[Freeipa-users] ui login error and questions about replication

Tamas Papp tompos at martos.bme.hu
Tue Nov 5 12:32:36 UTC 2013


hi,

The systems are up-to-date F19 KVM guests.


I'm trying to log in to the web UI with no success:

"Your session has expired. Please re-login.

To login with Kerberos, please make sure you have valid tickets
(obtainable via kinit) and configured
<http://ipa31.bph.cxn/ipa/config/unauthorized.html> the browser
correctly, then click Login.

To login with username and password, enter them in the fields below then
click Login."


Then after a while something happens and it starts working.

In logs:

On the "primary" node:

[05/Nov/2013:12:19:06 +0100] NSMMReplicationPlugin -
agmt="cn=meToipa12.bpo.cxn" (ipa12:389): Replication bind with GSSAPI
auth resumed


On the "secondary" node:

[05/Nov/2013:12:31:25 +0100] csngen_new_csn - Warning: too much time
skew (-1658 secs). Current seqnum=3
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time
skew (-811 secs). Current seqnum=a
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time
skew (-812 secs). Current seqnum=1
[05/Nov/2013:12:45:35 +0100] csngen_new_csn - Warning: too much time
skew (-811 secs). Current seqnum=1
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time
skew (-800 secs). Current seqnum=4
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time
skew (-801 secs). Current seqnum=1
[05/Nov/2013:12:45:49 +0100] csngen_new_csn - Warning: too much time
skew (-800 secs). Current seqnum=1


Date shows the same system time on both machines:

Tue Nov  5 12:59:29 CET 2013

I call "primary" the machine that was installed initially, and
"secondary" the one that was deployed by replication.



Finally, I have some questions :)

1. How can this happen, what's the problem? Is it something about the
design, did I screw something up, or is it maybe the virtualization layer?
How can I avoid it and, if it happens, how can I fix it immediately?


2. What is the difference between 'primary' and 'secondary'? What
happens if the primary machine gets destroyed?


4. How many "masters" can I use?


5. If I have a network like this:

A1______B1
A2          B2

A2, B1 and B2 are replicated from A1.

If the connection gets lost between sites A and B, are B1 and B2 (and
A1 and A2) replicated fine?


6. If a client is installed with ipa-client-install using A1 and A1 gets
lost, does the client know where it needs to connect (failover...)?


7. Can I install slave (read-only) replicas, so that clients access them only
for queries, and for changes (like pw change) they access master servers?



Thanks,
tamas
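
A small triage script for the `csngen_new_csn` warnings quoted in the post above, as an added example that is not part of the original message: it extracts each reported skew and shows how the value changes over time. The function names are hypothetical, the sample lines are the post's own log lines with the mail wrapping rejoined, and reading `seqnum` as hexadecimal is an assumption based on the value `a` in the log.

```python
import re
from datetime import datetime

# Log lines from the post, hard wraps rejoined. The last line is the
# "primary" node's entry, kept to show that unrelated lines are skipped.
SAMPLE_LOG = """\
[05/Nov/2013:12:31:25 +0100] csngen_new_csn - Warning: too much time skew (-1658 secs). Current seqnum=3
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time skew (-811 secs). Current seqnum=a
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time skew (-812 secs). Current seqnum=1
[05/Nov/2013:12:45:35 +0100] csngen_new_csn - Warning: too much time skew (-811 secs). Current seqnum=1
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time skew (-800 secs). Current seqnum=4
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time skew (-801 secs). Current seqnum=1
[05/Nov/2013:12:45:49 +0100] csngen_new_csn - Warning: too much time skew (-800 secs). Current seqnum=1
[05/Nov/2013:12:19:06 +0100] NSMMReplicationPlugin - agmt="cn=meToipa12.bpo.cxn" (ipa12:389): Replication bind with GSSAPI auth resumed
"""

SKEW_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+csngen_new_csn - Warning: too much time skew "
    r"\((?P<skew>-?\d+) secs\)\. Current seqnum=(?P<seq>[0-9a-fA-F]+)\s*$"
)

def parse_skew_warnings(text):
    """Return (timestamp, skew_seconds, seqnum) for each skew warning."""
    events = []
    for line in text.splitlines():
        m = SKEW_RE.match(line.strip())
        if m is None:
            continue  # not a time-skew warning
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        # Assumption: seqnum is printed in hex (the post shows "a").
        events.append((ts, int(m.group("skew")), int(m.group("seq"), 16)))
    return events

def summarize(events):
    """Worst skew, latest skew, and change in reported skew per second."""
    if not events:
        return None
    events = sorted(events, key=lambda e: e[0])  # stable: keeps log order on ties
    first, last = events[0], events[-1]
    elapsed = (last[0] - first[0]).total_seconds()
    drift = (last[1] - first[1]) / elapsed if elapsed else 0.0
    return {
        "count": len(events),
        "worst_skew": max(events, key=lambda e: abs(e[1]))[1],
        "latest_skew": last[1],
        "drift_per_sec": round(drift, 3),
    }
```

On the sample, the reported skew goes from -1658 s to -800 s over 864 s of log time, so the value shrinks at close to one second per second.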