[Freeipa-users] replication conflicts

Ludwig Krispenz lkrispen at redhat.com
Wed Jun 17 08:08:12 UTC 2015


Hi, this is really strange; if these conflict entries get created, they 
should be the same on all servers.

Could you repeat the two searches requesting the attribute 
"nscpentrywsi" (you have to do it as directory manager, and add -o 
ldif-wrap=no)? It could give info on when and where these entries were created.

Ludwig
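
Reading the "when and where" out of nscpentrywsi output, as an added example that is not part of the original message or of FreeIPA/389 DS: it extracts the change sequence numbers (CSNs) attached to attribute values and decodes the earliest one per entry. The CSN layout and the sample dumps are assumptions (constructed values), and the entry DN in the command comment is a placeholder.

```python
import re
from datetime import datetime, timezone

# Search requested above, run on each server (entry DN is a placeholder):
#   ldapsearch -o ldif-wrap=no -D "cn=Directory Manager" -W \
#       -b "<entry DN>" -s base nscpentrywsi

# Assumed CSN layout (389 DS): 8 hex digits of seconds since the epoch,
# 4 hex sequence number, 4 hex replica ID, 4 hex sub-sequence number.
CSN_RE = re.compile(r";(?:vucsn|adcsn|mdcsn|vdcsn)-([0-9a-fA-F]{20})")


def decode_csn(csn):
    """Return (UTC datetime, replica ID) for one 20-hex-digit CSN."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    when = datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)
    return when, int(csn[12:16], 16)


def origin(wsi_text):
    """Earliest CSN in an nscpentrywsi dump: when, and on which replica,
    the oldest surviving attribute value was written."""
    # Fixed-width lowercase hex sorts in the same order as the numbers.
    csns = sorted({c.lower() for c in CSN_RE.findall(wsi_text)})
    if not csns:
        return None  # dump carries no state information
    return decode_csn(csns[0])


# Constructed sample dumps: the CSNs and replica IDs are made up.
ORIGINAL = """\
nscpentrywsi: dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
nscpentrywsi: objectClass;vucsn-5580b880000000070000: ipapermission
nscpentrywsi: ipaPermRight;vucsn-5580b880000000070000: write
nscpentrywsi: member;vucsn-5580b9ac000100070000: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
"""
CONFLICT = """\
nscpentrywsi: dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
nscpentrywsi: objectClass;vucsn-5580b881000000030000: ipapermission
nscpentrywsi: ipaPermRight;vucsn-5580b881000000030000: write
"""

if __name__ == "__main__":
    for label, dump in (("original", ORIGINAL), ("conflict", CONFLICT)):
        when, rid = origin(dump)
        print(f"{label}: first written {when.isoformat()} on replica ID {rid}")
```

Two entries whose earliest CSNs are seconds apart and carry different replica IDs match the "added simultaneously on two servers" explanation quoted below; the replica ID can be matched to a host through each server's nsDS5ReplicaId.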

On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> Another example. Today it appeared on servers of a different site.
>
> Original LDIF:
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
> dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Keytab
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermDefaultAttr: krbprincipalkey
> ipaPermDefaultAttr: krblastpwdchange
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Duplicate:
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # System: Manage Host Keytab + 708bba65-14a611e5-8a48fd19-df27ff01, permissions, pbac, unix.megafon.ru
> dn: cn=System: Manage Host Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Keytab
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
> ipaPermDefaultAttr: krbprincipalkey
> ipaPermDefaultAttr: krblastpwdchange
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> No other servers in IPA domain have such duplicates.
>
> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
> *From:*freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Ludwig Krispenz
> *Sent:* Tuesday, June 16, 2015 3:52 PM
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
>
>     Hello.
>
>     Just to remind, if somebody is still not familiar with our IPA
>     installation :)
>
>     We currently have 18 IPA servers in the domain, on 8 sites in
>     different regions across Russia.
>
>     And now, our new problem.
>
>     Regularly we are getting nsds5ReplConflict records on some of our
>     servers, very often on servers from a specific site. Usually they are
>     simply doubles and we can remove the renamed change to get
>     everything back. But why do we have them at all?
>
>     Maybe someone could explain how we can detect the cause of these
>     replication conflicts?
>
> if you are talking about having two "duplicate" entries,
> one: uid=xxxxx,<suffix>
> one: nsuniqueid=nnnnnnnn+uid=xxxxx,<suffix>
>
> these entries appear if the entry uid=xxxxx was added, simultaneously, 
> on two servers. I think this can happen if a client tries to add an 
> entry and if it doesn't get a response in some time retries on another 
> server.
> to find out which client this is you need to check on which servers 
> the entries were originally added and then see which client was doing it
>
> Sometimes it is moderately harmful because, for example, HBAC stops 
> working on a specific server while the doubles are still present.
>
> Thanks in forward...
>
> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
> ------------------------------------------------------------------------
>
>
> The information contained in this communication is intended solely for 
> the use of the individual or entity to whom it is addressed and others 
> authorized to receive it. It may contain confidential or legally 
> privileged information. The contents may not be disclosed or used by 
> anyone other than the addressee. If you are not the intended 
> recipient(s), any use, disclosure, copying, distribution or any action 
> taken or omitted to be taken in reliance on it is prohibited and may 
> be unlawful. If you have received this communication in error please 
> notify us immediately by responding to this email and then delete the 
> e-mail and all attachments and any copies thereof.
>
> (c)20mf50
