[Freeipa-devel] topology-related issues
Ludwig Krispenz
lkrispen at redhat.com
Tue Jun 23 12:27:29 UTC 2015
On 06/23/2015 11:44 AM, Oleg Fayans wrote:
> It looks like the second issue was caused by not running ipa service
> on vm-244.idm.lab.eng.brq.redhat.com.
> However, after manual start of the ipa service on this node, I was
> still unable to setup the segment:
>
> [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm
> Left node: vm-244.idm.lab.eng.brq.redhat.com
> Right node: vm-069.idm.lab.eng.brq.redhat.com
> Connectivity [both]:
> Segment name
> [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may
> provide more information', 851968)/('Ticket not yet valid', -1765328351)

I don't know what this specific error is, but in the dirsrv log, which
seems to be from vm-244, we have:

set_krb5_creds - Could not get initial credentials for principal
[ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)

So is your KDC running?
>
I don't know
> The dirsrv error log of this node is attached.
>
>
> On 06/23/2015 11:27 AM, Oleg Fayans wrote:
>> Hi Ludwig, team,
>>
>> I have a couple of issues with the topology plugin.
>>
>> 1. I was able to remove the middle node in a line topology, which
>> resulted in disconnecting a segment. I had
>> master - replica1 - replica2 - replica3 - replica4
>> I removed replica2 with a standard `ipa-replica-manage del`
>> And it resulted in the following topology:
>>
>> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm
>> ------------------
>> 2 segments matched
>> ------------------
>> Segment name: 086-to-069
>> Left node: vm-086.idm.lab.eng.brq.redhat.com
>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>> Connectivity: both
>>
>> Segment name: 127-to-244
>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> We should probably prohibit such scenarios.
>>
>> 2. When I subsequently tried to create a link between the two
>> segments manually, I bumped into the following error:
>>
>> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm
>> Left node: vm-069.idm.lab.eng.brq.redhat.com
>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>> Connectivity [both]:
>> Segment name
>> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
>>
>> ipa: ERROR: invalid 'rightnode': right node is not a topology node:
>> vm-244.idm.lab.eng.brq.redhat.com
>>
>
>
>
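
The disconnection reported in issue 1 can be checked for before a replica is deleted. The sketch below is an added example, not code from this thread or from FreeIPA; the function names `parse_segments`, `components` and `would_disconnect` are hypothetical, and the inputs are constructed from the output and the line topology quoted above.

```python
import re
from collections import defaultdict

# Constructed inputs: SAMPLE follows the topologysegment-find layout quoted in
# the thread; LINE is the reported line topology under its generic names.
SAMPLE = """\
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
"""
LINE = [("master", "replica1"), ("replica1", "replica2"),
        ("replica2", "replica3"), ("replica3", "replica4")]

def parse_segments(text):
    """Return (left, right) pairs from topologysegment-find style output."""
    lefts = re.findall(r"^\s*Left node:\s*(\S+)", text, re.M)
    rights = re.findall(r"^\s*Right node:\s*(\S+)", text, re.M)
    if len(lefts) != len(rights):
        raise ValueError("unbalanced Left/Right node lines")
    return list(zip(lefts, rights))

def components(segments, removed=None):
    """Connected groups of replicas, optionally with one node deleted."""
    adj = defaultdict(set)
    for left, right in segments:
        if removed not in (left, right):   # drop segments touching the node
            adj[left].add(right)
            adj[right].add(left)
    # Keep nodes that lost every segment: they form a group of their own.
    nodes = {n for seg in segments for n in seg} - {removed}
    seen, parts = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        stack, part = [start], set()
        while stack:
            n = stack.pop()
            if n not in part:
                part.add(n)
                stack.extend(adj[n] - part)
        seen |= part
        parts.append(part)
    return parts

def would_disconnect(segments, node):
    """True if deleting `node` leaves more than one group of replicas."""
    return len(components(segments, removed=node)) > 1
```

Run against the line topology, deleting `replica2` is flagged while deleting an end node is not, and the two segments left after the deletion parse into two separate groups.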