[Freeipa-devel] topology issues

Ludwig Krispenz lkrispen at redhat.com
Tue Jun 9 15:32:19 UTC 2015


Hi Oleg,
thanks for access to your machine, the replication agreements are still 
there - and that is expected since the server was not removed.

In the access log I see:

[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000600040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000700040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec000100040000
[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND

The search for cn=f22replica1.bagam.net,cn=masters,.... returns 8 
entries, which then should be deleted, but only 3 are deleted and the
cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the 
topology segments are not deleted, and the agreement is not removed.

I don't know why ipa-replica-manage del stops deleting services and 
the master entry.



On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>
>
> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>
>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> The current status of Topology plugin testing is as follows:
>>>>>
>>>>> 1. There is still no proper way of removing the replica.
>>>>> Standard procedure using `ipa-replica-manage del` throws "Server 
>>>>> is unwilling to perform: Entry is managed by topology 
>>>>> plugin.Deletion not allowed.". 
>>>> yes, that is for the first attempt to directly remove the 
>>>> agreement, but when the server is removed the agreements should be 
>>>> removed
>>> We should probably think of a less threatening error message in this 
>>> case. Just from reading the command output one might conclude that 
>>> replica removal failed.
>>>>> The replication agreement though does get deleted, 
>>>> then it is ok,
>>>>> but the topology information does not get updated. 
>>>> what do you mean, where do you check ? in the "remaining" topology 
>>>> the shared tree should be updated, for the removed replica it will 
>>>> not, but this should be uninstalled anyway
>>> The problem here is that the topology information does not get 
>>> updated on master as well.
>> could you be a bit more precise. what do you still see ? the 
>> agreement will be only removed if the segment is removed, and this 
>> should be replicated to all servers in the remaining topology - if 
>> you don't disconnect it by removing the replica.
>> and what was the topology structure and which replica did you remove, 
>> on which server did you remove it?
> So, here are the results of the `topologysegment-find` command before 
> replica removal:
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica1.bagam.net
>   Connectivity: both
>
>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica2.bagam.net
>   Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net 
> --force` on the master, the same command on master still shows exactly 
> the same topology:
>
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
>   Segment name: f22master.bagam.net-to-f22replica1.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica1.bagam.net
>   Connectivity: both
>
>   Segment name: f22master.bagam.net-to-f22replica2.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica2.bagam.net
>   Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>>>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa: 
>>>>> ERROR: Server is unwilling to perform: Removal of Segment 
>>>>> disconnects topology.Deletion not allowed."
>>>> correct, you can only do it after removal of the server
>>> I do not get it. Master still thinks it has the replica, it displays 
>>> it both in CLI using `ipa topologysegment-find` and in the web-ui. 
>>> (although it does not show it using `ipa host-find`, which is 
>>> correct), and there is no way to manually make it change its mind?
>>>>>
>>>>> I tried to disable the segment first and then delete it, but with 
>>>>> the segment properly disabled, the attempt to delete it raised a 
>>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error: 
>>>>> ('Unspecified GSS failure.  Minor code may provide more 
>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS', 
>>>>> -1765328324)/". I am not sure where to search for corresponding 
>>>>> logs. The session transcript is attached.
>>>>>
>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>> I installed a replica with --setup-ca option. Then, on this 
>>>>> replica tried to prepare another replica:
>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>>>
>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare 
>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Preparing replica for f22replica3.bagam.net from 
>>>>> f22replica2.bagam.net
>>>>> Creating SSL certificate for the Directory Server
>>>>> Certificate issuance failed
>>>>> ------------------------------------------------------------------------------------------------------------------------------------------------- 
>>>>>
>>>>> The corresponding line in the dirsrv log:
>>>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca" 
>>>>> -- attribute "krbExtraData" not allowed
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> -- 
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>>>
>>
>>
>>
>
> -- 
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>
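
The access-log comparison made in the reply at the top of this message (8 entries returned by the subtree search, 3 DEL operations logged), as an added example that is not part of the original thread or of FreeIPA. The function name `audit_subtree_deletes` and the report keys are assumptions made for illustration; the log lines are the ones quoted above.

```python
import re

# Access-log excerpt quoted in the message above, with wrapped lines rejoined.
LOG = '''\
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net" scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101 nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000600040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107 nentries=0 etime=0 csn=5576dceb000700040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107 nentries=0 etime=1 csn=5576dcec000100040000
[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
'''

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) (\w+)(.*)$')

def audit_subtree_deletes(log_text):
    """Per subtree search (scope=2), compare the entries found with the DELs
    under that base that later succeeded on the same connection."""
    pending = {}   # (conn, op) -> (verb, lower-cased DN) awaiting its RESULT
    reports = []   # one dict per subtree search, in log order
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        dn = re.search(r'\b(?:base|dn)="([^"]*)"', rest)
        if verb == "DEL" or (verb == "SRCH" and " scope=2 " in rest):
            if dn:
                pending[(conn, op)] = (verb, dn.group(1).lower())
        elif verb == "RESULT" and (conn, op) in pending:
            kind, target = pending.pop((conn, op))
            ok = re.search(r'\berr=0\b', rest) is not None
            if kind == "SRCH":
                found = int(re.search(r'nentries=(\d+)', rest).group(1))
                reports.append({"conn": conn, "base": target, "found": found,
                                "deleted": [], "base_deleted": False})
            elif ok:
                # Plain suffix match; no full DN normalisation (simplification).
                for rep in (r for r in reports if r["conn"] == conn):
                    if target == rep["base"]:
                        rep["base_deleted"] = True
                    elif target.endswith("," + rep["base"]):
                        rep["deleted"].append(target)
    for rep in reports:
        rep["remaining"] = rep["found"] - len(rep["deleted"]) - rep["base_deleted"]
    return reports
```

A non-zero `remaining` together with `base_deleted` being false is the condition described above: the master entry survives, so the topology segments and the agreement are not removed.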
