
Bug 749275

Summary: ipa-csreplica-manage list is incorrect when setting agreement between 2 replicas
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.1
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Namita Soman <nsoman>
Assignee: Rob Crittenden <rcritten>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: jgalipea, kchamart, mkosek, ohamada
Target Milestone: rc
Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Last Closed: 2012-06-20 13:15:51 UTC
Bug Depends On: 788140
Bug Blocks: 756082
Attachments:
- From replica2: ldapsearch -x -D 'cn=directory manager' -b 'cn=mapping tree,cn=config'
- from replica3
- Test verification info, stdout for Master and Replica Installs.

Description Namita Soman 2011-10-26 15:44:21 UTC
Description of problem:
- Installed a Master
- Generated Replica Packages from Master for Replica1, Replica2, and installed 2 Replicas - Replica1, Replica2
- Installed CS on Replica2, generated Replica Package from Replica2 for Replica3, and installed Replica3

When running:
# ipa-csreplica-manage list on master, it lists master, replica1, replica2
but running: 
# ipa-csreplica-manage list on replica2, expected replica3 to be in the list, and it wasn't
Also:
# ipa-csreplica-manage list on replica3, listed all 4 servers - master, replica1, replica2, replica3


Attaching ldapsearch outputs from replica2 and replica3

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
As listed in description above
  
Actual results:
ipa-csreplica-manage from replica2 doesn't include replica3

Expected results:
ipa-csreplica-manage from replica2 should include replica3

Additional info:
When running:
ipa-csreplica-manage list on master, it lists master, replica1, replica2
output:
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master


but running: 
ipa-csreplica-manage list on replica2, expected replica3 to be in the list, and it wasn't
output:
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master

Also:
ipa-csreplica-manage list on replica3, listed all 4 servers - master, replica1, replica2, replica3
output:
ipa-replica3.testrelm: CA not configured
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master

Comment 1 Namita Soman 2011-10-26 15:50:55 UTC
Created attachment 530308 [details]
From replica2: ldapsearch -x -D 'cn=directory manager' -b 'cn=mapping tree,cn=config'

Comment 2 Namita Soman 2011-10-26 15:52:37 UTC
Created attachment 530309 [details]
from replica3

Comment 4 Namita Soman 2011-10-26 15:54:40 UTC
note that my replica hostnames are a bit off on numbers in relation to how they
are referred above.
In my env, they are ipa-master, ipa-replica, ipa-replica1, ipa-replica2

Comment 5 Rob Crittenden 2011-10-26 20:51:13 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2031

Comment 7 Rob Crittenden 2012-02-03 16:28:26 UTC
I have been unable to reproduce this. I investigated where we get the information on available masters further and rather than getting it from the replication agreements we get it from the cn=masters,cn=ipa,cn=etc,$SUFFIX. 389-ds replication should always keep this in sync.

Did you break IPA replication between these servers at any time (using ipa-replica-manage)?

Comment 8 Namita Soman 2012-02-03 16:42:53 UTC
I may have...was some time back, and don't remember for sure. I do recall using ipa-replica-manage to change my config while testing.....so it is possible.

Comment 9 Martin Kosek 2012-02-03 17:19:14 UTC
This may be connected to Bug 755094. Ondra Hamada is investigating it. So far he was only able to reproduce the issue on RHEL 6.2.

Comment 10 Martin Kosek 2012-02-08 15:52:49 UTC
Ondrej Hamada found out that this issue is fixed by 389-ds-base-1.2.10.rc1 which was released for Fedora and epel6. I will link this BZ to Bug 788140 that Rich marked as the root cause of this bug.

Comment 13 Martin Kosek 2012-04-19 11:21:14 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 14 Kashyap Chamarthy 2012-05-24 15:56:37 UTC
VERIFIED.

[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# rpm -q ipa-server
ipa-server-2.2.0-15.el6.x86_64
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# 

Test:
-----
1] Create Master (neptune)
1.1] Create replica files for Replica-1(mars) and Replica-2(silverbolt). And scp them to respective machines.

2] Do a replica install with '--setup-ca' on Replica-1 

3] Do a replica install with '--setup-ca' on Replica-2

3.1] Generate a replica file on Replica-2 for Replica-3

4] On Replica-3, Do a replica install with '--setup-ca'

Then run 'ipa-csreplica-manage list' on Master, Replica1, Replica-2, Replica-3

On Master
---------
[root@neptune ~]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@neptune ~]# 

[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 neptune.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# 


[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# 


On Replica-1 (mars. This is replica of Master with --setup-ca)
------------
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# 

(Expected)
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 mars.lab.eng.pnq.redhat.com  
Can't contact LDAP server 
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# 

[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# 


On Replica-2 (silverbolt. This is replica of Master with --setup-ca)
------------
[root@silverbolt ~]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master

[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# 

[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 uranus.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# 


On Replica-3 (uranus. This is replica of uranus with --setup-ca)
------------
[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@uranus network-scripts]# 


[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 uranus.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@uranus network-scripts]# 


[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@uranus network-scripts]#
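
The cross-server comparison done by hand in this bug can be scripted. The following is an added example, not part of any comment above and not FreeIPA code: it parses `ipa-csreplica-manage list` output collected from several servers, reports hosts missing from a server's view (the symptom in the description), and checks that per-host agreement lists are symmetric. The function names are assumptions; the sample data is transcribed from the outputs quoted in the description and in Comment 14.

```python
def parse_list(output):
    """Parse 'host: role' lines from `ipa-csreplica-manage list` into a dict."""
    view = {}
    for line in output.strip().splitlines():
        host, sep, role = line.partition(":")
        if sep:
            view[host.strip()] = role.strip()
    return view


def missing_hosts(views):
    """Map each server to the hosts other servers list but it does not."""
    everyone = set().union(*views.values())
    gaps = {srv: sorted(everyone - set(view)) for srv, view in views.items()}
    return {srv: hosts for srv, hosts in gaps.items() if hosts}


def asymmetric_agreements(agreements):
    """Return (a, b) pairs where a lists b as a peer but b does not list a.
    Peers whose own agreement list was not collected are skipped."""
    return sorted((a, b) for a, peers in agreements.items() for b in peers
                  if b in agreements and a not in agreements[b])


# Output quoted in the description for the master and replica2.
THREE = ("ipa-replica1.testrelm: CA not configured\n"
         "ipa-replica2.testrelm: master\n"
         "ipa-master.testrelm: master\n")
# Views keyed by the server the command was run on, as named in the description.
REPORTED = {
    "master": parse_list(THREE),
    "replica2": parse_list(THREE),
    "replica3": parse_list("ipa-replica3.testrelm: CA not configured\n" + THREE),
}
# Per-host agreement lists as quoted in the verification comment.
D = ".lab.eng.pnq.redhat.com"
VERIFIED = {
    "neptune" + D: ["silverbolt" + D],
    "silverbolt" + D: ["neptune" + D, "uranus" + D],
    "uranus" + D: ["silverbolt" + D],
}

if __name__ == "__main__":
    print("missing from view:", missing_hosts(REPORTED))
    print("one-sided agreements:", asymmetric_agreements(VERIFIED))
```

On the reported data the check flags the master and replica2 views as lacking ipa-replica3.testrelm; on the verified data every agreement is listed from both ends.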

Comment 15 Kashyap Chamarthy 2012-05-24 16:03:07 UTC
Created attachment 586670 [details]
Test verification info, stdout for Master and Replica Installs.

Comment 17 errata-xmlrpc 2012-06-20 13:15:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html