[Freeipa-users] replication conflicts
Ludwig Krispenz
lkrispen at redhat.com
Wed Jun 17 09:18:52 UTC 2015
On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
>
> This is correct, thank you for understanding and for helping!
>
> Replica with id 26 was created today, this is our new server which was
> included in domain just a few hours ago. Looks like this dup came
> right after this new replica creation.
>
so on which servers does the "nsuniqueid" entry exist ?
can you check for 5580f3210000001a0000 in the access log of replica 26,
then check the errro log around this time and eventually the replica
install log
>
> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
> *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* Wednesday, June 17, 2015 2:58 PM
> *To:* Alexander Frolushkin (SIB)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> Hi,
>
> you did send the data directly to me, maybe not wanting to share them
> to everyone. I'll continue discussion here, trying to be careful.
>
> The "good" entry was created in April on replica 12 "0x0c"
> createTimestamp;vucsn-5524d42b0067000c0000: 20150408070720Z
>
> the "nsuniqueid" entry was created today on replica 26 "0x1a"
> createTimestamp;vucsn-5580f3210000001a0000: 20150617040801Z
>
> if the original entry would have existed on replica26 the new add
> should have been rejected, if it was not there the question is why.
>
> Do you have any additional info on replica 26, when was it created,
> was it disconnected for some time ??
>
> Ludwig
>
> On 06/17/2015 08:13 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> Another example. Today appeared on servers of different site.
>
> Original LDIF:
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base <cn=System: Manage Host
> Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru> with scope
> subtree
>
> # filter: (objectclass=*)
>
> # requesting: ALL
>
> #
>
> # System: Manage Host Keytab, permissions, pbac, unix.megafon.ru
>
> dn: cn=System: Manage Host
> Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc
>
> =ru
>
> ipaPermTargetFilter: (objectclass=ipahost)
>
> ipaPermRight: write
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Manage Host Keytab
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=Host
> Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>
> member: cn=Host
> Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>
> ipaPermDefaultAttr: krbprincipalkey
>
> ipaPermDefaultAttr: krblastpwdchange
>
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
>
> search: 2
>
> result: 0 Success
>
> # numResponses: 2
>
> # numEntries: 1
>
> Duplicate:
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base <cn=System: Manage Host
> Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru>
> with scope subtree
>
> # filter: (objectclass=*)
>
> # requesting: ALL
>
> #
>
> # System: Manage Host Keytab +
> 708bba65-14a611e5-8a48fd19-df27ff01, permissio
>
> ns, pbac, unix.megafon.ru
>
> dn: cn=System: Manage Host
> Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff
>
> 01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
>
> ipaPermTargetFilter: (objectclass=ipahost)
>
> ipaPermRight: write
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Manage Host Keytab
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=Host
> Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>
> member: cn=Host
> Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
>
> ipaPermDefaultAttr: krbprincipalkey
>
> ipaPermDefaultAttr: krblastpwdchange
>
> ipaPermLocation: cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru
>
> # search result
>
> search: 2
>
> result: 0 Success
>
> # numResponses: 2
>
> # numEntries: 1
>
> No other servers in IPA domain have such duplicates.
>
> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
> *From:*freeipa-users-bounces at redhat.com
> <mailto:freeipa-users-bounces at redhat.com>
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Ludwig
> Krispenz
> *Sent:* Tuesday, June 16, 2015 3:52 PM
> *To:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] replication conflicts
>
> On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
>
> Hello.
>
> Just to remind if somebody still not familiar with our IPA
> installation J
>
> We currently have 18 IPA servers in domain, on 8 sites in
> different regions across the Russia.
>
> And now, our new problem.
>
> Regularly we getting a nsds5ReplConflict records on some of
> our servers, very often on servers from specific site. Usually
> it is simply a doubles and we can remove the renamed change to
> get everything back. But why do we have them at all?
>
> May be someone could explain, how we can detect the cause of
> this replication conflicts?
>
> if you are talking about having two "duplicate" entries,
> one: uid=xxxxx,<suffix>
> one: nsuniqueid=nnnnnnnn+uid=xxxxx,<suffix>
>
> these entries appear if the entry uid=xxxxx was added,
> simultaneously, on two servers. I think this can happen if a
> client tries to add an entry and if it doesn't get a response in
> some time retries on another server.
> to find out which client this is you need to check on which
> servers the entries were originally added and then see which
> client was doing it
>
>
> Sometime it is moderately harmful, because, for example HBAC stops
> working on specific server while doubles still present.
>
> Thanks in forward...
>
> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
> ------------------------------------------------------------------------
>
>
> Информация в этом сообщении предназначена исключительно для
> конкретных лиц, которым она адресована. В сообщении может
> содержаться конфиденциальная информация, которая не может быть
> раскрыта или использована кем-либо, кроме адресатов. Если вы не
> адресат этого сообщения, то использование, переадресация,
> копирование или распространение содержания сообщения или его части
> незаконно и запрещено. Если Вы получили это сообщение ошибочно,
> пожалуйста, незамедлительно сообщите отправителю об этом и удалите
> со всем содержимым само сообщение и любые возможные его копии и
> приложения.
>
> The information contained in this communication is intended solely
> for the use of the individual or entity to whom it is addressed
> and others authorized to receive it. It may contain confidential
> or legally privileged information. The contents may not be
> disclosed or used by anyone other than the addressee. If you are
> not the intended recipient(s), any use, disclosure, copying,
> distribution or any action taken or omitted to be taken in
> reliance on it is prohibited and may be unlawful. If you have
> received this communication in error please notify us immediately
> by responding to this email and then delete the e-mail and all
> attachments and any copies thereof.
>
> (c)20mf50
>
>
>
> ------------------------------------------------------------------------
>
>
> Информация в этом сообщении предназначена исключительно для
> конкретных лиц, которым она адресована. В сообщении может
> содержаться конфиденциальная информация, которая не может быть
> раскрыта или использована кем-либо, кроме адресатов. Если вы не
> адресат этого сообщения, то использование, переадресация,
> копирование или распространение содержания сообщения или его части
> незаконно и запрещено. Если Вы получили это сообщение ошибочно,
> пожалуйста, незамедлительно сообщите отправителю об этом и удалите
> со всем содержимым само сообщение и любые возможные его копии и
> приложения.
>
> The information contained in this communication is intended solely
> for the use of the individual or entity to whom it is addressed
> and others authorized to receive it. It may contain confidential
> or legally privileged information. The contents may not be
> disclosed or used by anyone other than the addressee. If you are
> not the intended recipient(s), any use, disclosure, copying,
> distribution or any action taken or omitted to be taken in
> reliance on it is prohibited and may be unlawful. If you have
> received this communication in error please notify us immediately
> by responding to this email and then delete the e-mail and all
> attachments and any copies thereof.
>
> (c)20mf50
>
>
> ------------------------------------------------------------------------
>
> Информация в этом сообщении предназначена исключительно для конкретных
> лиц, которым она адресована. В сообщении может содержаться
> конфиденциальная информация, которая не может быть раскрыта или
> использована кем-либо, кроме адресатов. Если вы не адресат этого
> сообщения, то использование, переадресация, копирование или
> распространение содержания сообщения или его части незаконно и
> запрещено. Если Вы получили это сообщение ошибочно, пожалуйста,
> незамедлительно сообщите отправителю об этом и удалите со всем
> содержимым само сообщение и любые возможные его копии и приложения.
>
> The information contained in this communication is intended solely for
> the use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally
> privileged information. The contents may not be disclosed or used by
> anyone other than the addressee. If you are not the intended
> recipient(s), any use, disclosure, copying, distribution or any action
> taken or omitted to be taken in reliance on it is prohibited and may
> be unlawful. If you have received this communication in error please
> notify us immediately by responding to this email and then delete the
> e-mail and all attachments and any copies thereof.
>
> (c)20mf50
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150617/5d14c517/attachment.htm>
More information about the Freeipa-users
mailing list