[Freeipa-users] Stock with a Master in read-only mode

Martin Kosek mkosek at redhat.com
Wed May 21 16:06:15 UTC 2014


On 05/21/2014 01:31 PM, Davis Goodman wrote:
> 
> On May 21, 2014, at 6:54, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> On 05/21/2014 09:12 AM, Davis Goodman wrote:
>>>
>>> On May 21, 2014, at 2:45, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
>>>>> Hi,
>>>>>
>>>>> Lately I’ve been having issues of replication between my server and my 2 
>>>>> replicas.
>>>>>
>>>>> I decided I was going to delete my 2 replicas and start over keeping my 
>>>>> master intact.
>>>>>
>>>>> I wasn't successful in getting all 3 servers to replicate to each other 
>>>>> (it used to work).
>>>>>
>>>>> I tried deleting 1 replica after the other, to always keep one of the 
>>>>> two available.
>>>>>
>>>>> I had to manually delete the replica host on the master with a bunch of 
>>>>> ldapdelete commands, which worked fine.
>>>>>
>>>>> But after many unsuccessful trials of getting everyone to sync I decided to 
>>>>> delete my two replicas.
>>>>>
>>>>> I went back to my master to use ldapdelete to remove both hosts' 
>>>>> records so that I could start over.
>>>>>
>>>>> Unfortunately now I’m getting this error.
>>>>>
>>>>> ldapdelete -x -D "cn=Directory Manager" -W 
>>>>>   cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>>>>> Enter LDAP Password:
>>>>> ldap_delete: Server is unwilling to perform (53)
>>>>> additional info: database is read-only
>>>>>
>>>>>
>>>>>
>>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the backup 
>>>>> prior to the start of the operation, but with a master in read-only mode it 
>>>>> wouldn't be of much help.
>>>>>
>>>>> Any insights would be more than welcome.
>>>>>
>>>>>
>>>>> Davis
>>>>
>>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the middle of an
>>>> operation, or was an upgrade interrupted and left the database in read-only
>>>> mode?
>>>>
>>>> You can find out with this ldapsearch:
>>>>
>>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b
>>>> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>>>>
>>>> Check for nsslapd-readonly, it should be put to "off" in normal operation.
>>>>
>>>> Martin
>>> Ok, I finally managed to modify the read-only flag.
>>>
>>> I could prepare my replicas and get them going.
>>>
>>> Everything seems fine, but I'm getting this error while setting up the 
>>> replicas. Should I be concerned about this one?
>>>
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update succeeded
>>>  [23/31]: adding replication acis
>>>  [24/31]: setting Auto Member configuration
>>>  [25/31]: enabling S4U2Proxy delegation
>>> ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command 
>>> '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H 
>>> ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y 
>>> /tmp/tmp4Svn9k' returned non-zero exit status 20
>>>  [26/31]: initializing group membership
>>>  [27/31]: adding master entry
>>>  [28/31]: configuring Posix uid/gid generation
>>>
>>>
>>>
>>> the rest seems to work fine.
>>
>> You need to check ipareplica-install.log to see the real error.
>>
>> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and
>> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
>>
>> Martin
>>
> 
> The first one is there:
> 
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b 
> "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
>   ict,dc=int
> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
>   ict,dc=int
> memberPrincipal: HTTP/freeipa01.prs.ddistrict.int at DDISTRICT.INT
> memberPrincipal: HTTP/freeipa02.prs.ddistrict.int at DDISTRICT.INT
> memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int at DDISTRICT.INT
> memberPrincipal: HTTP/freeipa01.chr.ddistrict.int at DDISTRICT.INT
> memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int at DDISTRICT.INT
> memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int at DDISTRICT.INT
> cn: ipa-http-delegation
> objectClass: ipaKrb5DelegationACL
> objectClass: groupOfPrincipals
> objectClass: top
> 
> 
> But not the second one:
> 
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b 
> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
> No such object (32)
> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> 
> 
> Also what is strange is that I got the error only on one of the replicas, the 
> other one went through without any hiccups.

Ok, I think I misguided you with the second DN, the real DN should be
"cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int", see
/usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded.

The key here is to check the error message of ldapmodify that was run on the
failing replica, try to search in /var/log/ipareplica-install.log.

Martin
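As an added example (not from the thread and not FreeIPA's own code), a small script that parses ldapsearch -LLL output like the listings above, unfolds LDIF continuation lines (the leading-space lines seen in the ipaAllowedTarget values), and runs both checks Martin suggests: whether nsslapd-readonly is on for the userRoot backend, and which S4U2Proxy delegation DNs are missing. The sample LDIF and the dc=example,dc=test suffix are constructed placeholders.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

def parse_ldif(text: str) -> List[Entry]:
    """One dict per entry. LDIF folds long values: a line starting with a
    space continues the previous line, so unfold before splitting attr: value."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif not line.startswith("#"):
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def backend_is_readonly(text: str) -> bool:
    """True if the searched backend entry carries nsslapd-readonly: on."""
    return any(v.lower() == "on"
               for e in parse_ldif(text) for v in e.get("nsslapd-readonly", []))

def missing_dns(text: str, expected: List[str]) -> List[str]:
    """Expected DNs absent from the output (DN comparison is case-insensitive)."""
    present = {dn.lower() for e in parse_ldif(text) for dn in e.get("dn", [])}
    return [dn for dn in expected if dn.lower() not in present]

# Constructed sample output modelled on the thread; dc=example,dc=test is a placeholder.
BACKEND_LDIF = """\
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-readonly: on
"""
S4U2PROXY_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=exampl
 e,dc=test
cn: ipa-http-delegation
"""
EXPECTED_DNS = [  # the two delegation DNs Martin names, on the placeholder suffix
    "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test",
    "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test",
]
```

Feed it the saved output of the ldapsearch commands from the thread; a backend that reports read-only on, or a non-empty missing list, points at the interrupted operation or the failed replica-s4u2proxy.ldif load respectively.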
