[Freeipa-users] IPA Replica cannot add user

Dmitri Pal dpal at redhat.com
Thu Feb 13 18:30:22 UTC 2014


On 02/13/2014 12:55 PM, Bruno Henrique Barbosa wrote:
> Hi everyone,
>
> I've installed my IPA environment as follows:
>
> ipa01.example.com - master install
> ipa02.example.com - replica install, as the guide says, with 
> ipa-replica-prepare on ipa01 and ipa-replica-install using gpg key 
> generated.
>
> All good, environment is fine, can access both UI, but the underlying 
> problem is: I can edit and remove users from IPA using instance ipa02 
> (replica), but I CANNOT add users from that instance. In the UI, error 
> returned is:
>
> IPA Error 4203
> Operations error: Allocation of a new value for range cn=posix 
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config 
> failed! Unable to proceed.
>
>
> Via command-line, debug-enabled:
>
> root@ipa02's password:
> Last login: Thu Feb 13 15:36:34 2014
> [root@ipa02 ~]# kinit admin
> Password for admin@EXAMPLE.COM:
> [root@ipa02 ~]# ipa-replica-manage list
> ipa01.example.com: master
> ipa02.example.com: master
> [root@ipa02 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 02/13/14 15:37:48  02/14/14 15:37:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> 02/13/14 15:38:03  02/14/14 15:37:29  ldap/ipa02.example.com@EXAMPLE.COM
> [root@ipa02 ~]# ipa -d user-add usertest
> ipa: DEBUG: importing all plugin modules in 
> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: args=klist -V
> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@EXAMPLE.COM
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa: DEBUG: failed to find session_cookie in persistent storage for 
> principal 'admin@EXAMPLE.COM'
> ipa: INFO: trying https://ipa02.example.com/ipa/xml
> ipa: DEBUG: NSSConnection init ipa02.example.com
> ipa: DEBUG: Connecting: 192.168.0.2:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>         Version:       3 (0x2)
>         Serial Number: 14 (0xe)
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         Validity:
>             Not Before: Qua Fev 12 19:42:11 2014 UTC
>             Not After:  Sáb Fev 13 19:42:11 2016 UTC
>         Subject: CN=ipa02.example.com,O=EXAMPLE.COM
>         Subject Public Key Info:
>             Public Key Algorithm:
>                 Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                 Exponent:
>                     65537 (0x10001)
>     Signed Extensions: (5)
>         Name:     Certificate Authority Key Identifier
>         Critical: False
>         Key ID:
>             7f:77:f3:aa:bc:9a:8a:97:0f:29:2c:b6:a4:ff:81:ea:
>             c3:9c:48:63
>         Serial Number: None
>         General Names: [0 total]
>
>         Name:     Authority Information Access
>         Critical: False
>
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
>
>         Name:     Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
>
>         Name:     Certificate Subject Key ID
>         Critical: False
>         Data:
>             ba:bd:55:29:33:53:0c:6b:fb:54:2f:ce:ce:40:ce:4c:
>             55:7c:07:ec
>
>     Signature:
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Signature:
>         Fingerprint (MD5):
>             4e:06:54:a8:e4:62:8e:65:a1:7f:3c:31:01:4b:06:bf
>         Fingerprint (SHA1):
>             a2:43:5f:65:c0:61:13:cf:2c:9c:9d:32:72:d6:cc:78:
>             66:6e:f7:77
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=ipa02.example.com,O=EXAMPLE.COM"
> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443
> ipa: DEBUG: received Set-Cookie 
> 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; 
> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 
> GMT; Secure; HttpOnly'
> ipa: DEBUG: storing cookie 
> 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; 
> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 
> GMT; Secure; HttpOnly' for principal admin@EXAMPLE.COM
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@EXAMPLE.COM
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@EXAMPLE.COM
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa: DEBUG: args=keyctl padd user ipa_session_cookie:admin@EXAMPLE.COM @s
> ipa: DEBUG: stdout=227287872
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Created connection context.xmlclient
> First name: usertest
> Last name: testname
> ipa: DEBUG: raw: user_add(u'usertest', givenname=u'usertest', 
> sn=u'testname', cn=u'usertest testname', uidnumber=999, gidnumber=999, 
> noprivate=False, all=False, raw=False, version=u'2.49', no_members=False)
> ipa: DEBUG: user_add(u'usertest', givenname=u'usertest', 
> sn=u'testname', cn=u'usertest testname', displayname=u'usertest 
> testname', initials=u'ut', gecos=u'usertest testname', 
> krbprincipalname=u'usertest@EXAMPLE.COM', random=False, uidnumber=999, 
> gidnumber=999, noprivate=False, all=False, raw=False, version=u'2.49', 
> no_members=False)
> ipa: INFO: Forwarding 'user_add' to server 
> u'https://ipa02.example.com/ipa/xml'
> ipa: DEBUG: NSSConnection init ipa02.example.com
> ipa: DEBUG: Connecting: 192.168.0.2:0
> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443
> ipa: DEBUG: received Set-Cookie 
> 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; 
> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 
> GMT; Secure; HttpOnly'
> ipa: DEBUG: storing cookie 
> 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; 
> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 
> GMT; Secure; HttpOnly' for principal admin@EXAMPLE.COM
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@EXAMPLE.COM
> ipa: DEBUG: stdout=227287872
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@EXAMPLE.COM
> ipa: DEBUG: stdout=227287872
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl pupdate 227287872
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Caught fault 4203 from server 
> https://ipa02.example.com/ipa/xml: Operations error: Allocation of a 
> new value for range cn=posix ids,cn=distributed numeric assignment 
> plugin,cn=plugins,cn=config failed! Unable to proceed.
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Operations error: Allocation of a new value for range 
> cn=posix ids,cn=distributed numeric assignment 
> plugin,cn=plugins,cn=config failed! Unable to proceed.
>
>
> In the labs I did on IPA, I could resolve that by booting the 
> replica server, but this time I couldn't solve it. Looking for 
> assistance, please!


Looks like problems with the DNA plugin.
Did you by any chance try to install and uninstall the replica a couple 
of dozen times?
I think we would need the replica DS logs and the DNA plugin configuration 
entries from the primary and replica servers.

>
> Thank you for any help you can provide in this situation!
>
> Bruno Henrique Barbosa
> Jr. Sys Admin
> IT Department
> Santos City Hall
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
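
The reply above asks for the DNA plugin configuration entries from both servers. The following is an added example, not part of the original message and not FreeIPA code: a small shell helper that reads such an entry as LDIF and reports whether the server still holds a usable POSIX ID range. The function names, the ldapsearch invocation in the comment, and both sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the local DNA range from the plugin config entry.
# Assumed way to collect the input on each server (OpenLDAP client tools,
# binding as Directory Manager):
#   ldapsearch -x -D "cn=Directory Manager" -W -s base \
#     -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

dna_range_status() {
    # stdin: LDIF of the DNA config entry; stdout: one summary line
    awk -F': *' '
        { key = tolower($1) }
        key == "dnanextvalue" { next_v = $2 + 0; have_next = 1 }
        key == "dnamaxvalue"  { max_v  = $2 + 0; have_max  = 1 }
        END {
            if (!have_next || !have_max) {
                print "UNKNOWN missing dnaNextValue/dnaMaxValue"
                exit
            }
            free = max_v - next_v + 1
            if (free <= 0)
                printf "EXHAUSTED next=%.0f max=%.0f free=0\n", next_v, max_v
            else
                printf "OK next=%.0f max=%.0f free=%.0f\n", next_v, max_v, free
        }'
}

# Constructed sample: a server whose next value is already past its maximum,
# i.e. it has no IDs left to hand out locally.
sample_replica_ldif() {
    cat <<'EOF'
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaType: uidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
EOF
}

# Constructed sample: a server that still owns most of its range.
sample_master_ldif() {
    cat <<'EOF'
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaType: uidNumber
dnaNextValue: 1689600005
dnaMaxValue: 1689799999
EOF
}

echo "replica sample: $(sample_replica_ldif | dna_range_status)"
echo "master sample:  $(sample_master_ldif | dna_range_status)"
```

A server reporting EXHAUSTED has to obtain a new range from another server before it can assign IDs, so the directory server error log on that host is the next thing to read.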

