[Freeipa-users] Stuck with a Master in read-only mode
Davis Goodman
davis.goodman at digital-district.ca
Wed May 21 11:31:08 UTC 2014
On May 21, 2014, at 6:54 , Martin Kosek <mkosek at redhat.com> wrote:
> On 05/21/2014 09:12 AM, Davis Goodman wrote:
>>
>> On May 21, 2014, at 2:45 , Martin Kosek <mkosek at redhat.com> wrote:
>>
>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
>>>> Hi,
>>>>
>>>> Lately I’ve been having issues of replication between my server and my 2 replicas.
>>>>
>>>> I decided I was going to delete my 2 replicas and start over keeping my master intact.
>>>>
>>>> I wasn't successful in getting all 3 servers to replicate to each other (it used to work).
>>>>
>>>> I tried deleting 1 replica after the other one to always keep one of the two available.
>>>>
>>>> I had to manually delete the replica host on the master with a bunch of ldapdelete commands, which worked fine.
>>>>
>>>> But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas.
>>>>
>>>> I went back to my master to use ldapdelete to remove both hosts' records so that I could start over.
>>>>
>>>> Unfortunately now I’m getting this error.
>>>>
>>>> ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>>>> Enter LDAP Password:
>>>> ldap_delete: Server is unwilling to perform (53)
>>>> additional info: database is read-only
>>>>
>>>> I’m kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation but with a master in read-only mode it wouldn’t be of much help.
>>>>
>>>> Any insights would be more than welcome.
>>>>
>>>>
>>>> Davis
>>>
>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the middle of an
>>> operation, or was an upgrade interrupted, leaving the database in read-only
>>> mode?
>>>
>>> You can find out with this ldapsearch:
>>>
>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b
>>> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>>>
>>> Check for nsslapd-readonly, it should be put to "off" in normal operation.
>>>
>>> Martin
>> Ok finally managed to modify the read-only flag.
>>
>> Could prepare my replicas and get them going.
>>
>> Everything seems fine but I’m getting this error while setting up the replicas. Should I be concerned about this one:
>>
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update succeeded
>> [23/31]: adding replication acis
>> [24/31]: setting Auto Member configuration
>> [25/31]: enabling S4U2Proxy delegation
>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
>> [26/31]: initializing group membership
>> [27/31]: adding master entry
>> [28/31]: configuring Posix uid/gid generation
>>
>> the rest seems to work fine.
>
> You need to check ipareplica-install.log to see the real error.
>
> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and
> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
>
> Martin
>
The first one is there:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
 ict,dc=int
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
 ict,dc=int
memberPrincipal: HTTP/freeipa01.prs.ddistrict.int@DDISTRICT.INT
memberPrincipal: HTTP/freeipa02.prs.ddistrict.int@DDISTRICT.INT
memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int@DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.chr.ddistrict.int@DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int@DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int@DDISTRICT.INT
cn: ipa-http-delegation
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

But not the second one:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
No such object (32)
Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int

Also what is strange is that I got the error only on one of the replicas, the other one went through without any hiccups.

Thanks for the help.

Davis
--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104 Cell: +1 (514) 994-7360
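
The two checks suggested in this thread (the nsslapd-readonly value on the userRoot backend entry, and whether both s4u2proxy delegation entries exist), as an added example that is not part of the original messages or of FreeIPA's own tooling. The function names, the sample LDIF and the dc=example,dc=test suffix are constructed for illustration; the functions read `ldapsearch -LLL` output on stdin, so they can be run against saved output.

```shell
#!/bin/sh
# Added example. Feed it `ldapsearch -x -D "cn=Directory Manager" -W -LLL ...` output.
# All LDIF below is constructed; dc=example,dc=test is a placeholder suffix.

# Join LDIF continuation lines (a leading single space continues the previous line).
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# stdin: base search of cn=userRoot,cn=ldbm database,cn=plugins,cn=config
# stdout: on | off | unknown (attribute not returned)
readonly_state() {
    ldif_unfold | awk -F': *' '
        tolower($1) == "nsslapd-readonly" { v = tolower($2) }
        END { print (v == "" ? "unknown" : v) }'
}

# $1: suffix; stdin: subtree search of cn=s4u2proxy,cn=etc,SUFFIX
# stdout: each expected delegation DN with no exact "dn:" line. The match is on the
# whole line so that ipa-ldap-delegation-targets does not pass for ipa-ldap-delegation.
missing_delegations() {
    suffix=$1
    ldif=$(ldif_unfold | tr 'A-Z' 'a-z')
    for cn in ipa-http-delegation ipa-ldap-delegation; do
        dn="cn=$cn,cn=s4u2proxy,cn=etc,$suffix"
        want=$(printf 'dn: %s' "$dn" | tr 'A-Z' 'a-z')
        printf '%s\n' "$ldif" | grep -qxF "$want" || printf '%s\n' "$dn"
    done
}

SAMPLE_BACKEND='dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: userRoot
nsslapd-readonly: on'

SAMPLE_S4U='dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=exam
 ple,dc=test
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=exam
 ple,dc=test

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
cn: ipa-ldap-delegation-targets'

printf 'nsslapd-readonly: %s\n' "$(printf '%s\n' "$SAMPLE_BACKEND" | readonly_state)"
printf '%s\n' "$SAMPLE_S4U" | missing_delegations 'dc=example,dc=test' | sed 's/^/missing: /'
```

The DN comparison is textual, so a DN returned base64-encoded (dn::) or with different spacing would be reported as missing and should be checked by hand.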