Bug 811394 - IPA Replica out of sync and cannot see user added from master
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Assigned To: Rob Crittenden
IDM QE LIST
Reported: 2012-04-10 17:38 EDT by Scott Poore
Modified: 2012-04-11 14:46 EDT
Last Closed: 2012-04-11 14:46:00 EDT
Doc Type: Bug Fix
Type: Bug

Attachments:
ipareplica-install.log file (3.00 MB, application/x-gzip), 2012-04-10 17:38 EDT, Scott Poore
messages file from replica (25.93 KB, application/x-gzip), 2012-04-10 17:39 EDT, Scott Poore
dirsrv error log from replica (2.41 KB, application/x-gzip), 2012-04-10 17:39 EDT, Scott Poore
kdc log from replica (1.17 KB, application/x-gzip), 2012-04-10 17:40 EDT, Scott Poore
httpd error log from replica (766 bytes, application/x-gzip), 2012-04-10 17:40 EDT, Scott Poore

Description Scott Poore 2012-04-10 17:38:07 EDT
Created attachment 576612
ipareplica-install.log file

Description of problem:

After setting up an IPA Master server and replica, I can add a user on the Master that I cannot see from the replica.

Version-Release number of selected component (if applicable):
RHEL6.2
ipa-server-2.1.3-9.el6.x86_64
389-ds-base-1.2.9.14-1.el6.x86_64

How reproducible:
Often if not always.  

Steps to Reproduce:
1.  <setup IPA master>
2.  <setup IPA replica>
3.  ipa user-add replicatest --first=first --last=last # on Master
4.  ipa user-show replicatest # on both
  
Actual results:

See replicatest user from Master search, but not from Replica.

Expected results:

See replicatest user from both servers.

Additional info:

I see messages like this in /var/log/messages:

Apr 10 15:59:08 spoore-dvm2 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COM@TESTRELM.COM not found in Kerberos database)

in /var/log/dirsrv/slapd-TESTRELM-COM/errors:

[10/Apr/2012:15:57:21 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com@TESTRELM.COM] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[10/Apr/2012:15:57:21 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
[10/Apr/2012:15:57:21 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[10/Apr/2012:15:57:21 -0500] NSMMReplicationPlugin - agmt="cn=meTospoore-dvm1.testrelm.com" (spoore-dvm1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

...

[10/Apr/2012:15:58:46 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com@TESTRELM.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
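The dirsrv errors log quoted above mixes three different failures (a keytab the server cannot read, a missing credential cache, and a generic krb5 error) on the same replication agreement. The parser below is an added example, not part of the bug report or of 389-ds/IPA; it takes the quoted lines as constructed sample input and pulls out, per line, which principal and keytab set_krb5_creds tried and which agreement, peer and GSSAPI minor status the replication bind failed with, so the same triage can be run over a full errors log.

```python
"""
Parser for the 389-ds errors-log lines quoted in the bug description, so the
replication bind failures can be extracted programmatically. Added example;
the regexes match the line shapes shown on this page and nothing more.
"""
import re
from typing import Dict, List

# Constructed sample: the lines quoted in the bug description (replica side).
SAMPLE_ERRORS = """\
[10/Apr/2012:15:57:21 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com@TESTRELM.COM] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[10/Apr/2012:15:57:21 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
[10/Apr/2012:15:57:21 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[10/Apr/2012:15:57:21 -0500] NSMMReplicationPlugin - agmt="cn=meTospoore-dvm1.testrelm.com" (spoore-dvm1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
[10/Apr/2012:15:58:46 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com@TESTRELM.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
"""

# "[timestamp] component - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<comp>\S+) - (?P<msg>.*)$")
# set_krb5_creds: principal, keytab, krb5 error code and its text
KEYTAB_RE = re.compile(
    r"principal \[(?P<princ>[^\]]+)\] in keytab \[(?P<kt>[^\]]+)\]: "
    r"(?P<code>-?\d+) \((?P<reason>.*)\)$"
)
# GSSAPI minor status text, which is where the actual cause is written
MINOR_RE = re.compile(r"Minor code may provide more information \((?P<minor>[^)]*)\)")
# replication agreement name and the peer it was binding to
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')


def parse_dirsrv_errors(text: str) -> List[Dict[str, str]]:
    """Split each '[timestamp] component - message' line into its parts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def keytab_failures(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """set_krb5_creds lines: which principal, which keytab, which krb5 error."""
    out = []
    for e in entries:
        if e["comp"] != "set_krb5_creds":
            continue
        m = KEYTAB_RE.search(e["msg"])
        if m:
            out.append({"ts": e["ts"], **m.groupdict()})
    return out


def replication_bind_failures(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """NSMMReplicationPlugin bind failures with agreement, peer and GSS minor status."""
    out = []
    for e in entries:
        if e["comp"] != "NSMMReplicationPlugin" or "Replication bind" not in e["msg"]:
            continue
        agmt = AGMT_RE.search(e["msg"])
        minor = MINOR_RE.search(e["msg"])
        out.append({
            "ts": e["ts"],
            "agmt": agmt.group("agmt") if agmt else "",
            "peer": agmt.group("peer") if agmt else "",
            "minor": minor.group("minor") if minor else "",
        })
    return out


if __name__ == "__main__":
    parsed = parse_dirsrv_errors(SAMPLE_ERRORS)
    for f in keytab_failures(parsed):
        print(f"{f['ts']}: {f['princ']} via {f['kt']} -> {f['code']} ({f['reason']})")
    for f in replication_bind_failures(parsed):
        print(f"{f['ts']}: {f['agmt']} -> {f['peer']}: {f['minor']}")
```

On a real replica, read /var/log/dirsrv/slapd-*/errors into SAMPLE_ERRORS' place; the keytab list shows which keytab ns-slapd was actually using at each failure (here /etc/krb5.keytab first, then /etc/dirsrv/ds.keytab), which is the first thing to check against KRB5_KTNAME before looking at the KDC side.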
Comment 1 Scott Poore 2012-04-10 17:39:19 EDT
Created attachment 576613
messages file from replica
Comment 2 Scott Poore 2012-04-10 17:39:49 EDT
Created attachment 576614
dirsrv error log from replica
Comment 3 Scott Poore 2012-04-10 17:40:23 EDT
Created attachment 576615
kdc log from replica
Comment 4 Scott Poore 2012-04-10 17:40:48 EDT
Created attachment 576616
httpd error log from replica
Comment 6 Scott Poore 2012-04-10 20:42:44 EDT
Quick update/note. I tried unsuccessfully to reproduce on a different set of servers so it's not always reproducible.

So, I guess the question is what is wrong with my test for which I included the logs?
Comment 7 Scott Poore 2012-04-11 14:46:00 EDT
I believe I found my problem.

The /etc/hosts files on my master and replica servers had entries for both servers with their example.com FQDNs.  I believe this was causing some issues as seen in the krb5kdc.log:

This is an example from another failed attempt that I noticed:

Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0,  ldap/spoore-dvm2.testrelm.com@TESTRELM.COM for ldap/spoore-dvm1.example.com@TESTRELM.COM, Server not found in Kerberos database

Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0,  ldap/spoore-dvm2.testrelm.com@TESTRELM.COM for krbtgt/EXAMPLE.COM@TESTRELM.COM, Server not found in Kerberos database


I'm going to go ahead and close this one as NOTABUG since it was specific to my environment/setup and not really a bug.

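The root cause in comment 7 is hostname canonicalization: glibc returns the first name on a matching /etc/hosts line as the canonical hostname, and MIT Kerberos (with its default dns_canonicalize_hostname = true) builds the service principal from that canonical name. A hosts line that lists the example.com name first therefore makes the replica ask the TESTRELM.COM KDC for ldap/spoore-dvm1.example.com and then for a cross-realm krbtgt/EXAMPLE.COM, exactly the UNKNOWN_SERVER entries quoted above. The following is an added example, not from the bug report or from IPA/krb5: it models that lookup against a hosts file, flags entries where a name in the IPA domain is only an alias of a foreign canonical name, and pulls the rejected principals out of KDC log lines. The hosts file contents and the 192.168.122.x addresses are constructed to match the shape described in comment 7 (the reporter did not post the file).

```python
"""
Model of the /etc/hosts canonicalization that produced the wrong service
principals in this bug. Added example; the hosts file layout and addresses
below are constructed, and the lookup deliberately consults only the hosts
table (no DNS), which is what the resolver does when the name is in /etc/hosts.
"""
import re
from typing import List, Tuple

# Constructed: both machines listed with their example.com name FIRST,
# so that is what the resolver reports as the canonical name.
BAD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
192.168.122.101 spoore-dvm1.example.com spoore-dvm1.testrelm.com spoore-dvm1
192.168.122.102 spoore-dvm2.example.com spoore-dvm2.testrelm.com spoore-dvm2
"""

# Constructed: the corrected file, canonical name in the IPA domain.
GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
192.168.122.101 spoore-dvm1.testrelm.com spoore-dvm1
192.168.122.102 spoore-dvm2.testrelm.com spoore-dvm2
"""

# The two krb5kdc.log lines quoted in comment 7.
SAMPLE_KDC_LOG = """\
Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0,  ldap/spoore-dvm2.testrelm.com@TESTRELM.COM for ldap/spoore-dvm1.example.com@TESTRELM.COM, Server not found in Kerberos database
Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0,  ldap/spoore-dvm2.testrelm.com@TESTRELM.COM for krbtgt/EXAMPLE.COM@TESTRELM.COM, Server not found in Kerberos database
"""

UNKNOWN_SERVER_RE = re.compile(r"UNKNOWN_SERVER:.*? for (?P<princ>\S+), Server not found in Kerberos database")


def parse_hosts(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (address, canonical_name, aliases) for each non-comment /etc/hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1].lower(), [f.lower() for f in fields[2:]]))
    return entries


def canonicalize(hostname: str, hosts_text: str) -> str:
    """What getaddrinfo(AI_CANONNAME) reports for a name found in /etc/hosts: the line's first name."""
    name = hostname.lower().rstrip(".")
    for _addr, canon, aliases in parse_hosts(hosts_text):
        if name == canon or name in aliases:
            return canon
    return name  # not in the hosts file: the name is used as given


def service_principal(service: str, hostname: str, realm: str, hosts_text: str) -> str:
    """The principal a client will request for service/hostname after canonicalization."""
    return f"{service}/{canonicalize(hostname, hosts_text)}@{realm}"


def find_domain_mismatches(hosts_text: str, ipa_domain: str) -> List[str]:
    """Entries where a name in the IPA domain is only an alias of a canonical name in another domain."""
    suffix = "." + ipa_domain.lower()
    problems = []
    for addr, canon, aliases in parse_hosts(hosts_text):
        if canon.endswith(suffix):
            continue
        for alias in aliases:
            if alias.endswith(suffix):
                problems.append(f"{addr}: {alias} is an alias of {canon}; Kerberos will request service principals for {canon}")
    return problems


def unknown_server_principals(kdc_log: str) -> List[str]:
    """Principals the KDC rejected with UNKNOWN_SERVER, in log order."""
    return [m.group("princ") for m in UNKNOWN_SERVER_RE.finditer(kdc_log)]


if __name__ == "__main__":
    for p in find_domain_mismatches(BAD_HOSTS, "testrelm.com"):
        print("hosts:", p)
    print("requested:", service_principal("ldap", "spoore-dvm1.testrelm.com", "TESTRELM.COM", BAD_HOSTS))
    print("rejected by KDC:", unknown_server_principals(SAMPLE_KDC_LOG))
```

The useful check on a live system is the same comparison: run `find_domain_mismatches` over the real /etc/hosts of every master and replica, and compare `service_principal(...)` for each peer against what `klist -kt /etc/dirsrv/ds.keytab` holds on that peer. If the two disagree on the domain part, replication binds fail before the keytab is ever consulted, which is the situation the reporter hit.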