On 02/06/2017 05:14 PM, Giorgio Biacchi wrote:
On 02/06/2017 04:54 PM, Rob Crittenden wrote:
Giorgio Biacchi wrote:
Hi list,
I have this message in the logs:
Feb 6 16:43:10 dc01 ns-slapd: [06/Feb/2017:16:43:10.157801305 +0100]
NSMMReplicationPlugin -
agmt="cn=masterAgreement1-dc02.myorg.local-pki-tomcat" (dc02:389): Data
required to update replica has been purged from the changelog. The
replica must be reinitialized.
But ipa-replica-manage re-initialize --from dc02.myorg.local does not
fix the problem. Even moving away the changelog directory didn't help..
I'm running ipa-server-4.4.0-14.el7.centos.4.x86_64 and
389-ds-base-1.3.5.10-15.el7_3.x86_64, and setup is:
#ipa-replica-manage list
Directory Manager password:
dc01.myorg.local: master
dc02.myorg.local: master
Can someone please tell me which is the correct sequence of actions to
fix this issue?
The error appears to be the CA replicated data (ref to tomcat in the
agreement) so you need to use ipa-csreplica-manage instead of
ipa-replica-manage.
rob
Hi Rob,
even ipa-csreplica-manage re-initialize --from dc02.myorg.local seems not to
solve the issue, here's the logs after the command you suggested:
Feb 6 17:12:06 dc01 ns-slapd: [06/Feb/2017:17:12:06.432485541 +0100]
NSMMReplicationPlugin - changelog program - agmt="cn=meTodc02.myorg.local"
(idc02:389): CSN 58989367000c00040000 not found, we aren't as up to date, or we
purged
Feb 6 17:12:06 dc01 ns-slapd: [06/Feb/2017:17:12:06.436444629 +0100]
NSMMReplicationPlugin - agmt="cn=meTodc02.myorg.local" (dc02:389): Data required
to update replica has been purged from the changelog. The replica must be
reinitialized.
Thanks for your kind attention
Hello again,
after a couple of re-initialization (ipa-csreplica-manage and
ipa-replica-manage) and after systemctl restart ipa now the previuos error is
gone and the replica is working in both directions.
Now I have a new error:
Feb 6 18:02:12 dc01 [sssd[ldap_child[10109]]]: Failed to initialize credentials
using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable
to create GSSAPI-encrypted LDAP connection.
Feb 6 18:02:12 dc01 [sssd[ldap_child[10109]]]: Decrypt integrity check failed
There's a way to fix this??
Thanks
--
gb
PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
