749275 – ipa-csreplica-manage list is incorrect when setting agreement between 2 replicas

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 749275 - ipa-csreplica-manage list is incorrect when setting agreement between 2 replicas

Summary: ipa-csreplica-manage list is incorrect when setting agreement between 2 replicas

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:	788140
Blocks:	756082
TreeView+	depends on / blocked

Reported:	2011-10-26 15:44 UTC by Namita Soman
Modified:	2012-06-20 13:15 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-2.2.0-1.el6
Doc Type:	Bug Fix
Doc Text:	No documentation needed.
Clone Of:
Environment:
Last Closed:	2012-06-20 13:15:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
From replica2: ldapsearch -x -D 'cn=directory manager' -b 'cn=mapping tree,cn=config' (5.60 KB, text/plain) 2011-10-26 15:50 UTC, Namita Soman	no flags	Details
from replica3 (4.75 KB, text/plain) 2011-10-26 15:52 UTC, Namita Soman	no flags	Details
Test verification info, stdout for Master and Replica Installs. (22.64 KB, text/plain) 2012-05-24 16:03 UTC, Kashyap Chamarthy	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0819	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2012-06-19 20:34:17 UTC

Description Namita Soman 2011-10-26 15:44:21 UTC

Description of problem:
- Installed a Master
- Generated Replica Packages from Master for Replica1, Replica2, and installed 2 Replicas - Replica1, Replica2
- Installed CS on Replica2, generated Replica Package from Replica2 for Replica3, and installed Replica3

When running:
# ipa-csreplica-manage list on master, it lists master, replica1, replica2
but running: 
# ipa-csreplica-manage list on replica2, expected replica3 to be in the list, and it wasn't
Also:
# ipa-csreplica-manage list on replica3, listed all 4 servers - master, replica1, replica2, replica3


Attaching ldapsearch outputs from replica2 and replica3

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
As listed in description above
  
Actual results:
ipa-csreplica-manage from replica2 doesn't include replica3

Expected results:
ipa-csreplica-manage from replica2 should include replica3

Additional info:
When running:
ipa-csreplica-manage list on master, it lists master, replica1, replica2
output:
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master


but running: 
ipa-csreplica-manage list on replica2, expected replica3 to be in the list, and it wasn't
output:
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master

Also:
ipa-csreplica-manage list on replica3, listed all 4 servers - master, replica1, replica2, replica3
output:
ipa-replica3.testrelm: CA not configured
ipa-replica1.testrelm: CA not configured
ipa-replica2.testrelm: master
ipa-master.testrelm: master

Comment 1 Namita Soman 2011-10-26 15:50:55 UTC

Created attachment 530308 [details]
From replica2: ldapsearch -x -D 'cn=directory manager' -b 'cn=mapping tree,cn=config'

Comment 2 Namita Soman 2011-10-26 15:52:37 UTC

Created attachment 530309 [details]
from replica3

Comment 4 Namita Soman 2011-10-26 15:54:40 UTC

note that my replica hostnames are a bit off on numbers in relation to how they
are referred above.
In my env, they are ipa-master, ipa-replica, ipa-replica1, ipa-replica2

Comment 5 Rob Crittenden 2011-10-26 20:51:13 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2031

Comment 7 Rob Crittenden 2012-02-03 16:28:26 UTC

I have been unable to reproduce this. I invested where we get the information on available masters further and rather than getting it from the replication agreements we get it from the cn=masters,cn=ipa,cn=etc,$SUFFIX. 389-ds replication should always keep this in sync.

Did you break IPA replication between these servers at any time (using ipa-replica-manage)?

Comment 8 Namita Soman 2012-02-03 16:42:53 UTC

I may have...was some time back, and don't remember for sure. I do recall using ipa-replica-manage to change my config while testing.....so it is possible.

Comment 9 Martin Kosek 2012-02-03 17:19:14 UTC

This may be connected to Bug 755094. Ondra Hamada is investigating it. So far he was only able reproduce the issue on RHEL 6.2.

Comment 10 Martin Kosek 2012-02-08 15:52:49 UTC

Ondrej Hamada found out that this issue is fixed by 389-ds-base-1.2.10.rc1 which was released for Fedora and epel6. I will link this BZ to Bug 788140 that Rich marked as the root cause of this bug.

Comment 13 Martin Kosek 2012-04-19 11:21:14 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 14 Kashyap Chamarthy 2012-05-24 15:56:37 UTC

VERIFIED.

[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# rpm -q ipa-server
ipa-server-2.2.0-15.el6.x86_64
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# 

Test:
-----
1] Create Master (neptune)
1.1] Create replica files for Replica-1(mars) and Replica-2(silverbolt). And scp them to respective machines.

2] Do a replica install with '--setup-ca' on Replica-1 

3] Do a replica install with '--setup-ca' on Replica-2

3.1] Generate a replica file on Replica-2 for Replica-3

4] On Replica-3, Do an replica install with '--setup-ca'

Then run 'ipa-csreplica-manage list' on Master, Replica1, Replica-2, Replica-3

On Master
---------
[root@neptune ~]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@neptune ~]# 

[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 neptune.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# 


[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@neptune slapd-LAB-ENG-PNQ-REDHAT-COM]# 


On Replica-1 (mars. This is replica of Master with --setup-ca)
------------
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# 

(Expected)
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 mars.lab.eng.pnq.redhat.com  
Can't contact LDAP server 
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# 

[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@mars slapd-LAB-ENG-PNQ-REDHAT-COM]# 


On Replica-2 (silverbolt. This is replica of Master with --setup-ca)
------------
[root@silverbolt ~]# ipa-csreplica-manage list -p Secret123
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master

[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# 

[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# ipa-csreplica-manage list -p Secret123 uranus.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@silverbolt slapd-LAB-ENG-PNQ-REDHAT-COM]# 


On Replica-3 (uranus. This is replica of uranus with --setup-ca)
------------
[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 
mars.lab.eng.pnq.redhat.com: CA not configured
neptune.lab.eng.pnq.redhat.com: master
silverbolt.lab.eng.pnq.redhat.com: master
uranus.lab.eng.pnq.redhat.com: master
[root@uranus network-scripts]# 


[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 uranus.lab.eng.pnq.redhat.com
silverbolt.lab.eng.pnq.redhat.com
[root@uranus network-scripts]# 


[root@uranus network-scripts]# ipa-csreplica-manage list -p Secret123 silverbolt.lab.eng.pnq.redhat.com
neptune.lab.eng.pnq.redhat.com
uranus.lab.eng.pnq.redhat.com
[root@uranus network-scripts]#

Comment 15 Kashyap Chamarthy 2012-05-24 16:03:07 UTC

Created attachment 586670 [details]
Test verification info, stdout for Master and Replica Installs.

Comment 17 errata-xmlrpc 2012-06-20 13:15:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

Note You need to log in before you can comment on or make changes to this bug.