[Freeipa-devel] topology issues

Ludwig Krispenz lkrispen at redhat.com
Tue Jun 9 14:36:03 UTC 2015


On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>
>
> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>
>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> The current status of Topology plugin testing is as follows:
>>>>>
>>>>> 1. There is still no proper way of removing the replica.
>>>>> Standard procedure using `ipa-replica-manage del` throws "Server 
>>>>> is unwilling to perform: Entry is managed by topology 
>>>>> plugin.Deletion not allowed.". 
>>>> yes, that is for the first attempt to directly remove the 
>>>> agreement, but when the server is removed the agreements should be 
>>>> removed
>>> We should probably think of a less threatening error message in this 
>>> case. Just from reading the command output one might conclude that 
>>> replica removal failed.
>>>>> The replication agreement though does get deleted, 
>>>> then it is ok,
>>>>> but the topology information does not get updated. 
>>>> What do you mean, where do you check? In the "remaining" topology 
>>>> the shared tree should be updated; for the removed replica it will 
>>>> not, but this should be uninstalled anyway.
>>> The problem here is that the topology information does not get 
>>> updated on master as well.
>> Could you be a bit more precise? What do you still see? The 
>> agreement will be only removed if the segment is removed, and this 
>> should be replicated to all servers in the remaining topology - if 
>> you don't disconnect it by removing the replica.
>> And what was the topology structure and which replica did you remove, 
>> on which server did you remove it?
> So, here are the results of the `topologysegment-find` command before 
> replica removal:
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica1.bagam.net
>   Connectivity: both
>
>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica2.bagam.net
>   Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net 
> --force` on the master, the same command on master still shows exactly 
> the same topology:
>
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica1.bagam.net
>   Connectivity: both
>
>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica2.bagam.net
>   Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
That's weird if the agreement is removed; the removal of the agreement 
is only done in the postop of the removal of the segment.
Do you have the access and error logs for the master?
>
>>>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa: 
>>>>> ERROR: Server is unwilling to perform: Removal of Segment 
>>>>> disconnects topology.Deletion not allowed."
>>>> correct, you can only do it after removal of the server
>>> I do not get it. Master still thinks it has the replica, it displays 
>>> it both in CLI using `ipa topologysegment-find` and in the web-ui. 
>>> (although it does not show it using `ipa host-find`, which is 
>>> correct), and there is no way to manually make it change its mind?
>>>>>
>>>>> I tried to disable the segment first and then delete it, but with 
>>>>> the segment properly disabled, the attempt to delete it raised a 
>>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error: 
>>>>> ('Unspecified GSS failure.  Minor code may provide more 
>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS', 
>>>>> -1765328324)/". I am not sure, where to search for corresponding 
>>>>> logs. The session transcript is attached.
>>>>>
>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>> I installed a replica with --setup-ca option. Then, on this 
>>>>> replica tried to prepare another replica:
>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>>>
>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare 
>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Preparing replica for f22replica3.bagam.net from 
>>>>> f22replica2.bagam.net
>>>>> Creating SSL certificate for the Directory Server
>>>>> Certificate issuance failed
>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>>>
>>>>> The corresponding line in the dirsrv log:
>>>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" 
>>>>> -- attribute "krbExtraData" not allowed
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> -- 
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>>>
>>
>>
>>
>
> -- 
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>
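
An added example (not part of the original message, and not the topology plugin's code): it parses the segment lines of the `topologysegment-find` listing quoted above and tests whether deleting one segment would split the graph. It assumes "disconnects topology" means ordinary graph connectivity over the nodes named in the segments; the function names are hypothetical. With the two-segment star from the thread, deleting either segment isolates a replica, which is consistent with the "Removal of Segment disconnects topology" refusal quoted above.

```python
import re
from collections import defaultdict

# Segment lines from the `ipa topologysegment-find` listing quoted in the thread.
LISTING = """\
  Segment name: f22master.bagam.net-to-f22replica1.bagam.net
  Left node: f22master.bagam.net
  Right node: f22replica1.bagam.net
  Connectivity: both

  Segment name: f22master.bagam.net-to-f22replica2.bagam.net
  Left node: f22master.bagam.net
  Right node: f22replica2.bagam.net
  Connectivity: both
"""

def parse_segments(text):
    """Return {segment name: (left node, right node)} from the CLI listing."""
    segments, current = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*(Segment name|Left node|Right node):\s*(\S+)", line)
        if not m:
            continue
        current[m.group(1)] = m.group(2)
        if m.group(1) == "Right node":  # last field needed for one segment
            segments[current["Segment name"]] = (current["Left node"], current["Right node"])
            current = {}
    return segments

def is_connected(segments, nodes):
    """True when every node is reachable from every other one via segments."""
    if not nodes:
        return True
    adj = defaultdict(set)
    for left, right in segments.values():  # "both" is treated as undirected
        adj[left].add(right)
        adj[right].add(left)
    seen, stack = set(), [next(iter(nodes))]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(adj[node] - seen)
    return set(nodes) <= seen

def deletion_disconnects(segments, name):
    """Would deleting segment `name` split the nodes currently in the topology?"""
    nodes = {n for pair in segments.values() for n in pair}
    remaining = {k: v for k, v in segments.items() if k != name}
    return not is_connected(remaining, nodes)
```
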
