| Summary: | Connect after del using ipa-replica-manage fails | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Namita Soman <nsoman> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | grajaiya, jgalipea, ksuzuoki, mkosek, spoore |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-3.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:17:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 756082 | ||

Upstream ticket: https://fedorahosted.org/freeipa/ticket/2126

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/2d555256526827564f89d941c2d2b31815378a6b

ipa-2-2: https://fedorahosted.org/freeipa/changeset/4e7e98fd842edb590202cdaf39e7d2a153230143

This patch may affect tests for "ipa-replica-manage del $REPLICA". It now needs --force flag to go unattended, without any prompt.

Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation needed.

1.

```
[root@primenova ~]# ipa-replica-manage del rodimus.lab.eng.pnq.redhat.com --binddn=admin --bindpw=Secret123
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file and re-install.
Continue to delete? [no]: yes
Deleted replication agreement from 'primenova.lab.eng.pnq.redhat.com' to 'rodimus.lab.eng.pnq.redhat.com'
[root@primenova ~]#
```

2.

```
[root@rodimus ~]# ipa-replica-manage connect primenova.lab.eng.pnq.redhat.com
You cannot connect to a previously deleted master
[root@rodimus ~]#
```

Verified: ipa-server-2.2.0-13.el6.x86_64

There seems to be a new problem here. I was seeing the new expected error until recently. I'm now seeing this:

```
[root@spoore-dvm1 slapd-TESTRELM-COM]# ipa-replica-manage connect spoore-dvm2.testrelm.com
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/spoore-dvm2.testrelm.com not found in Kerberos database)
```

Can you check the KDC logs to see which side this error is coming from? Is there an ldap service principal for spoore-dvm2 on both sides?

Ok, after troubleshooting with Rob, found that this was because ipa-replica-manage was trying to use the existing info from kerberos ticket but, that info was gone from MASTER side.

On a different env showing same GSSAPI error, I see this:

```
[root@kvm-guest-05 log]# kdestroy
[root@kvm-guest-05 log]# ipa-replica-manage connect qe-blade-11.testrelm.com
Directory Manager password:
You cannot connect to a previously deleted master
```

Testing again without the kdestroy but using -p and DM password:

```
[root@kvm-guest-05 log]# ipa-replica-manage connect $SLAVE
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/qe-blade-11.testrelm.com not found in Kerberos database)
[root@kvm-guest-05 log]# ipa-replica-manage connect $SLAVE -p $ADMINPW
You cannot connect to a previously deleted master
```

I've created a new bug to cover the missing case for what I found. It's bug 823657.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

Description of problem:

Have a master and replica installed.

From master do a del - to delete the replica

```
# ipa-replica-manage del <replica hostname> -v -p XXX
```

From master connect this replica

```
# ipa-replica-manage connect <replica hostname> -v -p Secret123
unexpected error: list index out of range
```

From deleted replica, connect to master:

```
# ipa-replica-manage connect <master hostname> -p Secret123
unexpected error: list index out of range
```

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible: always

Steps to Reproduce:
1. see above

Actual results: cannot connect deleted replica back

Expected results: be able to connect the deleted replica back

Additional info:

Rob looked into this and got the info below:

```
Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-manage", line 487, in <module>
    main()
  File "/usr/sbin/ipa-replica-manage", line 476, in main
    add_link(realm, replica1, replica2, dirman_passwd, options)
  File "/usr/sbin/ipa-replica-manage", line 383, in add_link
    repl1.setup_gssapi_replication(replica2, "cn=Directory Manager", dirman_passwd)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 796, in setup_gssapi_replication
    self.setup_krb_princs_as_replica_binddns(self.conn, r_conn)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 506, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
IndexError: list index out of range
```

```
filter_a (krbprincipalname=ldap/ibm-x3650-04.testrelm@TESTRELM)
filter_b (krbprincipalname=ldap/hp-xw4200-01.testrelm@TESTRELM),
b_pn krbprincipalname=ldap/hp-xw4200-01.testrelm@TESTRELM,cn=services,cn=accounts,dc=testrelm
```

hp-xw4200-01.testrelm is remote master

ibm-x3650-04.testrelm is local machine, former replica

```
[root@ibm-x3650-04 ~]# ldapsearch -LLL -x -h hp-xw4200-01.testrelm -s base -b 'krbprincipalname=ldap/ibm-x3650-04.testrelm@TESTRELM,cn=services,cn=accounts,dc=testrelm' dn
No such object (32)
Matched DN: cn=services,cn=accounts,dc=testrelm

[root@ibm-x3650-04 ~]# ldapsearch -LLL -x -h ibm-x3650-04.testrelm -s base -b 'krbprincipalname=ldap/ibm-x3650-04.testrelm@TESTRELM,cn=services,cn=accounts,dc=testrelm' dn
dn: krbprincipalname=ldap/ibm-x3650-04.testrelm@TESTRELM,cn=services,cn=accoun
 ts,dc=testrelm
```

possibly related bug: https://fedorahosted.org/freeipa/ticket/2088
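
The failure in the traceback above, reduced to an added illustration that is neither FreeIPA's code nor its fix: a principal lookup that returns nothing is reported by name instead of being indexed with `[0]`. The dict-based directories, the function names and the assumption that each server's `ldap/` principal is looked up on its peer (inferred from the two `ldapsearch` results) are all hypothetical.

```python
MOD_ADD = 0  # same numeric value as python-ldap's ldap.MOD_ADD
SERVICES = "cn=services,cn=accounts,dc=testrelm"

class PrincipalNotFound(Exception):
    """Raised instead of IndexError when a peer lacks a service principal."""

def principal_dn(host, realm="TESTRELM"):
    return "krbprincipalname=ldap/%s@%s,%s" % (host, realm, SERVICES)

def search_principal(directory, host):
    """Stand-in for an LDAP search: list of matching DNs, possibly empty."""
    dn = principal_dn(host)
    return [dn] if dn in directory else []

def binddn_mods(local_host, local_dir, remote_host, remote_dir):
    """Build the nsds5replicabinddn modlists, checking every lookup first.

    Assumption: each server's ldap/ principal is looked up on its peer.
    """
    lookups = [
        (local_host, remote_host, remote_dir),
        (remote_host, local_host, local_dir),
    ]
    mods = []
    for owner, searched_on, directory in lookups:
        found = search_principal(directory, owner)
        if not found:  # the unguarded form indexes found[0] here
            raise PrincipalNotFound(
                "ldap/%s has no entry on %s; it was probably deleted there"
                % (owner, searched_on))
        mods.append([(MOD_ADD, "nsds5replicabinddn", found[0])])
    return mods

# Constructed directories mirroring the two ldapsearch results in the report:
# the former replica still has its own principal, the master no longer does.
LOCAL = "ibm-x3650-04.testrelm"
REMOTE = "hp-xw4200-01.testrelm"
local_dir = {principal_dn(LOCAL): {}, principal_dn(REMOTE): {}}
remote_dir = {principal_dn(REMOTE): {}}

def check():
    """Return 'ok' or the message naming the missing principal."""
    try:
        binddn_mods(LOCAL, local_dir, REMOTE, remote_dir)
    except PrincipalNotFound as exc:
        return str(exc)
    return "ok"
```
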