[Freeipa-users] Replication Issue
Rich Megginson
rmeggins at redhat.com
Fri Apr 5 15:51:30 UTC 2013
On 04/05/2013 08:41 AM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>> You were correct, my reverse DNS entries for the master and replica
>> were missing. Odd, since they both existed at one point.
>
> Rob,
> I think we should open a ticket against 389ds, we should never depend on
> PTR records.
>
> In this case I believe the ldap libraries are at fault since they now
> force SASL canonicalization on, which is known to be broken for gssapi as
> it causes reverse resolution.
>
> Rich, do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all?
Yes.
ldap/servers/slapd/ldaputil.c: ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
Should this be off by default? Should this be configurable?
>
> Simo.
>> Running the same commands again results in the following
>> On the Replica system
>>
>>
>> ipa-replica-manage list replica.example.com -v
>>
>> master.example.com: replica
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>> last update ended: 2013-04-05 14:18:11+00:00
>>
>>
>> ipa-replica-manage list master.example.com -v
>>
>> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info':
>> 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied
>> (Cannot determine realm for numeric host address)', 'desc': 'Local
>> error'}
>> ===========
>> On the master system
>>
>>
>> ipa-replica-manage list replica.example.com -v
>> master.example.com: replica
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>> last update ended: 2013-04-05 14:19:39+00:00
>>
>>
>> ipa-replica-manage list master.example.tni01.com -v
>> replica.example.com: replica
>> last init status: 0 Total update succeeded
>> last init ended: 2013-04-04 20:06:44+00:00
>> last update status: 49 - LDAP error: Invalid credentials
>> last update ended: 2013-04-04 20:06:55+00:00
>>
>> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden <rcritten at redhat.com>
>> wrote:
>> Brent Clark wrote:
>> Ok, I have done as Steven Jones requested... here is
>> the output from the
>> replica
>>
>> I am able to kinit to admin using the password.
>>
>> issuing the ipa-replica-manage command on the replica
>> for the replica
>>
>>
>> replcia.mydomain.com: replica
>>
>> last init status: None
>> last init ended: None
>> last update status: -2 - System error
>> last update ended: None
>>
>> Same command but for the master
>> Failed to get data from 'master.example.com': {'info': SASL (-1):
>> generic failure: GSSAPI Error: An invalid name was supplied (Cannot
>> determine realm for numeric host address)', 'desc':'Local error'}
>>
>> I can ping, telnet on all the IPA ports and ssh to the
>> main server from
>> the replica.
>>
>> So... I'm confused.
>>
>> Also on a whim, I was able to add a server to the
>> replica and that host
>> info did make it to the master.
>>
>>
>> Sounds like a DNS issue. Make sure forward and reverse DNS
>> works for master.example.com.
>>
>> rob
>>
>> --
>> Brent S. Clark
>> NOC Engineer
>>
>
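The thread turns on two things: Rob's advice to confirm that forward and reverse DNS agree for each IPA server, and Simo's point that a GSSAPI client with SASL canonicalization enabled has to reverse-resolve the server's IP to build the ldap/<host> principal, so a missing PTR produces "Cannot determine realm for numeric host address". The script below is an added example, not code from the thread or from FreeIPA or 389-ds; it walks the host -> address -> PTR chain for a list of servers and reports where it breaks. The resolver functions are injected, so the constructed zone data (master correct, replica without a PTR, a third host whose PTR points elsewhere) runs offline; passing the socket-based defaults checks the live resolver. All host names and addresses in it are made up.

```python
"""Added example: verify that the forward (A) and reverse (PTR) records for
each IPA server agree. Resolver callables are injected so the check runs
against a constructed map offline; the socket defaults do a live check.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class DnsCheck:
    host: str
    address: Optional[str]   # result of the forward lookup, or None
    ptr_name: Optional[str]  # result of the reverse lookup, or None
    problem: Optional[str]   # None when forward and reverse agree

    @property
    def ok(self) -> bool:
        return self.problem is None


def _socket_forward(host: str) -> str:
    return socket.gethostbyname(host)


def _socket_reverse(address: str) -> str:
    return socket.gethostbyaddr(address)[0]


def check_host(host: str,
               forward: Callable[[str], str] = _socket_forward,
               reverse: Callable[[str], str] = _socket_reverse) -> DnsCheck:
    """Resolve host -> address -> name and report any break in the chain.

    A missing PTR is the case that leaves a canonicalising GSSAPI client
    with only an IP address from which to build the ldap/<host> principal.
    """
    try:
        address = forward(host)
    except OSError as exc:
        return DnsCheck(host, None, None, f"forward lookup failed: {exc}")
    try:
        ptr_name = reverse(address)
    except OSError as exc:
        return DnsCheck(host, address, None,
                        f"no PTR record for {address}: {exc}")
    # Compare case-insensitively and ignore a trailing dot on either side.
    if ptr_name.rstrip(".").lower() != host.rstrip(".").lower():
        return DnsCheck(host, address, ptr_name,
                        f"PTR for {address} is {ptr_name!r}, expected {host!r}")
    return DnsCheck(host, address, ptr_name, None)


def check_hosts(hosts: List[str],
                forward: Callable[[str], str] = _socket_forward,
                reverse: Callable[[str], str] = _socket_reverse) -> List[DnsCheck]:
    return [check_host(h, forward, reverse) for h in hosts]


def make_map_resolvers(forward_map: Dict[str, str], reverse_map: Dict[str, str]):
    """Build resolver callables from plain dicts (constructed, for offline use)."""
    def fwd(host: str) -> str:
        try:
            return forward_map[host.lower()]
        except KeyError:
            raise socket.gaierror(f"constructed resolver: no A record for {host}")

    def rev(address: str) -> str:
        try:
            return reverse_map[address]
        except KeyError:
            raise socket.herror(f"constructed resolver: no PTR record for {address}")

    return fwd, rev


# Constructed sample zone: master is consistent, replica lacks a PTR, and a
# third host's PTR points at a different name. Addresses are RFC 5737 TEST-NET.
SAMPLE_FORWARD = {
    "master.example.com": "192.0.2.10",
    "replica.example.com": "192.0.2.11",
    "other.example.com": "192.0.2.12",
}
SAMPLE_REVERSE = {
    "192.0.2.10": "master.example.com",
    "192.0.2.12": "oldname.example.com",
}

if __name__ == "__main__":
    fwd, rev = make_map_resolvers(SAMPLE_FORWARD, SAMPLE_REVERSE)
    for result in check_hosts(list(SAMPLE_FORWARD), fwd, rev):
        status = "ok" if result.ok else "FAIL"
        print(f"{status:4} {result.host}: {result.problem or 'forward and reverse agree'}")
```

Running it against the constructed zone flags replica.example.com (no PTR) and other.example.com (PTR names a different host) while master.example.com passes; for a real deployment call `check_hosts(["master.example.com", "replica.example.com"])` with the defaults on both the master and the replica, since each side resolves through its own /etc/resolv.conf.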