On 06/23/2015 02:27 PM, Ludwig Krispenz wrote:

On 06/23/2015 11:44 AM, Oleg Fayans wrote:
It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment:

[11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-244.idm.lab.eng.brq.redhat.com
Right node: vm-069.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-244.idm.lab.eng.brq.redhat.com-vm-069.idm.lab.eng.brq.redhat.com]:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)

I don't know what this specific error is, but in the dirsrv log, which seems to be from vm-244, we have:

set_krb5_creds - Could not get initial credentials for principal [ldap/vm-244.idm.lab.eng.brq.redhat....@idm.lab.eng.brq.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

So is your KDC running?

The weirdest thing is: I actually deleted this replica on master before. This host is not shown among hosts, but the corresponding topology segment was not deleted. This is how it looks on master:

[15:40:59]ofayans@vm-069:~]$ ipa host-find
---------------
2 hosts matched
---------------
  Host name: vm-069.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-069.idm.lab.eng.brq.redhat....@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-069.idm.lab.eng.brq.redhat.com
  SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)

  Host name: vm-086.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-086.idm.lab.eng.brq.redhat....@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-086.idm.lab.eng.brq.redhat.com
  SSH public key fingerprint: EA:D2:75:A7:A8:E2:2E:6D:83:DE:6F:7F:87:3F:DE:55 (ssh-ed25519), B2:79:ED:4B:94:11:03:94:E2:61:07:2C:EA:A4:87:BF (ecdsa-sha2-nistp256), 9C:45:86:FA:DC:BC:5F:F7:1D:B1:38:DC:FC:FB:04:19 (ssh-rsa)
----------------------------
Number of entries returned 2
----------------------------
[15:41:07]ofayans@vm-069:~]$ ipa topologysegment-find realm
------------------
2 segments matched
------------------
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
[15:41:19]ofayans@vm-069:~]$

I'll re-build the packages and try to record all the steps to reproduce this issue today.


I don't know


The dirsrv error log of this node is attached.


On 06/23/2015 11:27 AM, Oleg Fayans wrote:
Hi Ludwig, team,

I have a couple of issues with the topology plugin.

1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment. I had
master - replica1 - replica2 - replica3 - replica4
I removed replica2 with a standard `ipa-replica-manage del`
And it resulted in the following topology:

[13:13:08]ofayans@vm-086:~]$ ipa topologysegment-find realm
------------------
2 segments matched
------------------
  Segment name: 086-to-069
  Left node: vm-086.idm.lab.eng.brq.redhat.com
  Right node: vm-069.idm.lab.eng.brq.redhat.com
  Connectivity: both

  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

We should probably prohibit such scenarios.

2. When I subsequently tried to create a link between the two segments manually, I bumped into the following error:

[13:17:02]ofayans@vm-069:~]$ ipa topologysegment-add realm
Left node: vm-069.idm.lab.eng.brq.redhat.com
Right node: vm-244.idm.lab.eng.brq.redhat.com
Connectivity [both]:
Segment name [vm-069.idm.lab.eng.brq.redhat.com-vm-244.idm.lab.eng.brq.redhat.com]: 069-to-244
ipa: ERROR: invalid 'rightnode': right node is not a topology node: vm-244.idm.lab.eng.brq.redhat.com








--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
