Re: No Login on GUI
by Christian Reiss
Hey Angus,
thanks for replying. Allow me to reply inline:
On 06/12/2019 16:00, Angus Clarke wrote:
> Have you checked your times are in sync within 5 minutes?
Yes. And it's monitored.
> Have you checked DNS is working for all node entries between all nodes?
Yes. And it's monitored. Even PTR <-> A check.
> Have you used ipactl [status|restart|stop]?
Yes.
[root@auth1:~] # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auth2:~] # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
auth3 is down.
> -> Do you see certain services fail and have you checked their logs?
Well, that's the wild thing. ipa cli (host remove, host add etc.) all work
from auth1 (whose webui does not allow access). And all changes are
propagated to auth2. Same for the other way around.
It's just the login to auth1.
> I'm hoping your remaining IPA server is the renewal master:
>
> On remaining good server:
> kinit admin
> ipa config-show | grep "IPA CA renewal master"
auth1 and auth2 agree on auth1 being the IPA CA renewal master.
> If it is then the following rebuild instructions should be ok.
> If it is not, then you prolly need some other advice (I haven't faced
> that situation yet ...)
> [...]
The following items seem to mix my two problems.
a) auth1 web login broken,
b) auth3 needs re-setup.
Any clue on how to debug the web login (or lack thereof) issue?
Checked httpd logs, nothing to see there in the error logs...
Cheers,
Chris.
--
Christian Reiss - email(a)christian-reiss.de
support(a)alpha-labs.net
WEB alpha-labs.net
ASCII Ribbon Campaign against HTML in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
4 years, 4 months
FreeIPA and IPv6
by TomK
Hey All,
Does FreeIPA fully support IPv6, or are there corner cases and
limitations that could make it a show stopper?
Just a general question. If folks here could elaborate on this topic a
bit, it would be appreciated.
--
Thx,
TK.
4 years, 4 months
No Login on GUI
by Christian Reiss
Hey folks,
I am running a 4.6.5 (CentOS 7) cluster consisting of 3 nodes.
Replication is working and I have been using it for nearly a year now.
Now, two issues arose. First, on my first node, I can no longer log in to
the WebUI, neither with password nor with Kerberos login. I can log in on
the 2nd node without any issues. Replication works, however (if I delete
a host on node1 it is replicated to node2, and creating a host on node2
will replicate to node1).
/var/log/httpd/* yields no usable errors. Login with password just says
"wrong password".
Second issue: My home server where node3 was running died. I have
file-based backups, but several errors are flashing up; no good.
Can I simply replace the VM with a fresh one, re-attach it using the
same name and all is well? What would be the correct way to replace a node?
Thanks for your help,
Chris.
--
Christian Reiss - email(a)christian-reiss.de
support(a)alpha-labs.net
WEB alpha-labs.net
ASCII Ribbon Campaign against HTML in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
4 years, 4 months
Apache mod_ssl on the same host as FreeIPA
by Vinícius Ferrão
Hello,
Is it supported to install mod_ssl on the same machine as FreeIPA? I’m asking this because FreeIPA ships mod_nss by default, and this may lead to conflicts inside /etc/httpd/conf.d. For example:
[root@headnode conf.d]# grep -iR virtualhost
nss.conf:<VirtualHost _default_:443>
nss.conf:</VirtualHost>
ssl.conf:<VirtualHost _default_:443>
ssl.conf:</VirtualHost>
Both add a default virtual host to 443.
What’s the correct procedure? Don’t use mod_ssl at all?
Thanks,
4 years, 4 months
ipa-server-install error [37/44] initializing group membership: [error] NotFound: no such entry
by Michael Schefczyk
Dear All,
Trying to install ipa-server (4.7.1-11.module_el8.0.0+79+bbd20d7b package from @AppStream) on a new virtual CentOS Linux 8.0.1905 server within my LAN (fresh test install, the previous version on CentOS 7 did work), I persistently get the following error message when freipa-install tries to configure the dirsrv:
[37/44]: initializing group membership
[error] NotFound: no such entry
I would very much welcome it if anyone could point me in the right direction. I find the log content (below) not very telling.
Regards,
Michael Schefczyk
2019-10-13T07:21:07Z DEBUG step duration: dirsrv __add_topology_entries 0.05 sec
2019-10-13T07:21:07Z DEBUG [37/44]: initializing group membership
2019-10-13T07:21:07Z DEBUG Starting external process
2019-10-13T07:21:07Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpm2nl4f4x', '-H', 'ldapi://%2fvar%2frun%2fslapd-B72-COM.socket', '-Y', 'EXTERNAL']
2019-10-13T07:21:07Z DEBUG Process finished, return code=0
2019-10-13T07:21:07Z DEBUG stdout=add objectClass:
top
extensibleObject
add cn:
IPA install
add basedn:
dc=b72,dc=com
add filter:
(objectclass=*)
add ttl:
10
adding new entry "cn=IPA install 1570951250, cn=memberof task, cn=tasks, cn=config"
modify complete
2019-10-13T07:21:07Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-B72-COM.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
2019-10-13T07:21:07Z DEBUG Waiting for memberof task to complete.
2019-10-13T07:21:07Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1022, in error_handler
yield
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1514, in find_entries
raise e
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1474, in find_entries
result = self.conn.result3(id, 0)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'desc': 'No such object'}
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof
replication.wait_for_task(conn, dn)
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task
entry = conn.get_entry(dn, attrlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
ipalib.errors.NotFound: no such entry
2019-10-13T07:21:07Z DEBUG [error] NotFound: no such entry
2019-10-13T07:21:07Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 550, in main
master_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 253, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 800, in install
setup_pkinit=not options.no_pkinit)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 345, in create_instance
self.start_creation(runtime=30)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof
replication.wait_for_task(conn, dn)
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task
entry = conn.get_entry(dn, attrlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
2019-10-13T07:21:07Z DEBUG The ipa-server-install command failed, exception: NotFound: no such entry
2019-10-13T07:21:07Z ERROR no such entry
2019-10-13T07:21:07Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
4 years, 4 months
Debug logging for dirsrv
by Russ Long
Hello,
I'm trying to figure out how to temporarily enable debug-level logging for dirsrv. I'm using an external application (elasticsearch/kibana) that I have set up to authenticate against my FreeIPA cluster using LDAP, and there are some odd issues that I'd like to prove are on the Elasticsearch side and not FreeIPA, but ES support wants debug-level logging from the LDAP server.
4 years, 4 months
Manual ipa-client-install is not sufficient
by Vinícius Ferrão
Hello, this is probably to the developers.
I’m deploying FreeIPA clients in an automated fashion and hit an issue in some ancillary software, like ipa-client-automount.
After a successful manual join of a FreeIPA client, this command specifically fails, saying that the machine isn’t joined to FreeIPA: "IPA client is not configured on this system”.
But if we try to run ipa-client-install, even though I didn’t use it the first time, it says it’s already joined: "IPA client is already configured on this system”.
So it’s probably some issue in the checking routines of those tools.
Digging further I was able to nail it down to a specific directory that ipa-client-automount checks during execution: /var/lib/ipa/sysrestore/
This directory is empty when the machine is joined manually. But the verification method used by ipa-client-automount is to look at this directory and get its contents, or its size. I ran the command with strace and there’s a getdents() call just before the error, so it returns -1 if the directory does not exist and throws the error.
I’ve created the directory. Now getdents() returns 0, but it still fails.
Touched a random file inside the directory, so getdents() can return something higher than 0. And it worked. ipa-client-automount worked as expected.
So, I’m not a Python guy; I tried to read the code for ipa-client-automount and it was beyond my knowledge.
The thing is:
* Is it a bug?
* Is the check flawed?
* Is there a way to fix this, or any workaround that I’m missing?
* Should I make ipa-client-automount manually too?
* Should I open some bug fix request?
Thank you guys.
4 years, 4 months
Re: ipa-replica-install latest failure attempt:
by Florence Blanc-Renaud
On 12/2/19 7:10 PM, Auerbach, Steven via FreeIPA-users wrote:
> A couple of follow-up questions and some results of an ldap search...
>
> In your suggested ldapmodify statement:
> ldapmodify -h <master_host> -p 389 -D "cn=directory manager" -W
> dn: cn=replica,cn=<suffix>, cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDNGroupCheckInterval
> nsds5ReplicaBindDNGroupCheckInterval: 3
>
> 1: Is the command only the first line and the remaining lines responses to interactive prompts?
> 2: I know that <master host> is my host fqdn. What is supposed to replace <suffix> in the dn=<suffix> declaration?
The suffix corresponds to your baseDN, but with escape characters
(because the baseDN contains =). To find it, you can do
# ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config"
-s one -o ldif-wrap=no -LLL dn
Enter LDAP Password:
dn: cn=cn\3Dchangelog,cn=mapping tree,cn=config
dn: cn=dc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
So in my example, the suffix is dc=redhat,dc=com and the right way to
escape chars is to write cn=dc\3Dredhat\2Cdc\3Dcom.
>
> I did an ldapsearch on this ipa master. I was trying to determine the current settings on this option before I modify it. Looking specifically for ReplicaBindDN section I found the following:
You probably did a search on your base DN (dc=fbog,dc=local), but the
config you are looking for is in the cn=config subtree. The LDAP server
is able to contain multiple baseDNs that are called suffixes or naming
contexts. The user and group entries are stored below your usual base DN
dc=fbog,dc=local but the configuration is stored separately below cn=config.
Hope this clarifies,
flo
> # System: Read Replication Information, permissions, pbac, fbog.local
> dn: cn=System: Read Replication Information,cn=permissions,cn=pbac,dc=fbog,dc=local
> ipaPermTargetFilter: (objectclass=nsds5replica)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: all
> ipaPermissionType: SYSTEM
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> cn: System: Read Replication Information
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: nsds5replicatombstonepurgeinterval
> ipaPermDefaultAttr: nsds5replicareferral
> ipaPermDefaultAttr: nsstate
> ipaPermDefaultAttr: cn
> ipaPermDefaultAttr: nsds5flags
> ipaPermDefaultAttr: nsds5replicacleanruv
> ipaPermDefaultAttr: nsds5replicabinddn
> ipaPermDefaultAttr: nsds5replicaprotocoltimeout
> ipaPermDefaultAttr: nsds5replicatype
> ipaPermDefaultAttr: nsds5replicachangecount
> ipaPermDefaultAttr: nsds5replicaroot
> ipaPermDefaultAttr: nsds5replicabackoffmin
> ipaPermDefaultAttr: nsds5replicaname
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: nsds5replicalegacyconsumer
> ipaPermDefaultAttr: nsds5replicapurgedelay
> ipaPermDefaultAttr: nsds5replicaid
> ipaPermDefaultAttr: nsds5replicaautoreferral
> ipaPermDefaultAttr: nsds5replicabackoffmax
> ipaPermDefaultAttr: nsds5replicaabortcleanruv
> ipaPermDefaultAttr: nsds5task
> ipaPermLocation: cn=replication,cn=etc,dc=fbog,dc=local
>
> This is not telling me what the current values are. I could not locate declarations for nsds5ReplicaBindDNGroupCheckInterval. Does that even exist in ipa v3.0?
>
> -Steven Auerbach
>
> -----Original Message-----
> From: thierry bordaz <tbordaz(a)redhat.com>
> Sent: Tuesday, November 19, 2019 3:31 AM
> To: Rob Crittenden <rcritten(a)redhat.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
> Subject: Re: [Freeipa-users] ipa-replica-install latest failure attempt:
>
>
>
> On 11/18/19 11:24 PM, Rob Crittenden wrote:
>> Auerbach, Steven via FreeIPA-users wrote:
>>> Executed ipa-replica-prepare on an RHEL 6.9 server running ipa-server
>>> 3.0.0.1_51 (name : ipa01)
>>>
>>> Yum installed ipa-server, ipa-server-dns, bind-dyndb-ldap on the
>>> target Linux 7.6 server (name: ipa04)
>>>
>>> Copied the file to the target server to which ipa-server 4.6.5-11.0.1
>>> is installed (ipa04)
>>>
>>> Copied the file :/usr/share/ipa/copy-schema-to-ca.py from ipa v4.6
>>> server to the ipa v3.0 server and executed it successfully.
>>>
>>> Edited the /etc/resolv.conf on ipa04 to include ipa01. Did not reboot.
>>>
>>> Executed ipa-replica-install --setup-dns --forwarder=8.8.8.8
>>> --setup-ca /var/lib/ipa/replica-info-ipa04.fbog.local.gpg (on ipa04)
>>>
>>>
>>> 2019-11-16T16:23:24Z DEBUG The ipa-replica-install command failed,
>>> exception: NotFound: wait_for_entry timeout on
>>> ldap://ipa01.fbog.local:389 for
>>> krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=acco
>>> unts,dc=fbog,dc=local
>>>
>>> 2019-11-16T16:23:24Z ERROR wait_for_entry timeout on
>>> ldap://ipa01.fbog.local:389 for
>>> krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=acco
>>> unts,dc=fbog,dc=local
>>>
>>>
>>>
>>> Not sure where to go from here. Did I leave out some declaration or
>>> specification on the initial command?
>> The problem isn't in the command invocation, replication is just slow
>> enough for some reason that the new principal(s) weren't replicated to
>> the existing master.
>>
>> I seem to recall a 389-ds option to mitigate this but I can't remember
>> it off the top of my head (or maybe it isn't applicable for RHEL 6
>> master). cc'ing someone who would know.
>>
>> rob
>
> It is difficult to be sure without all logs (ipa-replica-install, DS
> logs) and config.
> From the top of my head I recall an old bug where the replica agreement
> replica->master was failing to bind because master did not lookup the
> updated bind group.
>
> Rob, is it the bug you were thinking of ?
>
> If it is this bug, you may try to set nsds5ReplicaBindDNGroupCheckInterval
>
> ldapmodify -h <master_host> -p 389 -D "cn=directory manager" -W
> dn: cn=replica,cn=<suffix>, cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDNGroupCheckInterval
> nsds5ReplicaBindDNGroupCheckInterval: 3
>
> This modification does not require restart.
>
> best regards
> thierry
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
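As an added example (not code from the thread, from FreeIPA or from 389-ds): the escaping Florence describes above, worked out in Python, together with a parser for an ldapsearch listing like hers and a renderer for the LDIF in Thierry's quoted suggestion. It goes beyond the two characters shown and hex-escapes every character RFC 4514 treats as special; all function names are mine, and only ASCII suffixes are handled.

```python
"""Mapping-tree suffix escaping for 389 Directory Server (FreeIPA).

Added example, not from the thread or the projects. Inside the mapping
tree the suffix is the *value* of a cn RDN, so its '=' and ',' must be
hex-escaped (\\3D and \\2C) or they would be parsed as RDN separators.
"""
import re

# RFC 4514 special characters. Escaping '=' is not required by the RFC,
# but 389-ds writes it as \3D in mapping-tree names, as the thread shows.
_SPECIAL = set(',=+"\\<>;#')
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
_MAPPING_TREE = ",cn=mapping tree,cn=config"


def escape_rdn_value(value: str) -> str:
    """Hex-escape a string so it can be used as one RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\%02X" % ord(ch))
        elif ch == " " and i in (0, last):
            out.append("\\20")  # leading/trailing spaces must be escaped
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Reverse of escape_rdn_value: '\\3D' -> '=', '\\2C' -> ','."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def mapping_tree_dn(suffix: str) -> str:
    """DN of the mapping-tree entry for a suffix such as dc=redhat,dc=com."""
    return "cn=" + escape_rdn_value(suffix) + _MAPPING_TREE


def replica_dn(suffix: str) -> str:
    """DN of the replica configuration entry below the mapping-tree entry."""
    return "cn=replica," + mapping_tree_dn(suffix)


def suffixes_from_ldapsearch(output: str) -> list:
    """Unescaped suffixes from 'ldapsearch -b "cn=mapping tree,cn=config" -s one dn'."""
    suffixes = []
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("dn: cn=") and line.endswith(_MAPPING_TREE)):
            continue
        # Escaped values contain no literal ',' so slicing is unambiguous.
        escaped = line[len("dn: cn="):-len(_MAPPING_TREE)]
        suffixes.append(unescape_rdn_value(escaped))
    return suffixes


def bind_group_check_interval_ldif(suffix: str, seconds: int = 3) -> str:
    """LDIF for the change Thierry proposed, ready to feed to ldapmodify."""
    return "\n".join([
        "dn: " + replica_dn(suffix),
        "changetype: modify",
        "replace: nsds5ReplicaBindDNGroupCheckInterval",
        "nsds5ReplicaBindDNGroupCheckInterval: %d" % seconds,
        "",
    ])


# The three dn lines Florence's ldapsearch printed, used as sample input.
SAMPLE_LDAPSEARCH = """\
dn: cn=cn\\3Dchangelog,cn=mapping tree,cn=config
dn: cn=dc\\3Dredhat\\2Cdc\\3Dcom,cn=mapping tree,cn=config
dn: cn=o\\3Dipaca,cn=mapping tree,cn=config
"""

if __name__ == "__main__":
    for suffix in suffixes_from_ldapsearch(SAMPLE_LDAPSEARCH):
        print(suffix, "->", replica_dn(suffix))
    print(bind_group_check_interval_ldif("dc=fbog,dc=local"))
```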
4 years, 4 months
Re: ipa-replica-install latest failure attempt:
by Mark Reynolds
On 12/2/19 1:10 PM, Auerbach, Steven via FreeIPA-users wrote:
> A couple of follow-up questions and some results of an ldap search...
>
> In your suggested ldapmodify statement:
> ldapmodify -h <master_host> -p 389 -D "cn=directory manager" -W
> dn: cn=replica,cn=<suffix>, cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDNGroupCheckInterval
> nsds5ReplicaBindDNGroupCheckInterval: 3
>
> 1: Is the command only the first line and the remaining lines responses to interactive prompts?
At the command prompt run the ldapmodify command, then you will be in an
editor mode:
# ldapmodify -D "cn=directory manager" -W <enter password when prompted>
< You are now in the editor mode, enter these lines below, followed by
two blank lines to initiate the operation. Then press Control-D to exit>
dn: cn=replica,cn="dc=fbog,dc=local", cn=mapping tree,cn=config
changetype: modify
replace: nsds5ReplicaBindDNGroupCheckInterval
nsds5ReplicaBindDNGroupCheckInterval: 3
<press enter twice>
<press control-D to exit>
HTH,
Mark
> 2: I know that <master host> is my host fqdn. What is supposed to replace <suffix> in the dn=<suffix> declaration?
>
> I did an ldapsearch on this ipa master. I was trying to determine the current settings on this option before I modify it. Looking specifically for ReplicaBindDN section I found the following:
> # System: Read Replication Information, permissions, pbac, fbog.local
> dn: cn=System: Read Replication Information,cn=permissions,cn=pbac,dc=fbog,dc=local
> ipaPermTargetFilter: (objectclass=nsds5replica)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: all
> ipaPermissionType: SYSTEM
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> cn: System: Read Replication Information
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: nsds5replicatombstonepurgeinterval
> ipaPermDefaultAttr: nsds5replicareferral
> ipaPermDefaultAttr: nsstate
> ipaPermDefaultAttr: cn
> ipaPermDefaultAttr: nsds5flags
> ipaPermDefaultAttr: nsds5replicacleanruv
> ipaPermDefaultAttr: nsds5replicabinddn
> ipaPermDefaultAttr: nsds5replicaprotocoltimeout
> ipaPermDefaultAttr: nsds5replicatype
> ipaPermDefaultAttr: nsds5replicachangecount
> ipaPermDefaultAttr: nsds5replicaroot
> ipaPermDefaultAttr: nsds5replicabackoffmin
> ipaPermDefaultAttr: nsds5replicaname
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: nsds5replicalegacyconsumer
> ipaPermDefaultAttr: nsds5replicapurgedelay
> ipaPermDefaultAttr: nsds5replicaid
> ipaPermDefaultAttr: nsds5replicaautoreferral
> ipaPermDefaultAttr: nsds5replicabackoffmax
> ipaPermDefaultAttr: nsds5replicaabortcleanruv
> ipaPermDefaultAttr: nsds5task
> ipaPermLocation: cn=replication,cn=etc,dc=fbog,dc=local
>
> This is not telling me what the current values are. I could not locate declarations for nsds5ReplicaBindDNGroupCheckInterval. Does that even exist in ipa v3.0?
>
> -Steven Auerbach
>
> -----Original Message-----
> From: thierry bordaz <tbordaz(a)redhat.com>
> Sent: Tuesday, November 19, 2019 3:31 AM
> To: Rob Crittenden <rcritten(a)redhat.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
> Subject: Re: [Freeipa-users] ipa-replica-install latest failure attempt:
>
>
>
> On 11/18/19 11:24 PM, Rob Crittenden wrote:
>> Auerbach, Steven via FreeIPA-users wrote:
>>> Executed ipa-replica-prepare on an RHEL 6.9 server running ipa-server
>>> 3.0.0.1_51 (name : ipa01)
>>>
>>> Yum installed ipa-server, ipa-server-dns, bind-dyndb-ldap on the
>>> target Linux 7.6 server (name: ipa04)
>>>
>>> Copied the file to the target server to which ipa-server 4.6.5-11.0.1
>>> is installed (ipa04)
>>>
>>> Copied the file :/usr/share/ipa/copy-schema-to-ca.py from ipa v4.6
>>> server to the ipa v3.0 server and executed it successfully.
>>>
>>> Edited the /etc/resolv.conf on ipa04 to include ipa01. Did not reboot.
>>>
>>> Executed ipa-replica-install --setup-dns --forwarder=8.8.8.8
>>> --setup-ca /var/lib/ipa/replica-info-ipa04.fbog.local.gpg (on ipa04)
>>>
>>>
>>> 2019-11-16T16:23:24Z DEBUG The ipa-replica-install command failed,
>>> exception: NotFound: wait_for_entry timeout on
>>> ldap://ipa01.fbog.local:389 for
>>> krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=acco
>>> unts,dc=fbog,dc=local
>>>
>>> 2019-11-16T16:23:24Z ERROR wait_for_entry timeout on
>>> ldap://ipa01.fbog.local:389 for
>>> krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=acco
>>> unts,dc=fbog,dc=local
>>>
>>>
>>>
>>> Not sure where to go from here. Did I leave out some declaration or
>>> specification on the initial command?
>> The problem isn't in the command invocation, replication is just slow
>> enough for some reason that the new principal(s) weren't replicated to
>> the existing master.
>>
>> I seem to recall a 389-ds option to mitigate this but I can't remember
>> it off the top of my head (or maybe it isn't applicable for RHEL 6
>> master). cc'ing someone who would know.
>>
>> rob
> It is difficult to be sure without all logs (ipa-replica-install, DS
> logs) and config.
> From the top of my head I recall an old bug where the replica agreement
> replica->master was failing to bind because master did not lookup the
> updated bind group.
>
> Rob, is it the bug you were thinking of ?
>
> If it is this bug, you may try to set nsds5ReplicaBindDNGroupCheckInterval
>
> ldapmodify -h <master_host> -p 389 -D "cn=directory manager" -W
> dn: cn=replica,cn=<suffix>, cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDNGroupCheckInterval
> nsds5ReplicaBindDNGroupCheckInterval: 3
>
> This modification does not require restart.
>
> best regards
> thierry
--
389 Directory Server Development Team
4 years, 4 months