[Freeipa-devel] topology issues

Oleg Fayans ofayans at redhat.com
Tue Jun 9 14:25:25 UTC 2015



On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>
> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>
>>
>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> The current status of Topology plugin testing is as follows:
>>>>
>>>> 1. There is still no proper way of removing the replica.
>>>> Standard procedure using `ipa-replica-manage del` throws "Server is 
>>>> unwilling to perform: Entry is managed by topology plugin.Deletion 
>>>> not allowed.". 
>>> yes, that is for the first attempt to directly remove the agreement, 
>>> but when the server is removed the agreements should be removed
>> We should probably think of a less threatening error message in this 
>> case. Just from reading the command output one might conclude that 
>> replica removal failed.
>>>> The replication agreement though does get deleted, 
>>> then it is ok,
>>>> but the topology information does not get updated. 
>>> what do you mean, where do you check ? in the "remaining" topology 
>>> the shared tree should be updated, for the removed replica it will 
>>> not, but this should be uninstalled anyway
>> The problem here is that the topology information does not get 
>> updated on master as well.
> could you be a bit more precise. what do you still see? the agreement 
> will be only removed if the segment is removed, and this should be 
> replicated to all servers in the remaining topology - if you don't 
> disconnect it by removing the replica.
> and what was the topology structure and which replica did you remove, 
> on which server did you remove it?
So, here are the results of the `topologysegment-find` command before 
replica removal:
root@f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
   Left node: f22master.bagam.net
   Right node: f22replica1.bagam.net
   Connectivity: both

   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
   Left node: f22master.bagam.net
   Right node: f22replica2.bagam.net
   Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net 
--force` on the master, the same command on master still shows exactly 
the same topology:

root@f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
Suffix name: realm
------------------
2 segments matched
------------------
   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
   Left node: f22master.bagam.net
   Right node: f22replica1.bagam.net
   Connectivity: both

   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
   Left node: f22master.bagam.net
   Right node: f22replica2.bagam.net
   Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

>>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa: 
>>>> ERROR: Server is unwilling to perform: Removal of Segment 
>>>> disconnects topology.Deletion not allowed."
>>> correct, you can only do it after removal of the server
>> I do not get it. Master still thinks it has the replica, it displays 
>> it both in CLI using `ipa topologysegment-find` and in the web-ui. 
>> (although it does not show it using `ipa host-find`, which is 
>> correct), and there is no way to manually make it change its mind?
>>>>
>>>> I tried to disable the segment first and then delete it, but with 
>>>> the segment properly disabled, the attempt to delete it raised a 
>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error: 
>>>> ('Unspecified GSS failure.  Minor code may provide more 
>>>> information', 851968)/('KDC returned error string: PROCESS_TGS', 
>>>> -1765328324)/". I am not sure, where to search for corresponding 
>>>> logs. The session transcript is attached.
>>>>
>>>> 2. The following is probably unrelated to the topology plugin:
>>>> I installed a replica with --setup-ca option. Then, on this replica 
>>>> tried to prepare another replica:
>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>>
>>>> root@f22replica2:/home/ofayans/f22]$ ipa-replica-prepare 
>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>> Directory Manager (existing master) password:
>>>>
>>>> Preparing replica for f22replica3.bagam.net from f22replica2.bagam.net
>>>> Creating SSL certificate for the Directory Server
>>>> Certificate issuance failed
>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>>
>>>> The corresponding line in the dirsrv log:
>>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" 
>>>> -- attribute "krbExtraData" not allowed
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>> -- 
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>
>>
>
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
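
Added illustration, not part of the original message and not FreeIPA's own code: a small model of the connectivity rule behind the "Removal of Segment disconnects topology" refusal discussed in this thread, run over the `ipa topologysegment-find` output quoted above. The function names are hypothetical, and the model assumes segments with connectivity "both" act as undirected edges and that the rule is plain graph connectivity over the servers still registered.

```python
import re

# Constructed sample: the two segments from the topologysegment-find output in this thread.
SAMPLE = """\
   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
   Left node: f22master.bagam.net
   Right node: f22replica1.bagam.net
   Connectivity: both

   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
   Left node: f22master.bagam.net
   Right node: f22replica2.bagam.net
   Connectivity: both
"""

def parse_segments(text):
    """Return {segment_name: (left_node, right_node)} from topologysegment-find output."""
    segs, cur = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*(Segment name|Left node|Right node):\s*(\S+)", line)
        if not m:
            continue
        cur[m.group(1)] = m.group(2)
        if m.group(1) == "Right node":  # last field needed for one segment
            segs[cur["Segment name"]] = (cur["Left node"], cur["Right node"])
            cur = {}
    return segs

def is_connected(nodes, edges):
    """True if all nodes are mutually reachable; edges to unknown nodes are ignored."""
    nodes = set(nodes)
    seen, stack = set(), sorted(nodes)[:1]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for a, b in edges:
            other = b if a == n else a if b == n else None
            if other in nodes:
                stack.append(other)
    return seen == nodes

def removal_disconnects(segs, name, servers):
    """Hypothetical check: would deleting segment `name` split the given servers?"""
    remaining = [edge for seg, edge in segs.items() if seg != name]
    return not is_connected(servers, remaining)
```

With all three servers still registered, deleting the master-to-replica1 segment isolates f22replica1, so the model reports a disconnect; once that server is no longer in the node set, the same deletion leaves the remaining servers connected.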
