Hi,
do you have a Kerberos ticket for the "admin" user when the "ipa
topologysuffix-show" command (or any other ipa command) is called? Some
commands require admin privileges to access the data, and will not display
anything if they are executed without an admin ticket.
Please try with "kinit admin; ipa topologysuffix-show" and let us know if
it solves the problem.

flo

On Thu, Dec 30, 2021 at 2:29 PM Neal Harrington via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> I have managed to set up an IPA cluster which is still replicating changes
> to users and CAs, but thinks it has no replication configured. I'm not
> sure how I have managed this and have not been able to figure it out so
> would appreciate any pointers anyone can provide.
>
> I set up an initial IPA server, successfully joined a further 5 and set up
> the replication using the web-based GUI with 3 being domain+ca and the
> remaining 3 being just domain. All seemed good, a user created on one
> server appeared on remote IPA servers and I left for Christmas.
>
> Returning for work yesterday and the web-based GUI does not show any links
> between the servers and will not let me add any with error "leftnode does
> not support suffix 'domain'". However if I create or edit a user then it
> appears on the other IPA servers and adding a new root CA also is visible
> from all IPA servers. I can also successfully join client servers, and then
> log in to them with IPA based credentials.
>
> The "ipa topology*" commands show no suffixes or segments, however an LDAP
> search does show the links as I set them up (output below). The only errors
> I have seen in the logs are for things which Google searches list as
> "normal" - but I'm obviously missing something. Disabling firewall/selinux
> does not seem to have any impact and DNS/reverse DNS is resolving correctly
> from all the servers. The only difference to the guides is that FreeIPA is
> not hosting the reverse zones itself - I'm using forwarders to my main DNS
> servers which host those records - but I can't see that being related as
> resolution is working.
>
> Any pointers for where to look and what to look for next greatly
> appreciated. This is a fresh deploy, so I can wipe and restart if needed,
> but I'd like to at least understand what is going on so I can avoid
> repeating it in the future.
>
> Versions installed:
> ipa-client-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
> ipa-server-dns-4.9.6-10.module+el8.5.0+719+4f06efb6.noarch
>
> # ipa topologysuffix-show
> Suffix name: domain
> ipa: ERROR: domain: suffix not found
> # ipa topologysuffix-find --all
> ---------------------------
> 0 topology suffixes matched
> ---------------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
> # ipa topologysegment-find domain --all
> ------------------
> 0 segments matched
> ------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
>
>
>
> $ ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # topology, ipa, etc, ipa.mydomain.net
> dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> objectClass: top
> objectClass: nsContainer
> cn: topology
>
> # domain, topology, ipa, etc, ipa.mydomain.net
> dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> objectClass: top
> objectClass: iparepltopoconf
> ipaReplTopoConfRoot: dc=ipa,dc=mydomain,dc=net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
> cn: domain
>
> # ca, topology, ipa, etc, ipa.mydomain.net
> dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> objectClass: top
> objectClass: iparepltopoconf
> ipaReplTopoConfRoot: o=ipaca
> cn: ca
>
> # ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
> dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> ipaReplTopoSegmentDirection: both
> objectClass: iparepltoposegment
> objectClass: top
> cn: ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net
> ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
> ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net
> ipaReplTopoSegmentStatus: autogen
>
> # ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
> dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> ipaReplTopoSegmentDirection: both
> objectClass: iparepltoposegment
> objectClass: top
> cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
> ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
> ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
> ipaReplTopoSegmentStatus: autogen
>
> # ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, ca, topology, ipa, etc, ipa.mydomain.net
> dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> ipaReplTopoSegmentDirection: both
> objectClass: iparepltoposegment
> objectClass: top
> cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
> ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
> ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
> ipaReplTopoSegmentStatus: autogen
>
> # ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
> dn: cn=ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> ipaReplTopoSegmentDirection: both
> objectClass: iparepltoposegment
> objectClass: top
> cn: ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
> ipaReplTopoSegmentLeftNode: ipa2-c.ipa.mydomain.net
> ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
> ipaReplTopoSegmentStatus: autogen
>
> # ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
> dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
> ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
> ipaReplTopoSegmentDirection: both
> cn: ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
> objectClass: iparepltoposegment
> objectClass: top
>
> # ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net, domain, topology, ipa, etc, ipa.mydomain.net
> dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
> ipaReplTopoSegmentDirection: both
> objectClass: iparepltoposegment
> objectClass: top
> cn: ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net
> ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
> ipaReplTopoSegmentRightNode: ipa1-a.ipa.mydomain.net
> ipaReplTopoSegmentStatus: autogen
>
> <SNIP several more links>
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 17
> # numEntries: 16
> Neal Harrington  |  System Administrator
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
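
Added example, not part of the original thread: the Directory Manager search quoted above returns the topology entries that the "ipa topology*" commands did not display. The Python sketch below parses such ldapsearch LDIF output, undoing LDIF line folding, and lists the segments per suffix so they can be compared with what "ipa topologysegment-find" shows under a given ticket. The sample input is constructed from hostnames in the thread, and the function names are illustrative.

```python
import re

# Constructed sample modelled on the thread's ldapsearch output; long DNs are
# folded LDIF-style (a continuation line starts with one space).
SAMPLE_LDIF = """\
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltopoconf
cn: domain

dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen

dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
"""

def parse_ldif(text):
    """Unfold LDIF and return one {lowercased attr: [values]} dict per entry."""
    text = re.sub(r"\r?\n ", "", text)  # undo line folding
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def topology_summary(entries):
    """Return {suffix: [(left, right, status), ...]} from topology entries."""
    summary = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "iparepltopoconf" in classes:
            summary.setdefault(e["cn"][0], [])
        elif "iparepltoposegment" in classes:
            suffix = e["dn"][0].split(",")[1].split("=", 1)[1]
            attrs = ("leftnode", "rightnode", "status")
            seg = tuple(e.get("iparepltoposegment" + a, ["(unset)"])[0] for a in attrs)
            summary.setdefault(suffix, []).append(seg)
    return summary
```

Calling topology_summary(parse_ldif(SAMPLE_LDIF)) yields the "domain" suffix with its two segments; a segment with no ipaReplTopoSegmentStatus attribute is reported as "(unset)".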