Created attachment 576612 [details]
ipareplica-install.log file

Description of problem:
After setting up an IPA Master server and replica, I can add a user on the Master that I cannot see from the replica.

Version-Release number of selected component (if applicable):
RHEL6.2
ipa-server-2.1.3-9.el6.x86_64
389-ds-base-1.2.9.14-1.el6.x86_64

How reproducible:
Often if not always.

Steps to Reproduce:
1. <setup IPA master>
2. <setup IPA replica>
3. ipa user-add replicatest --first=first --last=last # on Master
4. ipa user-show replicatest # on both

Actual results:
See replicatest user from Master search but not from Replica.

Expected results:
See replicatest user from both servers.

Additional info:
I see messages like this in /var/log/messages:

Apr 10 15:59:08 spoore-dvm2 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM not found in Kerberos database)

in /var/log/dirsrv/slapd-TESTRELM-COM/errors:

[10/Apr/2012:15:57:21 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[10/Apr/2012:15:57:21 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
[10/Apr/2012:15:57:21 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[10/Apr/2012:15:57:21 -0500] NSMMReplicationPlugin - agmt="cn=meTospoore-dvm1.testrelm.com" (spoore-dvm1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
...
[10/Apr/2012:15:58:46 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Created attachment 576613 [details] messages file from replica
Created attachment 576614 [details] dirsrv error log from replica
Created attachment 576615 [details] kdc log from replica
Created attachment 576616 [details] httpd error log from replica
Quick update/note. I tried unsuccessfully to reproduce on a different set of servers, so it's not always reproducible. So, I guess the question is what is wrong with my test for which I included the logs?
I believe I found my problem. The /etc/hosts files on my master and replica servers had entries for both servers with their example.com FQDNs. I believe this was causing some issues as seen in the krb5kdc.log. This is an example from another failed attempt that I noticed:

Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0, ldap/spoore-dvm2.testrelm.com for ldap/spoore-dvm1.example.com, Server not found in Kerberos database
Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0, ldap/spoore-dvm2.testrelm.com for krbtgt/EXAMPLE.COM, Server not found in Kerberos database

I'm going to go ahead and close this one as NOTABUG since it was specific to my environment/setup and not really a bug.
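The root cause above (stale /etc/hosts entries making the replica request a service ticket for ldap/host.example.com instead of ldap/host.testrelm.com) can be spotted automatically. The following script is an added example, not part of this bug report or of IPA; it assumes the IPA convention that the realm name is the upper-cased DNS domain, and the log and hosts-file content it checks are constructed samples modelled on the lines quoted in the report.

```python
import re

# Constructed sample KDC log, modelled on the krb5kdc.log lines quoted above
# (two rejected requests plus one successful ISSUE line for contrast).
KDC_LOG = """\
Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0, ldap/spoore-dvm2.testrelm.com for ldap/spoore-dvm1.example.com, Server not found in Kerberos database
Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0, ldap/spoore-dvm2.testrelm.com for krbtgt/EXAMPLE.COM, Server not found in Kerberos database
Apr 11 11:36:33 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: ISSUE: authtime 1334162192, etypes {rep=18 tkt=18 ses=18}, ldap/spoore-dvm2.testrelm.com for ldap/spoore-dvm1.testrelm.com
"""

# Constructed /etc/hosts with the kind of stale example.com entry described in the report.
HOSTS = """\
127.0.0.1   localhost localhost.localdomain
192.168.122.101 spoore-dvm1.example.com spoore-dvm1
192.168.122.102 spoore-dvm2.testrelm.com spoore-dvm2
"""

UNKNOWN_RE = re.compile(r"UNKNOWN_SERVER: authtime \d+, (\S+) for (\S+), Server not found")

def foreign_principals(log_text, realm):
    """Return (client, requested_server) pairs for UNKNOWN_SERVER rejections whose
    requested principal lies outside the realm's DNS domain (assumed = realm, lower-cased)."""
    domain = realm.lower()
    hits = []
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if not m:
            continue
        client, server = m.group(1), m.group(2)
        # service/host.fqdn or krbtgt/REALM: the part after '/' is what must match.
        target = server.split("/", 1)[-1].lower()
        if target != domain and not target.endswith("." + domain):
            hits.append((client, server))
    return hits

def stale_hosts_entries(hosts_text, realm):
    """Return FQDNs in hosts-file text whose domain differs from the realm's domain,
    ignoring loopback lines and comments."""
    domain = realm.lower()
    bad = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0].startswith("127.") or fields[0] == "::1":
            continue
        for name in fields[1:]:
            if "." in name and not name.lower().endswith("." + domain):
                bad.append(name)
    return bad

if __name__ == "__main__":
    print("rejected foreign principals:", foreign_principals(KDC_LOG, "TESTRELM.COM"))
    print("stale /etc/hosts names:", stale_hosts_entries(HOSTS, "TESTRELM.COM"))
```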