2 FreeIPA 4.1.4 servers running on CentOS 7.
dc1 has a sync agreement to a Windows server.

It has been running fine since June 5 when I re-initialized a sync
agreement that had somehow uninitialized itself.  Original issue report
here:
Bug report here: https://fedorahosted.org/freeipa/ticket/5054

It appears the same thing may have happened again, one month later, but
this time randomly, as we have not made any changes to our sync agreement
since the initial change in June.  It appears to have uninitialized itself
without us changing it and managed to crash the directory server in doing
so.  Note that during the last week I could still log in to the web UI, but
around the time the log entries change, I became unable to.

I tried to log in to the web server today and it would not let me log in, so
I went to the shell on the server and noticed that the ipactl command would
freeze up again.  I looked at the logs (which I will paste below) and
restarted the directory server service.

I then found that my sync agreement had become uninitialized.

--- output ---
[root@dc1 slapd-IPADOMAIN-NET]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
 000000040000 557f49fb000200040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
 4000000030000 557f3e4a000200030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
 t:389} 557f494a
nsruvReplicaLastModified: {replica 3 ldap://dc2.ipadomain.n
 et:389} 557f3d95
oneWaySync: fromWindows
nsds5ReplicaEnabled: on
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaLastUpdateStatus: -1  - LDAP error: Can't contact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
--- output ---

Here are the error logs for the last month for the directory server.  They
are totally empty until July 2.

        389-Directory/ B2015.040.128
        dc1.ipadomain.net:636 (/etc/dirsrv/slapd-IPADOMAIN-NET)

[02/Jul/2015:03:19:02 +0000] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[02/Jul/2015:06:10:29 +0000] - Entry
"uid=jenkinsdev,cn=users,cn=accounts,dc=ipadomain,dc=net" missing
attribute "sn" required by object class "person"
[03/Jul/2015:02:04:02 +0000] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:05:39:01 +0000] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:17:09:00 +0000] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:22:41:32 +0000] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Cannot contact any KDC
for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[03/Jul/2015:22:41:32 +0000] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[03/Jul/2015:22:41:32 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Cannot contact any KDC for realm 'IPADOMAIN.NET'))
[03/Jul/2015:22:41:36 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth resumed
[05/Jul/2015:19:24:00 +0000] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[06/Jul/2015:02:46:50 +0000] - Entry
"uid=accounting,cn=users,cn=accounts,dc=ipadomain,dc=net" missing
attribute "sn" required by object class "person"
[06/Jul/2015:17:47:04 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:04 +0000] NSMMReplicationPlugin - windows sync -
agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replication
bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server)
[06/Jul/2015:17:47:07 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:13 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:25 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)

... repeats for 7 days ...

[13/Jul/2015:21:49:21 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
file or directory)
[13/Jul/2015:21:49:45 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
file or directory)
[13/Jul/2015:21:50:33 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
file or directory)
[13/Jul/2015:21:52:09 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
file or directory)
[13/Jul/2015:21:54:00 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
file or directory)
[13/Jul/2015:23:04:05 +0000] set_krb5_creds - Could not get initial
credentials for principal [ldap/dc1.ipadomain....@ipadomain.net] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Jul/2015:23:04:05 +0000] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Ticket expired)) errno
2 (No such file or directory)
[13/Jul/2015:23:04:10 +0000] set_krb5_creds - Could not get initial
credentials for principal [ldap/dc1.ipadomain....@ipadomain.net] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Jul/2015:23:04:10 +0000] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Ticket expired)) errno
2 (No such file or directory)
[13/Jul/2015:23:04:10 +0000] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[13/Jul/2015:23:04:10 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Ticket expired))
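
Added example, not part of the original post and not FreeIPA or 389-ds code: a Python check that parses `ldapsearch -LLL` output like the agreement entry above (including folded lines) and reports the state the post describes. The function names and the rules used (a non-zero status code, zeroed init timestamps, simple bind over plain LDAP) are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the agreement entry from the post,
# keeping the LDIF line folding (continuation lines start with one space).
SAMPLE_LDIF = """\
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\\3Dipadomain
 \\2Cdc\\3Dnet,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaBindMethod: simple
nsds5replicaLastUpdateStatus: -1  - LDAP error: Can't contact LDAP server
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
"""

def parse_ldif(text):
    """Entries as dicts of lowercased attribute -> values (no base64 decoding)."""
    unfolded = re.sub(r"\n ", "", text)  # RFC 2849 line unfolding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def check_agreement(entry):
    """Apply this example's heuristics (assumptions, not 389-ds rules)."""
    first = lambda attr: entry.get(attr, [""])[0]
    findings = []
    status = first("nsds5replicalastupdatestatus")
    code = re.match(r"-?\d+", status)
    if code and int(code.group()) != 0:
        findings.append("last update failed: " + status)
    if first("nsds5replicalastinitstart") in ("", "0") and \
       first("nsds5replicalastinitend") in ("", "0"):
        findings.append("no initialization recorded")
    if first("nsds5replicabindmethod").lower() == "simple" and \
       first("nsds5replicatransportinfo").upper() in ("", "LDAP"):
        findings.append("simple bind over plain LDAP")
    return findings

def audit(text):
    return {e["dn"][0]: check_agreement(e) for e in parse_ldif(text)
            if "nsdswindowsreplicationagreement"
            in (v.lower() for v in e.get("objectclass", []))}
```

Calling `audit()` on the saved `ldapsearch` output from a scheduled job gives a per-agreement list of findings that can be alerted on before the directory server stops responding.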


