[Freeipa-users] Replication Issue

Brent Clark bclark at tendrilinc.com
Fri Apr 5 16:53:07 UTC 2013


Thanks for all the help!

After fixing the DNS issues, I then solved the LDAP error by rebooting the
master and replica. Something I hadn't done since installing IPA on both of
them and setting them up.


On Fri, Apr 5, 2013 at 9:51 AM, Rich Megginson <rmeggins at redhat.com> wrote:

> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>
>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>
>>> You were correct, my reverse DNS entries for the master and replica
>>> were missing. Odd, since they both existed at one point.
>>>
>>
>> Rob,
>> I think we should open a ticket against 389ds, we should never depend on
>> PTR records.
>>
>> In this case I believe the ldap libraries are at fault since they now
>> force SASL canonicalization on which is known to be broken for gssapi as
>> it causes reverse resolution.
>>
>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>
> Yes.
> ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>
> Should this be off by default?  Should this be configurable?
>
>
>
>> Simo.
>>
>>> Running the same commands again results in the following
>>> On the Replica system
>>>
>>>
>>> ipa-replica-manage list replica.example.com -v
>>>
>>> master.example.com: replica
>>>    last init status: None
>>>    last init ended: None
>>>    last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>    last update ended: 2013-04-05 14:18:11+00:00
>>>
>>>
>>> ipa-replica-manage list master.example.com -v
>>>
>>> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info':
>>> 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied
>>> (Cannot determine realm for numeric host address)', 'desc': 'Local
>>> error'}
>>> ===========
>>> On the master system
>>>
>>>
>>> ipa-replica-manage list replica.example.com -v
>>> master.example.com: replica
>>>    last init status: None
>>>    last init ended: None
>>>    last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>    last update ended: 2013-04-05 14:19:39+00:00
>>>
>>>
>>> ipa-replica-manage list master.example.tni01.com -v
>>> replica.example.com: replica
>>>    last init status: 0 Total update succeeded
>>>    last init ended: 2013-04-04 20:06:44+00:00
>>>    last update status: 49  - LDAP error: Invalid credentials
>>>    last update ended: 2013-04-04 20:06:55+00:00
>>>
>>>
>>>
>>>
>>> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>     Brent Clark wrote:
>>>
>>>         Ok, I have done as Steven Jones requested... here is the output
>>>         from the replica
>>>
>>>         I am able to kinit to admin using the password.
>>>
>>>         Issuing the ipa-replica-manage command on the replica for the
>>>         replica:
>>>
>>>         replcia.mydomain.com: replica
>>>            last init status: None
>>>            last init ended: None
>>>            last update status: -2  - System error
>>>            last update ended: None
>>>
>>>         Same command but for the master:
>>>
>>>         Failed to get data from 'master.example.com': {'info': 'SASL(-1):
>>>         generic failure: GSSAPI Error: An invalid name was supplied (Cannot
>>>         determine realm for numeric host address)', 'desc': 'Local error'}
>>>
>>>         I can ping, telnet on all the IPA ports and ssh to the main server
>>>         from the replica.
>>>
>>>         So... I'm confused.
>>>
>>>         Also on a whim, I was able to add a server to the replica and that
>>>         host info did make it to the master.
>>>
>>>     Sounds like a DNS issue. Make sure forward and reverse DNS works for
>>>     master.example.com.
>>>
>>>     rob
>>>
>>>
>>>
>>>


-- 
Brent S. Clark
NOC Engineer
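Rob's advice above is to verify forward and reverse DNS for both hosts, and Simo explains why it matters: with SASL canonicalization forced on, the GSSAPI bind reverse-resolves the peer, so a missing PTR surfaces as "Cannot determine realm for numeric host address" even when ping and ssh work. The following check is an added example, not code from the thread or from FreeIPA; `check_hosts` is a hypothetical helper, and the zone data and fake resolvers are constructed so it runs offline.

```python
import socket

def _sys_forward(fqdn):
    """IPv4 lookup via the system resolver; returns a list of addresses."""
    return socket.gethostbyname_ex(fqdn)[2]

def _sys_reverse(ip):
    """PTR lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def check_hosts(fqdns, forward=_sys_forward, reverse=_sys_reverse):
    """One finding per (host, address). With SASL canonicalization on, the
    GSSAPI bind resolves the peer address back to a name and builds the
    ldap/<name>@REALM principal from it, so each address needs a PTR that
    maps back to the same FQDN, not merely any PTR."""
    findings = []
    for fqdn in fqdns:
        try:
            addrs = forward(fqdn)
        except socket.gaierror:
            addrs = []
        if not addrs:
            findings.append({"host": fqdn, "ip": "", "ptr": "", "status": "no A record"})
            continue
        for ip in addrs:
            ptr = reverse(ip)
            if ptr is None:
                status = "no PTR record"
            elif ptr.rstrip(".").lower() != fqdn.lower():
                status = "PTR mismatch"
            else:
                status = "ok"
            findings.append({"host": fqdn, "ip": ip, "ptr": ptr or "", "status": status})
    return findings

# Constructed zone data for offline demonstration (not real hosts): the
# replica's PTR is missing, as in the thread.
FAKE_A = {"master.example.com": ["192.0.2.10"], "replica.example.com": ["192.0.2.11"]}
FAKE_PTR = {"192.0.2.10": "master.example.com"}

def fake_forward(fqdn):
    if fqdn not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[fqdn]

def fake_reverse(ip):
    return FAKE_PTR.get(ip)
```

Against real DNS, call `check_hosts(["master.example.com", "replica.example.com"])` with the default resolvers from both the master and the replica, since each side resolves the other; any finding other than "ok" is a replication problem waiting to happen.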
