[Freeipa-devel] topology issues
Ludwig Krispenz
lkrispen at redhat.com
Tue Jun 9 15:32:19 UTC 2015
Hi Oleg,
thanks for access to your machine, the replication agreements are still
there - and that is expected since the server was not removed.
In the access log I see:
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
scope=2 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
nentries=8 etime=0 notes=U
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
nentries=0 etime=0 csn=5576dceb000600040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
nentries=0 etime=0 csn=5576dceb000700040000
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
nentries=0 etime=1 csn=5576dcec000100040000
[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND
the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8
entries, which then should be deleted, but only 3 ae deleted and the
cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the
topology segments are not deleted, and the agreement is not removed.
I don't know why ipa-replica-manage del does stop deleting services and
the master entry
On 06/09/2015 04:25 PM, Oleg Fayans wrote:
>
>
> On 06/09/2015 04:19 PM, Ludwig Krispenz wrote:
>>
>> On 06/09/2015 04:14 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/09/2015 04:04 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/09/2015 03:55 PM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> The current status of Topology plugin testing is as follows:
>>>>>
>>>>> 1. There is still no proper way of removing the replica.
>>>>> Standard procedure using `ipa-replica-manage del` throws "Server
>>>>> is unwilling to perform: Entry is managed by topology
>>>>> plugin.Deletion not allowed.".
>>>> yes, that is for the first attempt to directly remove the
>>>> agreement, but when the server is removed the agreements should be
>>>> removed
>>> We should probably think of less threatening error message in this
>>> case. Just from reading the command output one might conclude that
>>> replica removal failed.
>>>>> The replication agreement though does get deleted,
>>>> then it is ok,
>>>>> but the topology information does not get updated.
>>>> what do you mean, where do you check ? in the "remaining" topology
>>>> the shared tree should be updated, for the removed replica it will
>>>> not, but this should be uninstalled anyway
>>> The problem here, is that the topology information does not get
>>> updated on master as well.
>> could you be a bit more precise. what do you still see ? the
>> agreement will be only removed if the segment is removed, and this
>> should be reoplicated to all severs in the remaining topology - if
>> you don't disconnect it by removing the replica.
>> and what was the topology structure and which replica did you remove,
>> on which server did you remove it?
> So, Here is the results of the `topologysegment-find` command before
> replica removal:
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica1.bagam.net
> Connectivity: both
>
> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
> --force` on the master, the same command on master still shows exactly
> the same topology:
>
> root at f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa topologysegment-find
> Suffix name: realm
> ------------------
> 2 segments matched
> ------------------
> Segment name: f22master.bagam.net-to-f22replica1.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica1.bagam.net
> Connectivity: both
>
> Segment name: f22master.bagam.net-to-f22replica2.bagam.net
> Left node: f22master.bagam.net
> Right node: f22replica2.bagam.net
> Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>>>>> When I then issue `ipa topologysegment-del`, it fails due to "ipa:
>>>>> ERROR: Server is unwilling to perform: Removal of Segment
>>>>> disconnects topology.Deletion not allowed."
>>>> correct, you can only do it after removal of the server
>>> I do not get it. Master still thinks it has the replica, it displays
>>> it both in CLI using `ipa topologysegment-find` and in the web-ui.
>>> (although it does not show it using `ipa host-find`, which is
>>> correct), and there is no way to manually make it change it's mind?
>>>>>
>>>>> I tried to disable the segment first and then delete it, but with
>>>>> the segment properly disabled, the attempt to delete it raised a
>>>>> GSS error: "ipa: ERROR: Kerberos error: Kerberos error:
>>>>> ('Unspecified GSS failure. Minor code may provide more
>>>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>>>> -1765328324)/". I am not sure, where to search for corresponding
>>>>> logs. The session transcript is attached.
>>>>>
>>>>> 2. The following is probably unrelated to the topology plugin:
>>>>> I installed a replica with --setup-ca option. Then, on this
>>>>> replica tried to prepare another replica:
>>>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> root at f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
>>>>> --ip-address 192.168.122.141 f22replica3.bagam.net
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Preparing replica for f22replica3.bagam.net from
>>>>> f22replica2.bagam.net
>>>>> Creating SSL certificate for the Directory Server
>>>>> Certificate issuance failed
>>>>> -------------------------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> The corresponding line in the dirsrv log:
>>>>> [09/Jun/2015:09:54:46 -0400] - Entry "uid=admin,ou=people,o=ipaca"
>>>>> -- attribute "krbExtraData" not allowed
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>>>
>>
>>
>>
>
> --
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150609/f71a552d/attachment.htm>
More information about the Freeipa-devel
mailing list