On slave: :_getAccountFlags Referral received

[sanga.c@…]

i am at the point of no return in a deployment and i can not get rid of this error for a couple of accounts on the slave that are no longer on the master. This situation happens more and more and i do not have a way to fix without erasing everything and starting again :(

Error

Unknown error at EBox::SambaLdapUser::_getAccountFlags Referral received

Trace

Unknown error at EBox::SambaLdapUser::_getAccountFlags Referral received at /usr/share/perl5/EBox/Ldap.pm line 701
	EBox::Ldap::_errorOnLdap('Net::LDAP::Search=HASH(0x7f4cbf98a938)', 'HASH(0x7f4cbf915c90)') called at /usr/share/perl5/EBox/Ldap.pm line 341
	EBox::Ldap::search('EBox::Ldap=HASH(0x7f4cbe789148)', 'HASH(0x7f4cbf915c90)') called at /usr/share/perl5/EBox/SambaLdapUser.pm line 843
	EBox::SambaLdapUser::_getAccountFlags('EBox::SambaLdapUser=HASH(0x7f4cbf3796a8)', 'hr.spca.sc') called at /usr/share/perl5/EBox/SambaLdapUser.pm line 853
	EBox::SambaLdapUser::_userSharing('EBox::SambaLdapUser=HASH(0x7f4cbf3796a8)', 'hr.spca.sc') called at /usr/share/perl5/EBox/SambaLdapUser.pm line 431
	EBox::SambaLdapUser::_userAddOns('EBox::SambaLdapUser=HASH(0x7f4cbf3796a8)', 'hr.spca.sc') called at /usr/share/perl5/EBox/UsersAndGroups.pm line 2474
	EBox::UsersAndGroups::allUserAddOns('EBox::UsersAndGroups=HASH(0x7f4cbd89bd88)', 'hr.spca.sc') called at /usr/share/perl5/EBox/CGI/UsersAndGroups/User.pm line 51
	EBox::CGI::UsersAndGroups::User::_process('EBox::CGI::UsersAndGroups::User=HASH(0x7f4cbf996c50)') called at /usr/share/perl5/EBox/CGI/Base.pm line 275
	EBox::CGI::Base::run('EBox::CGI::UsersAndGroups::User=HASH(0x7f4cbf996c50)') called at /usr/share/perl5/EBox/CGI/Run.pm line 129
	EBox::CGI::Run::run('EBox::CGI::Run', 'UsersAndGroups/User', 'EBox') called at /usr/share/zentyal/cgi/ebox.cgi line 34
	ModPerl::ROOT::ModPerl::Registry::usr_share_zentyal_cgi_ebox_2ecgi::handler('Apache2::RequestRec=SCALAR(0x7f4cbf95ae88)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
	eval {...} called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
	ModPerl::RegistryCooker::run('ModPerl::Registry=HASH(0x7f4cbf94aab0)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 170
	ModPerl::RegistryCooker::default_handler('ModPerl::Registry=HASH(0x7f4cbf94aab0)') called at /usr/lib/perl5/ModPerl/Registry.pm line 31
	ModPerl::Registry::handler('ModPerl::Registry', 'Apache2::RequestRec=SCALAR(0x7f4cbf95ae88)') called at -e line 0
	eval {...} called at -e line 0

[anonymous]

zentyal.log

[jamor@…]

Hello Sanga C,

normally this error is fired by a synchronization problem. We are rewriting master/slave to be more resilient but in the meantime try the following command in the slave to rejoin the master:

sudo /usr/share/zentyal-users/rejoin-slave

Regards,

Javier

[jamor@…]

Other problem that could cause this error is when the master cannot resolve the name of the slave. In this case add the name of the salve to your local DNS server or to the master's /etc/hosts file.

Please, reopen if none of the proposed solutions works.

Regards,

Javier

[sanga.c@…]

sorry i couldnt reply immediately i am still on the road trying to wrap up this deployment. Also when i try to respond on the website i get a message that my post was rejected as spam :)

/usr/share/zentyal-users/rejoin-slave was a big problem since it forced me to also reinstall users and groups module on the slave and then i had to rejoin all the computers to the domain which was painful since the site had over 30 workstations. DNS is ok since i have a dedicated dns server just for the master to use. I can resolve hostnames of slave servers as well as fqns without a problem. (including the slave in question)

The issue is still occuring and i think its almost at random. Ive tried using bulk user script to create accounts and also from the webui (takes on average 10 minutes to create an account)

Let me know what other information you need. I will be flying back to my home office tonight and over this up coming weekend ill need to resolve this once and for all b4 my boss throws the book at me :)

[jamor@…]

Hello Sanga C,

I think you are confusing 'zentyal-users/rejoin-slave' with 'zentyal-users/reintall'. Rejoin slave doesnt reisntall the modules but starts again the process of synchronization.

Another thing, you have pending actions in the slaves?. (This could be viewed in the master).

Normally when are pending actions, the slave could go out of sync and have missing LDAP attributes. This in turn fires the Referral error. Usually we fix this with the rejoin-slave command

Regards,

Javier

[Sanga.c@…]

I did rejoin-slave and none of the computers could log into the domain. Also just mapping a drive on the slave to see if authentication was active failed. So after rebooting computers and slave server I had to do a reinstall of users and groups to get the domain function back. This then deleted all the machine accounts so I had to rejoin all the computers to the domain.

In the master the list of pending operations grows and grows even though the sync is taking place. It's now about 60 pending operations that simply want clear. I've even tried going into the sync folder for each salve and deleting pending operations. Not sure what else to do since I don't get consistent results from the different fixes I have tried.

[jamor@…]

Hello Sanga C,

normally this problem is a configuration problem. Are you sure that the master can resolve the name of th slaves? and connect to them?.

Also since they use SOAP to synchornize the pending operations maybe the apache erro log could give you more light into this problem, you can see it in /var/log/zentyal/error.log

Regards,

Javier

[sanga.c@…]

Hi Javier,

I confirmed the master can resolve the slave hostname and FQDN. From the master i can also connect to the webui for all the slaves on port 443. I will start digging through the error.log to see if i can find more details on what is going on.