Hi, I have managed to set up an IPA cluster which is still replicating changes to users and CAs, but thinks it has no replication configured. I'm not sure how I have managed this and have not been able to figure it out, so I would appreciate any pointers anyone can provide.
I set up an initial IPA server, successfully joined a further 5 and set up the replication using the web-based GUI, with 3 being domain+ca and the remaining 3 being just domain. All seemed good: a user created on one server appeared on the remote IPA servers, and I left for Christmas.

Returning to work yesterday, the web-based GUI does not show any links between the servers and will not let me add any, giving the error "leftnode does not support suffix 'domain'". However, if I create or edit a user then it appears on the other IPA servers, and adding a new root CA is also visible from all IPA servers. I can also successfully join client servers, and then log in to them with IPA-based credentials. The "ipa topology*" commands show no suffixes or segments; however, an LDAP search does show the links as I set them up (output below). The only errors I have seen in the logs are for things which Google searches list as "normal", but I'm obviously missing something. Disabling firewall/SELinux does not seem to have any impact, and DNS/reverse DNS is resolving correctly from all the servers. The only difference from the guides is that FreeIPA is not hosting the reverse zones itself; I'm using forwarders to my main DNS servers, which host those records, but I can't see that being related as resolution is working.

Any pointers for where to look and what to look for next would be greatly appreciated. This is a fresh deploy, so I can wipe and restart if needed, but I'd like to at least understand what is going on so I can avoid repeating it in the future.
Versions installed:

ipa-client-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-dns-4.9.6-10.module+el8.5.0+719+4f06efb6.noarch

# ipa topologysuffix-show
Suffix name: domain
ipa: ERROR: domain: suffix not found

# ipa topologysuffix-find --all
---------------------------
0 topology suffixes matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------

# ipa topologysegment-find domain --all
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------

$ ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# topology, ipa, etc, ipa.mydomain.net
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: nsContainer
cn: topology

# domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=ipa,dc=mydomain,dc=net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
cn: domain

# ca, topology, ipa, etc, ipa.mydomain.net
dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: o=ipaca
cn: ca

# ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, ca, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

# ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentDirection: both
cn: ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
objectClass: iparepltoposegment
objectClass: top

# ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

<SNIP several more links>

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16

Neal Harrington | System Administrator
https://www.myphones.com
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
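Added example, not part of the post above and not FreeIPA project code: a small Python script that reads the kind of ldapsearch dump shown in the post and lists, per topology suffix, the replication segments and the hosts they connect. ldapsearch folds long values onto continuation lines that start with a single space, so the script unfolds those before parsing. It also reports any segment that lacks one of the four attributes (left node, right node, direction, status) that the autogen segments in the post carry; in the posted dump, the ipa1-b to ipa2-b domain segment is the one with no ipaReplTopoSegmentStatus value, which is worth mentioning when following up on the list. The embedded sample is constructed, with placeholder hostnames and base DN; the script name in the usage comment is hypothetical.

```python
"""Summarise FreeIPA replication segments, per topology suffix, from an
ldapsearch dump of cn=topology,cn=ipa,cn=etc,<base>."""
import re
import sys

# Constructed sample (placeholder hosts and base DN, not a real deployment):
# a trimmed dump in the shape ldapsearch produces, including LDIF folding.
SAMPLE_LDIF = """\
# domain, topology, ipa, etc, ipa.example.test
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example,dc=test
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=ipa,dc=example,dc=test
cn: domain

dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example,dc=test
objectClass: iparepltopoconf
ipaReplTopoConfRoot: o=ipaca
cn: ca

dn: cn=ipa1-c.ipa.example.test-to-ipa1-b.ipa.example.test,cn=ca,cn=topology,cn
 =ipa,cn=etc,dc=ipa,dc=example,dc=test
objectClass: iparepltoposegment
cn: ipa1-c.ipa.example.test-to-ipa1-b.ipa.example.test
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.example.test
ipaReplTopoSegmentRightNode: ipa1-b.ipa.example.test
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentStatus: autogen

dn: cn=ipa1-b.ipa.example.test-to-ipa2-b.ipa.example.test,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=example,dc=test
objectClass: iparepltoposegment
cn: ipa1-b.ipa.example.test-to-ipa2-b.ipa.example.test
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.example.test
ipaReplTopoSegmentRightNode: ipa2-b.ipa.example.test
ipaReplTopoSegmentDirection: both
"""

# Segment DNs look like cn=<left>-to-<right>,cn=<suffix>,cn=topology,...
SEGMENT_DN = re.compile(r"^cn=(?P<cn>[^,]+),cn=(?P<suffix>[^,]+),cn=topology,", re.I)


def parse_ldif(text):
    """One dict per entry: lowercased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():           # unfold: continuation starts with " "
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, sep, value = line.partition(":")
        if sep:                             # "attr:: b64" values are kept as-is
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def build_topology(entries):
    """Map suffix name -> {"root": replicated root DN, "segments": [dicts]}."""
    topo = {}
    for e in entries:
        if "dn" not in e:                   # e.g. the trailing "search:/result:" block
            continue
        first = lambda attr: e.get(attr.lower(), [None])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "iparepltopoconf" in classes:
            topo.setdefault(first("cn"), {"root": None, "segments": []})["root"] = first("ipaReplTopoConfRoot")
        elif "iparepltoposegment" in classes:
            m = SEGMENT_DN.match(first("dn"))
            if not m:
                continue
            seg = {"cn": m.group("cn"),
                   "left": first("ipaReplTopoSegmentLeftNode"),
                   "right": first("ipaReplTopoSegmentRightNode"),
                   "direction": first("ipaReplTopoSegmentDirection"),
                   "status": first("ipaReplTopoSegmentStatus")}
            topo.setdefault(m.group("suffix"), {"root": None, "segments": []})["segments"].append(seg)
    return topo


def nodes_in_suffix(topo, suffix):
    """Hosts that are an endpoint of at least one segment under the suffix."""
    segs = topo.get(suffix, {}).get("segments", [])
    return sorted({n for s in segs for n in (s["left"], s["right"]) if n})


def incomplete_segments(topo):
    """(suffix, segment cn, missing attrs) for segments lacking a node, direction
    or status value; the autogen segments in the post carry all four."""
    keys = ("left", "right", "direction", "status")
    return [(suffix, s["cn"], [k for k in keys if not s[k]])
            for suffix in sorted(topo) for s in topo[suffix]["segments"]
            if not all(s[k] for k in keys)]


if __name__ == "__main__":
    # ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,<base>" | python3 topo_dump.py
    topo = build_topology(parse_ldif(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF))
    for suffix in sorted(topo):
        print(f"suffix {suffix} (root {topo[suffix]['root']}): nodes {nodes_in_suffix(topo, suffix)}")
        for s in topo[suffix]["segments"]:
            print(f"  {s['left']} <{s['direction']}> {s['right']} status={s['status']}")
    for suffix, cn, missing in incomplete_segments(topo):
        print(f"WARNING: {suffix}/{cn} has no value for {', '.join(missing)}")
```

Piping the real dump in gives a per-suffix view of what the cn=topology container actually holds, which is easier to compare against the (empty) `ipa topologysuffix-find` and `ipa topologysegment-find` output than the raw LDIF. Attribute names are matched case-insensitively because LDAP attribute names are, and the regex anchors on `cn=topology,` so entries outside that container are ignored.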
