Bug 754973 - "force-sync, re-initialize and del" options for ipa-replica-manage fail against AD.
Summary: "force-sync, re-initialize and del" options for ipa-replica-manage fail again...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-18 12:23 UTC by Gowrishankar Rajaiyan
Modified: 2012-06-20 13:17 UTC (History)
4 users (show)

Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: ipa-replica-manage force-sync, re-initialize and del commands failed when used against winsync agreement on Active Directory machine. Consequence: User ability to control winsync replication agreements are limited. Fix: ipa-replica-manage was fixed to manage both standard replication agreement and winsync agreements in a more robust way. Result: User experience with a management of winsync agreements should improve.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:17:43 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Gowrishankar Rajaiyan 2011-11-18 12:23:29 UTC
Description of problem:
"force-sync, re-initialize and del" fail against AD. On the same setup I created a standard replica and these options for ipa-replica-manage work as expected.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. [root@decepticons ~]# ipa-replica-manage force-sync --from dhcp201-112.englab.pnq.redhat.com


  
Actual results:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM not found in Kerberos database)
[root@decepticons ~]#

Expected results:
force-sync and other options (re-initialize and del) are successful.

Additional info:

Against AD:
[root@decepticons ~]# kinit admin
Password for admin@LAB.ENG.PNQ.REDHAT.COM: 


[root@decepticons ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]# 


[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
[root@decepticons ~]# 


[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/wincertnew.cer to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111118110522Z: end: 20111118110522Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to 'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]# 


[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
dhcp201-112.englab.pnq.redhat.com: winsync
[root@decepticons ~]# 


[root@decepticons ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
11/18/11 16:35:04  11/19/11 16:34:54  ldap/decepticons.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]# 


[root@decepticons ~]# ipa-replica-manage force-sync --from dhcp201-112.englab.pnq.redhat.com
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM not found in Kerberos database)
[root@decepticons ~]#





Against standard replica:

[root@decepticons ~]# /usr/sbin/ipa-replica-manage re-initialize --from sideswipe.lab.eng.pnq.redhat.com
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
[root@decepticons ~]# 


[root@decepticons ~]# /usr/sbin/ipa-replica-manage force-sync --from sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]# 


[root@decepticons ~]# ipa-replica-manage del sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]# 


[root@decepticons ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 17:06:58  11/19/11 17:06:56  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
11/18/11 17:07:07  11/19/11 17:06:56  ldap/decepticons.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
11/18/11 17:07:43  11/19/11 17:06:56  ldap/sideswipe.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]#

Comment 2 Martin Kosek 2011-11-21 09:28:27 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2128

Comment 6 Martin Kosek 2012-04-19 12:31:08 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: ipa-replica-manage force-sync, re-initialize and del commands failed when used against winsync agreement on Active Directory machine.
Consequence: User ability to control winsync replication agreements are limited.
Fix: ipa-replica-manage was fixed to manage both standard replication agreement and winsync agreements in a more robust way.
Result: User experience with a management of winsync agreements should improve.

Comment 7 Steeve Goveas 2012-04-25 10:54:27 UTC
Created a winsync agreement between IPA and Active directory

[root@primenova ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/etc/openldap/certs/ADcert.cer dhcp201-215.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /etc/openldap/certs/ADcert.cer to certificate database for primenova.lab.eng.pnq.redhat.com
ipa: INFO: AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20120425070725Z: end: 20120425070725Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'primenova.lab.eng.pnq.redhat.com' to 'dhcp201-215.englab.pnq.redhat.com'

[root@primenova ~]# ipa user-find steeve
--------------
1 user matched
--------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

Added new user steeve2

[root@primenova ~]# ipa-replica-manage force-sync --from dhcp201-215.englab.pnq.redhat.com
ipa: INFO: Setting agreement cn=meTodhcp201-215.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTodhcp201-215.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config

[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve2
  First name: steeve2
  Last name: ad
  Home directory: /home/steeve2
  Login shell: /bin/sh
  UID: 1084800133
  GID: 1084800133
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------

Deleted user steeve2 and added new user steeve3

[root@primenova ~]# ipa-replica-manage re-initialize --from dhcp201-215.englab.pnq.redhat.comUpdate succeeded
[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve3
  First name: steeve3
  Last name: ads
  Home directory: /home/steeve3
  Login shell: /bin/sh
  UID: 1084800137
  GID: 1084800137
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------

Deleted agreement

[root@primenova ~]# ipa-replica-manage del dhcp201-215.englab.pnq.redhat.com
Forcing removal on 'primenova.lab.eng.pnq.redhat.com'
Deleted replication agreement from 'primenova.lab.eng.pnq.redhat.com' to 'dhcp201-215.englab.pnq.redhat.com'
Failed to cleanup dhcp201-215.englab.pnq.redhat.com DNS entries: SRV record does not contain '0 100 389 dhcp201-215'
You may need to manually remove them from the tree

[root@primenova ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/24/12 05:45:56  04/25/12 05:45:53  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
04/24/12 05:46:02  04/25/12 05:45:53  HTTP/primenova.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
04/24/12 05:47:00  04/25/12 05:45:53  ldap/primenova.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@primenova ~]#

Verified in version ipa-server-2.2.0-11.el6.x86_64

Comment 9 errata-xmlrpc 2012-06-20 13:17:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html


Note You need to log in before you can comment on or make changes to this bug.