<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div id="yiv6198026196"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">I am going to follow this, I seem to have a similar problem, which is being discussed in a different email chain. Just in case you are interested, it has "ipa-client-install fails on replica" in the subject line. I see that CA services are not running on your replica as well. The way I got there was skipping the "--setup-ca" option while running "ipa-replica-install". <br clear="none"><div id="yiv6198026196yui_3_13_0_ym1_17_1392246654277_29"><span></span></div><div id="yiv6198026196yui_3_13_0_ym1_17_1392246654277_31"> </div><div id="yiv6198026196yui_3_13_0_ym1_17_1392246654277_33">Shreeraj
<br clear="none">----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">Change is the only Constant !</div><div class="yiv6198026196yqt0021881518" id="yiv6198026196yqt73697"><div class="yiv6198026196yahoo_quoted" id="yiv6198026196yui_3_13_0_ym1_17_1392246654277_35" style="display: block;"> <br clear="none"> <br clear="none"> <div class="yiv6198026196yui_3_13_0_ym1_1_1392246654277_159881" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;"> <div class="yiv6198026196yui_3_13_0_ym1_1_1392246654277_159882" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Friday, February 14, 2014 4:59 AM, Martin Kosek <mkosek@redhat.com> wrote:<br clear="none"> </font> </div>  <div class="yiv6198026196y_msg_container">Ok, this part seems ok then. I would then focus directly on DNA operation itself.<br clear="none"><br clear="none">DNA plugin says:<br
 clear="none"><br clear="none">[13/Feb/2014:15:32:02 -0200] dna-plugin - dna_request_range: Error sending<br clear="none">range extension extended operation request to server
 ipa01.example.com:389<br clear="none">[error 53]<br clear="none">[13/Feb/2014:15:32:02 -0200] dna-plugin - dna_pre_op: no more values available!!<br clear="none"><br clear="none">Error 53 should be Unwilling to perform. Are there any errors on master dirsrv<br clear="none">errors log?<br clear="none"><br clear="none">Is any free number available on the master server?<br clear="none"><br clear="none">[master] $ ldapsearch -h `hostname` -D "cn=Directory Manager" -x -W -b<br clear="none">'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'<br clear="none">dnaNextValue dnaMaxValue<br clear="none"><br clear="none">Martin<br clear="none"><br clear="none">On 02/14/2014 12:36 PM, Bruno Henrique Barbosa wrote:<br clear="none">> Hi Martin, thanks for the help. <br clear="none">> <br clear="none">> <br clear="none">> Yes, I already did that test. Created a user on ipa01 (master), then he appeared on ipa02 (replica), in the
 replica, I modified his email address, it appeared back on master. Still, I cannot create a brand new user (or POSIX group) on ipa02. <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ipa01" target="_blank" href="mailto:root@ipa01">root@ipa01</a> ~]# ipactl status <br clear="none">> Directory Service: RUNNING <br clear="none">> KDC Service: RUNNING <br clear="none">> KPASSWD Service: RUNNING <br clear="none">> MEMCACHE Service: RUNNING <br clear="none">> HTTP Service: RUNNING <br clear="none">> CA Service: RUNNING <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ipa02" target="_blank" href="mailto:root@ipa02">root@ipa02</a> ~]# ipactl status <br clear="none">> Directory Service: RUNNING <br clear="none">> KDC Service: RUNNING <br clear="none">>
 KPASSWD Service: RUNNING <br clear="none">> MEMCACHE Service:
 RUNNING <br clear="none">> HTTP Service: RUNNING <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> Interesting on replica's /var/log/krb5kdc.log: <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ipa02" target="_blank" href="mailto:root@ipa02">root@ipa02</a> ~]# cat /var/log/krb5kdc.log | grep "Feb 13 15:31" <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): setting up network... <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 6: udp 0.0.0.0.88 (pktinfo) <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local address family 17 <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local address family 17 <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 8:
 tcp 0.0.0.0.88 <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 7: tcp ::.88 <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): set up 3 sockets <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): creating 4 worker processes <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 7 <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 8 <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 6 <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1535](info): commencing operation <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1533](info): commencing operation <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1536](info): commencing operation <br clear="none">> Feb 13 15:31:13 ipa02 krb5kdc[1534](info): commencing operation <br clear="none">> Feb 13 15:31:14 ipa02 krb5kdc[1534](info): AS_REQ (4 etypes {18 17
 16 23}) 192.168.0.2:
 NEEDED_PREAUTH: ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> for krbtgt/<a rel="nofollow" shape="rect" ymailto="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>, Additional pre-authentication required <br clear="none">> Feb 13 15:31:14 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18}, ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> for krbtgt/<a rel="nofollow" shape="rect" ymailto="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a> <br clear="none">> <br clear="none">> <br
 clear="none">> Feb 13 15:31:14 ipa02 krb5kdc[1536](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312674,
 etypes {rep=18 tkt=18 ses=18}, ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> for ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa01.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa01.example.com@EXAMPLE.COM">ipa01.example.com@EXAMPLE.COM</a> <br clear="none">> <br clear="none">> <br clear="none">> Feb 13 15:31:28 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: NEEDED_PREAUTH: <a rel="nofollow" shape="rect" ymailto="mailto:user01@EXAMPLE.COM" target="_blank" href="mailto:user01@EXAMPLE.COM">user01@EXAMPLE.COM</a> for krbtgt/<a rel="nofollow" shape="rect" ymailto="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>, Additional pre-authentication required <br clear="none">> Feb 13 15:31:28 ipa02 krb5kdc[1535](info):
 AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, <a rel="nofollow" shape="rect" ymailto="mailto:user01@EXAMPLE.COM" target="_blank" href="mailto:user01@EXAMPLE.COM">user01@EXAMPLE.COM</a> for krbtgt/<a rel="nofollow" shape="rect" ymailto="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a> <br clear="none">> Feb 13 15:31:28 ipa02 krb5kdc[1535](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, <a rel="nofollow" shape="rect" ymailto="mailto:user01@EXAMPLE.COM" target="_blank" href="mailto:user01@EXAMPLE.COM">user01@EXAMPLE.COM</a> for ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> <br clear="none">> <br clear="none">> <br clear="none">> <br
 clear="none">> <br clear="none">> Running kinit -kt on replica, returns nothing on prompt, but populates /var/log/krb5kdc.log with: <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> Feb 14 09:34:05 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: NEEDED_PREAUTH: ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> for krbtgt/<a rel="nofollow" shape="rect" ymailto="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>, Additional pre-authentication required <br clear="none">> Feb 14 09:34:05 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392377645, etypes {rep=18 tkt=18 ses=18}, ldap/<a rel="nofollow" shape="rect"
 ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> for krbtgt/<a rel="nofollow" shape="rect" ymailto="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> DNS is OK, resolving FQDN of both master and replica forward and reverse. <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> Bruno Henrique Barbosa <br clear="none">> <br clear="none">> Jr. Sys Admin <br clear="none">> IT Department <br clear="none">> Santos City Hall <br clear="none">> ----- Original message -----<div class="yiv6198026196yqt6720960821" id="yiv6198026196yqtfd64186"><br clear="none">> <br clear="none">> From: "Martin Kosek" <<a rel="nofollow" shape="rect"
 ymailto="mailto:mkosek@redhat.com" target="_blank" href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> <br clear="none">> To: "Bruno Henrique Barbosa" <<a rel="nofollow" shape="rect" ymailto="mailto:bruno-barbosa@prodesan.com.br" target="_blank" href="mailto:bruno-barbosa@prodesan.com.br">bruno-barbosa@prodesan.com.br</a>>, <a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <br clear="none">> Sent: Friday, February 14, 2014 5:51:49 <br clear="none">> Subject: Re: [Freeipa-users] IPA Replica cannot add user <br clear="none">> <br clear="none">> On 02/13/2014 06:55 PM, Bruno Henrique Barbosa wrote: <br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>> Hi everyone, <br clear="none">>><br clear="none">>><br clear="none">>> I've installed my IPA
 environment as follows: <br clear="none">>><br clear="none">>><br clear="none">>> ipa01.example.com - master install <br clear="none">>> ipa02.example.com - replica install, as the guide says, with ipa-replica-prepare on ipa01 and ipa-replica-install using gpg key generated. <br clear="none">>><br clear="none">>><br clear="none">>> All good, environment is fine, can access both UIs, but the underlying problem is: I can edit and remove users from IPA using
 instance ipa02 (replica), but I CANNOT add users from that instance. In the UI, error returned is: <br clear="none">>><br clear="none">>><br clear="none">>> IPA Error 4203 <br clear="none">>> Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. <br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>> Via command-line, debug-enabled: <br clear="none">>><br clear="none">>><br clear="none">>> <a rel="nofollow" shape="rect" ymailto="mailto:root@ipa02" target="_blank" href="mailto:root@ipa02">root@ipa02</a>'s password: <br clear="none">>> Last login: Thu Feb 13 15:36:34 2014 <br clear="none">>> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ipa02" target="_blank" href="mailto:root@ipa02">root@ipa02</a> ~]# kinit admin <br
 clear="none">>> Password for <a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: <br clear="none">>> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ipa02" target="_blank" href="mailto:root@ipa02">root@ipa02</a> ~]# ipa-replica-manage list <br clear="none">>> ipa01.example.com: master <br clear="none">>> ipa02.example.com: master <br clear="none">>> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ipa02" target="_blank" href="mailto:root@ipa02">root@ipa02</a> ~]# klist <br clear="none">>> Ticket cache: FILE:/tmp/krb5cc_0 <br clear="none">>> Default principal: <a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>><br clear="none">>><br clear="none">>> Valid starting Expires Service principal <br
 clear="none">>> 02/13/14 15:37:48 02/14/14 15:37:29 krbtgt/<a rel="nofollow" shape="rect" ymailto="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank" href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a> <br clear="none">>> 02/13/14 15:38:03 02/14/14 15:37:29 ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> <br clear="none">>> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ipa02" target="_blank" href="mailto:root@ipa02">root@ipa02</a> ~]# ipa -d user-add usertest <br clear="none">>> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'... <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' <br clear="none">>> ipa: DEBUG: importing plugin module
 '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' <br clear="none">>> ipa: DEBUG: importing plugin
 module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' <br clear="none">>> ipa: DEBUG:
 importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' <br
 clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' <br clear="none">>> ipa: DEBUG: importing plugin module
 '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' <br clear="none">>> ipa: DEBUG: args=klist -V <br clear="none">>> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3 <br clear="none">>><br clear="none">>><br clear="none">>> ipa: DEBUG: stderr= <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' <br clear="none">>> ipa: DEBUG: importing plugin module
 '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' <br clear="none">>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' <br clear="none">>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank"
 href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>> ipa: DEBUG: stdout= <br clear="none">>> ipa: DEBUG: stderr=keyctl_search: Required key not available <br clear="none">>><br clear="none">>><br clear="none">>> ipa: DEBUG: failed to find session_cookie in persistent storage for principal '<a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>' <br clear="none">>> ipa: INFO: trying <a rel="nofollow" shape="rect" target="_blank" href="https://ipa02.example.com/ipa/xml">https://ipa02.example.com/ipa/xml </a><br clear="none">>> ipa: DEBUG: NSSConnection init ipa02.example.com <br clear="none">>> ipa: DEBUG: Connecting: 192.168.0.2:0 <br clear="none">>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False <br clear="none">>> Data: <br clear="none">>> Version: 3 (0x2) <br
 clear="none">>> Serial Number: 14 (0xe) <br clear="none">>> Signature Algorithm: <br clear="none">>> Algorithm: PKCS #1 SHA-256 With RSA Encryption <br clear="none">>> Issuer: CN=Certificate Authority,O=EXAMPLE.COM <br clear="none">>> Validity: <br clear="none">>> Not Before: Qua Fev 12 19:42:11 2014 UTC <br clear="none">>> Not After: Sáb Fev 13 19:42:11 2016 UTC <br clear="none">>> Subject: CN=ipa02.example.com,O=EXAMPLE.COM <br clear="none">>> Subject Public Key Info: <br clear="none">>> Public Key Algorithm: <br clear="none">>> Algorithm: PKCS #1 RSA Encryption <br clear="none">>> RSA Public Key: <br clear="none">>> Modulus: <br clear="none">>> Exponent: <br clear="none">>> 65537
 (0x10001) <br clear="none">>> Signed Extensions: (5) <br clear="none">>> Name: Certificate Authority Key Identifier <br clear="none">>> Critical: False <br clear="none">>> Key ID: <br clear="none">>> 7f:77:f3:aa:bc:9a:8a:97:0f:29:2c:b6:a4:ff:81:ea: <br clear="none">>> c3:9c:48:63 <br clear="none">>> Serial Number: None <br clear="none">>> General Names: [0 total] <br clear="none">>><br clear="none">>><br clear="none">>> Name: Authority Information Access <br clear="none">>> Critical: False <br clear="none">>><br clear="none">>><br clear="none">>> Name: Certificate Key Usage <br clear="none">>> Critical: True <br clear="none">>> Usages: <br clear="none">>> Digital Signature <br clear="none">>> Non-Repudiation <br clear="none">>> Key Encipherment <br clear="none">>> Data Encipherment <br clear="none">>><br
 clear="none">>><br clear="none">>> Name: Extended Key Usage <br clear="none">>> Critical: False <br clear="none">>> Usages: <br clear="none">>> TLS Web Server Authentication Certificate <br clear="none">>> TLS Web Client Authentication Certificate <br clear="none">>><br clear="none">>><br clear="none">>> Name: Certificate Subject Key ID <br clear="none">>> Critical: False <br clear="none">>> Data: <br clear="none">>> ba:bd:55:29:33:53:0c:6b:fb:54:2f:ce:ce:40:ce:4c: <br clear="none">>> 55:7c:07:ec <br clear="none">>><br clear="none">>><br clear="none">>> Signature: <br clear="none">>> Signature Algorithm: <br clear="none">>> Algorithm: PKCS #1 SHA-256 With RSA Encryption <br clear="none">>> Signature: <br clear="none">>> Fingerprint (MD5): <br clear="none">>> 4e:06:54:a8:e4:62:8e:65:a1:7f:3c:31:01:4b:06:bf <br clear="none">>> Fingerprint (SHA1): <br clear="none">>> a2:43:5f:65:c0:61:13:cf:2c:9c:9d:32:72:d6:cc:78: <br clear="none">>> 66:6e:f7:77 <br clear="none">>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer <br clear="none">>> ipa: DEBUG: cert valid True for "CN=ipa02.example.com,O=EXAMPLE.COM" <br clear="none">>> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443 <br clear="none">>> ipa: DEBUG: received Set-Cookie 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; Secure; HttpOnly' <br clear="none">>> ipa: DEBUG: storing cookie
 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; Secure; HttpOnly' for principal <a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>> ipa: DEBUG: stdout= <br clear="none">>> ipa: DEBUG: stderr=keyctl_search: Required key not available <br clear="none">>><br clear="none">>><br clear="none">>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>> ipa: DEBUG: stdout= <br
 clear="none">>> ipa: DEBUG: stderr=keyctl_search: Required key not available <br clear="none">>><br clear="none">>><br clear="none">>> ipa: DEBUG: args=keyctl padd user ipa_session_cookie:<a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> @s <br clear="none">>> ipa: DEBUG: stdout=227287872 <br clear="none">>><br clear="none">>><br clear="none">>> ipa: DEBUG: stderr= <br clear="none">>> ipa: DEBUG: Created connection context.xmlclient <br clear="none">>> First name: usertest <br clear="none">>> Last name: testname <br clear="none">>> ipa: DEBUG: raw: user_add(u'usertest', givenname=u'usertest', sn=u'testname', cn=u'usertest testname', uidnumber=999, gidnumber=999, noprivate=False, all=False, raw=False, version=u'2.49', no_members=False) <br clear="none">>> ipa: DEBUG: user_add(u'usertest',
 givenname=u'usertest', sn=u'testname', cn=u'usertest testname', displayname=u'usertest testname', initials=u'ut',
 gecos=u'usertest testname', krbprincipalname=u'<a rel="nofollow" shape="rect" ymailto="mailto:usertest@EXAMPLE.COM" target="_blank" href="mailto:usertest@EXAMPLE.COM">usertest@EXAMPLE.COM</a>', random=False, uidnumber=999, gidnumber=999, noprivate=False, all=False, raw=False, version=u'2.49', no_members=False) <br clear="none">>> ipa: INFO: Forwarding 'user_add' to server u'<a rel="nofollow" shape="rect" target="_blank" href="https://ipa02.example.com/ipa/xml%27">https://ipa02.example.com/ipa/xml' </a><br clear="none">>> ipa: DEBUG: NSSConnection init ipa02.example.com <br clear="none">>> ipa: DEBUG: Connecting: 192.168.0.2:0 <br clear="none">>> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443 <br clear="none">>> ipa: DEBUG: received Set-Cookie 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; Secure; HttpOnly' <br clear="none">>> ipa:
 DEBUG: storing cookie
 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; Secure; HttpOnly' for principal <a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>> ipa: DEBUG: stdout=227287872 <br clear="none">>><br clear="none">>><br clear="none">>> ipa: DEBUG: stderr= <br clear="none">>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<a rel="nofollow" shape="rect" ymailto="mailto:admin@EXAMPLE.COM" target="_blank" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> <br clear="none">>> ipa: DEBUG: stdout=227287872 <br clear="none">>><br
 clear="none">>><br clear="none">>> ipa: DEBUG: stderr= <br clear="none">>>
 ipa: DEBUG: args=keyctl pupdate 227287872 <br clear="none">>> ipa: DEBUG: stdout= <br clear="none">>> ipa: DEBUG: stderr= <br clear="none">>> ipa: DEBUG: Caught fault 4203 from server <a rel="nofollow" shape="rect" target="_blank" href="https://ipa02.example.com/ipa/xml:">https://ipa02.example.com/ipa/xml: </a>Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. <br clear="none">>> ipa: DEBUG: Destroyed connection context.xmlclient <br clear="none">>> ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. <br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>> Under the labs I did on IPA, I could resolve that by booting the replica server, but
 this time I
 couldn't solve. Looking for assistance, please! <br clear="none">>><br clear="none">>><br clear="none">>> Thank you for any help you can provide in this situation! <br clear="none">>><br clear="none">>><br clear="none">>> Bruno Henrique Barbosa <br clear="none">>> Jr. Sys Admin <br clear="none">>> IT Department <br clear="none">>> Santos City Hall <br clear="none">> <br clear="none">> Hello Bruno, <br clear="none">> <br clear="none">> I saw the logs you sent to Dmitri. It seems to me that the replication link is <br clear="none">> broken, thus replica DNA plugin cannot acquire DNA ranges from master, thus it <br clear="none">> has no available range, thus adding users fails as DS cannot allocate UID and GID. <br clear="none">> <br clear="none">> I think your replication will be broken as well, did you verify that users you <br clear="none">> delete/modify on replica are
 also deleted/modified on master? <br clear="none">> <br clear="none">> I think the root cause is this log: <br clear="none">> <br clear="none">> [13/Feb/2014:15:31:11 -0200] set_krb5_creds - Could not get initial credentials <br clear="none">> for principal [ldap/<a rel="nofollow" shape="rect" ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a>] in keytab <br clear="none">> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested <br clear="none">> realm) <br clear="none">> <br clear="none">> Is your KDC running? <br clear="none">> <br clear="none">> [replica] # ipactl status <br clear="none">> <br clear="none">> You can also try to kinit manually to debug: <br clear="none">> <br clear="none">> [replica] # kinit -kt /etc/dirsrv/ds.keytab ldap/<a rel="nofollow" shape="rect"
 ymailto="mailto:ipa02.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa02.example.com@EXAMPLE.COM">ipa02.example.com@EXAMPLE.COM</a> <br clear="none">> <br clear="none">> If it does not succeed, it would not succeed for the DS either. <br clear="none">> <br clear="none">> I would also recommend checking that DNS is sane. You can find some pointers here: <br clear="none">> <a rel="nofollow" shape="rect" target="_blank" href="http://www.freeipa.org/page/Troubleshooting#DNS_Issues">http://www.freeipa.org/page/Troubleshooting#DNS_Issues </a><br clear="none">> <br clear="none">> HTH, <br clear="none">> Martin <br clear="none">> <br clear="none">> <br clear="none"><br clear="none">_______________________________________________<br clear="none">Freeipa-users mailing list<br clear="none"><a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank"
 href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br clear="none"><a rel="nofollow" shape="rect" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div> </div></div></div></div></body></html>