[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Ludwig Krispenz lkrispen at redhat.com
Fri Jan 22 08:44:10 UTC 2016


On 01/22/2016 04:48 AM, Nathan Peters wrote:
> Here are the results for that aci search using a non-GSSAPI bind by directory manager on the old master that we are attempting to join against.  I don't see anything in this list that would indicate that some users should or should not have access through a certain method.  Unless one of those sasl config settings is doing it?
>
> [root at dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)"
You need to request the aci attribute to see the ACIs:

ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci


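Once the aci attribute is requested, the useful part of the answer is the bind rule attached to each ACI. The following Python is an added example, not code from the thread or from FreeIPA: it unfolds the LDIF continuation lines that ldapsearch prints, collects the aci values per entry, and lists every ACI whose bind rule contains an authmethod clause, since that is the kind of rule that would give a simple bind and a GSSAPI bind different results. The sample LDIF, its DNs and its ACIs are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, shaped like the LDIF that `ldapsearch -x -D "cn=directory manager"
# -W -b cn=config "(aci=*)" aci` prints (long values folded onto continuation lines that
# start with one space). The DNs and ACIs are made up for this example, not from the thread.
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=config
aci: (targetattr != "aci")(version 3.0; acl "cn=config read for admins"; allow
 (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=e
 xample,dc=test";)

dn: cn=mapping tree,cn=config
aci: (targetattr = "*")(version 3.0; acl "simple bind only"; allow (read, sear
 ch) userdn = "ldap:///all" and authmethod = "simple";)
"""

# Core of a 389-DS version 3.0 ACI: acl name, allow/deny, rights list, then the bind rule.
ACI_RE = re.compile(
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?);\s*\)\s*$',
    re.DOTALL,
)
AUTHMETHOD_RE = re.compile(r'authmethod\s*=\s*"([^"]*)"', re.IGNORECASE)

def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) back onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def acis_by_entry(text: str) -> Dict[str, List[str]]:
    """Map each DN in the search output to the aci values returned for it."""
    entries: Dict[str, List[str]] = {}
    dn: Optional[str] = None
    for line in unfold_ldif(text):
        if not line.strip() or line.startswith("#"):
            continue  # blank entry separator or ldapsearch comment
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn = value.strip()
            entries.setdefault(dn, [])
        elif attr.lower() == "aci" and dn is not None:
            entries[dn].append(value.strip())
    return entries

def parse_aci(aci: str) -> Optional[dict]:
    """Split one ACI into name, effect, rights and bind rule; None if it does not parse."""
    m = ACI_RE.search(aci)
    if not m:
        return None
    am = AUTHMETHOD_RE.search(m.group("bind"))
    return {"name": m.group("name"), "effect": m.group("effect"),
            "rights": [r.strip() for r in m.group("rights").split(",")],
            "bindrule": m.group("bind").strip(),
            "authmethod": am.group(1) if am else None}  # e.g. "simple", "sasl GSSAPI"

def authmethod_restricted(text: str) -> List[tuple]:
    """(dn, acl name, authmethod) for every ACI whose bind rule depends on the bind method."""
    return [(dn, p["name"], p["authmethod"])
            for dn, acis in acis_by_entry(text).items()
            for p in filter(None, map(parse_aci, acis)) if p["authmethod"]]
```

Feed it the real search output (saved to a file and read in place of SAMPLE_LDIF) to see which entries under cn=config carry bind-method-specific rules.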
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: January-21-16 7:29 AM
> To: Nathan Peters; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
>
> On 01/21/2016 12:50 AM, Nathan Peters wrote:
>> I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly.
>>
>> It seems that no account, no keytab, and no host can see that mapping tree branch no matter who they search from or against if GSSAPI is used.
>>
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters
>> Sent: January-20-16 11:41 PM
>> To: Rich Megginson; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails
>> with DuplicateEntry: This entry already exists
>>
>> All checks below were performed from the host we are trying to turn into a replica, and they were performed against the master whose logs I also show.
>>
>> The first check was to kinit admin and try the search.  Surprisingly, the GSSAPI bind returns no results when we search that.  In my previous email you can see that the standard bind gets a result as admin for that search.
>>
>> Next, I tried as the host by kinit with its keytab.  Same result, nothing back.
>>
>> Finally I tried as my own personal admin user.  Same result, nothing back.
>>
>> For good measure, I tried a broad search against the base "cn=mydomain,cn=net" as each user as well and I'll spare you the ten thousand lines of screenshot but the results were as expected, several thousand entries in that tree.
>> Although the output differed slightly.  This is the total as admin or my personal user:
>>
>> # numResponses: 3372
>> # numEntries: 3371
>>
>> and this is the total as the host keytab account
>>
>> # numResponses: 3371
>> # numEntries: 3370
>>
>> To be even more thorough, I did searches farther and farther up the config tree using GSSAPI until I found something.  The only thing that is visible through GSSAPI searches is the base of the config tree.  Even the mapping tree branch doesn't seem to be visible.
>>
>> At the very bottom of this email are the results of the search against cn=config directly as the attempted new replica and as admin.  Admin gets about 50 results and the host only gets about 30 for some reason.  I get the same results as admin on my personal account so I've excluded those.
>>
>> So if I got all that right I was able to determine that only the base of the config tree is available using GSSAPI for any account, users for some reason get slightly more results than hosts, and all accounts can see the dc=mydomain,dc=net tree just fine using GSSAPI.
>>
>> So does that help shed some light on what the cause of this might be or why the server is not answering as expected?
>>
>> Is there some way I can adjust this so everyone can see the results they do using regular binds as they do using GSSAPI binds?
>>
>> Is there some way I can check ACLs on stuff?
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html
>
> Note: There is a bug in the docs.  You have to also specify the suffix e.g. "-b cn=config", and make sure the search filter is quoted e.g.
> '(aci=*)'
>
> If it is not aci related, I have no idea why you would get different results depending on if you did a simple bind vs. a gssapi bind with the same user that mapped to the same bind DN.
>



