[Freeipa-devel] topology issues

Oleg Fayans ofayans at redhat.com
Tue Jun 9 14:14:48 UTC 2015



On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>
> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>> Hi everybody,
>>
>> The current status of Topology plugin testing is as follows:
>>
>> 1. There is still no proper way of removing the replica.
>> Standard procedure using `ipa-replica-manage del` throws "Server is 
>> unwilling to perform: Entry is managed by topology plugin.Deletion 
>> not allowed.". 
> yes, that is for the first attempt to directly remove the agreement, 
> but when the server is removed the agreements should be removed
We should probably think of a less threatening error message in this case. 
Just from reading the command output one might conclude that replica 
removal failed.
>> The replication agreement though does get deleted, 
> then it is ok,
>> but the topology information does not get updated. 
> what do you mean, where do you check ? in the "remaining" topology the 
> shared tree should be updated, for the removed replica it will not, 
> but this should be uninstalled anyway
The problem here is that the topology information does not get updated 
on master as well.
>> When I then issue `ipa topologysegment-del`, it fails due to "ipa: 
>> ERROR: Server is unwilling to perform: Removal of Segment disconnects 
>> topology.Deletion not allowed."
> correct, you can only do it after removal of the server
I do not get it. Master still thinks it has the replica, it displays it 
both in CLI using `ipa topologysegment-find` and in the web-ui 
(although it does not show it using `ipa host-find`, which is correct), 
and there is no way to manually make it change its mind?
>>
>> I tried to disable the segment first and then delete it, but with the 
>> segment properly disabled, the attempt to delete it raised a GSS 
>> error: "ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS 
>> failure.  Minor code may provide more information', 851968)/('KDC 
>> returned error string: PROCESS_TGS', -1765328324)/". I am not sure, 
>> where to search for corresponding logs. The session transcript is 
>> attached.
>>
>> 2. The following is probably unrelated to the topology plugin:
>> I installed a replica with --setup-ca option. Then, on this replica 
>> tried to prepare another replica:
>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>
>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare --ip-address 
>> 192.168.122.141 f22replica3.bagam.net
>> Directory Manager (existing master) password:
>>
>> Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
>> Creating SSL certificate for the Directory Server
>> Certificate issuance failed
>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>
>> The corresponding line in the dirsrv log:
>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" -- 
>> attribute "krbExtraData" not allowed
>>
>>
>>
>
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
