[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Nathan Peters Nathan.Peters at globalrelay.net
Fri Jan 22 03:48:01 UTC 2016


Here are the results for that aci search using a non-GSSAPI bind by Directory Manager on the old master that we are attempting to join against.  I don't see anything in this list that would indicate that some users should or should not have access through a certain method.  Unless one of those SASL config settings is doing it?

[root at dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: ALL
#

# config
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig
nsslapd-backendconfig: cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=confi
 g
nsslapd-backendconfig: cn=config,cn=changelog,cn=ldbm database,cn=plugins,cn=c
 onfig
nsslapd-betype: ldbm database
nsslapd-privatenamespaces: cn=schema
nsslapd-privatenamespaces:
nsslapd-privatenamespaces: cn=monitor
nsslapd-privatenamespaces: cn=config
nsslapd-plugin: cn=binary syntax,cn=plugins,cn=config
nsslapd-plugin: cn=bit string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=boolean syntax,cn=plugins,cn=config
nsslapd-plugin: cn=case exact string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=case ignore string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=country string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=delivery method syntax,cn=plugins,cn=config
nsslapd-plugin: cn=distinguished name syntax,cn=plugins,cn=config
nsslapd-plugin: cn=enhanced guide syntax,cn=plugins,cn=config
nsslapd-plugin: cn=facsimile telephone number syntax,cn=plugins,cn=config
nsslapd-plugin: cn=fax syntax,cn=plugins,cn=config
nsslapd-plugin: cn=generalized time syntax,cn=plugins,cn=config
nsslapd-plugin: cn=guide syntax,cn=plugins,cn=config
nsslapd-plugin: cn=integer syntax,cn=plugins,cn=config
nsslapd-plugin: cn=jpeg syntax,cn=plugins,cn=config
nsslapd-plugin: cn=name and optional uid syntax,cn=plugins,cn=config
nsslapd-plugin: cn=numeric string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=octet string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=oid syntax,cn=plugins,cn=config
nsslapd-plugin: cn=postal address syntax,cn=plugins,cn=config
nsslapd-plugin: cn=printable string syntax,cn=plugins,cn=config
nsslapd-plugin: cn=telephone syntax,cn=plugins,cn=config
nsslapd-plugin: cn=teletex terminal identifier syntax,cn=plugins,cn=config
nsslapd-plugin: cn=telex number syntax,cn=plugins,cn=config
nsslapd-plugin: cn=octetstringmatch,cn=plugins,cn=config
nsslapd-plugin: cn=octetstringorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=bitstringmatch,cn=plugins,cn=config
nsslapd-plugin: cn=bitwise plugin,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactia5match,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactsubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseexactia5substringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=generalizedtimematch,cn=plugins,cn=config
nsslapd-plugin: cn=generalizedtimeorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=booleanmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoreia5match,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoreia5substringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignorematch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoreorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignoresubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignorelistmatch,cn=plugins,cn=config
nsslapd-plugin: cn=caseignorelistsubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=objectidentifiermatch,cn=plugins,cn=config
nsslapd-plugin: cn=directorystringfirstcomponentmatch,cn=plugins,cn=config
nsslapd-plugin: cn=objectidentifierfirstcomponentmatch,cn=plugins,cn=config
nsslapd-plugin: cn=distinguishednamematch,cn=plugins,cn=config
nsslapd-plugin: cn=integermatch,cn=plugins,cn=config
nsslapd-plugin: cn=integerorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=integerfirstcomponentmatch,cn=plugins,cn=config
nsslapd-plugin: cn=internationalization plugin,cn=plugins,cn=config
nsslapd-plugin: cn=uniquemembermatch,cn=plugins,cn=config
nsslapd-plugin: cn=numericstringmatch,cn=plugins,cn=config
nsslapd-plugin: cn=numericstringorderingmatch,cn=plugins,cn=config
nsslapd-plugin: cn=numericstringsubstringsmatch,cn=plugins,cn=config
nsslapd-plugin: cn=telephonenumbermatch,cn=plugins,cn=config
nsslapd-plugin: cn=telephonenumbersubstringsmatch,cn=plugins,cn=config
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config:nsslapd-ldapifilepath
nsslapd-requiresrestart: cn=config:nsslapd-ldapilisten
nsslapd-requiresrestart: cn=config:nsslapd-workingdir
nsslapd-requiresrestart: cn=config:nsslapd-plugin
nsslapd-requiresrestart: cn=config:nsslapd-sslclientauth
nsslapd-requiresrestart: cn=config:nsslapd-changelogdir
nsslapd-requiresrestart: cn=config:nsslapd-changelogsuffix
nsslapd-requiresrestart: cn=config:nsslapd-changelogmaxentries
nsslapd-requiresrestart: cn=config:nsslapd-changelogmaxage
nsslapd-requiresrestart: cn=config:nsslapd-db-locks
nsslapd-requiresrestart: cn=config:nsslapd-maxdescriptors
nsslapd-requiresrestart: cn=config:nsslapd-return-exact-case
nsslapd-requiresrestart: cn=config:nsslapd-schema-ignore-trailing-spaces
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-idlistscanlimit
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-parentcheck
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-dbcachesize
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-dbncache
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-cachesize
nsslapd-requiresrestart: cn=config,cn=ldbm:nsslapd-plugin
nsslapd-requiresrestart: cn=encryption,cn=config:nssslsessiontimeout
nsslapd-requiresrestart: cn=encryption,cn=config:nssslclientauth
nsslapd-requiresrestart: cn=encryption,cn=config:nsssl2
nsslapd-requiresrestart: cn=encryption,cn=config:nsssl3
nsslapd-auditlog-mode: 600
nsslapd-auditlog-logrotationsync-enabled: off
nsslapd-auditlog-logrotationsynchour: 0
nsslapd-auditlog-logrotationsyncmin: 0
nsslapd-auditlog-logrotationtime: 1
nsslapd-accesslog-mode: 600
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-errorlog-level: 16384
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-mode: 600
nsslapd-errorlog-logexpirationtime: 1
nsslapd-accesslog-logging-enabled: on
nsslapd-port: 389
nsslapd-workingdir: /var/log/dirsrv/slapd-DEV-mydomain-NET
nsslapd-maxthreadsperconn: 5
nsslapd-accesslog-logexpirationtime: 1
nsslapd-localuser: dirsrv
nsslapd-errorlog-logrotationsync-enabled: off
nsslapd-errorlog-logrotationsynchour: 0
nsslapd-errorlog-logrotationsyncmin: 0
nsslapd-errorlog-logrotationtime: 1
passwordInHistory: 6
passwordUnlock: on
passwordGraceLimit: 0
nsslapd-accesslog-logrotationsync-enabled: off
nsslapd-accesslog-logrotationsynchour: 0
nsslapd-accesslog-logrotationsyncmin: 0
nsslapd-accesslog-logrotationtime: 1
passwordMustChange: off
nsslapd-pwpolicy-local: off
nsslapd-auditlog-logmaxdiskspace: 100
nsslapd-sizelimit: 2000
nsslapd-auditlog-maxlogsize: 100
passwordWarning: 86400
nsslapd-readonly: off
nsslapd-sasl-mapping-fallback: on
nsslapd-threadnumber: 30
passwordLockout: off
nsslapd-enquote-sup-oc: off
nsslapd-localhost: dc2-ipa-dev-nvan.dev-mydomain.net
nsslapd-ioblocktimeout: 1800000
nsslapd-max-filter-nest-level: 40
nsslapd-errorlog-logmaxdiskspace: 100
passwordMinLength: 8
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 3
passwordMinTokenLength: 3
nsslapd-errorlog: /var/log/dirsrv/slapd-DEV-mydomain-NET/errors
nsslapd-auditlog-logexpirationtime: 1
nsslapd-schemacheck: on
nsslapd-schemamod: on
nsslapd-syntaxcheck: on
nsslapd-syntaxlogging: off
nsslapd-dn-validate-strict: off
nsslapd-ds4-compatible-schema: off
nsslapd-schema-ignore-trailing-spaces: off
nsslapd-schemareplace: replication-only
nsslapd-accesslog-logmaxdiskspace: 500
passwordMaxFailure: 3
nsslapd-accesslog: /var/log/dirsrv/slapd-DEV-mydomain-NET/access
nsslapd-lastmod: on
nsslapd-security: on
passwordMaxAge: 8640000
nsslapd-auditlog-logrotationtimeunit: day
passwordResetFailureCount: 600
passwordIsGlobalPolicy: off
passwordLegacyPolicy: on
passwordTrackUpdateTime: off
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-errorlog-logexpirationtimeunit: month
nsslapd-groupevalnestlevel: 0
nsslapd-accesslog-logexpirationtimeunit: month
nsslapd-rootpw: {SSHA}dVkYQwrJNWRuX/ErfQCCtcEE1pOjkpm8sIUgDw==
passwordChange: on
nsslapd-accesslog-level: 256
nsslapd-errorlog-logrotationtimeunit: week
nsslapd-securePort: 636
nsslapd-certmap-basedn:
nsslapd-timelimit: 3600
nsslapd-errorlog-maxlogsize: 100
nsslapd-reservedescriptors: 64
nsslapd-svrtab:
passwordExp: off
nsslapd-accesscontrol: on
nsslapd-accesslog-logrotationtimeunit: day
passwordLockoutDuration: 3600
nsslapd-accesslog-maxlogsize: 100
nsslapd-idletimeout: 0
nsslapd-nagle: on
nsslapd-errorlog-logminfreediskspace: 5
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-logging-hide-unhashed-pw: on
nsslapd-accesslog-logbuffering: on
nsslapd-csnlogging: on
nsslapd-auditlog-logexpirationtimeunit: month
nsslapd-allow-hashed-passwords: on
passwordCheckSyntax: off
nsslapd-listenhost:
nsslapd-snmp-index: 0
nsslapd-ldapifilepath: /var/run/slapd-DEV-mydomain-NET.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
nsslapd-anonlimitsdn: cn=anonymous-limits,cn=etc,dc=dev-mydomain,dc=net
nsslapd-counters: on
nsslapd-accesslog-logminfreediskspace: 5
nsslapd-errorlog-maxlogsperdir: 2
nsslapd-securelistenhost:
nsslapd-auditlog-logminfreediskspace: 5
nsslapd-rootdn: cn=Directory Manager
passwordMinAge: 0
nsslapd-auditlog: /var/log/dirsrv/slapd-DEV-mydomain-NET/audit
nsslapd-return-exact-case: on
nsslapd-result-tweak: off
nsslapd-plugin-binddn-tracking: off
nsslapd-moddn-aci: on
nsslapd-attribute-name-exceptions: off
nsslapd-maxbersize: 209715200
nsslapd-maxsasliosize: 2097152
nsslapd-versionstring: 389-Directory/1.3.4.5
nsslapd-referralmode:
nsslapd-maxdescriptors: 8192
nsslapd-conntablesize: 8192
nsslapd-SSLclientAuth: allowed
nsslapd-config: cn=config
nsslapd-instancedir: /var/lib/dirsrv/scripts-DEV-mydomain-NET
nsslapd-schemadir: /etc/dirsrv/slapd-DEV-mydomain-NET/schema
nsslapd-lockdir: /var/lock/dirsrv/slapd-DEV-mydomain-NET
nsslapd-tmpdir: /tmp
nsslapd-certdir: /etc/dirsrv/slapd-DEV-mydomain-NET
nsslapd-ldifdir: /var/lib/dirsrv/slapd-DEV-mydomain-NET/ldif
nsslapd-bakdir: /var/lib/dirsrv/slapd-DEV-mydomain-NET/bak
nsslapd-saslpath:
nsslapd-rundir: /var/run/dirsrv
nsslapd-rewrite-rfc1274: off
nsslapd-outbound-ldap-io-timeout: 300000
nsslapd-allow-unauthenticated-binds: off
nsslapd-require-secure-binds: off
nsslapd-allow-anonymous-access: on
nsslapd-localssf: 71
nsslapd-minssf: 0
nsslapd-minssf-exclude-rootdse: on
nsslapd-force-sasl-external: off
nsslapd-entryusn-global: on
nsslapd-entryusn-import-initval: next
nsslapd-allowed-to-delete-attrs: passwordadmindn nsslapd-listenhost nsslapd-se
 curelistenhost nsslapd-defaultnamingcontext
nsslapd-validate-cert: warn
nsslapd-pagedsizelimit: 0
nsslapd-defaultnamingcontext: dc=dev-mydomain,dc=net
nsslapd-disk-monitoring: off
nsslapd-disk-monitoring-threshold: 2097152
nsslapd-disk-monitoring-grace-period: 60
nsslapd-disk-monitoring-logging-critical: off
nsslapd-ndn-cache-enabled: on
nsslapd-ndn-cache-max-size: 20971520
nsslapd-allowed-sasl-mechanisms:
nsslapd-ignore-virtual-attrs: off
nsslapd-unhashed-pw-switch: on
nsslapd-sasl-max-buffer-size: 2097152
nsslapd-search-return-original-type-switch: off
nsslapd-enable-turbo-mode: on
nsslapd-connection-buffer: 1
nsslapd-connection-nocanon: on
nsslapd-plugin-logging: off
nsslapd-listen-backlog-size: 128
nsslapd-dynamic-plugins: off
nsslapd-cn-uses-dn-syntax-in-dns: off
nsslapd-malloc-mxfast: -10
nsslapd-malloc-trim-threshold: -10
nsslapd-malloc-mmap-threshold: -10
nsslapd-ignore-time-skew: off
nsslapd-global-backend-lock: off
nsslapd-maxsimplepaged-per-conn: -1
nsslapd-enable-nunc-stans: off
passwordStorageScheme: SSHA
passwordAdminDN:
nsslapd-rootpwstoragescheme: SSHA
nsslapd-errorlog-list:
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160121-071658
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160121-022556
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160120-191523
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160120-091819
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160120-021415
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160119-165941
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160119-065036
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160119-023133
nsslapd-accesslog-list: /var/log/dirsrv/slapd-DEV-mydomain-NET/access.20160118-205128
nsslapd-auditlog-list:
nsslapd-ssl-check-hostname: on
nsslapd-hash-filters: off

# mapping tree, config
dn: cn=mapping tree,cn=config
cn: mapping tree
objectClass: top
objectClass: extensibleObject

# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP

# tasks, config
dn: cn=tasks,cn=config
cn: tasks
objectClass: top
objectClass: extensibleObject

# csusers, config
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9

# dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: dc=dev-mydomain,dc=net
cn: "dc=dev-mydomain,dc=net"
nsslapd-backend: userRoot
nsslapd-referral: ldap://dc1-ipa-dev-van.dev-mydomain.net:389/dc%3Ddev-mydomain%2Cdc%3Dnet
nsslapd-referral: ldap://dc1-ipa-dev-nvan.dev-mydomain.net:389/dc%3Ddev-mydomain%2Cdc%3Dnet
nsslapd-state: backend
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
cn: o=ipaca
nsslapd-backend: ipaca
nsslapd-referral: ldap://dc1-ipa-dev-nvan.dev-mydomain.net:389/o%3Dipaca
nsslapd-referral: ldap://dc1-ipa-dev-van.dev-mydomain.net:389/o%3Dipaca
nsslapd-state: Backend
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
cn: ldbm database
nsslapd-plugin-depends-on-type: Syntax
nsslapd-plugin-depends-on-type: matchingRule
nsslapd-pluginDescription: high-performance LDAP backend database plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: ldbm-backend
nsslapd-pluginInitfunc: ldbm_back_init
nsslapd-pluginPath: libback-ldbm
nsslapd-pluginType: database
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.4.5
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=dev-mydomain,dc=net
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=dev-mydomain,dc=net
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dev-mydomain,dc=net
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: userRoot
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
nsslapd-suffix: dc=dev-mydomain,dc=net
nsslapd-cachesize: -1
nsslapd-cachememsize: 10485760
nsslapd-readonly: off
nsslapd-require-index: off
nsslapd-directory: /var/lib/dirsrv/slapd-DEV-mydomain-NET/db/userRoot
nsslapd-dncachememsize: 10485760

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 12


-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com] 
Sent: January-21-16 7:29 AM
To: Nathan Peters; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

On 01/21/2016 12:50 AM, Nathan Peters wrote:
> I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly.
>
> It seems that no account, no keytab, and no host can see that mapping tree branch no matter who they search from or against if GSSAPI is used.
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters
> Sent: January-20-16 11:41 PM
> To: Rich Megginson; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails 
> with DuplicateEntry: This entry already exists
>
> All checks below were performed from the host we are trying to turn 
> into a replica and they were performed against the master whose logs I 
> also show.
>
> The first check was to kinit admin and try the search.  Surprisingly, the GSSAPI bind returns no results when we search that.  In my previous email you can see that the standard bind gets a result as admin for that search.
>
> Next, I tried as the host by kinit with its keytab.  Same result, nothing back.
>
> Finally I tried as my own personal admin user.  Same result, nothing back.
>
> For good measure, I tried a broad search against the base "cn=mydomain,cn=net" as each user as well and I'll spare you the ten thousand lines of screenshot but the results were as expected, several thousand entries in that tree.
> Although the output differed slightly.  This is the total as admin or 
> my personal user:
>
> # numResponses: 3372
> # numEntries: 3371
>
> and this is the total as the host keytab account
>
> # numResponses: 3371
> # numEntries: 3370
>
> To be even more thorough, I did searches farther and farther up the config tree using GSSAPI until I found something.  The only thing that is visible through GSSAPI searches is the base of the config tree.  Even the mapping tree branch doesn't seem to be visible.
>
> At the very bottom of this email is the results of the search against cn=config directly as the attempted new replica and as admin.  Admin gets about 50 results and the host only gets about 30 for some reason.  I get the same results as admin on my personal account so I've excluded those.
>
> So if I got all that right I was able to determine that only the base of the config tree is available using GSSAPI for any account, users for some reason get slightly more results than hosts, and all accounts can see the dc=mydomain,dc=net tree just fine using GSSAPI.
>
> So does that help shed some light on what the cause of this might be or why the server is not answering as expected?
>
> Is there some way I can adjust this so everyone can see the results they do using regular binds as they do using GSSAPI binds?
>
> Is there some way I can check ACLs on stuff?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html

Note: There is a bug in the docs.  You have to also specify the suffix, e.g. "-b cn=config", and make sure the search filter is quoted, e.g. '(aci=*)'.

If it is not aci related, I have no idea why you would get different results depending on if you did a simple bind vs. a gssapi bind with the same user that mapped to the same bind DN.

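The thread does its diagnosis by hand: run the same search under a simple bind and a GSSAPI bind, then compare the result sets, and separately pull the aci attributes out of the ldapsearch dump.  The script below is an added example, not code from the thread or from 389-ds/FreeIPA; it parses ldapsearch LDIF output (including the folded continuation lines visible in the output above), lists which entries carry an aci, and reports the DNs one bind returned that the other did not.  The two LDIF samples are constructed, and the aci value in them is made up for the example.

```python
# Added example (not from the thread): parse ldapsearch LDIF output and
# compare what a simple bind and a GSSAPI bind returned for the same search.
from collections import defaultdict


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from ldapsearch LDIF output.

    Handles '#' comments, folded continuation lines (leading space, as in
    the nsslapd-backendconfig values in the thread), blank-line entry
    separators, and drops dn-less blocks such as the 'search:/result:'
    trailer. Base64 values ('attr:: ...') are kept undecoded.
    """
    entries, current, attr = {}, None, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):               # folded continuation line
            if attr is not None:
                current[attr][-1] += raw[1:]
            continue
        if raw.startswith("#"):
            continue
        if raw == "":                         # end of entry
            if current is not None and "dn" in current:
                entries[current["dn"][0]] = dict(current)
            current, attr = None, None
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = value[1:]                 # base64 marker
        if current is None:
            current = defaultdict(list)
        current[attr].append(value[1:] if value.startswith(" ") else value)
    return entries


def acis_by_entry(entries):
    """DN -> aci values, only for entries that actually carry an aci."""
    return {dn: e["aci"] for dn, e in entries.items() if "aci" in e}


def invisible_under(simple_entries, gssapi_entries):
    """DNs the simple bind returned that the GSSAPI bind did not."""
    return sorted(set(simple_entries) - set(gssapi_entries))


# Constructed sample output; the aci value is made up for the example.
SIMPLE_BIND_OUTPUT = """\
# config
dn: cn=config
cn: config
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig
aci: (targetattr="*")(version 3.0; acl "constructed example"; allow (read, sea
 rch, compare) userdn="ldap:///anyone";)

dn: cn=mapping tree,cn=config
cn: mapping tree

search: 2
result: 0 Success
"""
GSSAPI_BIND_OUTPUT = "dn: cn=config\ncn: config\n\nsearch: 2\nresult: 0 Success\n"
```

Feed it the saved output of two real ldapsearch runs instead of the constructed strings; an empty `acis_by_entry()` result on `cn=config` while `invisible_under()` is non-empty points away from ACIs and toward the bind mapping, which is the distinction Rich's reply draws.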


