<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 06/01/2015 01:34 PM, Oleg Fayans wrote: </div> <blockquote cite="mid:556C433E.90008@redhat.com" type="cite">So far I've bumped into problem, using the newly built packages: I've installed a master, a replica (replica1) Then replica3 (prepared on replica1), so, my topology looks like this: master <=> replica1 <=> replica3 However, the `ipa topologysegment-find` shows correct topology only on replicas (not on master) </blockquote> looks like replication from replica1 to master is not/nolonger working. will look into this. <blockquote cite="mid:556C433E.90008@redhat.com" type="cite"> master: root@testmaster:~]$ ipa topologysegment-find Suffix name: realm ----------------- 1 segment matched ----------------- Segment name: replica1.zaeba.li-to-testmaster.zaeba.li Left node: replica1.zaeba.li Right node: testmaster.zaeba.li Connectivity: both ---------------------------- Number of entries returned 1 ---------------------------- replica1: ofayans@replica1:~]$ ipa topologysegment-find Suffix name: realm ------------------ 2 segments matched ------------------ Segment name: replica1.zaeba.li-to-replica3.zaeba.li Left node: replica1.zaeba.li Right node: replica3.zaeba.li Connectivity: both Segment name: replica1.zaeba.li-to-testmaster.zaeba.li Left node: replica1.zaeba.li Right node: testmaster.zaeba.li Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- replica3: ofayans@replica3:~]$ ipa topologysegment-find Suffix name: realm ------------------ 2 segments matched ------------------ Segment name: replica1.zaeba.li-to-replica3.zaeba.li Left node: replica1.zaeba.li Right node: replica3.zaeba.li Connectivity: both Segment name: replica1.zaeba.li-to-testmaster.zaeba.li Left node: replica1.zaeba.li Right node: testmaster.zaeba.li Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- The second problem, is that the changes (like user creation) made on any of the nodes do not get replicate to other ones. The dirsrv logs are full of GSSAPI errors like this: ===================================================================== [01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success) ===================================================================== Full logs are attached I am using the 389-ds-base from mreynolds/389-ds-base dnf repo: root@testmaster:~]$ rpm -q 389-ds-base 389-ds-base-2015_03_11-1.fc21.x86_64 On 06/01/2015 11:19 AM, Oleg Fayans wrote: <blockquote type="cite">Woks for me too. Will perform extensive testing today, and report everything that I find. Thanks, Ludwig! <blockquote type="cite">On 05/29/2015 04:44 PM, Ludwig Krispenz wrote: <blockquote type="cite">This is a patch for the two issues reported in ticket #5035 <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5035">https://fedorahosted.org/freeipa/ticket/5035</a> </blockquote> Works for me. I was able to install 2 replicas with domain level 1 in one topology. Code looks good to me as well. Tentative ACK (would be nice if it was skimmed by Thierry). </blockquote> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>