[Freeipa-devel] topology issues

Oleg Fayans ofayans at redhat.com
Tue Jun 9 13:55:33 UTC 2015 

Hi everybody,

The current status of Topology plugin testing is as follows:

1. There is still no proper way of removing the replica.
Standard procedure using `ipa-replica-manage del` throws "Server is 
unwilling to perform: Entry is managed by topology plugin.Deletion not 
allowed.". The replication agreement though does get deleted, but the 
topology information does not get updated. When I then issue `ipa 
topologysegment-del`, it fails due to "ipa: ERROR: Server is unwilling 
to perform: Removal of Segment disconnects topology.Deletion not allowed."

I tried to disable the segment first and then delete it, but with the 
segment properly disabled, the attempt to delete it raised a GSS error: 
"ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure.  
Minor code may provide more information', 851968)/('KDC returned error 
string: PROCESS_TGS', -1765328324)/". I am not sure, where to search for 
corresponding logs. The session transcript is attached.

2. The following is probably unrelated to the topology plugin:
I installed a replica with --setup-ca option. Then, on this replica 
tried to prepare another replica:
-------------------------------------------------------------------------------------------------------------------------------------------------
root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare --ip-address 
192.168.122.141 f22replica3.bagam.net
Directory Manager (existing master) password:

Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
Creating SSL certificate for the Directory Server
Certificate issuance failed
-------------------------------------------------------------------------------------------------------------------------------------------------
The corresponding line in the dirsrv log:
[09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" -- 
attribute "krbExtraData" not allowed

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
root at f22master:/home/ofayans]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
  Segment name: f22master.bagam.net-to-f22replica1.bagam.net
  Left node: f22master.bagam.net
  Right node: f22replica1.bagam.net
  Connectivity: both

  Segment name: f22master.bagam.net-to-f22replica2.bagam.net
  Left node: f22master.bagam.net
  Right node: f22replica2.bagam.net
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
root at f22master:/home/ofayans]$ ipa-replica-manage del f22replica1.bagam.net
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file
and re-install.
Continue to delete? [no]: yes
Deleting replication agreements between f22replica1.bagam.net and f22master.bagam.net
ipa: INFO: Setting agreement cn=meTof22master.bagam.net,cn=replica,cn=dc\=bagam\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTof22master.bagam.net,cn=replica,cn=dc\=bagam\,dc\=net,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Unable to remove agreement on f22replica1.bagam.net: Server is unwilling to perform: Entry is managed by topology plugin.Deletion not allowed.
Forcing removal on 'f22master.bagam.net'
Any DNA range on 'f22replica1.bagam.net' will be lost
There were issues removing a connection for f22replica1.bagam.net from f22master.bagam.net: Server is unwilling to perform: Entry is managed by topology plugin.Deletion not allowed.
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C
root at f22master:/home/ofayans]$ ipa topologysegment-del 
Suffix name: realm
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
root at f22master:/home/ofayans]$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]

Modify a segment.
Options:
  -h, --help            show this help message and exit
  --leftnode=STR        Left replication node - an IPA server
  --rightnode=STR       Right replication node - an IPA server
  --direction=['both', 'left-right', 'right-left', 'none']
                        Direction of replication between left and right
                        replication node
  --stripattrs=STR      A space separated list of attributes which are removed
                        from replication updates.
  --replattrs=STR       Attributes that are not replicated to a consumer
                        server during a fractional update. E.g.,
                        `(objectclass=*) $ EXCLUDE accountlockout memberof
  --replattrstotal=STR  Attributes that are not replicated to a consumer
                        server during a total update. E.g. (objectclass=*) $
                        EXCLUDE accountlockout
  --timeout=INT         Number of seconds outbound LDAP operations waits for a
                        response from the remote replica before timing out and
                        failing
  --enabled=['on', 'off']
                        Whether a replication agreement is active, meaning
                        whether replication is occurring per that agreement
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option will be
                        evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
root at f22master:/home/ofayans]$ ipa topologysegment-mod --enabled=off 
Suffix name: realm
Segment name: f22master.bagam.net-to-f22replica1.bagam.net
---------------------------------------------------------------
Modified segment "f22master.bagam.net-to-f22replica1.bagam.net"
---------------------------------------------------------------
  Segment name: f22master.bagam.net-to-f22replica1.bagam.net
  Left node: f22master.bagam.net
  Right node: f22replica1.bagam.net
  Connectivity: both
  Replication agreement enabled: off
root at f22master:/home/ofayans]$ ipa topologysegment-del
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/

More information about the Freeipa-devel mailing list