Bug 1167964 - RHEL7.1 ipa replica unable to replicate to rhel6 master
Summary: RHEL7.1 ipa replica unable to replicate to rhel6 master
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1140496
Reported: 2014-11-25 18:09 UTC by Scott Poore
Modified: 2019-08-15 04:06 UTC (History)

Fixed In Version: ipa-4.1.0-11.el7
Doc Type: Bug Fix
Doc Text:
Cause: The RHEL 6.6 schema includes the 'cn' attribute in the 'idnsRecord' object class. In RHEL 7.1, 'idnsRecord' contains two new attributes but lacks the 'cn' attribute.
Consequence: A schema conflict appears: neither the 6.6 nor the 7.1 server can learn or apply the other server's schema.
Workaround 1: Remove the cn attribute from all 'idnsRecord' objects and from the schema on the 6.6 server.
Workaround 2: Add the 'cn' attribute to the MAY section of the 'idnsRecord' object class definition in /usr/share/ipa/60ipadns.ldif on the 7.1 server prior to installing the replica.
Result:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:15:50 UTC
Target Upstream Version:
Embargoed:


Attachments
RHEL 6.6 Master dirsrv errors log after replica install (721.84 KB, text/plain), 2014-11-25 18:14 UTC, Scott Poore
RHEL 7.1 Replica dirsrv errors log after replica install (160.87 KB, text/plain), 2014-11-25 18:14 UTC, Scott Poore
RHEL 6.6 Master dirsrv errors log after clean restart with replication logging (99.27 KB, text/plain), 2014-11-25 18:15 UTC, Scott Poore
RHEL 7.1 Replica dirsrv errors log after clean restart with replication logging (89.91 KB, text/plain), 2014-11-25 18:19 UTC, Scott Poore
RHEL 6.6 Master dirsrv errors log after copy schema (610.07 KB, text/plain), 2014-11-25 19:54 UTC, Scott Poore
RHEL 7.1 Replica dirsrv errors log after copy schema (1.53 MB, text/plain), 2014-11-25 19:54 UTC, Scott Poore
/etc/dirsrv from new RHEL6.6 master (215.88 KB, application/x-gzip), 2014-12-01 17:34 UTC, Scott Poore
/etc/dirsrv from RHEL7.1 replica (158.75 KB, application/x-gzip), 2014-12-01 17:35 UTC, Scott Poore


Links
Red Hat Product Errata RHSA-2015:0442 (priority normal, status SHIPPED_LIVE): Moderate: ipa security, bug fix, and enhancement update, last updated 2015-03-05 14:50:39 UTC

Description Scott Poore 2014-11-25 18:09:31 UTC
Description of problem:

I'm seeing issues with replication between new RHEL7.1 IPA replica added to environment with IPA master on RHEL6.6.

[25/Nov/2014:20:49:39 +051800] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=testrelm,dc=test is coming online; enabling replication
[25/Nov/2014:20:49:39 +051800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=testrelm,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[25/Nov/2014:20:49:41 +051800] NSMMReplicationPlugin - [S] Schema agmt="cn=meTovm-idm-052.testrelm.test" (vm-idm-052:389) must not be overwritten (set replication log for additional info)
[25/Nov/2014:20:49:42 +051800] NSMMReplicationPlugin - [S] Schema agmt="cn=meTovm-idm-052.testrelm.test" (vm-idm-052:389) must not be overwritten (set replication log for additional info)
[25/Nov/2014:20:49:42 +051800] NSMMReplicationPlugin - agmt="cn=meTovm-idm-052.testrelm.test" (vm-idm-052:389): Warning: unable to replicate schema: rc=1

Version-Release number of selected component (if applicable):
Master (rhel6.6):
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-48.el6_6.x86_64

Replica (rhel7.1):
ipa-server-4.1.0-7.el7.x86_64
389-ds-base-1.3.3.1-9.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  setup IPA master on RHEL6.6 server
2.  setup IPA replica on RHEL7.1 server
3.

Actual results:
errors in log file and 

Expected results:


Additional info:
getting more logs and replication debugging information that I will attach.

Comment 1 Scott Poore 2014-11-25 18:14:18 UTC
Created attachment 961321 [details]
RHEL 6.6 Master dirsrv errors log after replica install

Comment 2 Scott Poore 2014-11-25 18:14:56 UTC
Created attachment 961322 [details]
RHEL 7.1 Replica dirsrv errors log after replica install

Comment 3 Scott Poore 2014-11-25 18:15:29 UTC
Created attachment 961323 [details]
RHEL 6.6 Master dirsrv errors log after clean restart with replication logging

Comment 5 Scott Poore 2014-11-25 18:19:59 UTC
Created attachment 961324 [details]
RHEL 7.1 Replica dirsrv errors log after clean restart with replication logging

Comment 6 Scott Poore 2014-11-25 19:54:05 UTC
Created attachment 961360 [details]
RHEL 6.6 Master dirsrv errors log after copy schema

Comment 7 Scott Poore 2014-11-25 19:54:33 UTC
Created attachment 961361 [details]
RHEL 7.1 Replica dirsrv errors log after copy schema

Comment 8 Martin Kosek 2014-11-26 15:02:15 UTC
Ludwig or Thierry, can either of you please investigate this one?

Comment 9 Ludwig 2014-11-26 15:04:26 UTC
I'll look into it

Comment 10 thierry bordaz 2014-11-26 15:26:02 UTC
Just a few comments:

  - The problem is related to schema replication between version

  - During the first replication session the master fails to send its schema
master
[25/Nov/2014:20:49:34 +051800] NSMMReplicationPlugin - agmt="cn=meTovm-idm-046.testrelm.test" (vm-idm-046:389): Schema replication update failed: Server is unwilling to perform
[25/Nov/2014:20:49:34 +051800] NSMMReplicationPlugin - agmt="cn=meTovm-idm-046.testrelm.test" (vm-idm-046:389): Warning: unable to replicate schema: rc=1

consumer
[25/Nov/2014:20:49:33 +051800] schema - [C] Local objectClasses must not be overwritten (set replication log for additional info)

  - The ability for a DS instance to "learn" its missing definition is done in https://fedorahosted.org/389/ticket/47721

  - The above errors should be transient during the "learning" phase.
    So here it looks like the DS instances are not able to learn the missing definitions.
    I think enabling the replication log should help to know why extra definitions are missing

Comment 11 Ludwig 2014-11-26 15:37:13 UTC
The error log after schema copy still says that attributes cannot be found in the schema. Can you tar the schema directory on both machines and upload it?

Comment 12 Ludwig 2014-11-27 08:28:04 UTC
Looks like replication cannot reconcile the schema differences:

[25/Nov/2014:23:37:24 +051800] schema - remote consumer schema attribute [nsViewFilter] syntax can not be overwritten
[25/Nov/2014:23:37:25 +051800] schema - remote consumer schema attribute [mgrpRFC822MailMember] syntax can not be overwritten
[25/Nov/2014:23:37:26 +051800] NSMMReplicationPlugin - [S] Schema agmt="cn=meTovm-idm-052.testrelm.test" (vm-idm-052:389) must not be overwritten (set replication log for additional info)

Thierry, can you confirm that this is a situation where schemas are incompatible?

Scott, please upload the schema files from both instances.

Comment 13 thierry bordaz 2014-11-27 08:36:53 UTC
A server acting as a consumer may refuse a received schema if the schema is missing some definitions (attribute/objectclass) compared to the schema currently running on the consumer.
In that case the message is logged with a [C].

A server acting as a supplier may refuse to send the schema if the schema it is about to send (its schema) is missing definitions compared to what is currently running on the consumer.
In that case the message is logged with a [S]

You may enable the replication log on both servers, it will then log additional information in particular what attribute/objectclass are problematic.

This kind of issue should be resolved by https://fedorahosted.org/389/ticket/47721 that allows a server to 'learn' what it does not know. So such message should be transient. 47721 needs to be fixed in one or both of the replica to make it work.
Apparently there is a corner case here and likely there is a bug in 47721.

Comment 14 Ludwig 2014-11-27 08:44:39 UTC
Thierry, the snippet in comment 12 is from a log with replication logging, it is in the attachment (4)

But copying the schema files to 6.6 should resolve the issue, no ?

Comment 15 thierry bordaz 2014-11-27 09:06:21 UTC
In this attachment we can see that the 7.1 server did not want to update 6.6 because:
[25/Nov/2014:23:36:51 +051800] schema - Attribute nsds5ReplicaPreciseTombstonePurging is not allowed in 'nsDS5Replica' of the remote consumer schema
[25/Nov/2014:23:36:53 +051800] schema - Attribute nstombstonecsn is not allowed in 'nsTombstone' of the remote consumer schema
[25/Nov/2014:23:36:53 +051800] schema - Attribute nsds5ReplicaProtocolTimeout is not allowed in 'nsDS5ReplicationAgreement' of the remote consumer schema
[25/Nov/2014:23:36:53 +051800] schema - Attribute nsSaslMapPriority is not allowed in 'nsSaslMapping' of the remote consumer schema
[25/Nov/2014:23:36:53 +051800] schema - Attribute sslVersionMin is not allowed in 'nsEncryptionConfig' of the remote consumer schema
[25/Nov/2014:23:36:53 +051800] schema - Attribute nsRoleScopeDN is not allowed in 'nsRoleDefinition' of the remote consumer schema
[25/Nov/2014:23:36:54 +051800] schema - Attribute winSyncDirectoryFilter is not allowed in 'nsDSWindowsReplicationAgreement' of the remote consumer schema
[25/Nov/2014:23:36:54 +051800] schema - Attribute dnaRemoteBindDN is not allowed in 'dnaPluginConfig' of the remote consumer schema
[25/Nov/2014:23:36:57 +051800] schema - Attribute dnaRemoteBindMethod is not allowed in 'dnaSharedConfig' of the remote consumer schema
[25/Nov/2014:23:36:58 +051800] schema - Attribute mail is no longer 'required' in 'mailGroup' of the remote consumer schema but is now 'allowed'
[25/Nov/2014:23:37:06 +051800] schema - Attribute mail is not allowed in 'mailGroup' of the remote consumer schema
[25/Nov/2014:23:37:06 +051800] schema - Attribute ipaAssignedIDView is not allowed in 'ipaHost' of the remote consumer schema
[25/Nov/2014:23:37:07 +051800] schema - Attribute ipaNTSIDBlacklistIncoming is not allowed in 'ipaNTTrustedDomain' of the remote consumer schema
[25/Nov/2014:23:37:07 +051800] schema - Attribute ipaRangeType is not required in 'ipaIDrange' of the remote consumer schema
[25/Nov/2014:23:37:07 +051800] schema - Attribute cn is not allowed in 'idnsRecord' of the remote consumer schema
[25/Nov/2014:23:37:08 +051800] schema - Remote idnsRecord schema objectclasses is a superset of the received one.
[25/Nov/2014:23:37:08 +051800] schema - Attribute idnsSecInlineSigning is not allowed in 'idnsZone' of the remote consumer schema
[25/Nov/2014:23:37:08 +051800] schema - Do not check if this OBJECTCLASS is missing on local/remote schema [printer-uri or printer-uri-oid]
[25/Nov/2014:23:37:08 +051800] schema - Attribute ipaSudoRunAsExtUserGroup is not allowed in 'ipaSudoRule' of the remote consumer schema
[25/Nov/2014:23:37:09 +051800] schema - Attribute ipaUniqueID is not required in 'ipaSudoCmdGrp' of the remote consumer schema
[25/Nov/2014:23:37:09 +051800] schema - Attribute nsds5ReplicaPreciseTombstonePurging is not allowed in 'nsDS5Replica' of the remote consumer schema
[25/Nov/2014:23:37:10 +051800] schema - Attribute nstombstonecsn is not allowed in 'nsTombstone' of the remote consumer schema
[25/Nov/2014:23:37:10 +051800] schema - Attribute nsds5ReplicaProtocolTimeout is not allowed in 'nsDS5ReplicationAgreement' of the remote consumer schema
[25/Nov/2014:23:37:10 +051800] schema - Attribute nsSaslMapPriority is not allowed in 'nsSaslMapping' of the remote consumer schema
[25/Nov/2014:23:37:10 +051800] schema - Attribute sslVersionMin is not allowed in 'nsEncryptionConfig' of the remote consumer schema
[25/Nov/2014:23:37:11 +051800] schema - Attribute nsRoleScopeDN is not allowed in 'nsRoleDefinition' of the remote consumer schema
[25/Nov/2014:23:37:11 +051800] schema - Attribute winSyncDirectoryFilter is not allowed in 'nsDSWindowsReplicationAgreement' of the remote consumer schema
[25/Nov/2014:23:37:11 +051800] schema - Attribute dnaRemoteBindDN is not allowed in 'dnaPluginConfig' of the remote consumer schema
[25/Nov/2014:23:37:11 +051800] schema - Attribute dnaRemoteBindMethod is not allowed in 'dnaSharedConfig' of the remote consumer schema
[25/Nov/2014:23:37:12 +051800] schema - Attribute mail is not allowed in 'mailGroup' of the remote consumer schema
[25/Nov/2014:23:37:12 +051800] schema - Attribute ipaAssignedIDView is not allowed in 'ipaHost' of the remote consumer schema
[25/Nov/2014:23:37:12 +051800] schema - Attribute ipaNTSIDBlacklistIncoming is not allowed in 'ipaNTTrustedDomain' of the remote consumer schema
[25/Nov/2014:23:37:12 +051800] schema - Attribute ipaRangeType is not required in 'ipaIDrange' of the remote consumer schema
[25/Nov/2014:23:37:14 +051800] schema - Attribute DLVRecord is not allowed in 'idnsRecord' of the remote consumer schema
[25/Nov/2014:23:37:15 +051800] schema - Attribute idnsSecInlineSigning is not allowed in 'idnsZone' of the remote consumer schema
[25/Nov/2014:23:37:15 +051800] schema - Attribute ipaSudoRunAsExtUserGroup is not allowed in 'ipaSudoRule' of the remote consumer schema
[25/Nov/2014:23:37:21 +051800] schema - Attribute ipaUniqueID is not required in 'ipaSudoCmdGrp' of the remote consumer schema
[25/Nov/2014:23:37:24 +051800] schema - remote consumer schema attribute [nsViewFilter] syntax can not be overwritten
[25/Nov/2014:23:37:25 +051800] schema - remote consumer schema attribute [mgrpRFC822MailMember] syntax can not be overwritten
[25/Nov/2014:23:37:26 +051800] NSMMReplicationPlugin - [S] Schema agmt="cn=meTovm-idm-052.testrelm.test" (vm-idm-052:389) must not be overwritten (set replication log for additional info)


Those errors occur regularly. So 47721 fails to resolve the missing definitions. Perhaps in some specific cases it needs to be fixed on both sides.

In those cases, copying the schema should be enough to fix the issue.
About user99.ldif, was it also overwritten?
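Comment 13 above gives the rule (a supplier will not push a schema that is missing definitions the consumer has; a consumer will not accept one that is missing definitions it has), comment 15 shows the log that rule produces, and Workaround 2 in the Doc Text is the edit that resolves it for idnsRecord. The following is an added example, not code from this bug, from 389-ds or from FreeIPA: a pre-flight check in Python that parses objectClass definitions out of two LDIF schema files, lists the per-objectclass attribute differences in the wording the dirsrv replication log uses, applies a simplified supplier-side rule (assumed here, not 389-ds's actual comparison code: refuse when the consumer's definition of any objectclass allows attributes the supplier's does not), and applies Workaround 2 as a text edit so the result can be re-checked before a replica is installed. The two schema snippets are constructed: placeholder OIDs, trimmed attribute lists, and only the differences this bug is about (cn on 6.6 only, DLVRecord and idnsSecInlineSigning on 7.1 only). MUST-to-MAY moves, attribute syntax changes and objectclasses present on one side only are not modelled.

```python
import re

# Constructed schema snippets modelled on the idnsRecord and idnsZone objectClasses of
# /usr/share/ipa/60ipadns.ldif. OIDs are placeholders and attribute lists are trimmed;
# only the differences this bug is about are reproduced. Continuation lines start with a
# space as in LDIF; the second space survives unfolding and keeps the tokens separated.
SCHEMA_66 = """\
objectClasses: ( 1.2.3.4.1 NAME 'idnsRecord' DESC 'constructed 6.6-style record' SUP top STRUCTURAL
  MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ ARecord $ AAAARecord $ NSRecord $ PTRRecord ) X-ORIGIN 'IPA v2' )
objectClasses: ( 1.2.3.4.2 NAME 'idnsZone' DESC 'constructed 6.6-style zone' SUP idnsRecord STRUCTURAL
  MUST ( idnsSOAmName $ idnsSOArName ) MAY ( idnsAllowQuery $ idnsAllowTransfer ) X-ORIGIN 'IPA v2' )
"""
SCHEMA_71 = """\
objectClasses: ( 1.2.3.4.1 NAME 'idnsRecord' DESC 'constructed 7.1-style record' SUP top STRUCTURAL
  MUST idnsName MAY ( idnsAllowDynUpdate $ ARecord $ AAAARecord $ NSRecord $ PTRRecord $ DLVRecord ) X-ORIGIN 'IPA v2' )
objectClasses: ( 1.2.3.4.2 NAME 'idnsZone' DESC 'constructed 7.1-style zone' SUP idnsRecord STRUCTURAL
  MUST ( idnsSOAmName $ idnsSOArName ) MAY ( idnsAllowQuery $ idnsAllowTransfer $ idnsSecInlineSigning ) X-ORIGIN 'IPA v2' )
"""

# A MUST/MAY value is either a single name or a '$'-separated list in parentheses.
_ATTRLIST = r"(?:\(\s*([^)]*?)\s*\)|([A-Za-z][\w;-]*))"


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def _attrs(paren, single):
    """Map lowercase attribute name -> name as written (LDAP names are case-insensitive)."""
    raw = paren.split("$") if paren is not None else ([single] if single else [])
    return {a.strip().lower(): a.strip() for a in raw if a.strip()}


def parse_objectclasses(text):
    """Return {lowercase objectclass name: {'name', 'must', 'may'}} from LDIF schema text."""
    classes = {}
    for line in unfold_ldif(text):
        name = re.search(r"NAME\s+'([^']+)'", line)
        if not line.lower().startswith("objectclasses:") or name is None:
            continue
        must = re.search(r"\bMUST\s+" + _ATTRLIST, line)
        may = re.search(r"\bMAY\s+" + _ATTRLIST, line)
        classes[name.group(1).lower()] = {
            "name": name.group(1),
            "must": _attrs(*must.groups()) if must else {},
            "may": _attrs(*may.groups()) if may else {},
        }
    return classes


def compare_objectclass(supplier, consumer):
    """Attributes (MUST or MAY) allowed by one side's definition but not by the other's."""
    s_all = {**supplier["must"], **supplier["may"]}
    c_all = {**consumer["must"], **consumer["may"]}
    s_extra = [s_all[k] for k in sorted(set(s_all) - set(c_all))]
    c_extra = [c_all[k] for k in sorted(set(c_all) - set(s_all))]
    return s_extra, c_extra


def supplier_can_push(supplier_schema, consumer_schema):
    """Simplified [S]-side check (assumed rule, not 389-ds's code): the supplier refuses to
    push its schema when the consumer's definition of some objectclass allows attributes
    the supplier's does not, i.e. the remote definition is a superset. Attributes only the
    supplier has are fine, since the consumer can learn them. Messages copy the wording of
    the dirsrv replication log. Returns (ok, messages)."""
    ok, messages = True, []
    for key in sorted(set(supplier_schema) & set(consumer_schema)):
        s_oc, c_oc = supplier_schema[key], consumer_schema[key]
        s_extra, c_extra = compare_objectclass(s_oc, c_oc)
        for attr in s_extra:
            messages.append(f"Attribute {attr} is not allowed in '{s_oc['name']}' of the remote consumer schema")
        if c_extra:
            messages.append(f"Remote {s_oc['name']} schema objectclasses is a superset of the received one.")
            ok = False
    return ok, messages


def add_may_attribute(ldif_text, oc_name, attr):
    """Workaround 2 as a text edit: add `attr` to the MAY list of objectclass `oc_name`.
    Returns the edited, unfolded LDIF text; the input string is left untouched."""
    out = []
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("objectclasses:") and re.search(
                r"NAME\s+'%s'" % re.escape(oc_name), line, re.IGNORECASE):
            m = re.search(r"\bMAY\s+" + _ATTRLIST, line)
            existing = _attrs(*m.groups()) if m else {}   # insertion order is preserved
            if attr.lower() not in existing:
                new_may = "MAY ( " + " $ ".join([attr] + list(existing.values())) + " )"
                if m:
                    line = line[:m.start()] + new_may + line[m.end():]
                else:  # no MAY clause yet: insert one before X-ORIGIN or the closing ')'
                    at = re.search(r"\s+X-ORIGIN\b|\s*\)\s*$", line).start()
                    line = line[:at] + " " + new_may + line[at:]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    s66, s71 = parse_objectclasses(SCHEMA_66), parse_objectclasses(SCHEMA_71)
    for label, sup, con in (("7.1 -> 6.6", s71, s66), ("6.6 -> 7.1", s66, s71)):
        ok, msgs = supplier_can_push(sup, con)
        print(label, "schema push OK" if ok else "[S] Schema must not be overwritten")
        for msg in msgs:
            print("   ", msg)
    patched = parse_objectclasses(add_may_attribute(SCHEMA_71, "idnsRecord", "cn"))
    print("patched 7.1 -> 6.6:", "OK" if supplier_can_push(patched, s66)[0] else "still refused")
```

Run against the two constructed snippets, neither direction can push: for idnsRecord each side allows one attribute the other lacks (cn versus DLVRecord), so neither definition is a superset, which is the conflict the Doc Text describes. After `add_may_attribute` restores cn on the 7.1 side, the 7.1 definitions are a superset everywhere (idnsZone already was) and the 7.1 to 6.6 push is accepted. To use it on real servers, feed it the `*.ldif` files from each instance's schema directory, which is what comment 11 asks to be tarred up; the refusal rule is a simplification, so treat a reported superset as something to inspect rather than as 389-ds's final verdict.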

Comment 16 Scott Poore 2014-12-01 17:34:41 UTC
Created attachment 963381 [details]
/etc/dirsrv from new RHEL6.6 master

Comment 17 Scott Poore 2014-12-01 17:35:14 UTC
Created attachment 963382 [details]
/etc/dirsrv from RHEL7.1 replica

Comment 18 Scott Poore 2014-12-01 17:51:20 UTC
I've uploaded /etc/dirsrv to look at schema files (and anything else) from two new servers where I reproduced this issue.  I also have the logs for these if needed and can provide login access if necessary.

Let me know if you need anything else from these.

Comment 22 Petr Vobornik 2014-12-05 09:57:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4794

Comment 26 Scott Poore 2014-12-12 04:53:38 UTC
Verified.

Version ::

ipa-server-4.1.0-12.el7.x86_64

Results ::

[root@rhel7-3 ~]# grep "Attribute cn is not allowed in 'idnsRecord' of the remote consumer schema" /var/log/dirsrv/slapd-EXAMPLE-COM/errors

[root@rhel7-3 ~]# 

So, some of the main errors are not present.

[root@rhel6-1 ~]# ipa dnszone-find
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: rhel6-1.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1418352809
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: example.com
  Authoritative nameserver: rhel6-1.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1418357082
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

It has to be noted that the first sign I saw there was a problem originally was that the RHEL6 server returned 0 entries for dnszone-find.

Comment 28 errata-xmlrpc 2015-03-05 10:15:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

