811394 – IPA Replica out of sync and cannot see user added from master

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 811394 - IPA Replica out of sync and cannot see user added from master

Summary: IPA Replica out of sync and cannot see user added from master

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-04-10 21:38 UTC by Scott Poore
Modified:	2012-04-11 18:46 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-04-11 18:46:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
ipareplica-install.log file (3.00 MB, application/x-gzip) 2012-04-10 21:38 UTC, Scott Poore	no flags	Details
messages file from replica (25.93 KB, application/x-gzip) 2012-04-10 21:39 UTC, Scott Poore	no flags	Details
dirsrv error log from replica (2.41 KB, application/x-gzip) 2012-04-10 21:39 UTC, Scott Poore	no flags	Details
kdc log from replica (1.17 KB, application/x-gzip) 2012-04-10 21:40 UTC, Scott Poore	no flags	Details
httpd error log from replica (766 bytes, application/x-gzip) 2012-04-10 21:40 UTC, Scott Poore	no flags	Details
View All

Description Scott Poore 2012-04-10 21:38:07 UTC

Created attachment 576612 [details]
ipareplica-install.log file

Description of problem:

After setting up an IPA Master server and replica, I can add a user on the Master that I cannot see from the replica.

Version-Release number of selected component (if applicable):
RHEL6.2
ipa-server-2.1.3-9.el6.x86_64
389-ds-base-1.2.9.14-1.el6.x86_64

How reproducible:
Often if not always.  

Steps to Reproduce:
1.  <setup IPA master>
2.  <setup IPA replica>
3.  ipa user-add replicatest --first=first --last=last # on Master
4.  ipa user-show replicatest # on both
  
Actual results:

See replicatest user from Master search but, not from Replica.

Expected results:

See replicatest user from both servers.

Additional info:

I see messages like this in /var/log/messages:

Apr 10 15:59:08 spoore-dvm2 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COM not found in Kerberos database)

in /var/log/dirsrv/slapd-TESTRELM-COM/errors:

[10/Apr/2012:15:57:21 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[10/Apr/2012:15:57:21 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
[10/Apr/2012:15:57:21 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[10/Apr/2012:15:57:21 -0500] NSMMReplicationPlugin - agmt="cn=meTospoore-dvm1.testrelm.com" (spoore-dvm1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

...

[10/Apr/2012:15:58:46 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/spoore-dvm2.testrelm.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))

Comment 1 Scott Poore 2012-04-10 21:39:19 UTC

Created attachment 576613 [details]
messages file from replica

Comment 2 Scott Poore 2012-04-10 21:39:49 UTC

Created attachment 576614 [details]
dirsrv error log from replica

Comment 3 Scott Poore 2012-04-10 21:40:23 UTC

Created attachment 576615 [details]
kdc log from replica

Comment 4 Scott Poore 2012-04-10 21:40:48 UTC

Created attachment 576616 [details]
httpd error log from replica

Comment 6 Scott Poore 2012-04-11 00:42:44 UTC

Quick update/note.   I tried unsuccessfully to reproduce on a different set of servers so it's not always reproducible.

So, I guess the question is what is wrong with my test for which I included the logs?

Comment 7 Scott Poore 2012-04-11 18:46:00 UTC

I believe I found my problem.

The /etc/hosts files on my master and replica servers had entries for both servers with their example.com FQDNs.  I believe this was causing some issues as seen in the krb5kdc.log:

This is an example from another failed attempt that I noticed:

Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0,  ldap/spoore-dvm2.testrelm.com for ldap/spoore-dvm1.example.com, Server not found in Kerberos database

Apr 11 11:36:32 spoore-dvm2.testrelm.com krb5kdc[12468](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.102: UNKNOWN_SERVER: authtime 0,  ldap/spoore-dvm2.testrelm.com for krbtgt/EXAMPLE.COM, Server not found in Kerberos database


I'm going to go ahead and close this one as NOTABUG since it was specific to my environment/setup and not really a bug.

Note You need to log in before you can comment on or make changes to this bug.