that did the trick! Running

db2index.pl -D cn='Directory Manager' -v -w - -t entryrdn

fixed the database. After that I was able to set up my Replication again.

Thanks for your help!

________________________________________
From: Rob Crittenden <[email protected]>
Sent: Friday, 15 April 2016 16:50
To: Kilian Ries; Ludwig Krispenz
Cc: [email protected]
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:
> I'm not quite familiar with the db2index.pl script ... what am I doing wrong?
>
> db2index.pl -n userRoot -D cn=admin -w
> ldap_bind: No such object (32)
> Failed to search the server for indexes, error (32)
>
>
> db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn
> ldap_bind: No such object (32)
> Failed to add task entry "cn=db2index_2016_4_15_16_44_19, cn=index, cn=tasks,
> cn=config" error (32)

Use 'cn=Directory Manager' instead of cn=admin

rob

>
> ________________________________________
> From: Ludwig Krispenz <[email protected]>
> Sent: Friday, 15 April 2016 12:31
> To: Kilian Ries
> Cc: [email protected]
> Subject: Re: AW: [Freeipa-users] Error setting up Replication: ldap service
> principals is missing. Replication agreement cannot be converted
>
> On 04/15/2016 10:14 AM, Kilian Ries wrote:
>> Hi,
>>
>> on auth01 I see the following error just before installation fails:
>>
>>
>> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031,
>> err=9999 Unknown error 9999
>> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
>> [14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
>> [14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252,
>> string=""
>> [14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn
>> "krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=intern,dc=eu"
>> was in the entryrdn index, but it did not exist in id2entry of instance
>> userRoot.
>> [14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN
>> (dn:
>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=intern,dc=eu)
>> is already in the entryrdn file with different ID 252. Expected ID is 625.
>> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031,
>> err=9999 Unknown error 9999
>> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
>> [14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
>> [14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252,
>> string=""
>> [14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn
> this looks like a database/index corruption. There are traces for the
> ldapprincipal for auth02 in the database, but the index and the database
> are inconsistent. you can try to reindex the database and see if this helps:
> db2index.pl -D ... -w .. -Z <instance> -t entryrdn #only this index
> or
> db2index.pl -D ... -w .. -Z <instance> # full reindex
>>
>>
>> [14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace
>> (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.
>>
>>
>> Greets
>> Kilian
>>
>>
>> ________________________________________
>> From: [email protected] <[email protected]> on
>> behalf of Ludwig Krispenz <[email protected]>
>> Sent: Thursday, 14 April 2016 16:46
>> To: [email protected]
>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service
>> principals is missing. Replication agreement cannot be converted
>>
>> On 04/14/2016 04:19 PM, Kilian Ries wrote:
>>> Hello Rob,
>>>
>>> thanks for your explanations. I followed your hints and did a complete
>>> uninstall and started over with a fresh installation. I ended up with
>>> exactly the same error as the first time...
>>>
>>> I did the following steps:
>>>
>>>
>>> auth01$ ipa-replica-manage del auth02
>>>
>>> auth02$ ipa-server-install --uninstall
>>>
>>> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
>>>
>>> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder
>>> 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg
>>>
>>>
>>> Are there other logfiles I can check for more specific errors?
>> you should have a look at the DS error logs in /var/log/dirsrv on both
>> instances
>>> Greets
>>> Kilian
>>>
>>> ________________________________________
>>> From: Rob Crittenden <[email protected]>
>>> Sent: Wednesday, 13 April 2016 16:18
>>> To: Kilian Ries; [email protected]
>>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service
>>> principals is missing. Replication agreement cannot be converted
>>>
>>> Kilian Ries wrote:
>>>> Does nobody have an idea what's the problem here?
>>> TL;DR you are best off deleting this failed replica install and trying
>>> again.
>>>
>>> Initial replication is done over TLS. When replication is completed both
>>> sides of the agreement are converted to using GSSAPI and both ldap
>>> principals are needed to do this. Given that replication just completed
>>> both principals should be available but rarely one is not (hence the
>>> vague-ish error message).
>>>
>>> In this case the new ldap principal for the new replica wasn't found on
>>> the remote master so things blew up.
>>>
>>> There is no continuing the installation after this type of failure so
>>> you'll need to remove the failed install as a master on auth01
>>> (ipa-replica-manage del auth02...) and then run ipa-server-install
>>> --uninstall on auth02 and try again.
>>>
>>> rob
>>>
>>>> Thanks
>>>>
>>>> Kilian
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* [email protected]
>>>> <[email protected]> on behalf of Kilian Ries
>>>> <[email protected]>
>>>> *Sent:* Wednesday, 6 April 2016 10:41
>>>> *To:* [email protected]
>>>> *Subject:* [Freeipa-users] Error setting up Replication: ldap service
>>>> principals is missing. Replication agreement cannot be converted
>>>>
>>>> Hello,
>>>>
>>>>
>>>> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
>>>> trying to add a replication partner.
>>>>
>>>>
>>>> During the installation I got the following error:
>>>>
>>>>
>>>> ###
>>>>
>>>> Restarting the directory and certificate servers
>>>>
>>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>>
>>>> [1/8]: adding sasl mappings to the directory
>>>>
>>>> [2/8]: configuring KDC
>>>>
>>>> [3/8]: creating a keytab for the directory
>>>>
>>>> [4/8]: creating a keytab for the machine
>>>>
>>>> [5/8]: adding the password extension to the directory
>>>>
>>>> [6/8]: enable GSSAPI for replication
>>>>
>>>> [error] RuntimeError: One of the ldap service principals is missing.
>>>> Replication agreement cannot be converted.
>>>>
>>>> Your system may be partly configured.
>>>>
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
>>>> ldap service principals is missing. Replication agreement cannot be
>>>> converted.
>>>>
>>>> ###
>>>>
>>>>
>>>>
>>>> The installation Log shows the following:
>>>>
>>>>
>>>>
>>>> ###
>>>>
>>>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for
>>>> conversion: (krbprincipalname=ldap/[email protected]) and
>>>> (krbprincipalname=ldap/[email protected])
>>>>
>>>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for
>>>> (krbprincipalname=ldap/[email protected]) on auth01.intern.eu:636
>>>>
>>>> 2016-04-06T08:22:34Z INFO Setting agreement
>>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>>>> tree,cn=config schedule to 2358-2359 0 to force synch
>>>>
>>>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
>>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>>>> tree,cn=config
>>>>
>>>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
>>>> 0 Replica acquired successfully: Incremental update succeeded: start: 0:
>>>> end: 0
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 418, in start_creation
>>>>
>>>> run_step(full_msg, method)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 408, in run_step
>>>>
>>>> method()
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>>>> line 438, in __convert_to_gssapi_replication
>>>>
>>>> r_bindpw=self.dm_password)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 1104, in convert_to_gssapi_replication
>>>>
>>>> self.gssapi_update_agreements(self.conn, r_conn)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 797, in gssapi_update_agreements
>>>>
>>>> self.setup_krb_princs_as_replica_binddns(a, b)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 767, in setup_krb_princs_as_replica_binddns
>>>>
>>>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 751, in get_replica_principal_dns
>>>>
>>>> raise RuntimeError(error)
>>>>
>>>> RuntimeError: One of the ldap service principals is missing. Replication
>>>> agreement cannot be converted.
>>>>
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap
>>>> service principals is missing. Replication agreement cannot be converted.
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG File
>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>>> execute
>>>>
>>>> return_value = self.run()
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
>>>> line 311, in run
>>>>
>>>> cfgr.run()
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 281, in run
>>>>
>>>> self.execute()
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 303, in execute
>>>>
>>>> for nothing in self._executor():
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 343, in __runner
>>>>
>>>> self._handle_exception(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>> util.raise_exc_info(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 333, in __runner
>>>>
>>>> step()
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 87, in run_generator_with_yield_from
>>>>
>>>> raise_exc_info(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 65, in run_generator_with_yield_from
>>>>
>>>> value = gen.send(prev_value)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 524, in _configure
>>>>
>>>> executor.next()
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 343, in __runner
>>>>
>>>> self._handle_exception(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 421, in _handle_exception
>>>>
>>>> self.__parent._handle_exception(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>> util.raise_exc_info(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 418, in _handle_exception
>>>>
>>>> super(ComponentBase, self)._handle_exception(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>> util.raise_exc_info(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 333, in __runner
>>>>
>>>> step()
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 87, in run_generator_with_yield_from
>>>>
>>>> raise_exc_info(exc_info)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 65, in run_generator_with_yield_from
>>>>
>>>> value = gen.send(prev_value)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>>>> line 63, in _install
>>>>
>>>> for nothing in self._installer(self.parent):
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 879, in main
>>>>
>>>> install(self)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 295, in decorated
>>>>
>>>> func(installer)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 586, in install
>>>>
>>>> krb = install_krb(config, setup_pkinit=not options.no_pkinit)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 93, in install_krb
>>>>
>>>> setup_pkinit, pkcs12_info)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>>>> line 214, in create_replica
>>>>
>>>> self.start_creation(runtime=30)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 418, in start_creation
>>>>
>>>> run_step(full_msg, method)
>>>>
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 408, in run_step
>>>>
>>>> method()
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>>>> line 438, in __convert_to_gssapi_replication
>>>>
>>>> r_bindpw=self.dm_password)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 1104, in convert_to_gssapi_replication
>>>>
>>>> self.gssapi_update_agreements(self.conn, r_conn)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 797, in gssapi_update_agreements
>>>>
>>>> self.setup_krb_princs_as_replica_binddns(a, b)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 767, in setup_krb_princs_as_replica_binddns
>>>>
>>>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>>>
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 751, in get_replica_principal_dns
>>>>
>>>> raise RuntimeError(error)
>>>>
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed,
>>>> exception: RuntimeError: One of the ldap service principals is missing.
>>>> Replication agreement cannot be converted.
>>>>
>>>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is
>>>> missing. Replication agreement cannot be converted.
>>>>
>>>> ###
>>>>
>>>>
>>>>
>>>> Can anybody help me?
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Greets
>>>>
>>>> Kilian
>>>>
>>>>
>>>>
>> --
>> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>> Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
>> Michael O'Neill
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
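
The error-log signature discussed in this thread (a DN present in the entryrdn index whose ID has no usable id2entry record), as an added example that is not part of the original messages or of the 389-DS/FreeIPA code: a Python check that correlates those log lines into one finding per affected DN. The function name, the regular expressions and the sample log with its placeholder DN are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the error-log excerpt quoted in the thread.
# The DN is a placeholder, not a value taken from the page.
DN = ("krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,"
      "cn=services,cn=accounts,dc=example,dc=test")
SAMPLE_LOG = f'''\
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "{DN}" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: {DN}) is already in the entryrdn file with different ID 252. Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.
'''

ORPHAN = re.compile(r'dn2entry_ext: the dn "(?P<dn>[^"]+)" was in the entryrdn index, '
                    r'but it did not exist in id2entry of instance (?P<inst>\w+)')
CONFLICT = re.compile(r'_entryrdn_insert_key: Same DN \(dn: (?P<dn>.+?)\) is already in '
                      r'the entryrdn file with different ID (?P<stale>\d+)\. '
                      r'Expected ID is (?P<new>\d+)')
NULL_READ = re.compile(r'str2entry returned NULL for id (?P<id>\d+)')
ADD_FAIL = re.compile(r'add: attempt to index (?P<id>\d+) failed')


def find_entryrdn_mismatches(log_text):
    """Group error-log lines into one finding per DN whose entryrdn index
    entry and id2entry record disagree."""
    findings, null_reads, add_fails = {}, {}, {}
    for line in log_text.splitlines():
        if m := ORPHAN.search(line):
            findings.setdefault(m["dn"], {})["instance"] = m["inst"]
        elif m := CONFLICT.search(line):
            findings.setdefault(m["dn"], {}).update(
                stale_id=int(m["stale"]), expected_id=int(m["new"]))
        elif m := NULL_READ.search(line):
            null_reads[int(m["id"])] = null_reads.get(int(m["id"]), 0) + 1
        elif m := ADD_FAIL.search(line):
            add_fails[int(m["id"])] = add_fails.get(int(m["id"]), 0) + 1
    for f in findings.values():
        # Supporting evidence: empty id2entry reads for the stale ID and
        # failed adds for the ID the new entry was expected to get.
        f["null_reads"] = null_reads.get(f.get("stale_id"), 0)
        f["failed_adds"] = add_fails.get(f.get("expected_id"), 0)
    return findings


if __name__ == "__main__":
    for dn, f in find_entryrdn_mismatches(SAMPLE_LOG).items():
        print(dn, f, "-> candidate for an entryrdn reindex")
```

A finding that carries both a stale ID and an expected ID matches the state diagnosed in the thread, for which the entryrdn reindex with db2index.pl was suggested.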
