<html>
<head>
<meta content="text/html; charset=KOI8-R" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/17/2015 11:56 AM, Alexander
Frolushkin wrote:<br>
</div>
<blockquote
cite="mid:98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=KOI8-R">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Arial Narrow";
panose-1:2 11 6 6 2 2 2 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Текст выноски Знак";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;
mso-fareast-language:EN-US;}
span.a
{mso-style-name:"Текст выноски Знак";
mso-style-priority:99;
mso-style-link:"Текст выноски";
font-family:"Tahoma","sans-serif";
color:black;
mso-fareast-language:EN-US;}
span.10581
{mso-style-name:"&\#10581\,&\#10771\,&\#10821\,&\#10891\,&\#10901\,&\#10741\,&\#10991\,&\#10851\,&\#10861\,&\#10801\,&\#10471\,&\#10721";
mso-style-priority:99;
mso-style-link:"&\#1058\,&\#1077\,&\#1082\,&\#1089\,&\#1090\,&\#1074\,&\#1099\,&\#1085\,&\#1086\,&\#1080";
font-family:"Tahoma","sans-serif";
color:black;
mso-fareast-language:EN-US;}
p.1058, li.1058, div.1058
{mso-style-name:"&\#1058\,&\#1077\,&\#1082\,&\#1089\,&\#1090\,&\#1074\,&\#1099\,&\#1085\,&\#1086\,&\#1080";
mso-style-link:"&\#10581\,&\#10771\,&\#10821\,&\#10891\,&\#10901\,&\#10741\,&\#10991\,&\#10851\,&\#10861\,&\#10801\,&\#10471\,&\#10721";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;
mso-fareast-language:EN-US;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:2.0cm 42.5pt 2.0cm 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Will
this be enough?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">#
grep "conn=237 op=93" ./access<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:14:39:46
+0600] conn=237 op=93 ADD dn="cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:14:39:46
+0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0
etime=0 csn=555ac936000000140000</span></p>
</div>
</blockquote>
This operation is a replicated one and the CSN is from May 19th. So
why a replica (26) created today was initialized without that entry
? <br>
This updates was originated from replica20. Was it stopped and
restarted recently ?<br>
<br>
<blockquote
cite="mid:98fab373b0ae4b2e9663845d54883989@sib-ums03.Megafon.ru"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">#
grep "conn=293" ./access<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:15:33:04
+0600] conn=293 fd=75 slot=75 connection from 10.99.75.82 to
10.61.8.2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:15:33:04
+0600] conn=293 op=0 BIND dn="" method=sasl version=3
mech=GSSAPI<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:15:33:04
+0600] conn=293 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:15:33:04
+0600] conn=293 op=1 BIND dn="" method=sasl version=3
mech=GSSAPI<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:15:33:04
+0600] conn=293 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:15:33:04
+0600] conn=293 op=2 BIND dn="" method=sasl version=3
mech=GSSAPI<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:15:33:04
+0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn=<a class="moz-txt-link-rfc2396E" href="mailto:krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru@unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru">"krbprincipalname=ldap/msk-rhidm-03.unix.megafon.ru@unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Arial
Narrow","sans-serif";color:#1F497D;mso-fareast-language:RU">WBR,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Arial
Narrow","sans-serif";color:#1F497D;mso-fareast-language:RU">Alexander
Frolushkin<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Arial
Narrow","sans-serif";color:#1F497D;mso-fareast-language:RU">Cell
+79232508764<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Arial
Narrow","sans-serif";color:#1F497D;mso-fareast-language:RU">Work
+79232507764<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">
Ludwig Krispenz [<a class="moz-txt-link-freetext" href="mailto:lkrispen@redhat.com">mailto:lkrispen@redhat.com</a>] <br>
<b>Sent:</b> Wednesday, June 17, 2015 3:53 PM<br>
<b>To:</b> thierry bordaz<br>
<b>Cc:</b> Alexander Frolushkin (SIB);
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] replication
conflicts<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 06/17/2015 11:45 AM, thierry bordaz
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><br>
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">This was a usual “ipa-replica-install
--setup-ca --setup-dns” and after that
ipa-adtrust-install.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">No DEL found:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># grep "cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
./access</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">[17/Jun/2015:10:08:01 +0600] conn=2 op=89
SRCH base="cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"
scope=0 filter="(objectClass=*)" attrs="ipaPermRight
ipaPermTargetFilter ipaPermBindRuleType
ipaPermissionType cn objectClass memberOf member
ipaPermTarget ipaPermDefaultAttr ipaPermLocation
ipaPermIncludedAttr ipaPermExcludedAttr"</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">[17/Jun/2015:10:08:01 +0600] conn=2 op=91
ADD dn="cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><br>
There is something I miss. </span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:#1F497D;mso-fareast-language:RU"
lang="EN-US">conn=2 op=91 was a direct update on replica26
(not replicated) because it received its own
CSN=5580f3210000001a0000. But it created a conflict entry,
so at that time it existed the same entry (the one created
20150408070720Z) . So the direct update should have been
rejected.</span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU">I
think the search in op=89 did not return an entry, so it was
added in op 91, that seems to be ok, but then 4 hrs later
there is conn=237 adding it again.<br>
<br>
Alexander,<br>
<br>
could you get the complete </span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:#1F497D;mso-fareast-language:RU"
lang="EN-US">'conn=237 op=93' and also the start of conn
293, to show where teh connection comes from<br>
<br>
</span><span style="font-size:12.0pt;font-family:"Times
New Roman","serif";mso-fareast-language:RU"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:#1F497D;mso-fareast-language:RU"
lang="EN-US"><br>
Would you check if the replicaID=26 is unique in the
topology (list-ruv for example) ?<br>
<br>
<br>
</span><span style="font-size:12.0pt;font-family:"Times
New Roman","serif";mso-fareast-language:RU"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">[17/Jun/2015:14:39:46
+0600] conn=237 op=93 ADD dn="cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru"</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">It
is also possible this entry on affected servers was
previously duplicated and not correctly managed to delete
(more recent dup was deleted).
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Is
there any natural way to fix such issues? Maybe
ipa-replica-manage force-sync, or ipa-replica-manage
re-initialize on affected site servers from normal servers
could help?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt"
lang="EN-US">WBR,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt"
lang="EN-US">Alexander Frolushkin</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt"
lang="EN-US">Cell +79232508764</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt"
lang="EN-US">Work +79232507764</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">
thierry bordaz [<a moz-do-not-send="true"
href="mailto:tbordaz@redhat.com">mailto:tbordaz@redhat.com</a>]
<br>
<b>Sent:</b> Wednesday, June 17, 2015 3:15 PM<br>
<b>To:</b> Alexander Frolushkin (SIB)<br>
<b>Cc:</b> 'Ludwig Krispenz'; <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] replication
conflicts</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Hello Alexander,<br>
<br>
How did you initialize that new replica 26.<br>
Either '<span style="color:#1F497D" lang="EN-US">cn=System:
Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru'</span>
was not part of the total init data, or a DEL of that entry
happened on replica 26 (before a new ADD) but the DEL was
not replicated to replica12.<br>
Would you check in replica26 access logs if that entry was
deleted ?<br>
<br>
thanks<br>
theirry<br>
<br>
On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">This
is correct, thank you for understanding and for helping!</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Replica
with id 26 was created today, this is our new server which
was included in domain just a few hours ago. Looks like
this dup came right after this new replica creation.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt">WBR,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Alexander
Frolushkin</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Cell
+79232508764</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Work
+79232507764</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">
Ludwig Krispenz [<a moz-do-not-send="true"
href="mailto:lkrispen@redhat.com">mailto:lkrispen@redhat.com</a>]
<br>
<b>Sent:</b> Wednesday, June 17, 2015 2:58 PM<br>
<b>To:</b> Alexander Frolushkin (SIB)<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] replication
conflicts</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br>
<br>
you did send the data directly to me, maybe not wanting to
share them to everyone. I'll continue discussion here,
trying to be careful.<br>
<br>
The "good" entry was created in April on replica 12 "0x0c"<br>
<span style="color:#1F497D" lang="EN-US">createTimestamp;vucsn-5524d42b0067000c0000:
20150408070720Z<br>
<br>
the "nsuniqueid" entry was created today on replica 26
"0x1a"<br>
createTimestamp;vucsn-5580f3210000001a0000:
20150617040801Z</span><br>
<br>
if the original entry would have existed on replica26 the
new add should have been rejected, if it was not there the
question is why.<br>
<br>
Do you have any additional info on replica 26, when was it
created, was it disconnected for some time ??<br>
<br>
Ludwig<o:p></o:p></p>
<div>
<p class="MsoNormal">On 06/17/2015 08:13 AM, Alexander
Frolushkin wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:windowtext"
lang="EN-US">Hello</span><span style="color:windowtext">.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"
lang="EN-US">Another example</span><span
style="color:windowtext">.
</span><span style="color:windowtext" lang="EN-US">Today
appeared on servers of different site.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"
lang="EN-US">Original LDIF:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># extended LDIF</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">#</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># LDAPv3</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># base <cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru>
with scope subtree</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># filter: (objectclass=*)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># requesting: ALL</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">#</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># System: Manage Host Keytab, permissions,
pbac, unix.megafon.ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">dn: cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermTargetFilter: (objectclass=ipahost)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermRight: write</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermBindRuleType: permission</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermissionType: V2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermissionType: MANAGED</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermissionType: SYSTEM</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">cn: System: Manage Host Keytab</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: ipapermission</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: top</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: groupofnames</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: ipapermissionv2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">member: cn=Host
Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">member: cn=Host
Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermDefaultAttr: krbprincipalkey</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermDefaultAttr: krblastpwdchange</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermLocation:
cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># search result</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">search: 2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">result: 0 Success</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># numResponses: 2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># numEntries: 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:windowtext"
lang="EN-US">Duplicate:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># extended LDIF</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">#</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># LDAPv3</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># base <cn=System: Manage Host
Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru>
with scope subtree</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># filter: (objectclass=*)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># requesting: ALL</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">#</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># System: Manage Host Keytab +
708bba65-14a611e5-8a48fd19-df27ff01, permissio</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ns, pbac, unix.megafon.ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">dn: cn=System: Manage Host
Keytab+nsuniqueid=708bba65-14a611e5-8a48fd19-df27ff</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">01,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermTargetFilter: (objectclass=ipahost)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermRight: write</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermBindRuleType: permission</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermissionType: V2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermissionType: MANAGED</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermissionType: SYSTEM</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">cn: System: Manage Host Keytab</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: ipapermission</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: top</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: groupofnames</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">objectClass: ipapermissionv2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">member: cn=Host
Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">member: cn=Host
Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermDefaultAttr: krbprincipalkey</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermDefaultAttr: krblastpwdchange</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">ipaPermLocation:
cn=computers,cn=accounts,dc=unix,dc=megafon,dc=ru</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># search result</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">search: 2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">result: 0 Success</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># numResponses: 2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"># numEntries: 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">No other servers in IPA domain have such
duplicates.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt">WBR,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Alexander
Frolushkin</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Cell
+79232508764</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Work
+79232507764</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext;mso-fareast-language:RU">
<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Ludwig Krispenz<br>
<b>Sent:</b> Tuesday, June 16, 2015 3:52 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] replication
conflicts</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 06/16/2015 11:42 AM, Alexander
Frolushkin wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hello.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Just to remind if
somebody still not familiar with our IPA installation
</span><span style="font-family:Wingdings" lang="EN-US">J</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">We currently have
18 IPA servers in domain, on 8 sites in different
regions across the Russia.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">And now, our new
problem.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Regularly we
getting a nsds5ReplConflict records on some of our
servers, very often on servers from specific site.
Usually it is simply a doubles and we can remove the
renamed change to get everything back. But why do we
have them at all?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">May be someone
could explain, how we can detect the cause of this
replication conflicts?</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt">if you
are talking about having two "duplicate" entries,
<br>
one: uid=xxxxx,<suffix><br>
one: nsuniqueid=nnnnnnnn+uid=xxxxx,<suffix><br>
<br>
these entries appear if the entry uid=xxxxx was added,
simultaneously, on two servers. I think this can happen
if a client tries to add an entry and if it doesn't get
a response in some time retries on another server.<br>
to find out which client this is you need to check on
which servers the entries were originally added and then
see which client was doing it<br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Sometime it is
moderately harmful, because, for example HBAC stops
working on specific server while doubles still present.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Thanks in forward…</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">WBR,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Alexander
Frolushkin</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Cell
+79232508764</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Work
+79232507764</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span style="font-size:12.0pt">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray;mso-fareast-language:RU"><br>
Информация в этом сообщении предназначена исключительно
для конкретных лиц, которым она адресована. В сообщении
может содержаться конфиденциальная информация, которая
не может быть раскрыта или использована кем-либо, кроме
адресатов. Если вы не адресат этого сообщения, то
использование, переадресация, копирование или
распространение содержания сообщения или его части
незаконно и запрещено. Если Вы получили это сообщение
ошибочно, пожалуйста, незамедлительно сообщите
отправителю об этом и удалите со всем содержимым само
сообщение и любые возможные его копии и приложения.<br>
<br>
The information contained in this communication is
intended solely for the use of the individual or entity
to whom it is addressed and others authorized to receive
it. It may contain confidential or legally privileged
information. The contents may not be disclosed or used
by anyone other than the addressee. If you are not the
intended recipient(s), any use, disclosure, copying,
distribution or any action taken or omitted to be taken
in reliance on it is prohibited and may be unlawful. If
you have received this communication in error please
notify us immediately by responding to this email and
then delete the e-mail and all attachments and any
copies thereof.<br>
<br>
(c)20mf50<br>
</span><span style="font-size:12.0pt"><br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span style="font-size:12.0pt">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray;mso-fareast-language:RU"><br>
Информация в этом сообщении предназначена исключительно
для конкретных лиц, которым она адресована. В сообщении
может содержаться конфиденциальная информация, которая
не может быть раскрыта или использована кем-либо, кроме
адресатов. Если вы не адресат этого сообщения, то
использование, переадресация, копирование или
распространение содержания сообщения или его части
незаконно и запрещено. Если Вы получили это сообщение
ошибочно, пожалуйста, незамедлительно сообщите
отправителю об этом и удалите со всем содержимым само
сообщение и любые возможные его копии и приложения.<br>
<br>
The information contained in this communication is
intended solely for the use of the individual or entity
to whom it is addressed and others authorized to receive
it. It may contain confidential or legally privileged
information. The contents may not be disclosed or used
by anyone other than the addressee. If you are not the
intended recipient(s), any use, disclosure, copying,
distribution or any action taken or omitted to be taken
in reliance on it is prohibited and may be unlawful. If
you have received this communication in error please
notify us immediately by responding to this email and
then delete the e-mail and all attachments and any
copies thereof.<br>
<br>
(c)20mf50</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span style="font-size:12.0pt">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray;mso-fareast-language:RU"><br>
Информация в этом сообщении предназначена исключительно
для конкретных лиц, которым она адресована. В сообщении
может содержаться конфиденциальная информация, которая не
может быть раскрыта или использована кем-либо, кроме
адресатов. Если вы не адресат этого сообщения, то
использование, переадресация, копирование или
распространение содержания сообщения или его части
незаконно и запрещено. Если Вы получили это сообщение
ошибочно, пожалуйста, незамедлительно сообщите отправителю
об этом и удалите со всем содержимым само сообщение и
любые возможные его копии и приложения.<br>
<br>
The information contained in this communication is
intended solely for the use of the individual or entity to
whom it is addressed and others authorized to receive it.
It may contain confidential or legally privileged
information. The contents may not be disclosed or used by
anyone other than the addressee. If you are not the
intended recipient(s), any use, disclosure, copying,
distribution or any action taken or omitted to be taken in
reliance on it is prohibited and may be unlawful. If you
have received this communication in error please notify us
immediately by responding to this email and then delete
the e-mail and all attachments and any copies thereof.<br>
<br>
(c)20mf50<br>
</span><span style="font-size:12.0pt"><br>
<br>
<br>
</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p> </o:p></span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray;mso-fareast-language:RU"><br>
Информация в этом сообщении предназначена исключительно для
конкретных лиц, которым она адресована. В сообщении может
содержаться конфиденциальная информация, которая не может
быть раскрыта или использована кем-либо, кроме адресатов.
Если вы не адресат этого сообщения, то использование,
переадресация, копирование или распространение содержания
сообщения или его части незаконно и запрещено. Если Вы
получили это сообщение ошибочно, пожалуйста, незамедлительно
сообщите отправителю об этом и удалите со всем содержимым
само сообщение и любые возможные его копии и приложения.<br>
<br>
The information contained in this communication is intended
solely for the use of the individual or entity to whom it is
addressed and others authorized to receive it. It may
contain confidential or legally privileged information. The
contents may not be disclosed or used by anyone other than
the addressee. If you are not the intended recipient(s), any
use, disclosure, copying, distribution or any action taken
or omitted to be taken in reliance on it is prohibited and
may be unlawful. If you have received this communication in
error please notify us immediately by responding to this
email and then delete the e-mail and all attachments and any
copies thereof.<br>
<br>
(c)20mf50</span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p> </o:p></span></p>
</div>
<br>
<hr>
<font color="Gray" face="Arial" size="1"><br>
Информация в этом сообщении предназначена исключительно для
конкретных лиц, которым она адресована. В сообщении может
содержаться конфиденциальная информация, которая не может быть
раскрыта или использована кем-либо, кроме адресатов. Если вы не
адресат этого сообщения, то использование, переадресация,
копирование или распространение содержания сообщения или его
части незаконно и запрещено. Если Вы получили это сообщение
ошибочно, пожалуйста, незамедлительно сообщите отправителю об
этом и удалите со всем содержимым само сообщение и любые
возможные его копии и приложения.<br>
<br>
The information contained in this communication is intended
solely for the use of the individual or entity to whom it is
addressed and others authorized to receive it. It may contain
confidential or legally privileged information. The contents may
not be disclosed or used by anyone other than the addressee. If
you are not the intended recipient(s), any use, disclosure,
copying, distribution or any action taken or omitted to be taken
in reliance on it is prohibited and may be unlawful. If you have
received this communication in error please notify us
immediately by responding to this email and then delete the
e-mail and all attachments and any copies thereof.<br>
<br>
(c)20mf50<br>
</font>
</blockquote>
<br>
</body>
</html>