[Freeipa-users] replication again :-(
Janelle
janellenicole80 at gmail.com
Thu May 21 13:54:12 UTC 2015
On 5/21/15 6:46 AM, Ludwig Krispenz wrote:
>
> On 05/21/2015 03:28 PM, Janelle wrote:
>> I think I found the problem.
>>
>> There was a lone replica running in another DC. It was installed as a
>> replica some time ago with all the others. Think of this -- the
>> original config had 5 servers, one of them was this server. Then the
>> other 4 servers were RE-BUILT from scratch, so all the replication
>> agreements were changed AND - this is the important part - the 5th
>> server was never added back in. BUT - the 5th server was left running
>> and never told it that it was not a member anymore. It still thought
>> it had a replication agreement with original "server 1", but server 1
>> knew otherwise.
>>
>> Now, although the first 4 servers were rebuilt, the same domain,
>> realm, AND passwords were used.
>>
>> I am guessing that somehow, this 5th server keeps trying to interject
>> its info into the ring of 4 servers, kind of forcing its way in.
>> Somehow, because the original credentials still work (but certs are
>> all different) is leaving the first 4 servers with a "can't decode"
>> issue.
>>
>> There should be some security checks so this can't happen. It should
>> also be easy to replicate.
>>
>> Now I have to go re-initialize all the servers from a good server, so
>> everyone is happy again. The "problem" server has been shutdown
>> completely. (and yes, there were actually 3 of them in my scenario -
>> I just used 1 to simplify my example - but that explains the 3 CSNs
>> that just kept "appearing")
>>
>> What concerns me most about this - were the servers outside of the
>> "good ring" somehow able to inject data into replication which might
>> have been causing bad data??? This is bad if it is true.
> it depends a bit on what you mean by rebuilt from scratch.
> A replication session needs to meet three conditions to be able to
> send data:
> - the supplier side needs to be able to authenticate and the
> authenticated users has to be in the list of binddns of the replica
> - the data generation of supplier and consumer side need to be the
> same (they all have to have the same common origin)
> - the supplier needs to have the changes (CSNs) to be able to position
> in its changelog to send updates
>
> now if you have 5 servers, forget about one of them and do not change
> the credentials in the others and do not reinitialize the database by
> an ldif import to generate a new database generation, the fifth server
> will still be able to connect and eventually send updates - how should
> the other servers know that this one is no longer a "good" one
>>
>> ~Janelle
>>
>
To clarify "rebuilt from scratch":
ipa-server-install --uninstall --unattended
yum remove 389-ds-* certmonger-* freeipa-*
reboot
yum install freeipa-server
ipa-server-install
The reason for the uninstalls is to clear out all "leftover" folders and
certs.
Also run are:
rm -f /var/lib/sss/db/*
rm -rf /etc/ipa
rm -rf /var/log/dirsrv/
But those are before the re-install.
So the 5th server was left running, and yes, the "admin" username and PW
are the same, so that may be how it is happening, regardless of
certificates being different.
~Janelle
More information about the Freeipa-users
mailing list