Description of problem:
- Installed a Master
- Generated Replica Packages from Master for Replica1, Replica2, and installed 2 Replicas - Replica1, Replica2
- Installed CS on Replica2, generated Replica Package from Replica2 for Replica3, and installed Replica3

When running:
# ipa-csreplica-manage list
on master, it lists master, replica1, replica2

but running:
# ipa-csreplica-manage list
on replica2, expected replica3 to be in the list, and it wasn't

Also:
# ipa-csreplica-manage list
on replica3, listed all 4 servers - master, replica1, replica2, replica3

Attaching ldapsearch outputs from replica2 and replica3

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
As listed in description above

Actual results:
ipa-csreplica-manage from replica2 doesn't include replica3

Expected results:
ipa-csreplica-manage from replica2 should include replica3

Additional info:
When running: ipa-csreplica-manage list on master, it lists master, replica1, replica2
output:
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master

but running: ipa-csreplica-manage list on replica2, expected replica3 to be in the list, and it wasn't
output:
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master

Also: ipa-csreplica-manage list on replica3, listed all 4 servers - master, replica1, replica2, replica3
output:
ipa-replica3.testrelm: CA not configured
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master
Created attachment 530308
From replica2: ldapsearch -x -D 'cn=directory manager' -b 'cn=mapping tree,cn=config'

Created attachment 530309
from replica3
Note that my replica hostnames are a bit off on numbers in relation to how they are referred to above. In my env, they are ipa-master, ipa-replica, ipa-replica1, ipa-replica2
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2031
I have been unable to reproduce this. I investigated further where we get the information on available masters, and rather than getting it from the replication agreements we get it from cn=masters,cn=ipa,cn=etc,$SUFFIX. 389-ds replication should always keep this in sync. Did you break IPA replication between these servers at any time (using ipa-replica-manage)?
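Added example, not part of the bug thread or of FreeIPA's code: because the server list is read from a replicated subtree, the output captured on each server should name the same hosts, and this script reports the servers whose view is incomplete. The sample input is the output quoted in the description; the function names are hypothetical.

```python
"""Diff `ipa-csreplica-manage list` output captured on several IPA servers."""

# Outputs quoted in the bug description, keyed by the host where the
# command was run (hostnames as the reporter wrote them).
_OLD_VIEW = (
    "ipa-replica1.testrelm: CA not configured\n"
    "ipa-replica2.testrelm: master\n"
    "ipa-master.testrelm: master\n"
)
SAMPLE_VIEWS = {
    "ipa-master.testrelm": _OLD_VIEW,
    "ipa-replica2.testrelm": _OLD_VIEW,
    "ipa-replica3.testrelm": "ipa-replica3.testrelm: CA not configured\n" + _OLD_VIEW,
}


def parse_list_output(text):
    """Return {hostname: CA status} from 'host: status' lines; skip anything else."""
    servers = {}
    for line in text.splitlines():
        host, sep, status = line.strip().partition(":")
        # Error text such as "Can't contact LDAP server" has no 'fqdn:' prefix.
        if sep and "." in host and " " not in host:
            servers[host] = status.strip()
    return servers


def missing_servers(views):
    """Map each queried host to the servers other hosts list but it does not."""
    parsed = {queried: parse_list_output(out) for queried, out in views.items()}
    known = set().union(*parsed.values()) if parsed else set()
    return {
        queried: sorted(known - set(view))
        for queried, view in parsed.items()
        if known - set(view)
    }


def status_conflicts(views):
    """Map each server to its differing CA statuses when the views disagree."""
    seen = {}
    for out in views.values():
        for host, status in parse_list_output(out).items():
            seen.setdefault(host, set()).add(status)
    return {host: sorted(s) for host, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    for queried, absent in sorted(missing_servers(SAMPLE_VIEWS).items()):
        print(f"{queried}: view is missing {', '.join(absent)}")
```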
I may have...was some time back, and don't remember for sure. I do recall using ipa-replica-manage to change my config while testing.....so it is possible.
This may be connected to Bug 755094. Ondra Hamada is investigating it. So far he was only able to reproduce the issue on RHEL 6.2.
Ondrej Hamada found out that this issue is fixed by 389-ds-base-1.2.10.rc1 which was released for Fedora and epel6. I will link this BZ to Bug 788140 that Rich marked as the root cause of this bug.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
VERIFIED.

[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# rpm -q ipa-server
ipa-server-2.2.0-15.el6.x86_64
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]#

Test:
-----
1] Create Master (neptune)
1.1] Create replica files for Replica-1(mars) and Replica-2(silverbolt). And scp them to respective machines.
2] Do a replica install with '--setup-ca' on Replica-1
3] Do a replica install with '--setup-ca' on Replica-2
3.1] Generate a replica file on Replica-2 for Replica-3
4] On Replica-3, do a replica install with '--setup-ca'

Then run 'ipa-csreplica-manage list' on Master, Replica1, Replica-2, Replica-3

On Master
---------
[root@neptune ~]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@neptune ~]#
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 neptune.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]#
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]#

On Replica-1 (mars. This is replica of Master with --setup-ca)
------------
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]#
(Expected)
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 mars.lab.eng.pnq.redhat.com
Can't contact LDAP server
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]#
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]#

On Replica-2 (silverbolt. This is replica of Master with --setup-ca)
------------
[root@silverbolt ~]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]#
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 uranus.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]#

On Replica-3 (uranus. This is replica of uranus with --setup-ca)
------------
[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@uranus network-scripts]#
[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 uranus.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@uranus network-scripts]#
[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@uranus network-scripts]#
Created attachment 586670
Test verification info, stdout for Master and Replica Installs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html