I'm now trying to detach ipa2c7 from ipa1, the server from which it was 
originally replicated, in an attempt to use the newer replication mechanism to 
create a pair of replicas. It appears that we're both connected and 
disconnected at the same time:

[root@ipa2c7 ~]# ipa-replica-manage del ipa1.our.net
'ipa2c7.our.net' has no replication agreement for 'ipa1.our.net'
[root@ipa2c7 ~]# ipa-replica-manage list
ipa1.our.net: master
ipa2c7.our.net: master
[root@ipa2c7 ~]# ipa domainlevel-set 1
ipa: ERROR: Domain Level cannot be raised to 1, server ipa1.our.net does not 
support it.
[root@ipa2c7 ~]# 


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Mon, Jun 21, 2021, at 12:16 PM, Bret Wortman via FreeIPA-users wrote:
> On Mon, Jun 21, 2021, at 11:02 AM, Bret Wortman via FreeIPA-users wrote:
> > On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote:
> > > Bret Wortman via FreeIPA-users wrote:
> > > > On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote:
> > > >> On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote:
> > > >>> Awesome, glad to hear it. When you complete the migration don't forget
> > > >>> to move over the DNA settings, CRL generation and other stuff.
> > > >>
> > > >> Is this documented somewhere? I'd hate to miss a step.
> > > > 
> > > > Also, my new host, ipa2, is claiming to already have a replication 
> > > > agreement with ipa2c7 but I'm not seeing it:
> > > > 
> > > > [root@ipa2c7 ~]# ipa-replica-manage list
> > > > ipa1.our.net: master
> > > > ipa2c7.our.net: master
> > > > [root@ipa2c7 ~]# ipa-replica-manage list-ruv
> > > > Directory Manager password: 
> > > > 
> > > > unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
> > > > unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
> > > > unable to decode: {replica 21} 60cb27ed000600150000 60cb27ed000600150000
> > > > unable to decode: {replica 24} 60cc5b11000400180000 60cc5b11000400180000
> > > > unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
> > > > unable to decode: {replica 18} 60bf4aec000000120000 60c07065000200120000
> > > > unable to decode: {replica 5}
> > > > Replica Update Vectors:
> > > >         ipa2c7.our.net:389: 26
> > > >         ipa1.our.net:389: 4
> > > > Certificate Server Replica Update Vectors:
> > > >         ipa2c7.our.net:389: 91
> > > >         ipa1.our.net:389: 96
> > > > [root@ipa2c7 ~]# 
> > > > 
> > > > Could it be one of those "unable to decode" replicas and if so how do I 
> > > > get rid of those?
> > > 
> > > Try ipa-replica-manage clean-dangling-ruv
> > > 
> > > and/or ipa-replica-manage clean-ruv <replica id>
> > 
> > I did the clean-dangling-ruv and it got me to this point. When I try to 
> > clean-ruv one of these IDs:
> > 
> > [root@ipa2c7 ~]# ipa-replica-manage clean-ruv 13
> > Directory Manager password: 
> > 
> > unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
> > unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
> > unable to decode: {replica 21} 60cb27ed000600150000 60cb27ed000600150000
> > unable to decode: {replica 24} 60cc5b11000400180000 60cc5b11000400180000
> > unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
> > unable to decode: {replica 18} 60bf4aec000000120000 60c07065000200120000
> > unable to decode: {replica 5}
> > Replica ID 13 not found
> > [root@ipa2c7 ~]# 
> > 
> > And it does the same for each.
> 
> ipa-replica-install (from a file) fails at LDAP each time without 
> exception and I'm at a loss. I assume this is the local LDAP (it's up 
> and running, as is the one on the master). The session running the 
> install shows this:
> 
>   [28/42]: ignore time skew for initial replication
>   [29/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 14 seconds elapsed
> [ldap://ipa2c7.our.net:389] reports: Update failed! Status: [Error (-1) 
>  - LDAP error: Can't contact LDAP server]
> 
>   [error] RuntimeError: Failed to start replication
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipapython.admintool: ERROR    Failed to start replication
> ipapython.admintool: ERROR    The ipa-replica-install command failed. 
> See /var/log/ipareplica-install.log for more information
> 
> While /var/log/dirsrv/slapd-OUR-NET/errors shows:
> 
> [21/Jun/2021:16:09:27.828454697 +0000] - NOTICE - ldbm_back_start - 
> found 3880256k physical memory
> [21/Jun/2021:16:09:27.828686874 +0000] - NOTICE - ldbm_back_start - 
> found 3217604k available
> [21/Jun/2021:16:09:27.828889226 +0000] - NOTICE - ldbm_back_start - 
> cache autosizing: db cache: 97006k
> [21/Jun/2021:16:09:27.829111098 +0000] - NOTICE - ldbm_back_start - 
> cache autosizing: userRoot entry cache (1 total): 262144k
> [21/Jun/2021:16:09:27.830332460 +0000] - NOTICE - ldbm_back_start - 
> cache autosizing: userRoot dn cache (1 total): 65536k
> [21/Jun/2021:16:09:27.830869767 +0000] - NOTICE - ldbm_back_start - 
> total cache size: 415011962 B; 
> [21/Jun/2021:16:09:27.966802789 +0000] - INFO - slapd_daemon - slapd 
> started.  Listening on All Interfaces port 389 for LDAP requests
> [21/Jun/2021:16:09:27.967189984 +0000] - INFO - slapd_daemon - 
> Listening on /var/run/slapd-OUR-NET.socket for LDAPI requests
> [21/Jun/2021:16:09:28.106773443 +0000] - ERR - NSMMReplicationPlugin - 
> acquire_replica - agmt="cn=meToipa2c7.our.net" (ipa2c7:389): Unable to 
> acquire replica: permission denied. The bind dn "" does not have 
> permission to supply replication updates to the replica. Will retry 
> later.
> [21/Jun/2021:16:09:28.119010503 +0000] - ERR - NSMMReplicationPlugin - 
> acquire_replica - agmt="cn=meToipa2c7.our.net" (ipa2c7:389): Unable to 
> acquire replica: permission denied. The bind dn "" does not have 
> permission to supply replication updates to the replica. Will retry 
> later.
> [21/Jun/2021:16:09:31.136160660 +0000] - WARN - NSMMReplicationPlugin - 
> repl5_inc_run - agmt="cn=meToipa2c7.our.net" (ipa2c7:389): The remote 
> replica has a different database generation ID than the local database. 
>  You may have to reinitialize the remote replica, or the local replica.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to 
> freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
> 
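Added example, not part of the original message or of FreeIPA's own code: a small decoder for the RUV lines quoted above that ipa-replica-manage reports as "unable to decode". It assumes the standard 389 Directory Server CSN layout (8 hex digits of epoch seconds, then 4 hex digits each for sequence number, replica ID and sub-sequence number); the function names are hypothetical and the sample is constructed from lines in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three of the undecodable RUV lines quoted in the thread.
SAMPLE = """\
unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
unable to decode: {replica 5}
"""

# "{replica N [url]}" followed by zero, one or two 20-hex-digit CSNs.
RUV_RE = re.compile(r"\{replica (\d+)[^}]*\}((?:\s+[0-9a-fA-F]{20}){0,2})")


def parse_csn(csn):
    """Split a CSN into (UTC time, sequence, replica id, sub-sequence)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    ts, seq, rid, sub = (int(csn[i:j], 16)
                         for i, j in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return datetime.fromtimestamp(ts, tz=timezone.utc), seq, rid, sub


def parse_ruv_lines(text):
    """Return one dict per RUV element found in list-ruv style output."""
    out = []
    for line in text.splitlines():
        m = RUV_RE.search(line)
        if not m:
            continue
        rid = int(m.group(1))
        csns = [parse_csn(c) for c in m.group(2).split()]
        out.append({
            "rid": rid,
            "first_change": csns[0][0] if csns else None,
            "last_change": csns[-1][0] if csns else None,
            # The replica ID embedded in each CSN should match the element's ID.
            "rid_consistent": all(c[2] == rid for c in csns),
        })
    return out


if __name__ == "__main__":
    for e in parse_ruv_lines(SAMPLE):
        last = e["last_change"].isoformat() if e["last_change"] else "no CSN recorded"
        print(f"replica {e['rid']:>3}: last change {last}, "
              f"id match={e['rid_consistent']}")
```

The decoded timestamps show when each leftover replica ID last originated a change, which helps match an ID to a server that was installed or removed around that date.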