Bug 694283

Summary: Converting to GSSAPI replication may fail
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.1
Status: CLOSED DEFERRED
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, jgalipea, nkinder, nsoman, rmeggins, ssorce
Doc Type: Bug Fix
Doc Text: The issue is sporadic. The workaround is to re-install the replica again.
Clone Of:
: 694540
Last Closed: 2011-04-07 15:38:07 UTC
Bug Blocks: 694540
Attachments:
  master server 389-ds access log
  replica server access log
  replica install log

Description Rob Crittenden 2011-04-06 20:54:52 UTC
Description of problem:

Converting to GSSAPI replication may fail in some cases (unclear which). It looks like this when it fails:

2011-04-06 15:39:36,085 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 540, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 501, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/sbin/ipa-replica-install", line 242, in install_krb
    setup_pkinit, pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 217, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 301, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 562, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 714, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 456, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 449, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]

The reason it fails is that searching with filter_a against server b (the remote) returns no entries. search_s() returns [] when nothing is found; it doesn't raise an exception, so there is nothing to index.

Server a is the replica, server b is the remote master.

The krbprincipalname for server a is found in server a.
The krbprincipalname for server b is found in both server a and server b.

Just prior to this in the log it is clear that re-initialization was requested.

In the master access logs I see this:

[06/Apr/2011:15:39:25 -0400] conn=10 op=8 MOD dn="krbprincipalname=ldap/rhel61-server2.testrelm@testrelm,cn=services,cn=accounts,dc=testrelm"
[06/Apr/2011:15:39:25 -0400] conn=10 op=8 RESULT err=32 tag=103 nentries=0 etime=0 csn=4d9cc16d000300030000

Version-Release number of selected component (if applicable):

ipa-server-2.0.0-20.el6.x86_64
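
Added example (not part of the original report and not the ipaserver code): one way to guard the lookup described above, so that an empty search_s() result becomes a bounded wait followed by a clear error instead of an IndexError. find_principal_dn, EntryNotFound and FakeConn are hypothetical names; results are assumed to be python-ldap style (dn, attrs) tuples, and the DN and filter are constructed sample values.

```python
import time

SCOPE_SUBTREE = 2  # numeric value of ldap.SCOPE_SUBTREE


class EntryNotFound(Exception):
    """The entry never appeared on the queried server within the timeout."""


def find_principal_dn(conn, base_dn, filterstr, timeout=10.0, interval=0.5,
                      sleep=time.sleep, clock=time.monotonic):
    """Return the DN of the first entry matching filterstr.

    search_s() returns [] rather than raising when nothing matches, so the
    result is checked before indexing. While replication may still be
    delivering the entry, poll until the deadline, then fail explicitly.
    """
    deadline = clock() + timeout
    while True:
        results = conn.search_s(base_dn, SCOPE_SUBTREE, filterstr)
        if results:
            return results[0][0]
        if clock() >= deadline:
            raise EntryNotFound("no entry matching %s under %s after %.1fs"
                                % (filterstr, base_dn, timeout))
        sleep(interval)


class FakeConn:
    """Constructed stand-in for an LDAP connection: the entry is missing for
    the first `empty_reads` searches, as if it had not replicated yet."""

    def __init__(self, dn, empty_reads):
        self.dn, self.empty_reads, self.calls = dn, empty_reads, 0

    def search_s(self, base, scope, filterstr):
        self.calls += 1
        return [] if self.calls <= self.empty_reads else [(self.dn, {})]


if __name__ == "__main__":
    # Constructed sample data, not values from this bug.
    dn = ("krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,"
          "cn=services,cn=accounts,dc=example,dc=test")
    conn = FakeConn(dn, empty_reads=3)
    print(find_principal_dn(conn, "dc=example,dc=test",
                            "(krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST)",
                            interval=0.01))
```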

Comment 1 Rob Crittenden 2011-04-06 20:55:31 UTC
Created attachment 490399
master server 389-ds access log

Comment 2 Rob Crittenden 2011-04-06 20:56:06 UTC
Created attachment 490400
replica server access log

Comment 3 Rob Crittenden 2011-04-06 20:56:43 UTC
Created attachment 490401
replica install log

Comment 5 RHEL Program Management 2011-04-06 21:04:25 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 6 Dmitri Pal 2011-04-07 15:38:07 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The issue is sporadic. The workaround is to re-install the replica again.

Comment 7 Rich Megginson 2011-04-21 17:49:44 UTC
I believe this is a dup of https://bugzilla.redhat.com/show_bug.cgi?id=698421; see https://bugzilla.redhat.com/show_bug.cgi?id=698421#c8 for an explanation.