccessful: ipa4.domain.tld is an IPA Server, but it might be unknown, foreign or previously deleted one.
I saw this article: https://access.redhat.com/solutions/2988311
I checked all my replicas and they show:

$ ldapsearch -o ldif-wrap=no -D "cn=directory manager" -W -b "cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# replication managers, sysaccounts, etc, domain.tld
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa2.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa4.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa7.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa3.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa5.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa6.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa1.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa8.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
I also checked this on the new server:
# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
Enter LDAP Password:
dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60
On the other 4.x IPA servers (all non-CA replicas) it showed the first stanza like above, and on the 3.x servers it only had:

$ ldapsearch -o ldif-wrap=no -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
Enter LDAP Password:
dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
Anything else I should verify as well that might lead to a solution?
Thanks!
As a side question to this issue, might it be possible to use this non-replicating, essentially standalone new replica as a basis to rebuild the entire IPA environment, since it did complete successfully during the replica install?
The whole drive behind trying to get a new CA server in the environment is because I would like to eventually retire all 3.x IPA servers to take advantage of some of the newer features.
Bump, hoping someone can confirm whether or not this is a good next step to try to resolve the issue. Mainly concerned that the solution only mentions:
Red Hat Identity Management (IPA) 4.3, 4.4
Red Hat Enterprise Linux (RHEL) 7.2 and 7.3
And we have RHEL 6 and IPA 3.x as well in the environment.
Thanks!
john.bowman--- via FreeIPA-users wrote:
Bump hoping someone can confirm whether or not this is a good next step to try to resolve the issue. Mainly concerned that the solution only mentions:
Red Hat Identity Management (IPA) 4.3, 4.4 Red Hat Enterprise Linux (RHEL) 7.2 and 7.3
And we have RHEL 6 and IPA 3.x as well in the environment.
I think that is more for an established agreement than a new one. During the process of creating a new master this value should be created. If you poke at the 389-ds access log during the replica installation you might be able to determine if this is happening, succeeding or what.
rob
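Rob's suggestion to watch the 389-ds access log, and the nsds5replicabinddngroup checks posted earlier in the thread, can both be scripted. What follows is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-ds. The access-log excerpt is constructed (the line layout follows the 389-ds access log format, but the conn/op numbers, timestamps and the extended-operation name are invented), trace_supplier finds the connection on which the new replica's ldap/ principal completed its bind and reports the LDAP result of each extended operation that followed, and supplier_authorized encodes the 389-ds rule for accepting a supplier: the bind DN must be listed in nsds5ReplicaBindDN, or be a member of the group named by nsds5ReplicaBindDNGroup when that attribute is present. The group LDIF is abridged from the one posted above, the 4.5 server's cn=replica entry is as posted, and the 3.x-style cn=replica entry is a constructed stand-in (the thread shows only that those servers lack the group attribute; its nsds5ReplicaBindDN value is invented). SVC_DN is a helper template for the service principal DNs seen in the thread.

```python
"""Added triage helper, not code from the thread, FreeIPA or 389-ds (see lead-in)."""
import re
from collections import defaultdict

ACCESS_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"')
# Constructed sample in 389-ds access-log layout (conn/op numbers, times and the
# extop name are invented): the new replica's GSSAPI bind (err=14 on the first
# round trip is "SASL bind in progress"), then the replication start extended op.
SAMPLE_ACCESS_LOG = """\
[16/Aug/2017:10:15:01.100000000 -0400] conn=17 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Aug/2017:10:15:01.101000000 -0400] conn=17 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[16/Aug/2017:10:15:01.102000000 -0400] conn=17 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Aug/2017:10:15:01.103000000 -0400] conn=17 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/ipa5.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld"
[16/Aug/2017:10:15:01.104000000 -0400] conn=17 op=2 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[16/Aug/2017:10:15:01.105000000 -0400] conn=17 op=2 RESULT err=0 tag=120 nentries=0 etime=0
"""

def parse_access_log(text):
    """Group access-log lines by connection and operation (-1 = no op number)."""
    conns = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            op = int(m.group("op")) if m.group("op") is not None else -1
            conns[int(m.group("conn"))][op].append(m.group("rest"))
    return conns

def trace_supplier(text, principal):
    """Bind result and later EXT ops on the connection where `principal` (ldap/host@REALM) authenticated."""
    want = f"krbprincipalname={principal},".lower()
    for conn, ops in parse_access_log(text).items():
        for opnum in sorted(ops):
            for rest in ops[opnum]:
                dn = DN_RE.search(rest) if rest.startswith("RESULT") else None
                if not dn or not dn.group("dn").lower().startswith(want):
                    continue
                ext_ops = []  # (oid, LDAP result code) for each extended op after the bind
                for later in sorted(o for o in ops if o > opnum):
                    oid = next((EXT_RE.match(r).group("oid") for r in ops[later] if EXT_RE.match(r)), None)
                    err = next((int(ERR_RE.search(r).group("err")) for r in ops[later] if r.startswith("RESULT")), None)
                    if oid:
                        ext_ops.append((oid, err))
                return {"conn": conn, "bind_dn": dn.group("dn"), "ext_ops": ext_ops,
                        "bind_err": int(ERR_RE.search(rest).group("err"))}
    return None  # the principal never completed a bind in this log

SVC_DN = "krbprincipalname=ldap/%s.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld"
# Group membership as posted in the thread (abridged to two members).
GROUP_LDIF = """\
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa1.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa5.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
"""
# cn=replica on the new 4.5 server, as posted in the thread.
NEW_REPLICA_LDIF = r"""
dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60
"""
# Constructed stand-in for a 3.x consumer: the thread shows only that those servers
# lack nsds5replicabinddngroup; the nsds5replicabinddn value here is invented.
OLD_REPLICA_LDIF = r"""
dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
nsds5replicabinddn: krbprincipalname=ldap/ipa4.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
"""

def parse_ldif(text):
    """Minimal reader for `ldapsearch -o ldif-wrap=no` output: {dn.lower(): {attr.lower(): [values]}}."""
    entries, cur = {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries[cur[0]] = cur[1]
            cur = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                cur = (value.lower(), defaultdict(list))
            elif cur:
                cur[1][attr].append(value)
    return entries

def supplier_authorized(bind_dn, replica_attrs, directory):
    """389-ds rule: a supplier is accepted if its bind DN is listed in nsds5ReplicaBindDN
    or is a member of the group named by nsds5ReplicaBindDNGroup. Returns why, or None."""
    dn = bind_dn.lower()
    if dn in (v.lower() for v in replica_attrs.get("nsds5replicabinddn", [])):
        return "listed in nsds5ReplicaBindDN"
    for group in replica_attrs.get("nsds5replicabinddngroup", []):
        members = directory.get(group.lower(), {}).get("member", [])
        if dn in (m.lower() for m in members):
            return "member of " + group
    return None

def check_consumer(replica_ldif, bind_dn):
    """Verdict for one consumer's cn=replica entry, resolving the group from GROUP_LDIF."""
    (_, attrs), = parse_ldif(replica_ldif).items()
    return supplier_authorized(bind_dn, attrs, parse_ldif(GROUP_LDIF))
```

On a real server, run trace_supplier over /var/log/dirsrv/slapd-<INSTANCE>/access on the consumer (ipa1 in the thread) while the agreement is being set up, and give supplier_authorized the consumer's own cn=replica entry and its own copy of the group rather than the constants above. A bind that completes (bind_err 0 with the expected dn) on a consumer where the check returns None is the combination the status message above describes: the supplier authenticated, but that replica does not list its DN as one allowed to push updates.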
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org