Hi,

I have managed to set up an IPA cluster which is still replicating changes to users and CAs, but thinks it has no replication configured. I'm not sure how I have managed this and have not been able to figure it out, so would appreciate any pointers anyone can provide.

I set up an initial IPA server, successfully joined a further 5 and set up the replication using the web-based GUI, with 3 being domain+CA and the remaining 3 being just domain. All seemed good: a user created on one server appeared on remote IPA servers, and I left for Christmas.

Returning to work yesterday, the web-based GUI does not show any links between the servers and will not let me add any, with the error "leftnode does not support suffix 'domain'". However, if I create or edit a user then it appears on the other IPA servers, and adding a new root CA is also visible from all IPA servers. I can also successfully join client servers, and then log in to them with IPA-based credentials.

The "ipa topology*" commands show no suffixes or segments; however, an LDAP search does show the links as I set them up (output below). The only errors I have seen in the logs are for things which Google searches list as "normal", but I'm obviously missing something. Disabling firewall/SELinux does not seem to have any impact, and DNS/reverse DNS is resolving correctly from all the servers. The only difference from the guides is that FreeIPA is not hosting the reverse zones itself; I'm using forwarders to my main DNS servers, which host those records, but I can't see that being related as resolution is working.

Any pointers for where to look and what to look for next would be greatly appreciated. This is a fresh deploy, so I can wipe and restart if needed, but I'd like to at least understand what is going on so I can avoid repeating it in the future.

Versions installed:
ipa-client-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-dns-4.9.6-10.module+el8.5.0+719+4f06efb6.noarch

# ipa topologysuffix-show
Suffix name: domain
ipa: ERROR: domain: suffix not found
# ipa topologysuffix-find --all
---------------------------
0 topology suffixes matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------
# ipa topologysegment-find domain --all
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------
$ ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# topology, ipa, etc, ipa.mydomain.net
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: nsContainer
cn: topology

# domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=ipa,dc=mydomain,dc=net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
cn: domain

# ca, topology, ipa, etc, ipa.mydomain.net
dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: o=ipaca
cn: ca

# ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, ca, topology, ipa, etc, i
pa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn
=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentDirection: both
cn: ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
objectClass: iparepltoposegment
objectClass: top

# ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

<SNIP several more links>

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16
Neal Harrington | System Administrator
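As an added example (not code from the original post or from the FreeIPA project): a small Python script that parses the LDIF printed by the ldapsearch command above and reports, per suffix, the replica root, the segments and whether every server can reach every other over the configured segments. The embedded LDIF is a constructed, shortened copy of the output in the post (two domain segments, one of them without ipaReplTopoSegmentStatus, and no CA segment); the attribute names are the ones that appear in that output. The one-way direction values left-right and right-left do not appear in the post's output, and the "n/a" placeholder for a missing status is this example's own choice.

```python
# Added example: summarise FreeIPA replication topology entries from the LDIF
# that ldapsearch prints for cn=topology,cn=ipa,cn=etc,<base>.
import base64
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the post's ldapsearch output. LDIF
# folds long lines; a continuation line starts with one space, dropped on re-join.
SAMPLE_LDIF = """\
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=ipa,dc=mydomain,dc=net
cn: domain

dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltopoconf
ipaReplTopoConfRoot: o=ipaca
cn: ca

dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
"""


def parse_ldif(text):
    """Return one {attr_lowercase: [values]} dict per entry that has a dn."""
    entries, cur = [], {}
    # "\n " is LDIF line folding: join continuation lines before splitting
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):           # ldapsearch comment lines
            continue
        if not line.strip():               # blank line ends an entry
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        val = base64.b64decode(val[1:]).decode() if val.startswith(":") else val.strip()
        cur.setdefault(attr.lower(), []).append(val)
    return entries


def topology_summary(entries):
    """Per suffix: replica root, segments, node set and full-connectivity flag."""
    get = lambda e, a: e.get(a.lower(), [])
    has = lambda e, oc: oc in (v.lower() for v in get(e, "objectClass"))
    new = lambda: {"root": None, "segments": [], "nodes": set()}
    suffixes = {}
    for e in entries:
        if has(e, "iparepltopoconf"):
            suffixes.setdefault(get(e, "cn")[0], new())["root"] = get(e, "ipaReplTopoConfRoot")[0]
        elif has(e, "iparepltoposegment"):
            # the parent RDN of the segment dn names its suffix, e.g. cn=domain
            s = suffixes.setdefault(get(e, "dn")[0].split(",")[1].split("=", 1)[1], new())
            left = get(e, "ipaReplTopoSegmentLeftNode")[0]
            right = get(e, "ipaReplTopoSegmentRightNode")[0]
            direction = (get(e, "ipaReplTopoSegmentDirection") or ["both"])[0]
            status = (get(e, "ipaReplTopoSegmentStatus") or ["n/a"])[0]  # may be absent
            s["segments"].append((left, right, direction, status))
            s["nodes"].update((left, right))
    for s in suffixes.values():
        s["fully_connected"] = fully_connected(s["segments"], s["nodes"])
    return suffixes


def fully_connected(segments, nodes):
    """True when every node can reach every other, honouring one-way segments."""
    adj = defaultdict(set)
    for left, right, direction, _ in segments:
        if direction in ("both", "left-right"):
            adj[left].add(right)
        if direction in ("both", "right-left"):
            adj[right].add(left)

    def reach(start):
        seen, todo = set(), [start]
        while todo:
            n = todo.pop()
            if n not in seen:
                seen.add(n)
                todo.extend(adj[n])
        return seen

    # a suffix with no segments at all is reported as not connected
    return bool(nodes) and all(reach(n) == nodes for n in nodes)


if __name__ == "__main__":
    for name, s in topology_summary(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{name}: root={s['root']} segments={len(s['segments'])} "
              f"nodes={len(s['nodes'])} fully_connected={s['fully_connected']}")
        for left, right, direction, status in s["segments"]:
            print(f"  {left} -> {right} [{direction}, {status}]")
```

To run it against a live server, replace SAMPLE_LDIF with the text that the ldapsearch command from the post prints (it is the same LDIF format, including the folded lines and the "# search result" trailer, which the parser skips). Comparing the per-suffix node list it prints with the servers that `ipa topologysegment-find` reports is the quickest way to see which segments exist only in the LDAP subtree.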