Bug 811394
| Summary: | IPA Replica out of sync and cannot see user added from master | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> | ||||||||||||
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> | ||||||||||||
| Status: | CLOSED NOTABUG | QA Contact: | IDM QE LIST <seceng-idm-qe-list> | ||||||||||||
| Severity: | unspecified | Docs Contact: | |||||||||||||
| Priority: | unspecified | ||||||||||||||
| Version: | 6.2 | CC: | mkosek | ||||||||||||
| Target Milestone: | rc | ||||||||||||||
| Target Release: | --- | ||||||||||||||
| Hardware: | Unspecified | ||||||||||||||
| OS: | Unspecified | ||||||||||||||
| Whiteboard: | |||||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||
| Clone Of: | Environment: | ||||||||||||||
| Last Closed: | 2012-04-11 18:46:00 UTC | Type: | Bug | ||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||
| Documentation: | --- | CRM: | |||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
| Embargoed: | |||||||||||||||
| Attachments: |
|
||||||||||||||
Created attachment 576613 [details]
messages file from replica
Created attachment 576614 [details]
dirsrv error log from replica
Created attachment 576615 [details]
kdc log from replica
Created attachment 576616 [details]
httpd error log from replica
Quick update/note. I tried unsuccessfully to reproduce on a different set of servers so it's not always reproducible. So, I guess the question is what is wrong with my test for which I included the logs? I believe I found my problem.
The /etc/hosts files on my master and replica servers had entries for both servers with their example.com FQDNs. I believe this was causing some issues as seen in the krb5kdc.log:
This is an example from another failed attempt that I noticed:
Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0, ldap/spoore-dvm2.testrelm.com for ldap/spoore-dvm1.example.com, Server not found in Kerberos database
Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0, ldap/spoore-dvm2.testrelm.com for krbtgt/EXAMPLE.COM, Server not found in Kerberos database
I'm going to go ahead and close this one as NOTABUG since it was specific to my environment/setup and not really a bug.
|
Created attachment 576612 [details] ipareplica-install.log file Description of problem: After setting up an IPA Master server and replica, I can add a user on the Master that I cannot see from the replica. Version-Release number of selected component (if applicable): RHEL6.2 ipa-server-2.1.3-9.el6.x86_64 389-ds-base-1.2.9.14-1.el6.x86_64 How reproducible: Often if not always. Steps to Reproduce: 1. <setup IPA master> 2. <setup IPA replica> 3. ipa user-add replicatest --first=first --last=last # on Master 4. ipa user-show replicatest # on both Actual results: See replicatest user from Master search but, not from Replica. Expected results: See replicatest user from both servers. Additional info: I see messages like this in /var/log/messages: Apr 10 15:59:08 spoore-dvm2 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM not found in Kerberos database) in /var/log/dirsrv/slapd-TESTRELM-COM/errors: [10/Apr/2012:15:57:21 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied) [10/Apr/2012:15:57:21 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) [10/Apr/2012:15:57:21 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [10/Apr/2012:15:57:21 -0500] NSMMReplicationPlugin - agmt="cn=meTospoore-dvm1.testrelm.com" (spoore-dvm1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) ... [10/Apr/2012:15:58:46 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))