[Freeipa-users] Replication Issue

Rich Megginson rmeggins at redhat.com
Fri Apr 5 15:51:30 UTC 2013


On 04/05/2013 08:41 AM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>> You were correct, my reverse DNS entries for the master and replica
>> were missing. Odd, since they both existed at one point.
>
> Rob,
> I think we should open a ticket against 389ds, we should never depend on
> PTR records.
>
> In this case I believe the ldap libraries are at fault since they now
> force SASL canonicalization on which is known to be broken for gssapi as
> it causes reverse resolution.
>
> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
Yes.
ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

Should this be off by default?  Should this be configurable?

>
> Simo.
>> Running the same commands again results in the following
>> On the Replica system
>>
>>
>> ipa-replica-manage list replica.example.com -v
>>
>> master.example.com: replica
>>    last init status: None
>>    last init ended: None
>>    last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>    last update ended: 2013-04-05 14:18:11+00:00
>>
>>
>> ipa-replica-manage list master.example.com -v
>>
>> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info':
>> 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied
>> (Cannot determine realm for numeric host address)', 'desc': 'Local
>> error'}
>> ===========
>> On the master system
>>
>>
>> ipa-replica-manage list replica.example.com -v
>> master.example.com: replica
>>    last init status: None
>>    last init ended: None
>>    last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>    last update ended: 2013-04-05 14:19:39+00:00
>>
>>
>> ipa-replica-manage list master.example.tni01.com -v
>> replica.example.com: replica
>>    last init status: 0 Total update succeeded
>>    last init ended: 2013-04-04 20:06:44+00:00
>>    last update status: 49  - LDAP error: Invalid credentials
>>    last update ended: 2013-04-04 20:06:55+00:00
>>
>>
>>
>>
>> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden <rcritten at redhat.com>
>> wrote:
>>          Brent Clark wrote:
>>                  Ok, I have done as Steven Jones requested... here is
>>                  the output from the
>>                  replica
>>                  
>>                  I am able to kinit to admin using the password.
>>                  
>>                  issuing the ipa-replica-manage command on the replica
>>                  for the replica
>>                  
>>                  
>>                  replcia.mydomain.com: replica
>>                  
>>                    last init status: None
>>                    last init ended: None
>>                    last update status: -2  - System error
>>                    last update ended: None
>>                  
>>                  Same command but for the master
>>                  Failed to get data from 'master.example.com': {'info': SASL (-1):
>>                  generic failure:
>>                  
>>                  GSSAPI Error: An invalid name was supplied (Cannot
>>                  determine realm for
>>                  numeric host address)', 'desc':'Local error'}
>>                  
>>                  I can ping, telnet on all the IPA ports and ssh to the
>>                  main server from
>>                  the replica.
>>                  
>>                  So... I'm confused.
>>                  
>>                  Also on a whim, I was able to add a server to the
>>                  replica and that host
>>                  info did make it to the master.
>>                  
>>          
>>          Sounds like a DNS issue. Make sure forward and reverse DNS
>>          works for master.example.com.
>>          
>>          rob
>>          
>>
>>
>>
>>
>> -- 
>> Brent S. Clark
>> NOC Engineer
>>
>> 2580 55th St.  |  Boulder, Colorado 80301
>> www.tendrilinc.com  |  blog
>> Tendril
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
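The thread's diagnosis is that a missing PTR record for the replica made a GSSAPI bind fail with "Cannot determine realm for numeric host address", because SASL canonicalization reverse-resolves the target address and, with no PTR, the numeric address ends up as the host part of the requested service principal. The following script is an added example written for this archive page; it is not code from the thread, from FreeIPA or from 389-ds. It checks that every address of an IPA server's hostname has a PTR that maps back to that hostname, and it models, as a simplified assumption rather than a transcript of the library's logic, which `ldap/<host>@REALM` principal a client would ask for with canonicalization on versus with `LDAP_OPT_X_SASL_NOCANON`. The zone data under `CONSTRUCTED_A` and `CONSTRUCTED_PTR` and the `EXAMPLE.COM` realm are constructed so the check runs offline; passing hostnames on the command line uses the system resolver instead.

```python
"""Forward/reverse DNS consistency check for an IPA master or replica.

Added example, not code from the thread or from FreeIPA/389-ds. The
principal model below is a simplified assumption about how GSSAPI SASL
canonicalization derives the host part of the service principal.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

ForwardFn = Callable[[str], List[str]]       # host -> addresses ([] if none)
ReverseFn = Callable[[str], Optional[str]]   # address -> PTR name (None if none)


def system_forward(host: str) -> List[str]:
    """Resolve A/AAAA records with the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(addr: str) -> Optional[str]:
    """Resolve the PTR record with the system resolver."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def expected_service_principal(host: str, realm: str, forward: ForwardFn,
                               reverse: ReverseFn, canonicalize: bool = True) -> str:
    """Simplified model (assumption) of the principal a GSSAPI client requests.

    With canonicalization on, the hostname is resolved to an address and the
    address's PTR name becomes the host part; with no PTR the numeric address
    is used, which Kerberos cannot map to a realm. With NOCANON (the 389-ds
    default quoted in the thread) the name is used exactly as given.
    """
    if not canonicalize:
        return f"ldap/{_norm(host)}@{realm}"
    addrs = forward(host)
    if not addrs:
        return f"ldap/{_norm(host)}@{realm}"   # unresolvable: name kept as given
    ptr = reverse(addrs[0])
    if ptr is None:
        return f"ldap/{addrs[0]}@{realm}"      # the failure mode from the thread
    return f"ldap/{_norm(ptr)}@{realm}"


def check_forward_reverse(host: str, forward: ForwardFn,
                          reverse: ReverseFn) -> Tuple[bool, List[str]]:
    """Return (ok, findings): every address needs a PTR that maps back to host."""
    findings: List[str] = []
    addrs = forward(host)
    if not addrs:
        return False, [f"{host}: no A/AAAA record"]
    ok = True
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            ok = False
            findings.append(f"{host} -> {addr}: no PTR record")
        elif _norm(ptr) != _norm(host):
            ok = False
            findings.append(f"{host} -> {addr} -> {ptr}: PTR does not map back")
        else:
            findings.append(f"{host} -> {addr} -> {ptr}: ok")
    return ok, findings


# Constructed sample zone data (not from the thread): the replica's PTR is missing.
CONSTRUCTED_A: Dict[str, List[str]] = {
    "master.example.com": ["192.0.2.10"],
    "replica.example.com": ["192.0.2.20"],
}
CONSTRUCTED_PTR: Dict[str, str] = {"192.0.2.10": "master.example.com"}


def constructed_forward(host: str) -> List[str]:
    return CONSTRUCTED_A.get(_norm(host), [])


def constructed_reverse(addr: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(addr)


if __name__ == "__main__":
    # Hostnames on the command line are checked live; otherwise the sample data is used.
    live = bool(sys.argv[1:])
    hosts = sys.argv[1:] if live else list(CONSTRUCTED_A)
    fwd, rev = (system_forward, system_reverse) if live else (constructed_forward, constructed_reverse)
    for h in hosts:
        ok, notes = check_forward_reverse(h, fwd, rev)
        print(f"{h}: {'OK' if ok else 'PROBLEM'}")
        for n in notes:
            print("  " + n)
        print("  canonicalized principal: " + expected_service_principal(h, "EXAMPLE.COM", fwd, rev))
```

Run against the sample data, the master passes and the replica is flagged with "no PTR record", and the modelled principal for the replica is `ldap/192.0.2.20@EXAMPLE.COM`, which is exactly the numeric host Kerberos cannot place in a realm; with `canonicalize=False` the same call yields `ldap/replica.example.com@EXAMPLE.COM`. Running it with real hostnames before and after repairing reverse zones is a quick way to confirm the fix Brent applied.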



