[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Nathan Peters Nathan.Peters at globalrelay.net
Fri Jan 22 04:08:39 UTC 2016


Ok, here are the logs and console session from those searches as admin and as the host on the new master against itself.  Same result, nothing in there.

See my email reply to Rich I sent a few minutes ago for the directory manager aci search results.

==========================================================================
GSSAPI search using admin on old master searching old master (current host)
==========================================================================

[root at dc2-ipa-dev-nvan ~]# kinit admin
Password for admin at DEV-mydomain.NET:
[root at dc2-ipa-dev-nvan ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_swFzxQf
Default principal: admin at DEV-mydomain.NET

Valid starting     Expires            Service principal
21/01/16 19:54:14  22/01/16 19:54:05  krbtgt/DEV-mydomain.NET at DEV-mydomain.NET
[root at dc2-ipa-dev-nvan ~]# ldapsearch -Y GSSAPI -b "cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: admin at DEV-mydomain.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root at dc2-ipa-dev-nvan ~]# kdestroy

==========================================================================
GSSAPI search using host keytab on old master searching old master (current host)
==========================================================================


[root at dc2-ipa-dev-nvan ~]# kinit -k -t /etc/krb5.keytab
[root at dc2-ipa-dev-nvan ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_swFzxQf
Default principal: host/dc2-ipa-dev-nvan.dev-mydomain.net at DEV-mydomain.NET

Valid starting     Expires            Service principal
21/01/16 19:54:53  22/01/16 19:54:53  krbtgt/DEV-mydomain.NET at DEV-mydomain.NET
[root at dc2-ipa-dev-nvan ~]# ldapsearch -Y GSSAPI -b "cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-nvan.dev-mydomain.net at DEV-mydomain.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root at dc2-ipa-dev-nvan ~]#


========================================================
logs from old master (current host) during search using host keytab
========================================================
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-nvan.dev-mydomain.net,cn=computers,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 UNBIND
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 fd=273 closed - U1

===========================================================
logs from old master (current host) during search as admin
===========================================================
[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:54:40 -0800] conn=76094 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:54:40 -0800] conn=76094 op=5 UNBIND
[21/Jan/2016:19:54:40 -0800] conn=76094 op=5 fd=143 closed - U1


-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: January-21-16 7:45 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists


On 01/21/2016 08:50 AM, Nathan Peters wrote:
> I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly.
>
> It seems that no account, no keytab, and no host can see that mapping tree branch no matter who they search from or against if GSSAPI is used.
There should be no difference in the result; it should only depend on the ACIs, and in one of your previous posts you said that you don't get a result bound as admin:
 >>>

[root at dc2-ipa-dev-van ~]# ldapsearch -Hldaps://dc2-ipa-dev-nvan.mydomain.net  -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" -D "uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
---snip---

So we know that for whatever reason, this particular DN cannot be searched from anyone other than directory manager.


<<<

So could you provide the result and log of a search with GSSAPI and directly bound to the same server? And, as Directory Manager, query the ACIs in the mapping tree entry.
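As an added example (not from the thread or from FreeIPA/389-ds), a small Python parser over the 389-ds access-log lines posted above, plus a constructed Directory Manager connection (conn=99999) for contrast: it ties each SRCH RESULT back to the identity its connection bound as, so you can see at a glance which binds got err=0 but nentries=0 on the mapping-tree entry, the pattern that points at the ACIs rather than at authentication.

```python
import re
from collections import defaultdict

# Log lines from the thread plus a constructed Directory Manager connection;
# a raw string keeps the \3D / \2C escapes in the base DN intact.
SAMPLE_LOG = r"""
[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-nvan.dev-mydomain.net,cn=computers,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:56:00 -0800] conn=99999 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Jan/2016:19:56:00 -0800] conn=99999 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Jan/2016:19:56:00 -0800] conn=99999 op=1 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:56:00 -0800] conn=99999 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')

def fields(rest):
    """Turn 'err=0 tag=97 dn="..."' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def correlate(log_text):
    """One record per finished search: bound identity, base, err and nentries."""
    bound_as = {}                # conn -> identity DN once the bind succeeded
    pending = defaultdict(dict)  # conn -> {op: base} for searches still in flight
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, kind, f = m['conn'], int(m['op']), m['kind'], fields(m['rest'])
        if kind == 'BIND' and f.get('dn'):
            bound_as[conn] = f['dn']   # simple bind: identity is on the BIND line
        elif kind == 'RESULT' and f.get('tag') == '97' and f.get('err') == '0' and 'dn' in f:
            bound_as[conn] = f['dn']   # SASL bind: mapped identity is on the final RESULT
        elif kind == 'SRCH':
            pending[conn][op] = f['base']
        elif kind == 'RESULT' and f.get('tag') == '101' and op in pending[conn]:
            records.append({'conn': conn, 'bound_as': bound_as.get(conn, 'anonymous'),
                            'base': pending[conn].pop(op), 'err': int(f['err']),
                            'nentries': int(f['nentries'])})
    return records

def hidden_from(records, base_marker='cn=mapping tree,cn=config'):
    """Identities whose search under base_marker succeeded but returned no entries."""
    return sorted({r['bound_as'] for r in records
                   if base_marker in r['base'] and r['err'] == 0 and r['nentries'] == 0})
```

Run `hidden_from(correlate(SAMPLE_LOG))` on a real access log to list exactly which binds the entry is invisible to; the Directory Manager record with nentries=1 is the control showing the entry does exist.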
