On 11/08/2017 04:52 AM, Lachlan Musicman via FreeIPA-users wrote:
Hola,

I'm still trying to wrap my head around the master-replica concept.

From what I read in the documentation (Chapter 4 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/)

the replica should be able to take over as master should master go offline.

Our replica was set up with CA & without DNS - the same as master, and it seems to be working on the whole.

The problem I'm having is in the replication.
create user on master:

ipa user-add master_test_user --first=MT --last=ML

create user on replica:

ipa user-add replica_test_user --first=RT --last=RL

find user on master:

[root@vmpr-linuxidm ~]# ipa user-find test_user
---------------
2 users matched
---------------
   User login: master_test_user
   First name: MT
   Last name: ML
   Home directory: /home/master_test_user
   Login shell: /bin/bash
   Principal name: master_test_u...@unix.domain.com
   Principal alias: master_test_u...@unix.domain.com
   Email address: master_test_u...@domain.com
   UID: 1718800021
   GID: 1718800021
   Account disabled: False

   User login: replica_test_user
   First name: RT
   Last name: RL
   Home directory: /home/replica_test_user
   Login shell: /bin/bash
   Principal name: replica_test_u...@unix.domain.com
   Principal alias: replica_test_u...@unix.domain.com
   Email address: replica_test_u...@domain.com
   UID: 1718850502
   GID: 1718850502
   Account disabled: False
----------------------------
Number of entries returned 2
----------------------------

find user on replica:
[root@vmdr-linuxidm ~]# ipa user-find test_user
--------------
1 user matched
--------------
   User login: replica_test_user
   First name: RT
   Last name: RL
   Home directory: /home/replica_test_user
   Login shell: /bin/bash
   Principal name: replica_test_u...@unix.domain.com
   Principal alias: replica_test_u...@unix.domain.com
   Email address: replica_test_u...@domain.com
   UID: 1718850502
   GID: 1718850502
   Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

If I run ipa user-add on the replica, I see it upstream on master, but if I run ipa add-user on the master, that's not replicated down to the replica.

Also, ipa user-del (even with --no-preserve) works on master, but doesn't delete the user on the replica.

What has gone wrong?

Cheers
L.



------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "

/Greg Bloom/ @greggish https://twitter.com/greggish/status/873177525903609857


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi,

you are describing a situation where the replication from replica to master is working (user created on replica can be seen on master), but the replication from master to replica is not.

The replication should always be bilateral, meaning that you have an issue. These documents [1] and [2] both contain information on how to troubleshoot replication issues. You will need to start by looking at the directory server error logs.

HTH,
Flo.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#trouble-gen-replication

[2] https://www.freeipa.org/page/Troubleshooting#Directory_Server_issues
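
Added example, not part of the thread or of FreeIPA: a Python check that automates the comparison made in the question, parsing `ipa user-find` output from both servers to show which replication direction is dropping entries. The sample text is constructed from the output quoted above, trimmed to the fields the check reads; it assumes the test entries were recently added and replication has had time to run.

```python
import re

# Constructed sample input: the two `ipa user-find test_user` results quoted
# in the thread, trimmed to the fields this check reads.
MASTER_OUT = """\
   User login: master_test_user
   UID: 1718800021

   User login: replica_test_user
   UID: 1718850502
----------------------------
Number of entries returned 2
----------------------------
"""
REPLICA_OUT = """\
   User login: replica_test_user
   UID: 1718850502
----------------------------
Number of entries returned 1
----------------------------
"""

LOGIN_RE = re.compile(r"^\s*User login:\s*(\S+)\s*$", re.MULTILINE)
COUNT_RE = re.compile(r"^Number of entries returned (\d+)\s*$", re.MULTILINE)


def parse_logins(output):
    """Return the set of logins, refusing output that looks cut off."""
    logins = set(LOGIN_RE.findall(output))
    count = COUNT_RE.search(output)
    if count is None or int(count.group(1)) != len(logins):
        raise ValueError("incomplete or unparseable ipa user-find output")
    return logins


def one_way_gaps(master_out, replica_out):
    """Map each replication direction to the logins it failed to deliver."""
    master, replica = parse_logins(master_out), parse_logins(replica_out)
    return {
        "master->replica": sorted(master - replica),
        "replica->master": sorted(replica - master),
    }


if __name__ == "__main__":
    for direction, missing in one_way_gaps(MASTER_OUT, REPLICA_OUT).items():
        print(direction, "missing:", missing or "none")
```

A non-empty list for only one direction matches the one-way failure diagnosed in the reply; the directory server error logs on the sending side of that direction are the place to look first.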