[Freeipa-users] Replication Issue

Simo Sorce simo at redhat.com
Fri Apr 5 14:41:37 UTC 2013


On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> You were correct, my reverse DNS entries for the master and replica
> were missing. Odd, since they both existed at one point.


Rob,
I think we should open a ticket against 389ds, we should never depend on
PTR records.

In this case I believe the ldap libraries are at fault since they now
force SASL canonicalization on, which is known to be broken for gssapi as
it causes reverse resolution.

Rich, do you set LDAP_OPT_X_SASL_NOCANON in the 389ds code at all?

Simo.
> 
> Running the same commands again results in the following
> On the Replica system
> 
> 
> ipa-replica-manage list replica.example.com -v
> 
> master.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2013-04-05 14:18:11+00:00
> 
> 
> ipa-replica-manage list master.example.com -v
> 
> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info':
> 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied
> (Cannot determine realm for numeric host address)', 'desc': 'Local
> error'}
> ===========
> On the master system
> 
> 
> ipa-replica-manage list replica.example.com -v
> master.example.com: replica
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2013-04-05 14:19:39+00:00
> 
> 
> ipa-replica-manage list master.example.tni01.com -v
> replica.example.com: replica
>   last init status: 0 Total update succeeded
>   last init ended: 2013-04-04 20:06:44+00:00
>   last update status: 49  - LDAP error: Invalid credentials
>   last update ended: 2013-04-04 20:06:55+00:00
> 
> 
> 
> 
> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>         Brent Clark wrote:
>                 Ok, I have done as Steven Jones requested... here is
>                 the output from the
>                 replica
>                 
>                 I am able to kinit to admin using the password.
>                 
>                 issuing the ipa-replica-manage command on the replica
>                 for the replica
>                 
>                 
>                 replica.mydomain.com: replica
>                 
>                   last init status: None
>                   last init ended: None
>                   last update status: -2  - System error
>                   last update ended: None
>                 
>                 Same command but for the master
>                 Failed to get data from 'master.example.com': {'info':
>                 'SASL(-1): generic failure: GSSAPI Error: An invalid
>                 name was supplied (Cannot determine realm for numeric
>                 host address)', 'desc': 'Local error'}
>                 
>                 I can ping, telnet on all the IPA ports and ssh to the
>                 main server from
>                 the replica.
>                 
>                 So... I'm confused.
>                 
>                 Also on a whim, I was able to add a server to the
>                 replica and that host
>                 info did make it to the master.
>                 
>         
>         Sounds like a DNS issue. Make sure forward and reverse DNS
>         works for master.example.com.
>         
>         rob
>         
> 
> 
> 
> 
> -- 
> Brent S. Clark
> NOC Engineer


-- 
Simo Sorce * Red Hat, Inc * New York
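The failure in this thread is what a canonicalizing GSSAPI bind does: it resolves the server name forward, resolves the resulting address back to a name, and if there is no PTR record it is left with a bare IP and fails with "Cannot determine realm for numeric host address". The script below is an added example, not code from the thread, from FreeIPA or from 389ds; it performs the same forward-then-reverse lookups up front for each server you name and reports any host whose PTR record is missing or does not point back at the name, which is the check Rob suggested ("make sure forward and reverse DNS works"). It uses only the Python 3 standard library; the host names and addresses used in the offline test are constructed, and the `table_resolver` helper exists only so the check can run without a network.

```python
"""Forward/reverse DNS consistency check for FreeIPA/389ds servers.

Added example (not from the thread or the FreeIPA project).  A GSSAPI
bind with SASL canonicalization enabled resolves the server name, then
resolves the address back via PTR; a missing PTR leaves the library with
a numeric host and the "Cannot determine realm for numeric host address"
error.  This script does the same two lookups ahead of time and reports
hosts whose PTR is missing or inconsistent.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A resolver is a pair of callables: forward (name -> addresses) and
# reverse (address -> PTR name or None).  The defaults use the system
# resolver; table_resolver() builds the same pair from dicts for offline use.
ForwardFn = Callable[[str], List[str]]
ReverseFn = Callable[[str], Optional[str]]


def system_forward(name: str) -> List[str]:
    """All A/AAAA addresses for name via getaddrinfo; [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(addr: str) -> Optional[str]:
    """PTR name for addr via gethostbyaddr; None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def _canon(name: str) -> str:
    """Normalise a DNS name for comparison (trailing dot and case are irrelevant)."""
    return name.rstrip(".").lower()


def check_host(name: str,
               forward: ForwardFn = system_forward,
               reverse: ReverseFn = system_reverse) -> List[str]:
    """Return a list of problems for one server name; empty means consistent.

    Every address the name resolves to must have a PTR, and that PTR must
    name the host we started from, which is what SASL canonicalization
    effectively requires before a GSSAPI bind can succeed.
    """
    problems: List[str] = []
    addrs = forward(name)
    if not addrs:
        return [f"{name}: no forward (A/AAAA) record"]
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"{name}: {addr} has no PTR record")
        elif _canon(ptr) != _canon(name):
            problems.append(f"{name}: {addr} PTR points to {ptr}, not {name}")
    return problems


def check_servers(names: Iterable[str],
                  forward: ForwardFn = system_forward,
                  reverse: ReverseFn = system_reverse) -> Dict[str, List[str]]:
    """Run check_host over every master/replica name; map name -> problems."""
    return {n: check_host(n, forward, reverse) for n in names}


def table_resolver(forward_table: Dict[str, List[str]],
                   reverse_table: Dict[str, str]) -> Tuple[ForwardFn, ReverseFn]:
    """Build a (forward, reverse) pair from constructed dicts, for offline runs."""
    return (lambda n: list(forward_table.get(n, [])),
            lambda a: reverse_table.get(a))


if __name__ == "__main__":
    import sys
    # Usage: python3 check_ptr.py master.example.com replica.example.com
    hosts = sys.argv[1:] or ["master.example.com", "replica.example.com"]
    for host, probs in check_servers(hosts).items():
        print(host, "OK" if not probs else "; ".join(probs))
```

Run it with every master and replica name that appears in `ipa-replica-manage list`; any line other than "OK" is a host that a canonicalizing GSSAPI bind will fail against. On the client side, OpenLDAP's own knob for the option Simo mentions is `SASL_NOCANON on` in ldap.conf (or `-N` on the ldapsearch command line), which skips the reverse lookup entirely, but the replication agreements run inside 389ds, so fixing the PTR records is the fix that actually applies here.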