[Freeipa-devel] topology-related issues

Ludwig Krispenz lkrispen at redhat.com
Tue Jun 23 12:41:16 UTC 2015


On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:
>
> On 06/23/2015 11:44 AM, Oleg Fayans wrote:
>> It looks like the second issue was caused by not running ipa service 
>> on vm-244.idm.lab.eng.brq.redhat.com.
>> However, after manual start of the ipa service on this node, I was 
>> still unable to setup the segment:
>>
>> [11:38:39]ofayans at vm-069:~]$ ipa topologysegment-add realm
>> Left node: vm-244.idm.lab.eng.brq.redhat.com
>> Right node: vm-069.idm.lab.eng.brq.redhat.com
>> Connectivity [both]:
>> Segment name 
>> [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code 
>> may provide more information', 851968)/('Ticket not yet valid', 
>> -1765328351)
> I don't know what this specific error is, but in the dirsrv log, 
> which seems to be from vm-244, we have:
>
> set_krb5_creds - Could not get initial credentials for principal 
> [ldap/vm-244.idm.lab.eng.brq.redhat.com at IDM.LAB.ENG.BRQ.REDHAT.COM] in 
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any 
> KDC for requested realm)
>
> so is your kdc running?
an additional observation, there are lines like:

csngen_new_csn - Warning: too much time skew (-3146 secs). Current seqnum=1

so looks like the time on your vms is not in sync, replication should 
handle this (so it is a warning), but don't know about other components

>
>>
> I don't know
>
>
>> The dirsrv error log of this node is attached.
>>
>>
>> On 06/23/2015 11:27 AM, Oleg Fayans wrote:
>>> Hi Ludwig, team,
>>>
>>> I have a couple of issues with the topology plugin.
>>>
>>> 1. I was able to remove the middle node in a line topology, which 
>>> resulted in disconnecting a segment. I had
>>> master - replica1 - replica2 -  replica3 - replica4
>>> I removed replica2 with a standard `ipa-replica-manage del`
>>> And it resulted in the following topology:
>>>
>>> [13:13:08]ofayans at vm-086:~]$ ipa topologysegment-find realm
>>> ------------------
>>> 2 segments matched
>>> ------------------
>>>   Segment name: 086-to-069
>>>   Left node: vm-086.idm.lab.eng.brq.redhat.com
>>>   Right node: vm-069.idm.lab.eng.brq.redhat.com
>>>   Connectivity: both
>>>
>>>   Segment name: 127-to-244
>>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>   Connectivity: both
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>> We should probably prohibit such scenarios.
>>>
>>> 2. When I subsequently tried to create a link between the two 
>>> segments manually, I bumped into the following error:
>>>
>>> [[13:17:02]ofayans at vm-069:~]$ ipa topologysegment-add realm
>>> Left node: vm-069.idm.lab.eng.brq.redhat.com
>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>> Connectivity [both]:
>>> Segment name 
>>> [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 
>>> 069-to-244
>>> ipa: ERROR: invalid 'rightnode': right node is not a topology node: 
>>> vm-244.idm.lab.eng.brq.redhat.com
>>>
>>
>>
>>
>
>
>
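
Issue 1 in the quoted report, as an added example (not part of the thread and not FreeIPA's own code): a Python check that parses the `ipa topologysegment-find` output shown above and reports whether deleting a node would split the remaining replicas. It treats every segment as bidirectional, as the `Connectivity: both` segments in the thread are; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Output of `ipa topologysegment-find realm` as quoted in the thread.
FIND_OUTPUT = """\
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both
  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
"""

def parse_segments(text):
    """Return (left, right) host pairs from topologysegment-find output."""
    lefts = re.findall(r"^\s*Left node:\s*(\S+)", text, re.M)
    rights = re.findall(r"^\s*Right node:\s*(\S+)", text, re.M)
    return list(zip(lefts, rights))

def components(nodes, segments):
    """Group nodes into sets that can reach each other over the segments."""
    adj = defaultdict(set)
    for a, b in segments:
        if a in nodes and b in nodes:  # ignore segments touching other hosts
            adj[a].add(b)
            adj[b].add(a)
    seen, groups = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:  # depth-first walk from an unvisited node
            n = stack.pop()
            if n not in group:
                group.add(n)
                stack.extend(adj[n] - group)
        seen |= group
        groups.append(group)
    return groups

def deletion_disconnects(segments, victim):
    """True if removing `victim` and its segments splits the remaining nodes."""
    nodes = {n for seg in segments for n in seg} - {victim}
    return len(components(nodes, segments)) > 1

if __name__ == "__main__":
    segs = parse_segments(FIND_OUTPUT)
    print(components({n for s in segs for n in s}, segs))
```

Run against the segment list before a delete, `deletion_disconnects` gives the condition under which the removal could be refused.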
