[Freeipa-devel] topology-related issues

Ludwig Krispenz lkrispen at redhat.com
Tue Jun 23 13:48:26 UTC 2015


On 06/23/2015 03:43 PM, Oleg Fayans wrote:
>
>
> On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:
>>
>> On 06/23/2015 11:44 AM, Oleg Fayans wrote:
>>> It looks like the second issue was caused by not running ipa service 
>>> on vm-244.idm.lab.eng.brq.redhat.com.
>>> However, after manual start of the ipa service on this node, I was 
>>> still unable to setup the segment:
>>>
>>> [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm
>>> Left node: vm-244.idm.lab.eng.brq.redhat.com
>>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>>> Connectivity [both]:
>>> Segment name 
>>> [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
>>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code 
>>> may provide more information', 851968)/('Ticket not yet valid', 
>>> -1765328351)
>> I don't know, what this specific error is, but in the dirsrv log, 
>> which seems to be from vm-244, we have:
>>
>> set_krb5_creds - Could not get initial credentials for principal 
>> [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] 
>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact 
>> any KDC for requested realm)
>>
>> so is your kdc running ?
>>
> The weirdest thing is: I actually deleted this replica on master 
> before. This host is not shown among hosts, but the corresponding 
> topology segment was not deleted. This is how it looks on master:
>
> [15:40:59]ofayans at vm-069:~]$ ipa host-find
> ---------------
> 2 hosts matched
> ---------------
>   Host name: vm-069.idm.lab.eng.brq.redhat.com
>   Principal name: 
> host/vm-069.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM
>   Password: False
>   Keytab: True
>   Managed by: vm-069.idm.lab.eng.brq.redhat.com
>   SSH public key fingerprint: 
> EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), 
> B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256),
> 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)
>
>   Host name: vm-086.idm.lab.eng.brq.redhat.com
>   Principal name: 
> host/vm-086.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM
>   Password: False
>   Keytab: True
>   Managed by: vm-086.idm.lab.eng.brq.redhat.com
>   SSH public key fingerprint: 
> EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), 
> B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256),
> 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [15:41:07]ofayans at vm-069:~]$ ipa topologysegment-find realm
> ------------------
> 2 segments matched
> ------------------
>   Segment name: 086-to-069
>   Left node: vm-086.idm.lab.eng.brq.redhat.com
>   Right node: vm-069.idm.lab.eng.brq.redhat.com
>   Connectivity: both
>
>   Segment name: 127-to-244
>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>   Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [15:41:19]ofayans at vm-069:~]$
>
> I'll re-build the packages and try to record all the steps to 
> reproduce this issue today.
yes, please.
>
>>>
>> I don't know
>>
>>
>>> The dirsrv error log of this node is attached.
>>>
>>>
>>> On 06/23/2015 11:27 AM, Oleg Fayans wrote:
>>>> Hi Ludwig, team,
>>>>
>>>> I have a couple of issues with the topology plugin.
>>>>
>>>> 1. I was able to remove the middle node in a line topology, which 
>>>> resulted in disconnecting a segment. I had
>>>> master - replica1 - replica2 -  replica3 - replica4
>>>> I removed replica2 with a standard `ipa-replica-manage del`
>>>> And it resulted in the following topology:
>>>>
>>>> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm
>>>> ------------------
>>>> 2 segments matched
>>>> ------------------
>>>>   Segment name: 086-to-069
>>>>   Left node: vm-086.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-069.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>>
>>>>   Segment name: 127-to-244
>>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>   Connectivity: both
>>>> ----------------------------
>>>> Number of entries returned 2
>>>> ----------------------------
>>>>
>>>> We should probably prohibit such scenarios.
>>>>
>>>> 2. When I subsequently tried to create a link between the two 
>>>> segments manually, I bumped into the following error:
>>>>
>>>> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm
>>>> Left node: vm-069.idm.lab.eng.brq.redhat.com
>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>> Connectivity [both]:
>>>> Segment name 
>>>> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 
>>>> 069-to-244
>>>> ipa: ERROR: invalid 'rightnode': right node is not a topology node: 
>>>> vm-244.idm.lab.eng.brq.redhat.com
>>>>
>>>
>>>
>>>
>>
>>
>>
>
> -- 
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>
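
The disconnected state reported in issue 1 can be detected from the `ipa topologysegment-find` output alone. The following is an added example, not part of the original thread and not FreeIPA code: it parses that output, groups replicas into connected components, and checks whether deleting a given node would split the topology. The function names are hypothetical, and every segment is treated as bidirectional, as with the "both" connectivity shown in the thread.

```python
import re
from collections import defaultdict

# `ipa topologysegment-find realm` output as quoted in the thread above.
SAMPLE = """\
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
"""

def parse_segments(text):
    """Return (left, right) node pairs, one per segment."""
    lefts = re.findall(r"^\s*Left node:\s*(\S+)", text, re.M)
    rights = re.findall(r"^\s*Right node:\s*(\S+)", text, re.M)
    if len(lefts) != len(rights):
        raise ValueError("unbalanced Left/Right node lines")
    return list(zip(lefts, rights))

def components(edges, skip=None):
    """Connected groups of nodes, as if node `skip` had been deleted."""
    adj = defaultdict(set)
    for a, b in edges:
        for n in (a, b):
            if n != skip:
                adj[n]            # register node even if it ends up isolated
        if skip not in (a, b):
            adj[a].add(b)
            adj[b].add(a)
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        seen |= comp
        groups.append(sorted(comp))
    return groups

def deletion_disconnects(edges, node):
    """True if deleting `node` leaves the remaining replicas split."""
    return len(components(edges, skip=node)) > 1
```

Run against the output quoted in the thread, `components(parse_segments(SAMPLE))` returns two groups, which is the split topology described in issue 1.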
