On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote:
> Huh.. Well, who'da thunk it. I just literally reported the same kind of
> trouble I was having, which looks like it matches this same situation,
> with the ipa-replica-install failing to initiate replication because of
> Invalid password, because the password for some reason does not seem to
> be being set.
Sorry, replication does not use the Directory Manager account.
Typically some type of "replication manager" entry is used, and in IPA
I'm pretty sure this account uses Kerberos credentials (not a password).

Going back to the Directory Manager... To confirm if the password is
set, look in /etc/dirsrv/slapd-INSTANCE/dse.ldif, and under cn=config
look for "nsslapd-rootpw"; if this attribute is missing then it truly is
not set. If your Directory Manager account does not have a password, or
there is a password but you don't know what it is, then you can reset it
following this doc:

http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html

>
> Eric
>
>
> -----Original Message-----
>
> Date: Tue, 13 Jun 2017 09:49:40 -0400
> Subject: [Freeipa-users] Re: replication problem
> Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Adrian
> HY <ayeja...@gmail.com>
> To: Mark Reynolds <marey...@redhat.com>
> Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> From: Adrian HY via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> Hi Mark, my problem is during the replica installation. I can't use
> ldapmodify because cn=directory manager  does not have the password
> assigned.
>
> Regards.
>
> On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds <marey...@redhat.com>
> wrote:
>> On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
>>> I think I detected the problem. The error log in the replica
>>> writes:
>>>
>>> [11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length
>>> exceeds maximum allowed limit (length=2483849, limit=2097152). 
>>> Change the nsslapd-maxsasliosize attribute in cn=config to increase
>>> limit.
>>> [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
>>>
>>> According to this: (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)
>>>
>>> "When an incoming SASL IO packet is larger than the
>>> nsslapd-maxsasliosize limit, the server immediately disconnects the
>>> client and logs a message to the error log, so that an administrator
>>> can adjust the setting if necessary"
>>>
>>> The problem now is how can I change the value of the attribute
>>> during replication.
>>  You just use ldapmodify to change the value on each replica:
>>
>> # ldapmodify -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-maxsasliosize
>> nsslapd-maxsasliosize:  YOUR_NEW_VALUE
>>
>>> Regards.
>>>
>>> On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY <ayeja...@gmail.com>
>>> wrote:
>>>> Hi folks, I had a problem with replication and I tried to add the
>>>> slave back to the replica. The process stops in the initial
>>>> replication phase.
>>>>
>>>> The firewall and selinux are down and both servers are
>>>> synchronized with the time.
>>>>
>>>> CentOS 7.3
>>>> FreeIPA 4.4.0-14
>>>>
>>>> Master error log:
>>>>
>>>> [11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
>>>> [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
>>>> [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
>>>> [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
>>>> [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
>>>> [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server):  for total update operation
>>>> [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
>>>> [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
>>>> [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
>>>> [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
>>>> [11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
>>>>
>>>> Client ipareplica-install.log:
>>>>
>>>> 2017-06-11T05:24:24Z DEBUG stderr=
>>>> 2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389]
>>>> timeout 300
>>>> 2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master
>>>> [attempt 1/5]
>>>> 2017-06-11T05:24:24Z DEBUG flushing
>>>> ldap://usuarios.ipa.server.com:389 from SchemaCache
>>>> 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache
>>>> url=ldap://usuarios.ipa.server.com:389
>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
>>>> 2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
>>>> 2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-
>>>> IPA.SERVER.COM.socket from SchemaCache
>>>> 2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache
>>>> url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket
>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
>>>> 2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/service.py", line 449, in
>>>> start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/service.py", line 439, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/dsinstance.py", line 416, in
>>>> __setup_replica
>>>>     repl.setup_promote_replication(self.master_fqdn)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/replication.py", line 1643, in
>>>> setup_promote_replication
>>>>     raise RuntimeError("Failed to start replication")
>>>> RuntimeError: Failed to start replication
>>>>
>>>> 2017-06-11T05:24:46Z DEBUG   [error] RuntimeError: Failed to
>>>> start replication
>>>> 2017-06-11T05:24:46Z DEBUG Destroyed connection
>>>> context.ldap2_101192976
>>>> 2017-06-11T05:24:46Z DEBUG   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/admintool.py", line 171, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/cli.py", line 318, in run
>>>>     cfgr.run()
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 310, in run
>>>>     self.execute()
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 332, in execute
>>>>     for nothing in self._executor():
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 372, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 394, in
>>>> _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 362, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 359, in <lambda>
>>>>     step = lambda: next(self.__gen)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/util.py", line 81, in
>>>> run_generator_with_yield_from
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/util.py", line 59, in
>>>> run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 586, in _configure
>>>>     next(executor)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 372, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 449, in
>>>> _handle_exception
>>>>     self.__parent._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 394, in
>>>> _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 446, in
>>>> _handle_exception
>>>>     super(ComponentBase, self)._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 394, in
>>>> _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 362, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/core.py", line 359, in <lambda>
>>>>     step = lambda: next(self.__gen)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/util.py", line 81, in
>>>> run_generator_with_yield_from
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/util.py", line 59, in
>>>> run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipapython/install/common.py", line 63, in _install
>>>>     for nothing in self._installer(self.parent):
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/server/replicainstall.py", line 1722,
>>>> in main
>>>>     promote(self)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/server/replicainstall.py", line 372,
>>>> in decorated
>>>>     func(installer)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/server/replicainstall.py", line 1423,
>>>> in promote
>>>>     promote=True, pkcs12_info=dirsrv_pkcs12_info)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/server/replicainstall.py", line 135,
>>>> in install_replica_ds
>>>>     api=remote_api,
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/dsinstance.py", line 401, in
>>>> create_replica
>>>>     self.start_creation(runtime=60)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/service.py", line 449, in
>>>> start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/service.py", line 439, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/dsinstance.py", line 416, in
>>>> __setup_replica
>>>>     repl.setup_promote_replication(self.master_fqdn)
>>>>   File "/usr/lib/python2.7/site-
>>>> packages/ipaserver/install/replication.py", line 1643, in
>>>> setup_promote_replication
>>>>     raise RuntimeError("Failed to start replication")
>>>>
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>  
>>
>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
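
The check described in the reply at the top of this message (look under cn=config in dse.ldif for nsslapd-rootpw), as an added example that is not part of the original thread and is not 389-DS or FreeIPA code. It unfolds LDIF continuation lines, matches only the cn=config entry itself, and reports the storage scheme without printing the hash; the sample LDIF, its placeholder hash and the function names are constructed for illustration.

```python
import base64
import re
import sys

# Constructed sample of a dse.ldif (placeholder hash, not from a real server).
# The rootpw value is folded: its second line starts with one space.
HEAD = "dn: cn=config\ncn: config\nnsslapd-rootdn: cn=Directory Manager\n"
ROOTPW = "nsslapd-rootpw: {SSHA512}CONSTRUCTEDplaceholderNOTaREAL\n hashAAAA\n"
TAIL = "\ndn: cn=plugins,cn=config\ncn: plugins\n"
SAMPLE_SET = HEAD + ROOTPW + TAIL
SAMPLE_UNSET = HEAD + TAIL


def unfold(text):
    """Join LDIF continuation lines (a newline followed by a single space)."""
    return re.sub(r"\r?\n ", "", text)


def rootpw_status(ldif_text):
    """Report whether cn=config carries nsslapd-rootpw, without exposing the hash."""
    for block in re.split(r"\n[ \t]*\n", unfold(ldif_text)):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        # Match the cn=config entry itself, not children such as cn=plugins,cn=config.
        if attrs.get("dn", [""])[0].replace(" ", "").lower() != "cn=config":
            continue
        values = [v for v in attrs.get("nsslapd-rootpw", []) if v]
        if not values:
            return {"set": False, "scheme": None}
        scheme = re.match(r"\{([^}]+)\}", values[0])
        return {"set": True, "scheme": scheme.group(1) if scheme else None}
    raise ValueError("no cn=config entry found")


if __name__ == "__main__":
    # Pass the path to dse.ldif; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SET
    print(rootpw_status(text))
```

A result of `{"set": True, "scheme": None}` means a value is present but carries no `{SCHEME}` prefix, which is worth a closer look because the file would then hold something other than a hashed password.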
