Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/278 attempting to replicate schema gives the following error: [01/Feb/2012:17:47:32 -0500] NSMMReplicationPlugin - agmt="cn=agreementname" (server:389): Schema replication update failed: Invalid syntax
steps to verify in upstream ticket
To reproduce: Install IPA server with dogtag CA Prepare replica: ipa-replica-prepare serverb.example.com Install on replica with CA: ipa-replica-install serverb.example.com --setup-ca dogtag handles creating the replication agreement. The dogtag DS instance can be found on both servers in /etc/dirsrv/slapd-PKI-IPA/ This repeats in the log on the initial master every 5 minutes: [02/Feb/2012:16:04:02 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-doberman.greyoak.com-pki-ca" (doberman:7389): Schema replication update failed: Invalid syntax [02/Feb/2012:16:04:02 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-doberman.greyoak.com-pki-ca" (doberman:7389): Warning: unable to replicate schema: rc=1 99user.ldif contains lots of custom schema (attached). If I copy this to the replica and restart it then dogtag appears to work fine.
What log file were those errors seen in? /var/log/dirsrv/slapd-PKI-IPA/errors? What version of 389-ds-base was affected here? I've tried reproducing with the following but have not seen that error in the log yet: 389-ds-base-1.2.9.14-1.el6.x86_64 ipa-server-2.1.3-9.el6.x86_64 Could other command line options have affect whether or not the bug is seen? Outside or yum installs and some hostname/resolv.conf fixes, this is what I was doing when trying to reproduce: ### ON MASTER: ipa-server-install --idstart=3000 --idmax=50000 --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN ### ON REPLICA: cd /dev/shm sftp root@$MASTERIP:/var/lib/ipa/replica-info-$hostname_s.$DOMAIN.gpg ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg
(un)fortunately it is impossible to reproduce unless you are using 389-ds-base-1.2.10.a5 that is, the bug was introduced in 389-ds-base-1.2.10.a5 and fixed in .rc1 so no RHEL version had the bug it is enough to verify that schema replication works between RHEL 6.3 and RHEL 6.2 with no errors
Ok, I setup a RHEL 6.3 IPA Master. Then I tried to setup a RHEL 6.2 Replica but, the install fails. However, during install, I do see some errors but, not the invalid syntax ones. Could those be from multiple re-install attempts? ### On MASTER: # ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN ### On REPLICA: # ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg ...looked normal until the following error: [29/29]: configuring directory to start on boot done configuring dirsrv. creation of replica failed: [Errno 2] No such file or directory: '/tmp/tmp1O5dxFipa/realm_info/ldappwd' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ### On Master in /var/log/dirsrv/slapd-PKI-IPA/errors: [03/May/2012:18:07:05 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Unable to acquire replica: there is no replicated area "o=ipaca" on the consumer server. Replication is aborting. [03/May/2012:18:07:05 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Incremental update failed and requires administrator action [03/May/2012:18:07:22 -0500] NSMMReplicationPlugin - agmt_delete: begin [03/May/2012:18:07:26 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:07:26 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host spoore-dvm2.testrelm.com, port 7389. Continuing with total update session. [03/May/2012:18:07:26 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)". [03/May/2012:18:07:30 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)". Sent 97 entries. [03/May/2012:18:07:31 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:07:31 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1 [03/May/2012:18:07:32 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:18:07:32 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:07:32 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1 [03/May/2012:18:07:34 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:18:07:35 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:07:35 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1 [03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1 [03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1 [03/May/2012:18:07:39 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:18:07:40 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:07:40 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1 [03/May/2012:18:10:49 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:10:49 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1 [03/May/2012:18:10:49 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:18:15:51 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists [03/May/2012:18:15:51 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
(In reply to comment #6) > Ok, I setup a RHEL 6.3 IPA Master. Then I tried to setup a RHEL 6.2 Replica > but, the install fails. However, during install, I do see some errors but, not > the invalid syntax ones. Could those be from multiple re-install attempts? Probably. I don't think you can do a valid test for this bug unless you can do a master and replica setup with no errors.
Doesn't matter which direction does it? I'll try a 6.2 master and 6.3 replica and see if that works better. On a side note, when I uninstall from replica and upgrade from 6.2 to 6..3 and do the prepare and install, I don't see those messages: [03/May/2012:19:15:17 -0500] NSMMReplicationPlugin - agmt_delete: begin [03/May/2012:19:15:22 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)". [03/May/2012:19:15:26 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)". Sent 115 entries. [03/May/2012:19:15:28 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:19:15:30 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:19:15:33 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:19:15:35 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:19:16:18 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:19:16:18 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later. [03/May/2012:19:16:20 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20 [03/May/2012:19:16:21 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Replication bind with SIMPLE auth resumed [03/May/2012:19:18:51 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
(In reply to comment #8) > Doesn't matter which direction does it? I'll try a 6.2 master and 6.3 replica > and see if that works better. It shouldn't matter. Ideally we would test both ways. > > On a side note, when I uninstall from replica and upgrade from 6.2 to 6..3 and > do the prepare and install, I don't see those messages: > > [03/May/2012:19:15:17 -0500] NSMMReplicationPlugin - agmt_delete: begin > [03/May/2012:19:15:22 -0500] NSMMReplicationPlugin - Beginning total update of > replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" > (spoore-dvm2:7389)". > [03/May/2012:19:15:26 -0500] NSMMReplicationPlugin - Finished total update of > replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" > (spoore-dvm2:7389)". Sent 115 entries. > [03/May/2012:19:15:28 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: > could not set referrals for replica o=ipaca: 20 > [03/May/2012:19:15:30 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: > could not set referrals for replica o=ipaca: 20 > [03/May/2012:19:15:33 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: > could not set referrals for replica o=ipaca: 20 > [03/May/2012:19:15:35 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: > could not set referrals for replica o=ipaca: 20 > [03/May/2012:19:16:18 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: > could not set referrals for replica o=ipaca: 20 > [03/May/2012:19:16:18 -0500] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): > Unable to receive the response for a startReplication extended operation to > consumer (Can't contact LDAP server). Will retry later. > [03/May/2012:19:16:20 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: > could not set referrals for replica o=ipaca: 20 > [03/May/2012:19:16:21 -0500] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): > Replication bind with SIMPLE auth resumed > [03/May/2012:19:18:51 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: > could not set referrals for replica o=ipaca: 20 These error code 20 messages indicate that you have deleted one or more replicas. That's why I recommend starting over from scratch.
Verified with sanity check. I had to Install Master/Replica on 6.2 and then upgrade though to get it to work. There were problems with installing with on 6.2 and the other 6.3. Version :: ipa-server-2.2.0-12.el6.x86_64 389-ds-base-1.2.10.2-9.el6.x86_64 Manual Test Results :: Master=6.3/Replica=6.2 ------------------------- 1. Installed IPA Master on 6.2 2. Installed IPA Replica on 6.2 with --setup-ca 3. Upgrade master to 6.3 with yum update 'ipa*' 4. Wait for ~15 minutes 5. Grep for error on master does not show error reported for this bug: # egrep "NSMMReplicationPlugin.*Schema replication update failed: Invalid syntax" /var/log/dirsrv/slapd-PKI-IPA/errors # So, I don't see the errors from this bug, so this looks like it's fixed. If I need to sanity check it against a Master=6.2/Replica=6.3, we can move this back to ON_QA and do so. It shouldn't matter though, right?
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: This is not a bug that could have been seen by a customer. We have included this bug for upstream tracking purposes.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0813.html