[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Rich Megginson rmeggins at redhat.com
Thu Jan 21 15:29:02 UTC 2016


On 01/21/2016 12:50 AM, Nathan Peters wrote:
> I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly.
>
> It seems that no account, no keytab, and no host can see that mapping tree branch no matter who they search from or against if GSSAPI is used.
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters
> Sent: January-20-16 11:41 PM
> To: Rich Megginson; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
>
> All checks below were performed from the host we are trying to turn into a replica and they were performed against the master whose logs I also show.
>
> The first check was to kinit admin and try the search.  Surprisingly, the GSSAPI bind returns no results when we search that.  In my previous email you can see that the standard bind gets a result as admin for that search.
>
> Next, I tried as the host by kinit with its keytab.  Same result, nothing back.
>
> Finally I tried as my own personal admin user.  Same result, nothing back.
>
> For good measure, I tried a broad search against the base "cn=mydomain,cn=net" as each user as well and I'll spare you the ten thousand lines of screenshot but the results were as expected, several thousand entries in that tree.
> Although the output differed slightly.  This is the total as admin or my personal user:
>
> # numResponses: 3372
> # numEntries: 3371
>
> and this is the total as the host keytab account
>
> # numResponses: 3371
> # numEntries: 3370
>
> To be even more thorough, I did searches farther and farther up the config tree using GSSAPI until I found something.  The only thing that is visible through GSSAPI searches is the base of the config tree.  Even the mapping tree branch doesn't seem to be visible.
>
> At the very bottom of this email is the results of the search against cn=config directly as the attempted new replica and as admin.  Admin gets about 50 results and the host only gets about 30 for some reason.  I get the same results as admin on my personal account so I've excluded those.
>
> So if I got all that right I was able to determine that only the base of the config tree is available using GSSAPI for any account, users for some reason get slightly more results than hosts, and all accounts can see the dc=mydomain,dc=net tree just fine using GSSAPI.
>
> So does that help shed some light on what the cause of this might be or why the server is not answering as expected?
>
> Is there some way I can adjust this so everyone can see the results they do using regular binds as they do using GSSAPI binds ?
>
> Is there some way I can check ACLS on stuff ?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html

Note: There is a bug in the docs.  You have to also specify the suffix 
e.g. "-b cn=config", and make sure the search filter is quoted e.g. 
'(aci=*)'

If it is not aci related, I have no idea why you would get different 
results depending on whether you did a simple bind vs. a gssapi bind with the 
same user that mapped to the same bind DN.

>
> ===============
> search as admin
> ===============
> [nathan.peters at dc2-ipa-dev-van ~]$ klist
> Ticket cache: KEYRING:persistent:756600344:756600344
> Default principal: admin at MYDOMAIN.NET
>
> Valid starting     Expires            Service principal
> 20/01/16 22:53:18  21/01/16 22:53:08  krbtgt/MYDOMAIN.NET at MYDOMAIN.NET
> [nathan.peters at dc2-ipa-dev-van ~]$ ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
> SASL/GSSAPI authentication started
> SASL username: admin at MYDOMAIN.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
>
> ============
> check host keytab
> ============
>
> [root at dc2-ipa-dev-van ipa]# klist -kt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>     5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
>     5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
>     5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
>     5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
>
> ========
> kinit host keytab
> ========
>     
> [root at dc2-ipa-dev-van ipa]# kinit -t /etc/krb5.keytab
> keytab specified, forcing -k
> [root at dc2-ipa-dev-van ipa]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_uwO1f2L
> Default principal: host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
>
> Valid starting     Expires            Service principal
> 20/01/16 23:01:11  21/01/16 23:01:11  krbtgt/MYDOMAIN.NET at MYDOMAIN.NET
> [root at dc2-ipa-dev-van ipa]#
>
> =========
> ldap search against master as host
> ==========
> [root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
> SASL/GSSAPI authentication started
> SASL username: host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
> [root at dc2-ipa-dev-van ipa]#
>
> ========
> ldap search against master as my personal domain admin account
> ========
> [root at dc2-ipa-dev-van ipa]# kinit nathan.peters
> Password for nathan.peters at MYDOMAIN.NET:
> [root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
> SASL/GSSAPI authentication started
> SASL username: nathan.peters at MYDOMAIN.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
>
>     
>     
> =======
> logs on master during attempt
> =======
>
> =====
> logs on master as admin
> =====
> [20/Jan/2016:22:55:22 -0800] conn=62398 fd=321 slot=321 SSL connection from 10.21.0.98 to 10.178.0.98
> [20/Jan/2016:22:55:22 -0800] conn=62398 TLS1.2 128-bit AES
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net"
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=4 UNBIND
> [20/Jan/2016:22:55:22 -0800] conn=62398 op=4 fd=321 closed - U1
>
> =====
> logs on master as the host we are trying to promote as a replica
> ======
> [20/Jan/2016:23:02:40 -0800] conn=62480 fd=153 slot=153 SSL connection from 10.21.0.98 to 10.178.0.98
> [20/Jan/2016:23:02:40 -0800] conn=62480 TLS1.2 128-bit AES
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=4 UNBIND
> [20/Jan/2016:23:02:40 -0800] conn=62480 op=4 fd=153 closed - U1
>
> =====
> logs on master as my personal user
> ======
> [20/Jan/2016:23:09:36 -0800] conn=62564 fd=318 slot=318 SSL connection from 10.21.0.98 to 10.178.0.98
> [20/Jan/2016:23:09:36 -0800] conn=62564 TLS1.2 128-bit AES
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nathan.peters,cn=users,cn=accounts,dc=mydomain,dc=net"
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=4 UNBIND
> [20/Jan/2016:23:09:36 -0800] conn=62564 op=4 fd=318 closed - U1
>
>
> ==========
> final searches against cn=mapping tree,cn=config and cn=config using host keytab and gssapi
> ==========
>
> [root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=mapping tree,cn=config"
> SASL/GSSAPI authentication started
> SASL username: host/dc2-ipa-dev-van.mydomain.net at mydomain.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=mapping tree,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
> [root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
> SASL/GSSAPI authentication started
> SASL username: host/dc2-ipa-dev-van.mydomain.net at mydomain.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> cn: SNMP
> nsSNMPEnabled: on
> objectClass: top
> objectClass: nsSNMP
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> cn: Sync Request Control
> objectClass: top
> objectClass: directoryServerFeature
> oid: 1.3.6.1.4.1.4203.1.9.1.1
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> cn: VLV Request Control
> objectClass: top
> objectClass: directoryServerFeature
> oid: 2.16.840.1.113730.3.4.9
>
> # ipa_pwd_extop, plugins, config
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> cn: ipa_pwd_extop
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> cn: Posix IDs
> dnaMaxValue: 1100
> dnaNextValue: 1101
> dnaThreshold: 500
> dnaType: uidNumber
> dnaType: gidNumber
> objectClass: top
> objectClass: extensibleObject
>
> # config, ldbm database, plugins, config
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: config
> objectClass: top
> objectClass: extensibleObject
> nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db
>
> # default indexes, config, ldbm database, plugins, config
> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: default indexes
> objectClass: top
> objectClass: extensibleObject
>
> # aci, default indexes, config, ldbm database, plugins, config
> dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: aci
> objectClass: top
> objectClass: nsIndex
>
> # cn, default indexes, config, ldbm database, plugins, config
> dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: cn
> objectClass: top
> objectClass: nsIndex
>
> # entryusn, default indexes, config, ldbm database, plugins, config
> dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: entryusn
> objectClass: top
> objectClass: nsIndex
>
> # givenName, default indexes, config, ldbm database, plugins, config
> dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: givenName
> objectClass: top
> objectClass: nsIndex
>
> # mail, default indexes, config, ldbm database, plugins, config
> dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: mail
> objectClass: top
> objectClass: nsIndex
>
> # mailAlternateAddress, default indexes, config, ldbm database, plugins, config
> dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: mailAlternateAddress
> objectClass: top
> objectClass: nsIndex
>
> # mailHost, default indexes, config, ldbm database, plugins, config
> dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: mailHost
> objectClass: top
> objectClass: nsIndex
>
> # member, default indexes, config, ldbm database, plugins, config
> dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: member
> objectClass: top
> objectClass: nsIndex
>
> # memberOf, default indexes, config, ldbm database, plugins, config
> dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: memberOf
> objectClass: top
> objectClass: nsIndex
>
> # nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
> dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: nsTombstoneCSN
> objectClass: top
> objectClass: nsIndex
>
> # nsUniqueId, default indexes, config, ldbm database, plugins, config
> dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: nsUniqueId
> objectClass: top
> objectClass: nsIndex
>
> # ntUniqueId, default indexes, config, ldbm database, plugins, config
> dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: ntUniqueId
> objectClass: top
> objectClass: nsIndex
>
> # ntUserDomainId, default indexes, config, ldbm database, plugins, config
> dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: ntUserDomainId
> objectClass: top
> objectClass: nsIndex
>
> # numsubordinates, default indexes, config, ldbm database, plugins, config
> dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: numsubordinates
> objectClass: top
> objectClass: nsIndex
>
> # objectclass, default indexes, config, ldbm database, plugins, config
> dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: objectclass
> objectClass: top
> objectClass: nsIndex
>
> # owner, default indexes, config, ldbm database, plugins, config
> dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: owner
> objectClass: top
> objectClass: nsIndex
>
> # parentid, default indexes, config, ldbm database, plugins, config
> dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: parentid
> objectClass: top
> objectClass: nsIndex
>
> # seeAlso, default indexes, config, ldbm database, plugins, config
> dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: seeAlso
> objectClass: top
> objectClass: nsIndex
>
> # sn, default indexes, config, ldbm database, plugins, config
> dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: sn
> objectClass: top
> objectClass: nsIndex
>
> # targetuniqueid, default indexes, config, ldbm database, plugins, config
> dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: targetuniqueid
> objectClass: top
> objectClass: nsIndex
>
> # telephoneNumber, default indexes, config, ldbm database, plugins, config
> dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: telephoneNumber
> objectClass: top
> objectClass: nsIndex
>
> # uid, default indexes, config, ldbm database, plugins, config
> dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: uid
> objectClass: top
> objectClass: nsIndex
>
> # uniquemember, default indexes, config, ldbm database, plugins, config
> dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: uniquemember
> objectClass: top
> objectClass: nsIndex
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 31
> # numEntries: 30
>
> ========
> search against cn=config as admin using GSSAPI from host we are trying to turn into a replica
> =========
> [root at dc2-ipa-dev-van ipa]# kinit admin
> Password for admin at MYDOMAIN.NET:
> [root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
> SASL/GSSAPI authentication started
> SASL username: admin at MYDOMAIN.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> cn: SNMP
> nsSNMPEnabled: on
> objectClass: top
> objectClass: nsSNMP
>
> # tasks, config
> dn: cn=tasks,cn=config
> cn: tasks
> objectClass: top
> objectClass: extensibleObject
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> cn: Sync Request Control
> objectClass: top
> objectClass: directoryServerFeature
> oid: 1.3.6.1.4.1.4203.1.9.1.1
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> cn: VLV Request Control
> objectClass: top
> objectClass: directoryServerFeature
> oid: 2.16.840.1.113730.3.4.9
>
> # ipa_pwd_extop, plugins, config
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> cn: ipa_pwd_extop
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
>
> # abort cleanallruv, tasks, config
> dn: cn=abort cleanallruv,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: abort cleanallruv
>
> # automember export updates, tasks, config
> dn: cn=automember export updates,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: automember export updates
>
> # automember map updates, tasks, config
> dn: cn=automember map updates,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: automember map updates
>
> # automember rebuild membership, tasks, config
> dn: cn=automember rebuild membership,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: automember rebuild membership
>
> # backup, tasks, config
> dn: cn=backup,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: backup
>
> # cleanallruv, tasks, config
> dn: cn=cleanallruv,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: cleanallruv
>
> # export, tasks, config
> dn: cn=export,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: export
>
> # fixup linked attributes, tasks, config
> dn: cn=fixup linked attributes,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: fixup linked attributes
>
> # fixup tombstones, tasks, config
> dn: cn=fixup tombstones,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: fixup tombstones
>
> # import, tasks, config
> dn: cn=import,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: import
>
> # index, tasks, config
> dn: cn=index,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: index
>
> # ipa-sidgen-task, tasks, config
> dn: cn=ipa-sidgen-task,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: ipa-sidgen-task
>
> # memberof task, tasks, config
> dn: cn=memberof task,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: memberof task
>
> # restore, tasks, config
> dn: cn=restore,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: restore
>
> # schema reload task, tasks, config
> dn: cn=schema reload task,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: schema reload task
>
> # syntax validate, tasks, config
> dn: cn=syntax validate,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: syntax validate
>
> # sysconfig reload, tasks, config
> dn: cn=sysconfig reload,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: sysconfig reload
>
> # upgradedb, tasks, config
> dn: cn=upgradedb,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: upgradedb
>
> # USN tombstone cleanup task, tasks, config
> dn: cn=USN tombstone cleanup task,cn=tasks,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: USN tombstone cleanup task
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> cn: Posix IDs
> dnaMaxValue: 1100
> dnaNextValue: 1101
> dnaThreshold: 500
> dnaType: uidNumber
> dnaType: gidNumber
> objectClass: top
> objectClass: extensibleObject
>
> # config, ldbm database, plugins, config
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: config
> objectClass: top
> objectClass: extensibleObject
> nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db
>
> # default indexes, config, ldbm database, plugins, config
> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: default indexes
> objectClass: top
> objectClass: extensibleObject
>
> # aci, default indexes, config, ldbm database, plugins, config
> dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: aci
> objectClass: top
> objectClass: nsIndex
>
> # cn, default indexes, config, ldbm database, plugins, config
> dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: cn
> objectClass: top
> objectClass: nsIndex
>
> # entryusn, default indexes, config, ldbm database, plugins, config
> dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: entryusn
> objectClass: top
> objectClass: nsIndex
>
> # givenName, default indexes, config, ldbm database, plugins, config
> dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: givenName
> objectClass: top
> objectClass: nsIndex
>
> # mail, default indexes, config, ldbm database, plugins, config
> dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: mail
> objectClass: top
> objectClass: nsIndex
>
> # mailAlternateAddress, default indexes, config, ldbm database, plugins, config
> dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: mailAlternateAddress
> objectClass: top
> objectClass: nsIndex
>
> # mailHost, default indexes, config, ldbm database, plugins, config
> dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: mailHost
> objectClass: top
> objectClass: nsIndex
>
> # member, default indexes, config, ldbm database, plugins, config
> dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: member
> objectClass: top
> objectClass: nsIndex
>
> # memberOf, default indexes, config, ldbm database, plugins, config
> dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: memberOf
> objectClass: top
> objectClass: nsIndex
>
> # nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
> dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: nsTombstoneCSN
> objectClass: top
> objectClass: nsIndex
>
> # nsUniqueId, default indexes, config, ldbm database, plugins, config
> dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: nsUniqueId
> objectClass: top
> objectClass: nsIndex
>
> # ntUniqueId, default indexes, config, ldbm database, plugins, config
> dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: ntUniqueId
> objectClass: top
> objectClass: nsIndex
>
> # ntUserDomainId, default indexes, config, ldbm database, plugins, config
> dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: ntUserDomainId
> objectClass: top
> objectClass: nsIndex
>
> # numsubordinates, default indexes, config, ldbm database, plugins, config
> dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: numsubordinates
> objectClass: top
> objectClass: nsIndex
>
> # objectclass, default indexes, config, ldbm database, plugins, config
> dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: objectclass
> objectClass: top
> objectClass: nsIndex
>
> # owner, default indexes, config, ldbm database, plugins, config
> dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: owner
> objectClass: top
> objectClass: nsIndex
>
> # parentid, default indexes, config, ldbm database, plugins, config
> dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: parentid
> objectClass: top
> objectClass: nsIndex
>
> # seeAlso, default indexes, config, ldbm database, plugins, config
> dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: seeAlso
> objectClass: top
> objectClass: nsIndex
>
> # sn, default indexes, config, ldbm database, plugins, config
> dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: sn
> objectClass: top
> objectClass: nsIndex
>
> # targetuniqueid, default indexes, config, ldbm database, plugins, config
> dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: targetuniqueid
> objectClass: top
> objectClass: nsIndex
>
> # telephoneNumber, default indexes, config, ldbm database, plugins, config
> dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: telephoneNumber
> objectClass: top
> objectClass: nsIndex
>
> # uid, default indexes, config, ldbm database, plugins, config
> dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: uid
> objectClass: top
> objectClass: nsIndex
>
> # uniquemember, default indexes, config, ldbm database, plugins, config
> dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> cn: uniquemember
> objectClass: top
> objectClass: nsIndex
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 51
> # numEntries: 50
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: January-20-16 11:44 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
>
> On 01/20/2016 12:24 PM, Nathan Peters wrote:
>> Now we are starting to get somewhere (although a resolution still is
>> not visible) :)
>>
>> First, thank you Petr and Rob for your help on this issue.  I apologize for our hard to parse server names.  I'm not a fan of them myself and in earlier reports I had been reformatting everything nicely with dc1, dc2, dc3 etc.  After having to submit so many reports I started to get lazy and thought it may be more helpful to see data closer to what we are actually using.
>>
>> Petr hit the nail on the head with the "does everyone who binds get the same result" question, which although it has not revealed a resolution, has revealed a bunch of really interesting facts about the process.
>>
>> Going back to the original logs that were running on the remote master during the replica installation attempt I see the following :
>>
>> [18/Jan/2016:09:28:32 -0800] conn=18732 fd=77 slot=77 connection from
>> 10.21.0.98 to 10.178.0.98
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=0 BIND dn="" method=sasl
>>> version=3 mech=GSSAPI
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=0 RESULT err=14 tag=97
>>> nentries=0 etime=0, SASL bind in progress
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=1 BIND dn="" method=sasl
>>> version=3 mech=GSSAPI
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=1 RESULT err=14 tag=97
>>> nentries=0 etime=0, SASL bind in progress
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=2 BIND dn="" method=sasl
>>> version=3 mech=GSSAPI
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=3 SRCH
>>> base="cn=replication,cn=etc,dc=mydomain,dc=net" scope=0
>>> filter="(objectClass=*)" attrs=ALL
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=3 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=4 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
>>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=4 RESULT err=0 tag=101
>>> nentries=1 etime=0
>> So, conn18732 was opened with a bind dn of "" ?  Is this supposed to happen?
> Yes.  GSSAPI/SASL binds are multi-stage binds.  You'll notice that the last stage is op=2, and the result has the full bind DN to which the kerberos principal mapped.  The dn is "" until the last stage, at which time the mapped DN is known and logged.
>
>> Here is what I see when I search that base using the same empty bind dn :
> nack - you have to first use "kinit myusername at MYDOMAIN", then use ldapsearch -Y GSSAPI ...., to do the bind in the same way to use GSSAPI.
>
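The two points Rich makes above (a GSSAPI bind logs dn="" with err=14 until its last stage, and a simple vs. GSSAPI bind for the same DN should not see different results unless ACIs are involved) can be checked mechanically against the 389-ds access log. The following is an added example, not code from the thread or from FreeIPA/389-ds: it pairs each BIND and SRCH with its RESULT by (conn, op), records which mapped DN and bind method each search ran under, and flags searches that succeeded for an authenticated DN but returned no entries, plus bases where the same DN got different counts under different bind methods. The log lines are constructed in the format quoted in the thread; the simple-bind connection conn=62399 is assumed, not taken from the mails.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in 389-ds access-log format, modelled on the thread's lines.
# conn=62398: GSSAPI bind as admin whose search of the replica entry is empty.
# conn=62399: assumed simple bind (method=128) by the same DN that does see it.
SAMPLE_LOG = """\
[20/Jan/2016:22:55:22 -0800] conn=62398 fd=321 slot=321 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 SRCH base="cn=replica,cn=dc\\3Dmydomain\\2Cdc\\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 UNBIND
[20/Jan/2016:22:57:01 -0800] conn=62399 fd=322 slot=322 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:22:57:01 -0800] conn=62399 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net" method=128 version=3
[20/Jan/2016:22:57:01 -0800] conn=62399 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jan/2016:22:57:01 -0800] conn=62399 op=1 SRCH base="cn=replica,cn=dc\\3Dmydomain\\2Cdc\\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:57:01 -0800] conn=62399 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[20/Jan/2016:22:57:01 -0800] conn=62399 op=2 UNBIND
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\w+)'
                     r'(?: version=\d+)?(?: mech=(?P<mech>\w+))?')
SRCH_RE = re.compile(r'^op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=\d')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=\d+ '
                       r'nentries=(?P<n>\d+) etime=[\d.]+(?P<extra>.*)$')
SASL_BIND_IN_PROGRESS = 14  # LDAP result code: another SASL round trip follows


@dataclass
class Search:
    conn: str
    base: str
    bound_dn: Optional[str]  # None = anonymous, or the bind never completed
    method: str              # "simple" or "sasl/<mech>"
    err: int
    nentries: int


@dataclass
class ConnState:
    method: str = "anonymous"
    bound_dn: Optional[str] = None
    pending: dict = field(default_factory=dict)  # op -> ("bind", dn) | ("srch", base)


def parse_access_log(text):
    """Pair each BIND/SRCH request with its RESULT line by (conn, op)."""
    conns = defaultdict(ConnState)
    searches = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close lines and UNBIND carry no result
        st, rest = conns[m["conn"]], m["rest"]
        if b := BIND_RE.match(rest):
            st.method = f"sasl/{b['mech']}" if b["method"] == "sasl" else "simple"
            st.pending[b["op"]] = ("bind", b["dn"])
        elif s := SRCH_RE.match(rest):
            st.pending[s["op"]] = ("srch", s["base"])
        elif r := RESULT_RE.match(rest):
            kind, arg = st.pending.pop(r["op"], (None, None))
            err = int(r["err"])
            if kind == "bind":
                if err == SASL_BIND_IN_PROGRESS:
                    continue  # dn="" is expected here; mapping happens at the last stage
                dn = re.search(r'dn="([^"]*)"', r["extra"])  # final stage logs the mapped DN
                st.bound_dn = (dn.group(1) if dn else arg or None) if err == 0 else None
            elif kind == "srch":
                searches.append(Search(m["conn"], arg, st.bound_dn, st.method, err, int(r["n"])))
    return searches


def empty_authenticated_searches(searches):
    """Searches that succeeded (err=0) for a bound DN yet returned nothing. 389-ds does not
    answer insufficientAccessRights when ACIs hide a subtree; it returns success with
    nentries=0, which is the symptom in the thread."""
    return [s for s in searches if s.bound_dn and s.err == 0 and s.nentries == 0]


def method_disagreements(searches):
    """Bases where the same bound DN got different entry counts under different bind
    methods, which points at bind-method-dependent ACI evaluation (e.g. an authmethod
    or ssf bind rule) rather than at a missing entry."""
    counts = defaultdict(dict)
    for s in searches:
        if s.bound_dn and s.err == 0:
            counts[(s.bound_dn, s.base)][s.method] = s.nentries
    return {k: v for k, v in counts.items() if len(set(v.values())) > 1}
```

Run `parse_access_log` over the real access log text (the default is /var/log/dirsrv/slapd-INSTANCE/access) and feed the result to both reporting functions; a hit in `method_disagreements` for cn=config is the cue to dump the ACIs with the `(aci=*)` search Rich describes.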
