On Fri, Oct 8, 2010 at 14:52, James Roman <james.ro...@ssaihq.com> wrote: > On 10/08/2010 01:49 PM, Dan Scott wrote: >> >> On Fri, Oct 8, 2010 at 13:18, Rich Megginson<rmegg...@redhat.com> wrote: >>> >>> Dan Scott wrote: >>>> >>>> On Fri, Oct 8, 2010 at 11:39, James Roman<james.ro...@ssaihq.com> >>>> wrote: >>>> >>>>>> So does anyone have any more suggestions? Or should I just configure a >>>>>> new replica with new hostname and IP? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Dan >>>>>> >>>>> I've seen the initial problem where the memberof elements stop updating >>>>> on >>>>> my own FreeIPA v1 replica as well. Normally it happens after I perform >>>>> a >>>>> full init of the replica. The subsequent errors you are experiencing >>>>> have >>>>> not occurred on my system. You have not indicated a synchronization >>>>> error >>>>> anywhere, but they tend to get buried in the error logs. I assume you >>>>> are >>>>> not short on disk space on the replica. I also assume that the /var has >>>>> not >>>>> been mounted as read-only. (I've had a few oddities where disk/storage >>>>> problems have caused a file-system to be remounted read-only recently) >>>>> >>>>> Out of curiosity, if you modify a user on the replica, do the changes >>>>> get >>>>> saved to the record? If you add a user to a new group on the replica >>>>> does >>>>> the memberof attribute get added to the user's record? >>>>> >>>> Hmm, very strange. Adding my user to another group appears to have >>>> fixed the memberOf attributes for my user on the replica.... >>>> >>>> Presumably, the fixup-memberof.pl script is supposed to do this - >>>> strange that it does not appear to work. >>>> >>>> I can create a temporary group, add all users to it and then remove >>>> them again - possibly that would fix the problem? >>>> >>>> I'm still a little concerned by log entries such as (on the replica): >>>> >>>> NSMMReplicationPlugin - replica_check_for_data_reload: Warning: data >>>> for replica dc=example,dc=com was reloaded and it no longer matches >>>> the data in the changelog (replica data> changelog). Recreating the >>>> changelog file. This could affect replication with replica's consumers >>>> in which case the consumers should be reinitialized. >>>> >>> You should only see this once. This is ok for an initial initialization >>> or >>> a reinitialization. >> >> OK, thanks. I also get the following (on both master and replica) on >> each alteration of LDAP: >> >> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set >> referrals for replica dc=example,dc=com: 20 >> >> Is this expected/normal? >> >> Thanks, >> >> Dan > > Dan > > I was going to suggest reinitializing the sync agreement and running the > fixmemberof script again. Did I miss that you have actually done that > already?
Yes, once I realised that there were difference between the master and replica I ran: ipa-replica-manage init ohm.example.com from curie. To try and get the syncing working. > If not than that error seems pretty out of place. Before you do run > the following script on both servers (replacing dc=example and hostname) and > remove the admin group from any that you find on both servers before doing > your re-init. > ldapsearch -Y GSSAPI -h hostname -b > "cn=groups,cn=accounts,dc=example,dc=com" > '(member=cn=admins,cn=groups,cn=accounts,dc=example,dc=com)' I did have a group which contained the admins group as a member. I removed this yesterday and so there are now no groups containing the member 'admins'. > The test of adding the user to the group was only to test that the > ipa-memberof plug-in is functioning properly on the replica. It is triggered > by a group change on the server. The fixmemberof script is really a much > more efficient way of updating all accounts. Yes, but the fixmember script doesn't appear to work. It appeared to successfully add the entry: cn=memberOf_fixup_2010_10_8_15_6_11 but the memberOf attributes weren't corrected. > One other consideration, are both server time in sync (at least within 5 > minutes) but in general, you want them to be pretty close. Yes, they are both in sync ('Exactly' in sync, < 1s apart as far as I can tell). Thanks for your help. Dan _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users