While researching the steps to perform the offline initialization I noticed a peculiarity with the replica agreements on the system I plan to use as my source data.  Notice the duplicate hostname from the ipa-csreplica-manage command.  Is this yet another concern?  If so, how do I remove the duplicate?  Looking at the list of RUVs I don't see a duplicate there.

Please forgive me if I'm off topic and seem to be going through a squirrel moment. I'm finding this situation a bit nerve-wracking.

Thank you for all of your help.

# ipa-csreplica-manage list tierod.<domain> -v
Directory Manager password:

fitch.<domain>
  last init status: 0 Total update succeeded
  last init ended: 2018-05-10 19:28:58+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-11 15:13:48+00:00
piston.<domain>
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (32) Problem connecting to replica - LDAP error: No such object (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
fitch.<domain>
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
kodiak.<domain>
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (18) Replication error acquiring replica: Incremental update transient error.  Backing off, will retry update later. (transient error)
  last update ended: 1970-01-01 00:00:00+00:00
piston.<domain>
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-11 15:13:48+00:00

# ipa-replica-manage list tierod.<domain> -v
Directory Manager password:

fitch.<domain>: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-11 15:26:31+00:00
sump.<domain>: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-11 15:26:31+00:00

# ipa-replica-manage list-ruv
Directory Manager password:

Replica Update Vectors:
        tierod.<domain>:389: 8
        sump.<domain>:389: 15
        piston.<domain>:389: 12
        kodiak.<domain>:389: 11
        voge.<domain>:389: 10
        fitch.<domain>:389: 14
Certificate Server Replica Update Vectors:
        tierod.<domain>:389: 1095
        piston.<domain>:389: 1180
        kodiak.<domain>:389: 1185
        voge.<domain>:389: 1190
        fitch.<domain>:389: 1295

*Michael Rainey*
Network Representative
Naval Research Laboratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529
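To triage output like the `ipa-csreplica-manage list -v` listing above without reading it by eye, here is a small parser that groups the agreement blocks by hostname, reports hostnames that appear more than once, and lists agreements whose last update status carries a non-zero error code. This is an added example, not code from the thread or from FreeIPA; the `example.test` hostnames and the sample text are constructed to mirror the format shown above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ipa-csreplica-manage list -v output in the thread.
SAMPLE = """\
fitch.example.test
  last init status: 0 Total update succeeded
  last init ended: 2018-05-10 19:28:58+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-11 15:13:48+00:00
piston.example.test
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (32) Problem connecting to replica - LDAP error: No such object (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
fitch.example.test
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
"""

STATUS_RE = re.compile(r"Error \((\d+)\)")


def parse_agreements(text):
    """Return one dict per agreement block, in output order.

    A block starts with an unindented line holding the hostname (optionally
    followed by ': replica' in ipa-replica-manage output); the indented lines
    that follow are 'key: value' fields, split on the first colon only so that
    timestamps and status messages containing colons survive intact.
    """
    agreements = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Directory Manager password"):
            continue
        if not line[0].isspace():
            agreements.append({"host": line.split(":")[0].strip()})
        elif agreements:
            key, _, value = line.strip().partition(":")
            agreements[-1][key.strip()] = value.strip()
    return agreements


def find_problems(agreements):
    """Return (hostnames listed more than once, [(host, error code)] for non-zero statuses)."""
    by_host = defaultdict(list)
    for a in agreements:
        by_host[a["host"]].append(a)
    duplicates = sorted(h for h, blocks in by_host.items() if len(blocks) > 1)
    failing = []
    for a in agreements:
        m = STATUS_RE.search(a.get("last update status", ""))
        if m and int(m.group(1)) != 0:
            failing.append((a["host"], int(m.group(1))))
    return duplicates, failing
```

Feed it the saved output of either `ipa-csreplica-manage list <host> -v` or `ipa-replica-manage list <host> -v`; the same block format is used by both.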

On 05/10/2018 03:06 PM, Mark Reynolds via FreeIPA-users wrote:

On 05/10/2018 03:30 PM, Rob Crittenden wrote:
Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
Sigh... My replication agreements really do seem to be completely
jacked up.  I would have expected the hostname replica agreements and
the hostname csreplica agreements to match.
This is fairly typical. You don't really need a full CA on every
master; you just want > 1 CAs in your installation.

Maybe Mark can provide some insight into the replication issues.
Replication is not working because the master can not bind to the
consumer to initialize it.  Another option is to do an offline
initialization so that the consumer gets the usercertificate it needs
for incremental replication to work.

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-initializing_consumers#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
I think that once we work that out the other CA master will get
its updated certificate via standard means and things will hopefully
just work at that point.

rob

# ipa-replica-manage list fitch.<domain> -v
Directory Manager password:

kodiak.<domain>: replica
   last init status: None
   last init ended: 1970-01-01 00:00:00+00:00
   last update status: Error (18) Replication error acquiring replica: Incremental update transient error.  Backing off, will retry update later. (transient error)
   last update ended: 1970-01-01 00:00:00+00:00
piston.<domain>: replica
   last init status: None
   last init ended: 1970-01-01 00:00:00+00:00
   last update status: Error (0) Replica acquired successfully: Incremental update succeeded
   last update ended: 2018-05-10 19:11:56+00:00
tierod.<domain>: replica
   last init status: None
   last init ended: 1970-01-01 00:00:00+00:00
   last update status: Error (18) Replication error acquiring replica: Incremental update transient error.  Backing off, will retry update later. (transient error)
   last update ended: 1970-01-01 00:00:00+00:00
# ipa-csreplica-manage list fitch.<domain> -v
Directory Manager password:

voge.<domain>
   last init status: None
   last init ended: 1970-01-01 00:00:00+00:00
   last update status: Error (0) No replication sessions started since server startup
   last update ended: 1970-01-01 00:00:00+00:00


On 05/10/2018 01:02 PM, Michael Rainey (Contractor, Code 7320) via
FreeIPA-users wrote:
Sigh. This is what I get when I type too fast.
No worries.  You're helping me to make some headway on this problem.

This is more of what you are wanting to see, and for me it doesn't
look good.  Does this mean I'll be using the re-initialize option or
some variation?

ipa-csreplica-manage list fitch.<domain> -v
Directory Manager password:

voge.<domain>
   last init status: None
   last init ended: 1970-01-01 00:00:00+00:00
   last update status: Error (0) No replication sessions started since server startup
   last update ended: 1970-01-01 00:00:00+00:00


On 05/10/2018 12:09 PM, Rob Crittenden wrote:
Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
Use ipa-cacert-manage -v `hostname` to see what the status is.
Is this correct usage for this command?  It throws out debug
messages.
Sigh. This is what I get when I type too fast.

ipa-csreplica-manage ...

rob

ipa-cacert-manage -v 'fitch'
ipa: DEBUG: Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
Usage: ipa-cacert-manage renew [options]
        ipa-cacert-manage install [options] CERTFILE

ipa-cacert-manage: error: unknown command "fitch"
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
169, in execute
     self.validate_options()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py",
line 105, in validate_options
     parser.error("unknown command \"%s\"" % command)
   File "/usr/lib64/python2.7/optparse.py", line 1583, in error
     self.exit(2, "%s: error: %s\n" % (self.get_prog_name(), msg))
   File "/usr/lib64/python2.7/optparse.py", line 1573, in exit
     sys.exit(status)

ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
ipa-cacert-manage command failed, exception: SystemExit: 2
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The
ipa-cacert-manage command failed.

On 05/10/2018 10:59 AM, Rob Crittenden via FreeIPA-users wrote:
Use ipa-cacert-manage -v `hostname` to see what the status is.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
