Bug 754973
Summary: | "force-sync, re-initialize and del" options for ipa-replica-manage fail against AD. | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.2 | CC: | jgalipea, mkosek, mniranja, sgoveas |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Fixed In Version: | ipa-2.2.0-3.el6 | Doc Type: | Bug Fix |
Doc Text:
Cause: The ipa-replica-manage force-sync, re-initialize and del commands failed when used against a winsync agreement on an Active Directory machine.
Consequence: The user's ability to control winsync replication agreements is limited.
Fix: ipa-replica-manage was fixed to manage both standard replication agreements and winsync agreements in a more robust way.
Result: User experience with the management of winsync agreements should improve.

Last Closed: 2012-06-20 13:17:43 UTC
Description
Gowrishankar Rajaiyan
2011-11-18 12:23:29 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2128

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/31f00f90f1a08804e9dfdd6bdf85c2dc245bea51
ipa-2-2: https://fedorahosted.org/freeipa/changeset/fefbdce40222f926209b79eebdcbb3a1f36e1ac2

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The ipa-replica-manage force-sync, re-initialize and del commands failed when used against a winsync agreement on an Active Directory machine.
Consequence: The user's ability to control winsync replication agreements is limited.
Fix: ipa-replica-manage was fixed to manage both standard replication agreements and winsync agreements in a more robust way.
Result: User experience with the management of winsync agreements should improve.

Created a winsync agreement between IPA and Active Directory

```
[root@primenova ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/etc/openldap/certs/ADcert.cer dhcp201-215.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /etc/openldap/certs/ADcert.cer to certificate database for primenova.lab.eng.pnq.redhat.com
ipa: INFO: AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20120425070725Z: end: 20120425070725Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'primenova.lab.eng.pnq.redhat.com' to 'dhcp201-215.englab.pnq.redhat.com'

[root@primenova ~]# ipa user-find steeve
--------------
1 user matched
--------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
```

Added new user steeve2

```
[root@primenova ~]# ipa-replica-manage force-sync --from dhcp201-215.englab.pnq.redhat.com
ipa: INFO: Setting agreement cn=meTodhcp201-215.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTodhcp201-215.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config

[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve2
  First name: steeve2
  Last name: ad
  Home directory: /home/steeve2
  Login shell: /bin/sh
  UID: 1084800133
  GID: 1084800133
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------
```

Deleted user steeve2 and added new user steeve3

```
[root@primenova ~]# ipa-replica-manage re-initialize --from dhcp201-215.englab.pnq.redhat.com
Update succeeded

[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve3
  First name: steeve3
  Last name: ads
  Home directory: /home/steeve3
  Login shell: /bin/sh
  UID: 1084800137
  GID: 1084800137
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------
```

Deleted agreement

```
[root@primenova ~]# ipa-replica-manage del dhcp201-215.englab.pnq.redhat.com
Forcing removal on 'primenova.lab.eng.pnq.redhat.com'
Deleted replication agreement from 'primenova.lab.eng.pnq.redhat.com' to 'dhcp201-215.englab.pnq.redhat.com'
Failed to cleanup dhcp201-215.englab.pnq.redhat.com DNS entries: SRV record does not contain '0 100 389 dhcp201-215'
You may need to manually remove them from the tree

[root@primenova ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/24/12 05:45:56  04/25/12 05:45:53  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
04/24/12 05:46:02  04/25/12 05:45:53  HTTP/primenova.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
04/24/12 05:47:00  04/25/12 05:45:53  ldap/primenova.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
[root@primenova ~]#
```

Verified in version ipa-server-2.2.0-11.el6.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html