Description of problem:
"force-sync, re-initialize and del" fail against AD. On the same setup I created a standard replica and these options for ipa-replica-manage work as expected.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. [root@decepticons ~]# ipa-replica-manage force-sync --from dhcp201-112.englab.pnq.redhat.com

Actual results:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM not found in Kerberos database)
[root@decepticons ~]#

Expected results:
force-sync and other options (re-initialize and del) are successful.

Additional info:

Against AD:

[root@decepticons ~]# kinit admin
Password for admin.PNQ.REDHAT.COM:
[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/wincertnew.cer to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111118110522Z: end: 20111118110522Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to 'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
dhcp201-112.englab.pnq.redhat.com: winsync
[root@decepticons ~]#
[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
11/18/11 16:35:04  11/19/11 16:34:54  ldap/decepticons.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage force-sync --from dhcp201-112.englab.pnq.redhat.com
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM not found in Kerberos database)
[root@decepticons ~]#

Against standard replica:

[root@decepticons ~]# /usr/sbin/ipa-replica-manage re-initialize --from sideswipe.lab.eng.pnq.redhat.com
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
[root@decepticons ~]#
[root@decepticons ~]# /usr/sbin/ipa-replica-manage force-sync --from sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage del sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]#
[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 17:06:58  11/19/11 17:06:56  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
11/18/11 17:07:07  11/19/11 17:06:56  ldap/decepticons.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
11/18/11 17:07:43  11/19/11 17:06:56  ldap/sideswipe.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
[root@decepticons ~]#
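Added triage helper, not part of this bug report or of FreeIPA: it reads "ipa-replica-manage list" output to learn whether a peer is a winsync agreement, and checks a failed command's output for the "Server ... not found in Kerberos database" GSSAPI error quoted above, so an operator can tell this symptom (a Kerberos bind attempted toward an AD peer outside the IPA realm) apart from other GSSAPI failures. The sample outputs are constructed from the transcripts in this report; the function names are the author's own.

```python
import re

# Constructed sample of `ipa-replica-manage list` output (hosts as quoted in this report).
LIST_OUTPUT = """\
decepticons.lab.eng.pnq.redhat.com: master
dhcp201-112.englab.pnq.redhat.com: winsync
"""

# Constructed sample of the failing force-sync output quoted in this report.
FORCE_SYNC_OUTPUT = (
    "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. "
    "Minor code may provide more information "
    "(Server krbtgt/ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM not found in Kerberos database)"
)

# One "<host>: <type>" line per peer, as printed by `ipa-replica-manage list`.
AGREEMENT_RE = re.compile(r"^(?P<host>\S+):\s+(?P<kind>master|winsync)\s*$", re.M)
# The KDC's "unknown service principal" failure as surfaced through SASL/GSSAPI.
GSS_MISSING_RE = re.compile(
    r"GSSAPI Error.*\(Server (?P<principal>\S+) not found in Kerberos database\)"
)


def parse_agreements(text):
    """Map each peer hostname to its agreement type ('master' or 'winsync')."""
    return {m.group("host"): m.group("kind") for m in AGREEMENT_RE.finditer(text)}


def gssapi_unknown_principal(output):
    """Return the service principal the KDC rejected, or None if no such error."""
    m = GSS_MISSING_RE.search(output)
    return m.group("principal") if m else None


def diagnose(list_output, peer, command_output):
    """Classify an ipa-replica-manage run against `peer`.

    'winsync-gssapi-bind' is the symptom of this bug: a GSSAPI bind was
    attempted toward a winsync peer whose realm the IPA KDC does not know.
    """
    agreements = parse_agreements(list_output)
    if peer not in agreements:
        return "unknown-peer"
    if gssapi_unknown_principal(command_output) is None:
        return "ok"
    if agreements[peer] == "winsync":
        return "winsync-gssapi-bind"
    return "gssapi-other"
```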
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2128
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/31f00f90f1a08804e9dfdd6bdf85c2dc245bea51
ipa-2-2: https://fedorahosted.org/freeipa/changeset/fefbdce40222f926209b79eebdcbb3a1f36e1ac2
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: ipa-replica-manage force-sync, re-initialize and del commands failed when used against a winsync agreement on an Active Directory machine.
Consequence: The user's ability to control winsync replication agreements is limited.
Fix: ipa-replica-manage was fixed to manage both standard replication agreements and winsync agreements in a more robust way.
Result: User experience with management of winsync agreements should improve.
Created a winsync agreement between IPA and Active Directory

[root@primenova ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/etc/openldap/certs/ADcert.cer dhcp201-215.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /etc/openldap/certs/ADcert.cer to certificate database for primenova.lab.eng.pnq.redhat.com
ipa: INFO: AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20120425070725Z: end: 20120425070725Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'primenova.lab.eng.pnq.redhat.com' to 'dhcp201-215.englab.pnq.redhat.com'

[root@primenova ~]# ipa user-find steeve
--------------
1 user matched
--------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

Added new user steeve2

[root@primenova ~]# ipa-replica-manage force-sync --from dhcp201-215.englab.pnq.redhat.com
ipa: INFO: Setting agreement cn=meTodhcp201-215.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTodhcp201-215.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config

[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve2
  First name: steeve2
  Last name: ad
  Home directory: /home/steeve2
  Login shell: /bin/sh
  UID: 1084800133
  GID: 1084800133
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------

Deleted user steeve2 and added new user steeve3

[root@primenova ~]# ipa-replica-manage re-initialize --from dhcp201-215.englab.pnq.redhat.com
Update succeeded

[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve3
  First name: steeve3
  Last name: ads
  Home directory: /home/steeve3
  Login shell: /bin/sh
  UID: 1084800137
  GID: 1084800137
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------

Deleted agreement

[root@primenova ~]# ipa-replica-manage del dhcp201-215.englab.pnq.redhat.com
Forcing removal on 'primenova.lab.eng.pnq.redhat.com'
Deleted replication agreement from 'primenova.lab.eng.pnq.redhat.com' to 'dhcp201-215.englab.pnq.redhat.com'
Failed to cleanup dhcp201-215.englab.pnq.redhat.com DNS entries: SRV record does not contain '0 100 389 dhcp201-215'
You may need to manually remove them from the tree

[root@primenova ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/24/12 05:45:56  04/25/12 05:45:53  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
04/24/12 05:46:02  04/25/12 05:45:53  HTTP/primenova.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
04/24/12 05:47:00  04/25/12 05:45:53  ldap/primenova.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
[root@primenova ~]#

Verified in version ipa-server-2.2.0-11.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html