Hi,

I have managed to set up an IPA cluster which is still replicating changes to users and CAs, but thinks it has no replication configured. I'm not sure how I have managed this and have not been able to figure it out, so I would appreciate any pointers anyone can provide.

I set up an initial IPA server, successfully joined a further 5 and set up the replication using the web-based GUI, with 3 being domain+ca and the remaining 3 being just domain. All seemed good, a user created on one server appeared on remote IPA servers, and I left for Christmas.

On returning to work yesterday, the web-based GUI does not show any links between the servers and will not let me add any, with the error "leftnode does not support suffix 'domain'". However, if I create or edit a user then it appears on the other IPA servers, and adding a new root CA is also visible from all IPA servers. I can also successfully join client servers, and then log in to them with IPA-based credentials.

The "ipa topology*" commands show no suffixes or segments; however, an LDAP search does show the links as I set them up (output below). The only errors I have seen in the logs are for things which Google searches list as "normal" - but I'm obviously missing something. Disabling firewall/SELinux does not seem to have any impact, and DNS/reverse DNS is resolving correctly from all the servers. The only difference to the guides is that FreeIPA is not hosting the reverse zones itself - I'm using forwarders to my main DNS servers which host those records - but I can't see that being related as resolution is working.

Any pointers for where to look and what to look for next would be greatly appreciated. This is a fresh deploy, so I can wipe and restart if needed, but I'd like to at least understand what is going on so I can avoid repeating it in the future.

Versions installed:
ipa-client-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-dns-4.9.6-10.module+el8.5.0+719+4f06efb6.noarch
# ipa topologysuffix-show
Suffix name: domain
ipa: ERROR: domain: suffix not found
# ipa topologysuffix-find --all
---------------------------
0 topology suffixes matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------
# ipa topologysegment-find domain --all
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------
$ ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# topology, ipa, etc, ipa.mydomain.net
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: nsContainer
cn: topology

# domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=ipa,dc=mydomain,dc=net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
cn: domain

# ca, topology, ipa, etc, ipa.mydomain.net
dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: o=ipaca
cn: ca

# ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, ca, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentDirection: both
cn: ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
objectClass: iparepltoposegment
objectClass: top

# ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

<SNIP several more links>

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16
Neal Harrington | System Administrator
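The post shows the ipa topology commands reporting nothing while the cn=topology container in LDAP still holds the suffix and segment entries. The script below is an added example, not code from the original post or from FreeIPA: it parses an ldapsearch dump of that container (including LDIF folded lines, which the wrapped output above illustrates), rebuilds one replication graph per suffix from the iparepltoposegment entries, and reports which expected masters have no segment and whether the segments leave every master able to replicate to every other one. The embedded LDIF is a constructed, smaller sample in the shape of the post's output; the host names and the list of which servers are supposed to carry each suffix are assumptions.

```python
# Added example, not code from the original post: rebuild the per-suffix
# replication graph from an ldapsearch dump of cn=topology,cn=ipa,cn=etc and
# report missing masters and broken connectivity. Host names are assumptions.
from collections import defaultdict

# Constructed sample in the shape of the post's output (one folded LDIF line
# included): a smaller topology, with the ca suffix short of one expected master.
SAMPLE_LDIF = """\
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltopoconf
cn: domain

dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentDirection: both

dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentDirection: both

dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentDirection: both
"""
MASTERS = [h + ".ipa.mydomain.net" for h in ("ipa1-b", "ipa1-c", "ipa2-b")]
EXPECTED_MASTERS = {"domain": MASTERS, "ca": MASTERS}  # assumed server roles

def parse_ldif(text):
    """ldapsearch LDIF -> [{attr(lower): [values]}]; joins folded lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous logical line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():
            if "dn" in cur:  # trailer blocks (search:/result:) have no dn
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if not value.startswith(":"):  # skip base64 ("::") values
                cur.setdefault(name.lower(), []).append(value.strip())
    return entries

def topology_graph(entries):
    """{suffix: {"nodes": set, "edges": [(left, right, direction)]}}."""
    graphs = defaultdict(lambda: {"nodes": set(), "edges": []})
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "iparepltopoconf" in classes:
            graphs[e["cn"][0]]  # suffix exists even if it has no segments
        elif "iparepltoposegment" in classes:
            suffix = e["dn"][0].split(",")[1].split("=", 1)[1]  # parent RDN
            left = e["iparepltoposegmentleftnode"][0]
            right = e["iparepltoposegmentrightnode"][0]
            direction = e.get("iparepltoposegmentdirection", ["both"])[0]
            graphs[suffix]["nodes"].update((left, right))
            graphs[suffix]["edges"].append((left, right, direction))
    return dict(graphs)

def check_suffix(graph, expected_masters):
    """Missing/unexpected hosts, and strong connectivity honouring one-way segments."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for left, right, direction in graph["edges"]:
        if direction in ("both", "left-right"):
            fwd[left].add(right); rev[right].add(left)
        if direction in ("both", "right-left"):
            fwd[right].add(left); rev[left].add(right)

    def reachable(adj, start):
        seen, todo = {start}, [start]
        while todo:
            for n in adj.get(todo.pop(), ()):
                if n not in seen:
                    seen.add(n); todo.append(n)
        return seen

    nodes, expected = set(graph["nodes"]), set(expected_masters)
    start = min(nodes) if nodes else None
    connected = bool(nodes) and reachable(fwd, start) == nodes == reachable(rev, start)
    return {"segments": len(graph["edges"]),
            "missing_masters": sorted(expected - nodes),
            "unexpected_nodes": sorted(nodes - expected),
            "fully_connected": connected and expected <= nodes}

def check_topology(ldif_text, expected_masters):
    graphs = topology_graph(parse_ldif(ldif_text))
    return {s: check_suffix(g, expected_masters.get(s, [])) for s, g in graphs.items()}
```

Running check_topology(SAMPLE_LDIF, EXPECTED_MASTERS) on the constructed sample reports the domain suffix as fully connected and the ca suffix as missing ipa2-b. Against a real dump, feed it the raw ldapsearch output and the list of masters each suffix should have; a suffix that the ipa commands cannot see but whose LDAP graph is complete, as in the post, points at the CLI/plugin view rather than at the segments themselves.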