<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 06/23/2015 03:43 PM, Oleg Fayans wrote: </div> <blockquote cite="mid:55896280.3010500@redhat.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 06/23/2015 02:27 PM, Ludwig Krispenz wrote: </div> <blockquote cite="mid:558950B1.2030803@redhat.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 06/23/2015 11:44 AM, Oleg Fayans wrote: </div> <blockquote cite="mid:55892A8F.4070302@redhat.com" type="cite">It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on thios node, I was still unable to setup the segment: [11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm Left node: vm-244.idm.lab.eng.brq.redhat.com Right node: vm-069.idm.lab.eng.brq.redhat.com Connectivity [both]: Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]: ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351) </blockquote> I don't know, what this specific error is, but in the dirsrv log, which seems to be from vm-244, we have: set_krb5_creds - Could not get initial credentials for principal [<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ldap/vm-244.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM">ldap/vm-244.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM</a>] in keytab [<a moz-do-not-send="true" class="moz-txt-link-freetext" href="FILE:/etc/dirsrv/ds.keytab">FILE:/etc/dirsrv/ds.keytab</a>]: -1765328228 (Cannot contact any KDC for requested realm) so is your kdc running ? </blockquote> The weirdest thing is: I actually deleted this replica on master before. This host is not shown among hosts, but the corresponding topology segment was not deleted. This is how it looks on master: [15:40:59]ofayans@vm-069:~]$ ipa host-find --------------- 2 hosts matched --------------- Host name: vm-069.idm.lab.eng.brq.redhat.com Principal name: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:host/vm-069.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM">host/vm-069.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM</a> Password: False Keytab: True Managed by: vm-069.idm.lab.eng.brq.redhat.com SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa) Host name: vm-086.idm.lab.eng.brq.redhat.com Principal name: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:host/vm-086.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM">host/vm-086.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM</a> Password: False Keytab: True Managed by: vm-086.idm.lab.eng.brq.redhat.com SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa) ---------------------------- Number of entries returned 2 ---------------------------- [15:41:07]ofayans@vm-069:~]$ ipa topologysegment-find realm ------------------ 2 segments matched ------------------ Segment name: 086-to-069 Left node: vm-086.idm.lab.eng.brq.redhat.com Right node: vm-069.idm.lab.eng.brq.redhat.com Connectivity: both Segment name: 127-to-244 Left node: vm-127.idm.lab.eng.brq.redhat.com Right node: vm-244.idm.lab.eng.brq.redhat.com Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- [15:41:19]ofayans@vm-069:~]$ I'll re-build the packages and try to record all the steps to reproduce this issue today. </blockquote> yes, please. <blockquote cite="mid:55896280.3010500@redhat.com" type="cite"> <blockquote cite="mid:558950B1.2030803@redhat.com" type="cite"> <blockquote cite="mid:55892A8F.4070302@redhat.com" type="cite"> </blockquote> I don't know <blockquote cite="mid:55892A8F.4070302@redhat.com" type="cite">The dirsrv error log of this node is attached. On 06/23/2015 11:27 AM, Oleg Fayans wrote: <blockquote type="cite">Hi Ludwig, team, I have a couple of issues with the topology plugin. 1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment. I had master - replica1 - replica2 - replica3 - replica4 I removed replica2 with a standard `ipa-replica-manage del` And it resulted in the following topology: [13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm ------------------ 2 segments matched ------------------ Segment name: 086-to-069 Left node: vm-086.idm.lab.eng.brq.redhat.com Right node: vm-069.idm.lab.eng.brq.redhat.com Connectivity: both Segment name: 127-to-244 Left node: vm-127.idm.lab.eng.brq.redhat.com Right node: vm-244.idm.lab.eng.brq.redhat.com Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- We should probably prohibit such scenarios. 2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error: [[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm Left node: vm-069.idm.lab.eng.brq.redhat.com Right node: vm-244.idm.lab.eng.brq.redhat.com Connectivity [both]: Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244 ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> <pre class="moz-signature" cols="72">-- Oleg Fayans Quality Engineer FreeIPA team RedHat.</pre> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>