Description of problem: In an IPA environment, I'm seeing the DNA plugin fail to fetch a replication agreement. The DNA plugin is trying a replica where there is no replication agreement. This is causing ipa user-add to fail. [root@ipaqa64vmd tmp.izaYf564ZD]# ipa user-add test --first=f --last=l ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. [root@ipaqa64vmd tmp.izaYf564ZD]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config" dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: Posix IDs dnaType: uidNumber dnaType: gidNumber dnaNextValue: 1101 dnaMaxValue: 1100 dnaMagicRegen: -1 dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip aIDobject)) dnaScope: dc=testrelm,dc=com dnaThreshold: 500 dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=testrelm,dc=com So, looking in the logs at the time of the failure: [29/May/2013:10:03:14 -0400] dna-plugin - dna_get_replica_bind_creds: Failed to fetch replication agreement for range cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=testrelm,dc=com, server ipaqa64vmf.testrelm.com, port 389 [29/May/2013:10:03:14 -0400] dna-plugin - dna_request_range: Unable to retrieve replica bind credentials. ... [29/May/2013:10:03:14 -0400] dna-plugin - dna_get_replica_bind_creds: Failed to fetch replication agreement for range cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=testrelm,dc=com, server cloud-qe-15.testrelm.com, port 389 [29/May/2013:10:03:14 -0400] dna-plugin - dna_request_range: Unable to retrieve replica bind credentials. [29/May/2013:10:03:14 -0400] dna-plugin - dna_pre_op: no more values available!! After some help from Dev, it was pointed out that my IPA replica is running the dna-plugin. The plugin fails to get the range from the master because it doesn't actually have a replication agreement with that master. Topology is: R1 - M - R2 - R3 - R4 Failure is occurring on R3. dna-plugin on R3 is attempting to contact M but, there is not replication agreement. M="master" and was the first IPA server setup in the environment. Version-Release number of selected component (if applicable): 389-ds-base-1.3.0.6-1.fc18.x86_64 How reproducible: very Steps to Reproduce: 1. Setup IPA environment with similar topology. 2. On R3 or R4, ipa user-add Actual results: failure like above. Expected results: dna-plugin accurately looks up the range. Additional info:
Upstream ticket: https://fedorahosted.org/389/ticket/47379
This is fixed in F19 (389-ds-base-1.3.1.x). Is a fix required in F18 (389-ds-base-1.3.0.x)?
This is fixed in F19, and we have no plans to fix it in F18. Closing this as WONTFIX.