Bug 994980

Summary: Re-initializing a winsync connection exits with "unexpected error"
Product: Red Hat Enterprise Linux 7
Reporter: Steeve Goveas <sgoveas>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: nkinder, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.3.2-2.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:09:31 UTC
Type: Bug
Attachments:
logs generated while re-initializing (flags: none)

Description Steeve Goveas 2013-08-08 10:34:06 UTC
Description of problem:
Re-initializing a winsync connection exits with an unexpected error. It seems to work fine functionally by updating data from the AD, but exits with an error.

[root@dhcp207-140 ipa-winsync]# date ; ipa-replica-manage -v re-initialize --from squab.adrelm.com ; date
Wed Aug  7 18:15:45 IST 2013
Update in progress, 47 seconds elapsed
Update succeeded

unexpected error: [Errno -2] Name or service not known
Wed Aug  7 18:16:36 IST 2013 


Version-Release number of selected component (if applicable):
389-ds-base-1.3.1.5-1.el7.x86_64
ipa-server-3.2.2-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup AD and IPA servers
2. Create winsync agreement between the 2
3. Add a new user in AD
4. Re-initialize the winsync connection with AD

Actual results:
New user gets synced, but command exits with following error

unexpected error: [Errno -2] Name or service not known

Expected results:
Command should complete successfully without error

Additional info:
Attached logs generated while re-initializing

Comment 1 Steeve Goveas 2013-08-08 10:35:06 UTC
Created attachment 784307
logs generated while re-initializing

Comment 3 Nathan Kinder 2013-08-08 18:37:14 UTC
I don't see anything that looks like a failure in the DS errors log, and sync is apparently working.

The error you are receiving comes from ipa-replica-manage.  I think that this needs to be investigated on the IPA side.  Adjusting the component to ipa.

Comment 4 Nathan Kinder 2013-08-08 20:48:40 UTC
I looked at the code for ipa-replica-manage a bit, and it looks like the actual replica initialization portion of the re_initialize() call is working. The error must occur when we try to add a memberOf task at the very end of re_initialize().

Does the DS access log show an ADD operation for a memberOf task entry when you attempt to reinit the sync agreement?  The entry will be named something like "cn=IPA install <timestamp>, cn=memberof task, cn=tasks, cn=config".  If you do see this ADD, what is the result of the operation?  

The error message you are receiving makes me think that this is a failure on the ipa-replica-manage side of things to get the correct hostname.
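
The access-log check asked for in Comment 4, as an added example (not part of the bug report or the IPA code): it finds ADD operations on memberOf task entries and pairs each with the RESULT line that shares its conn/op. The function names and the sample lines are constructed here, following the 389-ds access log layout; an empty list means no such ADD was logged.

```python
import re

# Constructed sample in the 389-ds access log layout (not taken from the attachment).
SAMPLE_ACCESS_LOG = '''\
[07/Aug/2013:18:16:30 +0530] conn=41 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/Aug/2013:18:16:30 +0530] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Aug/2013:18:16:31 +0530] conn=41 op=1 ADD dn="cn=IPA install 1375879591,cn=memberof task,cn=tasks,cn=config"
[07/Aug/2013:18:16:31 +0530] conn=41 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[07/Aug/2013:18:16:32 +0530] conn=42 op=1 ADD dn="cn=someuser,cn=users,cn=accounts,dc=example,dc=com"
[07/Aug/2013:18:16:32 +0530] conn=42 op=1 RESULT err=68 tag=105 nentries=0 etime=0
'''

# Parent DN of the task entries named in Comment 4.
TASK_SUFFIX = "cn=memberof task,cn=tasks,cn=config"
LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
ADD = re.compile(r'^ADD dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+)')

def normalize_dn(dn):
    """Lower-case the DN and drop whitespace around the RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def memberof_task_adds(log_text):
    """Return one record per memberOf task ADD; err stays None if no RESULT was logged."""
    pending = {}  # (conn, op) -> record still waiting for its RESULT line
    found = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        add = ADD.match(m["rest"])
        if add and normalize_dn(add["dn"]).endswith("," + TASK_SUFFIX):
            rec = {"time": m["ts"], "dn": add["dn"], "err": None}
            pending[key] = rec
            found.append(rec)
            continue
        res = RESULT.match(m["rest"])
        if res and key in pending:
            pending.pop(key)["err"] = int(res["err"])
    return found

if __name__ == "__main__":
    for rec in memberof_task_adds(SAMPLE_ACCESS_LOG):
        print(rec["time"], rec["dn"], "err=%s" % rec["err"])
```
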

Comment 5 Martin Kosek 2013-08-09 07:22:48 UTC
Correct. I investigated the failure and found out that ipa-replica-manage tries to do an LDAP modify with an uninitialized server FQDN.

ipa-replica-manage:
...
        ds = dsinstance.DsInstance(realm_name = realm, dm_password = dirman_passwd)
        ds.init_memberof()
...

ds.init_memberof() needs self.fqdn to operate. I will create an upstream ticket to fix it.

Comment 6 Martin Kosek 2013-08-09 07:25:43 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3854

Comment 7 Martin Kosek 2013-10-11 08:11:39 UTC
Fixed upstream:

master:
dfa135e6069f9cb7f158d4540b530b137887932f Winsync re-initialize should not run memberOf fixup task
524a1a856739dd695e701ac33b67c8e758ac42c4 Use consistent realm name in cainstance and dsinstance

ipa-3-3:
233d07d030500be4a593c22fef9cd841b7e7a12d Winsync re-initialize should not run memberOf fixup task
b73adb72a410fc5669eee25e3670dd7abeeeeb6f Use consistent realm name in cainstance and dsinstance

Comment 9 Namita Soman 2013-12-16 15:16:57 UTC
Verified using ipa-server-3.3.3-5.el7.x86_64

Automated test result:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_winsync_bz994980: Using option re-initialize bz994980 bz1016042
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 10:29:11 ] ::  https://bugzilla.redhat.com/show_bug.cgi?id=994980
:: [ 10:29:11 ] ::  https://bugzilla.redhat.com/show_bug.cgi?id=1016042
:: [   PASS   ] :: Creating error log ldif file (Expected 0, got 0)
modifying entry "cn=config"

:: [   PASS   ] :: Setting the error log level (Expected 0, got 0)
:: [   PASS   ] :: aduser2 does not exist in IPA (Expected 2, got 2)
ipa: ERROR: aduser2: user not found
:: [   PASS   ] :: Sleeping 60 seconds to make sure previous sync is done (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out' should contain 'ipa: ERROR: aduser2: user not found' 
:: [   PASS   ] :: Generate ldif file to add user aduser2 (Expected 0, got 0)
adding new entry "CN=aduser2 ads,CN=Users,DC=adrelm,DC=com"

:: [   PASS   ] :: Adding aduser2 in AD to test re-initialize option (Expected 0, got 0)
:: [   PASS   ] :: Wait for last sync interval 35 seconds (Expected 0, got 0)
:: [   PASS   ] :: User not synced (Expected 2, got 2)
ipa: ERROR: aduser2: user not found
:: [   PASS   ] :: File '/tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out' should contain 'ipa: ERROR: aduser2: user not found' 
:: [ 10:30:50 ] ::  Using re-initiatize option of ipa-replica-manage
:: [ 10:30:50 ] ::  ipa-replica-manage re-initialize --from squab.adrelm.com > /tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out 2>&1
:: [   PASS   ] :: Using re-initialize option (Expected 0, got 0)

Update in progress, 1 seconds elapsed
Update in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update in progress, 4 seconds elapsed
Update in progress, 5 seconds elapsed
Update in progress, 6 seconds elapsed
Update in progress, 7 seconds elapsed
Update in progress, 8 seconds elapsed
Update in progress, 9 seconds elapsed
Update in progress, 10 seconds elapsed
Update in progress, 11 seconds elapsed
Update in progress, 12 seconds elapsed
Update in progress, 13 seconds elapsed
Update in progress, 14 seconds elapsed
Update in progress, 15 seconds elapsed
Update in progress, 16 seconds elapsed
Update in progress, 17 seconds elapsed
Update in progress, 18 seconds elapsed
Update in progress, 19 seconds elapsed
Update in progress, 20 seconds elapsed
Update in progress, 21 seconds elapsed
Update in progress, 22 seconds elapsed
Update in progress, 23 seconds elapsed
Update in progress, 24 seconds elapsed
Update in progress, 25 seconds elapsed
Update in progress, 26 seconds elapsed
Update in progress, 27 seconds elapsed
Update in progress, 28 seconds elapsed
Update in progress, 29 seconds elapsed
Update in progress, 30 seconds elapsed
Update in progress, 31 seconds elapsed
Update in progress, 32 seconds elapsed
Update in progress, 33 seconds elapsed
Update in progress, 34 seconds elapsed
Update in progress, 35 seconds elapsed
Update in progress, 36 seconds elapsed
Update succeeded

:: [   PASS   ] :: File '/tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out' should contain 'Update in progress' 
:: [   PASS   ] :: File '/tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out' should contain 'Update succeeded' 
:: [   PASS   ] :: File '/tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out' should not contain 'Can't contact LDAP server' 
:: [   PASS   ] :: File '/tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out' should not contain 'unexpected error: [Errno -2] Name or service not known' 
:: [   PASS   ] :: aduser2 added in AD, synced to IPA with reinitialize option (Expected 0, got 0)
  User login: aduser2
  First name: aduser2
  Last name: ads
  Home directory: /home/aduser2
  Login shell: /bin/sh
  UID: 1474600010
  GID: 1474600010
  Account disabled: False
  Password: False
  Kerberos keys available: False
:: [   PASS   ] :: File '/tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out' should contain 'Account disabled: False' 
:: [   PASS   ] :: Running 'grep "Running Dirsync" /var/log/dirsrv/slapd-TESTRELM-COM/errors | tail -n2 > /tmp/tmp.J3C2YukU34/tmpout.ipa_winsync_bz994980.out 2>&1' (Expected 0, got 0)
[26/Nov/2013:10:27:58 -0500] NSMMReplicationPlugin - Running Dirsync 
[26/Nov/2013:10:31:30 -0500] NSMMReplicationPlugin - Running Dirsync 
'2396e4f5-4896-4dd3-b6ad-6ea3a850aaa9'
ipa-winsync-bz994980 result: PASS

Comment 10 Ludek Smid 2014-06-13 10:09:31 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.