After an IPA server is re-initialized it immediately begins failing incremental updates. I checked the Kerberos logs and things appear to be OK there, and I can manually test LDAP from all servers against all other servers.
There is a DS5ReplicaBindDN entry in "dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for an IPA server that no longer exists. But all living IPA servers have an entry for all other living servers. There is the correct number of cn=master, and cn=ca, and the caRenewalMaster is set on the correct master. "ipa-replica-manage del --force --clean <server>" does not remove the entry. There were some RUV from the old servers also and I cleaned them. The man page says if a clean is run on the wrong ID then the server should be re-initialized, so I just did that on purpose and re-initialized one of the servers and that has cleared the NSMMReplicationPlugin error (so far) but I am still getting the attrlist_replace error. I'm getting no indication of Kerberos problems.

Could it be the NSACLPlugin? It precedes the other error every time but that is probably just regular startup procedure, and having an ACL for something that doesn't exist doesn't feel like a fatal error to me. I didn't do the KRA install.

[root@ipa05 slapd-example-com]# tail -f errors
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
[10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
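
Added example, not part of the original post and not FreeIPA or 389 Directory Server code: a small parser for errors-log lines like those above. It groups messages by replication agreement and decodes the missing CSN to show which replica ID originated it, for comparison against the RUV entries that were cleaned. It assumes the 389 Directory Server CSN string layout of 8 hex digits of timestamp, 4 of sequence number, 4 of replica ID and 4 of sub-sequence; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three lines copied from the errors log in the post.
SAMPLE = """\
[10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
"""

AGMT = re.compile(r'agmt="cn=([^"]+)"')
CSN = re.compile(r"\bCSN ([0-9a-f]{20})\b")


def decode_csn(csn):
    """Split a CSN string into its fields (assumed layout: time, seq, rid, subseq)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("CSN must be exactly 20 hex digits: %r" % csn)
    epoch = int(csn[0:8], 16)
    return {
        "epoch": epoch,
        "time": datetime.fromtimestamp(epoch, tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),  # compare with replica IDs in the RUV
        "subseq": int(csn[16:20], 16),
    }


def summarize(log_text):
    """Per agreement: decoded CSNs reported missing, and whether re-init is demanded."""
    result = {}
    for line in log_text.splitlines():
        agmt = AGMT.search(line)
        if not agmt:
            continue  # e.g. NSACLPlugin or attrlist_replace lines
        entry = result.setdefault(
            agmt.group(1), {"missing_csns": [], "needs_reinit": False})
        csn = CSN.search(line)
        if csn and ("Can't locate CSN" in line or "not found" in line):
            decoded = decode_csn(csn.group(1))
            if decoded not in entry["missing_csns"]:
                entry["missing_csns"].append(decoded)
        if "must be reinitialized" in line:
            entry["needs_reinit"] = True
    return result


if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(name, info)
```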