[Freeipa-users] Stock with a Master in read-only mode

Davis Goodman davis.goodman at digital-district.ca
Wed May 21 11:31:08 UTC 2014
On May 21, 2014, at 6:54 , Martin Kosek <mkosek at redhat.com> wrote:

> On 05/21/2014 09:12 AM, Davis Goodman wrote:
>> 
>> On May 21, 2014, at 2:45 , Martin Kosek <mkosek at redhat.com> wrote:
>> 
>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
>>>> Hi,
>>>> 
>>>> Lately I’ve been having issues of replication between my server and my 2 replicas.
>>>> 
>>>> I decided I was going to delete my 2 replicas and start over keeping my master intact.
>>>> 
>>>> I wasn't successful in getting all 3 servers to replicate to each other. (It used to work.)
>>>> 
>>>> I tried deleting one replica after the other to always keep one of the two available.
>>>> 
>>>> I had to manually delete the replica host on the master with a bunch of ldapdelete commands, which worked fine.
>>>> 
>>>> But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas.
>>>> 
>>>> I went back to my master to use ldapdelete to remove both hosts' records so that I could start over.
>>>> 
>>>> Unfortunately now I’m getting this error.
>>>> 
>>>> ldapdelete -x -D "cn=Directory Manager" -W   cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>>>> Enter LDAP Password: 
>>>> ldap_delete: Server is unwilling to perform (53)
>>>> 	additional info: database is read-only
>>>> 
>>>> 
>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the backup taken prior to the start of the operation, but with a master in read-only mode it wouldn't be of much help.
>>>> 
>>>> Any insights would be more than welcome.
>>>> 
>>>> 
>>>> Davis
>>> 
>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the middle of an
>>> operation, or was an upgrade interrupted and left the database in read-only
>>> mode?
>>> 
>>> You can find out with this ldapsearch:
>>> 
>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b
>>> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>>> 
>>> Check for nsslapd-readonly; it should be set to "off" in normal operation.
>>> 
>>> Martin
>> OK, I finally managed to modify the read-only flag.
>> 
>> I could prepare my replicas and get them going.
>> 
>> Everything seems fine, but I'm getting this error while setting up the replicas. Should I be concerned about this one?
>> 
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update succeeded
>>  [23/31]: adding replication acis
>>  [24/31]: setting Auto Member configuration
>>  [25/31]: enabling S4U2Proxy delegation
>> ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
>>  [26/31]: initializing group membership
>>  [27/31]: adding master entry
>>  [28/31]: configuring Posix uid/gid generation
>> 
>> The rest seems to work fine.
> 
> You need to check ipareplica-install.log to see the real error.
> 
> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and
> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
> 
> Martin
> 

The first one is there:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
 ict,dc=int
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
 ict,dc=int
memberPrincipal: HTTP/freeipa01.prs.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa02.prs.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.chr.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int at DDISTRICT.INT
cn: ipa-http-delegation
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top


But not the second one:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
No such object (32)
Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int


Also, what is strange is that I got the error on only one of the replicas; the other one went through without any hiccups.


Thanks for the help.

Davis
-- 


Davis Goodman
Directeur Informatique  |  IT Manager

5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 
Tél: +1 (514) 360-3253 x104            Cell: +1 (514) 994-7360 
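The read-only check and the fix that the thread arrives at (Martin's ldapsearch on the userRoot backend, then flipping nsslapd-readonly back to "off"), as an added example that is not code from the thread or from FreeIPA. It assumes the default 389-ds backend DN Martin queried, a local server, and that the Directory Manager password is kept in a mode-0600 file named by PWFILE (a hypothetical path) rather than passed with -w, which exposes it to every local user through the process list. The parsing and LDIF-generating functions run offline against constructed ldapsearch output; only the check/fix commands touch a server.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): detect whether the
# 389-ds "userRoot" backend is flagged read-only, which is what produces
# "ldap_delete: Server is unwilling to perform (53) ... database is read-only",
# and emit the ldapmodify LDIF that clears the flag.

BACKEND_DN='cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
PWFILE="${PWFILE:-/root/.dirman-pw}"     # assumed path; create it with umask 077
LDAP_URI="${LDAP_URI:-ldap://localhost}" # assumed: run on the affected master

# Read ldapsearch LDIF on stdin and print the nsslapd-readonly value in
# lowercase ("on" or "off"); print "absent" if the attribute is not returned.
readonly_state() {
    awk '
        tolower($1) == "nsslapd-readonly:" { found = 1; print tolower($2); exit }
        END { if (!found) print "absent" }
    '
}

# LDIF that puts the backend back into read-write mode.
readonly_off_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-readonly\nnsslapd-readonly: off\n' \
        "$BACKEND_DN"
}

# Query the live server. Returns 0 when the backend is writable, 1 when it is
# read-only, 2 when the attribute could not be read (bad bind, server down, ...).
check_server() {
    state=$(ldapsearch -H "$LDAP_URI" -x -D "cn=Directory Manager" -y "$PWFILE" \
                -b "$BACKEND_DN" -s base -LLL nsslapd-readonly | readonly_state)
    case "$state" in
        off) echo "userRoot is writable";            return 0 ;;
        on)  echo "userRoot is READ-ONLY";           return 1 ;;
        *)   echo "could not read nsslapd-readonly"; return 2 ;;
    esac
}

# Clear the flag, then re-read it so the result is confirmed by the server,
# not assumed from ldapmodify's exit status.
fix_server() {
    readonly_off_ldif | ldapmodify -H "$LDAP_URI" -x -D "cn=Directory Manager" -y "$PWFILE" \
        && check_server
}

# Dispatch only when an argument is given, so the functions can be sourced or
# tested without contacting a server:  sh readonly-check.sh check | fix
case "${1:-}" in
    check) check_server ;;
    fix)   fix_server ;;
esac
```

Before clearing the flag, check whether an interrupted ipa-replica-manage or upgrade is still running or holds the backend; flipping it to "off" underneath such a process puts the data at risk. On the later replica-install failure: ldapmodify exits with the LDAP result code, so the "non-zero exit status 20" in the CRITICAL line is attributeOrValueExists and the "(32)" from the second ldapsearch is noSuchObject; ipareplica-install.log records which entry and attribute the modify stopped on.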
