[Freeipa-devel] topology issues

Ludwig Krispenz lkrispen at redhat.com
Tue Jun 9 14:19:18 UTC 2015


On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>
>
> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>
>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>> Hi everybody,
>>>
>>> The current status of Topology plugin testing is as follows:
>>>
>>> 1. There is still no proper way of removing the replica.
>>> Standard procedure using `ipa-replica-manage del` throws "Server is 
>>> unwilling to perform: Entry is managed by topology plugin.Deletion 
>>> not allowed.". 
>> yes, that is for the first attempt to directly remove the agreement, 
>> but when the server is removed the agreements should be removed
> We should probably think of a less threatening error message in this 
> case. Just from reading the command output one might conclude that 
> replica removal failed.
>>> The replication agreement though does get deleted, 
>> then it is ok,
>>> but the topology information does not get updated. 
>> what do you mean, where do you check? in the "remaining" topology 
>> the shared tree should be updated, for the removed replica it will 
>> not, but this should be uninstalled anyway
> The problem here is that the topology information does not get 
> updated on master as well.
could you be a bit more precise. what do you still see? the agreement 
will be only removed if the segment is removed, and this should be 
replicated to all servers in the remaining topology - if you don't 
disconnect it by removing the replica.
and what was the topology structure and which replica did you remove, on 
which server did you remove it?
>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa: 
>>> ERROR: Server is unwilling to perform: Removal of Segment 
>>> disconnects topology.Deletion not allowed."
>> correct, you can only do it after removal of the server
> I do not get it. Master still thinks it has the replica, it displays 
> it both in CLI using `ipa topologysegment-find` and in the web-ui. 
> (although it does not show it using `ipa host-find`, which is 
> correct), and there is no way to manually make it change its mind?
>>>
>>> I tried to disable the segment first and then delete it, but with 
>>> the segment properly disabled, the attempt to delete it raised a GSS 
>>> error: "ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified 
>>> GSS failure.  Minor code may provide more information', 
>>> 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/". I 
>>> am not sure where to search for corresponding logs. The session 
>>> transcript is attached.
>>>
>>> 2. The following is probably unrelated to the topology plugin:
>>> I installed a replica with --setup-ca option. Then, on this replica 
>>> tried to prepare another replica:
>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>
>>> root@f22replica2:/home/ofayans/f22]$ ipa-replica-prepare 
>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>> Directory Manager (existing master) password:
>>>
>>> Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
>>> Creating SSL certificate for the Directory Server
>>> Certificate issuance failed
>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>
>>> The corresponding line in the dirsrv log:
>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" 
>>> -- attribute "krbExtraData" not allowed
>>>
>>>
>>>
>>
>>
>>
>
> -- 
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>
