<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 26, 2014 at 1:17 PM, Davis Goodman <span dir="ltr"><<a href="mailto:davis.goodman@digital-district.ca" target="_blank">davis.goodman@digital-district.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><div><div class="h5">
<br><br><div class="gmail_quote">On Mon, May 26, 2014 at 4:22 AM, Martin Kosek <span dir="ltr"><<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div>On 05/25/2014 09:44 PM, Davis Goodman wrote:<br>
> On Wed, May 21, 2014 at 12:06 PM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote:<br>
><br>
>> On 05/21/2014 01:31 PM, Davis Goodman wrote:<br>
>>><br>
>>> On May 21, 2014, at 6:54 , Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a><br>
>>> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>> wrote:<br>
>>><br>
>>>> On 05/21/2014 09:12 AM, Davis Goodman wrote:<br>
>>>>><br>
>>>>> On May 21, 2014, at 2:45 , Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a><br>
>>>>> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>> wrote:<br>
>>>>><br>
>>>>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:<br>
>>>>>>> Hi,<br>
>>>>>>><br>
>>>>>>> Lately I’ve been having issues of replication between my server and<br>
>> my 2<br>
>>>>>>> replicas.<br>
>>>>>>><br>
>>>>>>> I decided I was going to delete my 2 replicas and start over keeping<br>
>> my<br>
>>>>>>> master intact.<br>
>>>>>>><br>
>>>>>>> I wasn't successful in getting all 3 servers to replicate to each<br>
>> other. (<br>
>>>>>>> it used to work)<br>
>>>>>>><br>
>>>>>>> I tried deleting 1 replica after the other one to always keep one<br>
>> of the<br>
>>>>>>> two available.<br>
>>>>>>><br>
>>>>>>> I had to delete manually the replica host on the master with a bunch<br>
>> of<br>
>>>>>>> ldapdelete command which worked fine.<br>
>>>>>>><br>
>>>>>>> But after many unsuccessful trials of getting everyone to sync I<br>
>> decided to<br>
>>>>>>> delete my two replicas.<br>
>>>>>>><br>
>>>>>>> I went back to my master to use the ldapdelete to remove both hosts'<br>
>>>>>>> records so that I could start over.<br>
>>>>>>><br>
>>>>>>> Unfortunately now I’m getting this error.<br>
>>>>>>><br>
>>>>>>> ldapdelete -x -D "cn=Directory Manager" -W<br>
>>>>>>> cn=DNS,cn=<a href="http://freeipa02.mtl.domain.int" target="_blank">freeipa02.mtl.domain.int</a><br>
>> ,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int<br>
>>>>>>> Enter LDAP Password:<br>
>>>>>>> ldap_delete: Server is unwilling to perform (53)<br>
>>>>>>> additional info: database is read-only<br>
>>>>>>><br>
>>>>>>> I’m kinda stuck now with no replicas and no DNS. I could restore the<br>
>> backup<br>
>>>>>>> prior to the start of the operation but with a master in read-only<br>
>> mode it<br>
>>>>>>> wouldn't be of much help.<br>
>>>>>>><br>
>>>>>>> Any insights would be more than welcome.<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> Davis<br>
>>>>>><br>
>>>>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the<br>
>>>>>> middle of an operation, or was an upgrade interrupted and left the<br>
>>>>>> database in read-only mode?<br>
>>>>>><br>
>>>>>> You can find out with this ldapsearch:<br>
>>>>>><br>
>>>>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b<br>
>>>>>> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base<br>
>>>>>><br>
>>>>>> Check for nsslapd-readonly, it should be set to "off" in normal<br>
>> operation.<br>
>>>>>><br>
>>>>>> Martin<br>
>>>>> Ok finally managed to modify the read-only flag.<br>
>>>>><br>
>>>>> Could prepare my replicas and get them going.<br>
>>>>><br>
>>>>> Everything seems fine but I’m getting this error while setting up the<br>
>>>>> replicas. Should I be concerned about this one:<br>
>>>>><br>
>>>>> Update in progress<br>
>>>>> Update in progress<br>
>>>>> Update in progress<br>
>>>>> Update in progress<br>
>>>>> Update in progress<br>
>>>>> Update in progress<br>
>>>>> Update succeeded<br>
>>>>> [23/31]: adding replication acis<br>
>>>>> [24/31]: setting Auto Member configuration<br>
>>>>> [25/31]: enabling S4U2Proxy delegation<br>
>>>>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command<br>
>>>>> '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H<br>
>>>>> ldap://<a href="http://freeipa02.mtl.ddistrict.int:389" target="_blank">freeipa02.mtl.ddistrict.int:389</a> -x -D cn=Directory Manager -y<br>
>>>>> /tmp/tmp4Svn9k' returned non-zero exit status 20<br>
>>>>> [26/31]: initializing group membership<br>
>>>>> [27/31]: adding master entry<br>
>>>>> [28/31]: configuring Posix uid/gid generation<br>
>>>>><br>
>>>>> the rest seems to work fine.<br>
>>>><br>
>>>> You need to check ipareplica-install.log to see the real error.<br>
>>>><br>
>>>> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and<br>
>>>> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.<br>
>>>><br>
>>>> Martin<br>
>>>><br>
>>><br>
>>> The first one is there:<br>
>>><br>
>>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b<br>
>>> "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"<br>
>>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int<br>
>>> ipaAllowedTarget:<br>
>> cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr<br>
>>> ict,dc=int<br>
>>> ipaAllowedTarget:<br>
>> cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr<br>
>>> ict,dc=int<br>
>>> memberPrincipal: HTTP/<a href="mailto:freeipa01.prs.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.prs.ddistrict.int@DDISTRICT.INT</a><br>
>>> <mailto:<a href="mailto:HTTP" target="_blank">HTTP</a>/<a href="mailto:freeipa01.prs.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.prs.ddistrict.int@DDISTRICT.INT</a>><br>
>>> memberPrincipal: HTTP/<a href="mailto:freeipa02.prs.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa02.prs.ddistrict.int@DDISTRICT.INT</a><br>
>>> <mailto:<a href="mailto:HTTP" target="_blank">HTTP</a>/<a href="mailto:freeipa02.prs.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa02.prs.ddistrict.int@DDISTRICT.INT</a>><br>
>>> memberPrincipal: HTTP/<a href="mailto:freeipa02.mtl.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa02.mtl.ddistrict.int@DDISTRICT.INT</a><br>
>>> <mailto:<a href="mailto:HTTP" target="_blank">HTTP</a>/<a href="mailto:freeipa02.mtl.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa02.mtl.ddistrict.int@DDISTRICT.INT</a>><br>
>>> memberPrincipal: HTTP/<a href="mailto:freeipa01.chr.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.chr.ddistrict.int@DDISTRICT.INT</a><br>
>>> <mailto:<a href="mailto:HTTP" target="_blank">HTTP</a>/<a href="mailto:freeipa01.chr.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.chr.ddistrict.int@DDISTRICT.INT</a>><br>
>>> memberPrincipal: HTTP/<a href="mailto:freeipa01.bxl.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.bxl.ddistrict.int@DDISTRICT.INT</a><br>
>>> <mailto:<a href="mailto:HTTP" target="_blank">HTTP</a>/<a href="mailto:freeipa01.bxl.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.bxl.ddistrict.int@DDISTRICT.INT</a>><br>
>>> memberPrincipal: HTTP/<a href="mailto:freeipa01.mtl.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.mtl.ddistrict.int@DDISTRICT.INT</a><br>
>>> <mailto:<a href="mailto:HTTP" target="_blank">HTTP</a>/<a href="mailto:freeipa01.mtl.ddistrict.int@DDISTRICT.INT" target="_blank">freeipa01.mtl.ddistrict.int@DDISTRICT.INT</a>><br>
>>> cn: ipa-http-delegation<br>
>>> objectClass: ipaKrb5DelegationACL<br>
>>> objectClass: groupOfPrincipals<br>
>>> objectClass: top<br>
>>><br>
>>><br>
>>> But not the second one:<br>
>>><br>
>>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b<br>
>>> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"<br>
>>> No such object (32)<br>
>>> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int<br>
>>><br>
>>><br>
>>> Also what is strange is that I got the error only on one of the<br>
>> replicas, the<br>
>>> other one went through without any hiccups.<br>
>><br>
>> Ok, I think I misled you with the second DN, the real DN should be<br>
>> "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int",<br>
>> see<br>
>> /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded.<br>
>><br>
>> The key here is to check the error message of ldapmodify that was run on<br>
>> the<br>
>> failing replica, try to search in /var/log/ipareplica-install.log.<br>
>><br>
>> Martin<br>
>><br>
><br>
> Hi Martin,<br>
><br>
> Finally got back on this problem.<br>
><br>
> I seem to have a huge mess in my replication agreements between my servers.<br>
> If I run "ipa-replica-manage list-ruv" on my master, which is<br>
> freeipa01.prs, I get this:<br>
> [root@freeipa01 ~]# ipa-replica-manage list-ruv<br>
> <a href="http://freeipa01.prs.ddistrict.int:389" target="_blank">freeipa01.prs.ddistrict.int:389</a>: 4<br>
> <a href="http://freeipa01.mtl.ddistrict.int:389" target="_blank">freeipa01.mtl.ddistrict.int:389</a>: 16<br>
> <a href="http://freeipa01.mtl.ddistrict.int:389" target="_blank">freeipa01.mtl.ddistrict.int:389</a>: 13<br>
> <a href="http://freeipa01.mtl.ddistrict.int:389" target="_blank">freeipa01.mtl.ddistrict.int:389</a>: 12<br>
> <a href="http://freeipa01.bxl.ddistrict.int:389" target="_blank">freeipa01.bxl.ddistrict.int:389</a>: 10<br>
> <a href="http://freeipa01.chr.ddistrict.int:389" target="_blank">freeipa01.chr.ddistrict.int:389</a>: 8<br>
> <a href="http://freeipa01.mtl.ddistrict.int:389" target="_blank">freeipa01.mtl.ddistrict.int:389</a>: 6<br>
> <a href="http://freeipa02.prs.ddistrict.int:389" target="_blank">freeipa02.prs.ddistrict.int:389</a>: 3<br>
> <a href="http://freeipa01.chr.ddistrict.int:389" target="_blank">freeipa01.chr.ddistrict.int:389</a>: 9<br>
> <a href="http://freeipa02.mtl.ddistrict.int:389" target="_blank">freeipa02.mtl.ddistrict.int:389</a>: 17<br>
> <a href="http://freeipa02.mtl.ddistrict.int:389" target="_blank">freeipa02.mtl.ddistrict.int:389</a>: 7<br>
> <a href="http://freeipa02.mtl.ddistrict.int:389" target="_blank">freeipa02.mtl.ddistrict.int:389</a>: 11<br>
> <a href="http://freeipa02.mtl.ddistrict.int:389" target="_blank">freeipa02.mtl.ddistrict.int:389</a>: 14<br>
> <a href="http://freeipa02.mtl.ddistrict.int:389" target="_blank">freeipa02.mtl.ddistrict.int:389</a>: 15<br>
> [root@freeipa01 ~]#<br>
><br>
><br>
> I've tried to do the ipa-replica-manage clean-ruv on all IDs relating to<br>
> freeipa02.mtl which is the one I'm having the most problems with and would<br>
> like to start from scratch.<br>
><br>
> Running the ipa-replica-manage list-clean-ruv gives me this:<br>
><br>
> [root@freeipa01 slapd-DDISTRICT-INT]# ipa-replica-manage list-clean-ruv<br>
> CLEANALLRUV tasks<br>
> RID 11: Not all replicas online, retrying in 160 seconds...<br>
> RID 17: Not all replicas online, retrying in 640 seconds...<br>
> RID 7: Waiting to process all the updates from the deleted replica...<br>
><br>
> No abort CLEANALLRUV tasks running<br>
> [root@freeipa01 slapd-DDISTRICT-INT]#<br>
><br>
> I'm kinda stuck in a loop and not sure which way to go.<br>
<br>
</div></div>Check "ipa-replica-manage list" - some of the replicas listed here are not<br>
active. You may have uninstalled a replica which is still present in this list.<br>
<br>
I think /var/log/dirsrv/slapd-YOUR-REALM/errors contains additional information<br>
on which replica is really not accessible.<br>
<div><div><br>
><br>
> I'm also stuck with an orphaned user in the WebUI which I see but cannot<br>
> delete; it tells me the user doesn't exist.<br>
><br>
> If I do an ldapsearch it seems incomplete:<br>
> [root@freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -w XXXXXXX<br>
> -b dc=ddistrict,dc=int | grep -i arobitaille<br>
> dn: cn=arobitaille,cn=groups,cn=compat,dc=ddistrict,dc=int<br>
> cn: arobitaille<br>
> memberUid: arobitaille<br>
> dn: uid=arobitaille,cn=users,cn=compat,dc=ddistrict,dc=int<br>
> homeDirectory: /home/arobitaille<br>
> uid: arobitaille<br>
> member:<br>
> nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user<br>
> member:<br>
> nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user<br>
> dn:<br>
> nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=users,cn<br>
> homeDirectory: /home/arobitaille<br>
> mepManagedEntry: cn=arobitaille,cn=groups,cn=accounts,dc=ddistrict,dc=int<br>
> mail: <a href="mailto:arobitaille@digital-district.ca" target="_blank">arobitaille@digital-district.ca</a><br>
> krbPrincipalName: <a href="mailto:arobitaille@DDISTRICT.INT" target="_blank">arobitaille@DDISTRICT.INT</a><br>
> uid: arobitaille<br>
> dn:<br>
> cn=arobitaille+nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64,cn=groups,cn<br>
> cn: arobitaille<br>
> description: User private group for arobitaille<br>
> mepManagedBy: uid=arobitaille,cn=users,cn=accounts,dc=ddistrict,dc=int<br>
<br>
</div></div>This is a Directory Server replication conflict entry (notice the<br>
nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64 part); FreeIPA cannot manipulate<br>
those. You can try deleting this record with the ldapdelete utility or any LDAP GUI<br>
of your choice.<br>
<span><font color="#888888"><br>
Martin<br>
</font></span></blockquote></div><br></div></div>Hi Martin,<div><br></div><div>After a couple of hours I finally managed to reinstate replication across all my replicas. It's all working fine.</div><div><br></div><div>
Thanks for the insights.</div>
<div><br></div><div>I just have one little orphaned user which has only the private group left behind.</div><div><br></div><div>I'm not sure, since I'm still a newbie with ldapmodify/ldapdelete, how to get rid of those 2 entries:</div>
<div><br></div><div><p>[root@freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int </p><p>dn: cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int</p>
<p>ipaUniqueID: ac27027c-84da-11e3-a4c4-c21e595ecd39</p><p>mepManagedBy: uid=jdubreux,cn=users,cn=accounts,dc=ddistrict,dc=int</p><p>cn: jdubreux</p><p>objectClass: posixgroup</p><p>
objectClass: ipaobject</p><p>objectClass: mepManagedEntry</p><p>objectClass: top</p><p>gidNumber: 871000045</p><p>description: User private group for jdubreux</p><p><br></p><p>
[root@freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=jdubreux,cn=groups,cn=compat,dc=ddistrict,dc=int </p><p>dn: cn=jdubreux,cn=groups,cn=compat,dc=ddistrict,dc=int</p><p>objectClass: posixGroup</p>
<p>objectClass: top</p><p>gidNumber: 871000045</p><p>cn: jdubreux</p></div><div><br></div><div><br></div><div>After this I'm fully back on my feet!</div><div class=""><div><br></div><div><br></div>-- <br>
<div dir="ltr"><span><font color="#888888"><div dir="ltr" style="color:rgb(34,34,34)">
<br></div><div dir="ltr" style="color:rgb(34,34,34)"><br></div><div dir="ltr" style="color:rgb(34,34,34)"><table style="font-family:Times" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td style="padding-left:0px;font-size:8pt" valign="top">
<span style="font-family:Arial,sans-serif;font-size:9pt;font-weight:bold">Davis
Goodman</span><br><span color="#B9B9B9" style="margin-top:0px;margin-bottom:0px;font-family:Arial,sans-serif;font-size:8pt">Directeur
Informatique <font color="#B9B9B9" size="1"> |</font> IT Manager<br>
</span></td>
</tr></tbody></table><a href="http://www.digital-district.ca/" style="color:rgb(17,85,204);font-family:Times;font-size:medium" target="_blank"><img src="http://www.digital-district.fr/ddca/logo_dd_small.png" alt="Digital-District" title="Digital-District" align="middle" border="0" vspace="2"></a><table style="font-family:Times" cellpadding="2" cellspacing="1">
</table></div></font></span></div>
</div></div></div>
</blockquote></div>I believe I have found the syntax for removing the leftover private group but I have an error thrown at me:</div><div class="gmail_extra"><br></div><div class="gmail_extra">
<p class="">[root@freeipa01 ~]# ldapmodify -Y GSSAPI<<EOF </p>
<p class="">dn: cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int</p>
<p class="">changetype:modify</p>
<p class="">delete: objectclass</p>
<p class="">objectclass: mepManagedEntry</p>
<p class=""><br></p>
<p class="">delete:mepManagedBy</p>
<p class="">EOF</p>
<p class="">SASL/GSSAPI authentication started</p>
<p class="">SASL username: <a href="mailto:admin@DDISTRICT.INT">admin@DDISTRICT.INT</a></p>
<p class="">SASL SSF: 56</p>
<p class="">SASL data security layer installed.</p>
<p class="">modifying entry "cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int"</p>
<p class=""><b>ldap_modify: Object class violation (65)</b></p>
<p class=""><b><span class=""> </span>additional info: attribute "mepManagedBy" not allowed</b></p>Does this ring a bell?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Version 3.0.0 of FreeIPA</div>
<div class="gmail_extra">
<p class="">certmonger-0.61-3.el6.x86_64</p><p class="">
</p><p class="">389-ds-base-libs-1.2.11.15-32.el6_5.x86_64</p><div><br></div>-- <br><div dir="ltr"><span><font color="#888888"><div dir="ltr" style="color:rgb(34,34,34)">
<br></div><div dir="ltr" style="color:rgb(34,34,34)"><br></div><div dir="ltr" style="color:rgb(34,34,34)"><table style="font-family:Times" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td style="padding-left:0px;font-size:8pt" valign="top">
<span style="font-family:Arial,sans-serif;font-size:9pt;font-weight:bold">Davis
Goodman</span><br><span color="#B9B9B9" style="margin-top:0px;margin-bottom:0px;font-family:Arial,sans-serif;font-size:8pt">Directeur
Informatique <font color="#B9B9B9" size="1"> |</font> IT Manager<br>
</span></td>
</tr></tbody></table><a href="http://www.digital-district.ca/" style="color:rgb(17,85,204);font-family:Times;font-size:medium" target="_blank"><img src="http://www.digital-district.fr/ddca/logo_dd_small.png" alt="Digital-District" title="Digital-District" align="middle" border="0" vspace="2"></a><table style="font-family:Times" cellpadding="2" cellspacing="1">
</table><br></div></font></span></div>
</div></div>
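A worked fix for the failing ldapmodify in the last message, added here as an example; it is not from the list thread and not FreeIPA's own code. The blank line between "delete: objectclass" and "delete:mepManagedBy" ends the LDIF record, so ldapmodify sent the object class deletion on its own. 389-ds then checked the resulting entry, which still carried mepManagedBy but no longer had the mepManagedEntry object class that allows it, and answered "Object class violation (65)". Both deletions belong in a single modify operation, separated by a "-" line, so the server evaluates the schema once, on the final entry. The group DN, the GSSAPI bind as admin and the OpenLDAP ldapmodify/ldapsearch clients are taken from the thread; the helper names, the record-count sanity check and the APPLY guard are this example's own assumptions. The matching cn=jdubreux,cn=groups,cn=compat entry is a view generated by the Schema Compatibility plugin from the accounts entry, not a separately stored object, so it follows whatever happens to the accounts group.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not FreeIPA code):
# detach an orphaned managed private group from its missing owner in ONE
# LDAP modify, so 389-ds schema-checks the final entry only. A blank line
# would end the LDIF record and split the change into two operations,
# which is what produced "Object class violation (65)" in the thread.

# Print the LDIF that removes mepManagedBy and the mepManagedEntry object
# class from the group whose DN is $1. "-" separates the two changes of
# one modify; there is deliberately no blank line anywhere in the record.
mep_detach_ldif() {
    printf '%s\n' \
        "dn: $1" \
        "changetype: modify" \
        "delete: mepManagedBy" \
        "-" \
        "delete: objectClass" \
        "objectClass: mepManagedEntry"
}

# Count LDIF records on stdin. Records are separated by blank lines, so a
# change that must go to the server as one operation has to count as 1.
ldif_record_count() {
    awk 'BEGIN { n = 0; inrec = 0 }
         /^$/ { inrec = 0; next }
         { if (!inrec) { n++; inrec = 1 } }
         END { print n }'
}

# Apply the change with Kerberos auth (the thread binds with -Y GSSAPI as
# admin), refusing to send anything that would be split into several
# records, then read back the entry to confirm what is left of it.
mep_detach_apply() {
    dn="$1"
    records="$(mep_detach_ldif "$dn" | ldif_record_count)"
    if [ "$records" -ne 1 ]; then
        echo "refusing: LDIF would be sent as $records records, not 1" >&2
        return 1
    fi
    mep_detach_ldif "$dn" | ldapmodify -Y GSSAPI || return 1
    ldapsearch -Y GSSAPI -LLL -b "$dn" -s base '(objectClass=*)' \
        objectClass mepManagedBy
}

# Only touch the directory when explicitly asked (APPLY=1), so the file can
# be sourced or tested without an LDAP server. Group DN from the thread.
if [ "${APPLY:-0}" = "1" ]; then
    mep_detach_apply "cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int"
fi
```

Run it as `kinit admin && APPLY=1 sh detach.sh` on the master; without APPLY=1 the script only defines the functions. After the detach the group is an ordinary posixGroup with no link to a user, and can be left in place or removed with the usual group tooling.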