I was able to resolve both issues. With the DNA range, it seems that the main problem was the limited DNA range; after increasing it for each node, the creation of users and groups started working again.

And I was able to resolve the replication issue as well; there were conflicts in LDAP that I was able to find using ipa-healthcheck.

Michal


On 18. 10. 24 9:52, Michal Konecny wrote:



On 17. 10. 24 19:00, Rob Crittenden via FreeIPA-users wrote:
Michal Konecny via FreeIPA-users wrote:
Hi everyone,

I recently tried to redeploy Fedora ipa staging replicas ipa02 and
ipa03. It finished successfully without any errors. Later I tried to add
a new group which ended up with
What does redeploy mean? There was an existing server 02 and 03 and you
uninstalled them and re-installed for some reason?
I removed the 02 and 03 VMs completely and did the ipa-replica-install from scratch (removing replication agreements from ipa01 first). The reason behind it was a problem with backups on those two. I opened an issue about that on the FreeIPA ticket tracker: https://www.pagure.io/freeipa/issue/9679.

```
ipa: ERROR: Operations error: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment
plugin,cn=plugins,cn=config failed! Unable to proceed.
```

So I continued with fixing the DNA ranges for ipa02.stg and ipa03.stg.

```
[root@ipa01 ~][STG]# ipa-replica-manage dnarange-show
ipa01.stg.iad2.fedoraproject.org: 162861501-162862500
ipa02.stg.iad2.fedoraproject.org: 162859501-162860000
ipa03.stg.iad2.fedoraproject.org: 162860001-162861000
```
The range for 02 is different than the ranges for 01 and 03. That may
not be the root cause but it would be a problem if it isn't in an IPA
idrange.
Here is the output from `ipa idrange-find`; it should still be in the range.
```
----------------
2 ranges matched
----------------
  Range name: STG.FEDORAPROJECT.ORG_id_range
  First Posix ID of the range: 162800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: STG.FEDORAPROJECT.ORG_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-45797039
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
```

rob

But the user still can't be created with the same issue and in the
`/var/log/dirsrv/slapd-STG-FEDORAPROJECT-ORG/errors` I found this:

```
[17/Oct/2024:13:24:53.387189861 +0000] - ERR - dna-plugin -
dna_get_remote_config_info - Using LDAP protocol, but the non-secure
port is not defined.
[17/Oct/2024:13:24:53.387866118 +0000] - ERR - dna-plugin -
dna_request_range: Unable to retrieve replica bind credentials.
[17/Oct/2024:13:24:59.981251454 +0000] - ERR - dna-plugin -
_dna_pre_op_add - Failed to allocate a new ID 1
[17/Oct/2024:13:24:59.983529484 +0000] - ERR -
agmt="cn=meToipa02.stg.iad2.fedoraproject.org" (ipa02:389) -
clcache_load_buffer - Can't locate CSN 67110c31000100300000 in the
changelog (DB rc=-12797). If replication stops, the consumer may need to
be reinitialized.
[17/Oct/2024:13:24:59.984077706 +0000] - ERR -
agmt="cn=meToipa03.stg.iad2.fedoraproject.org" (ipa03:389) -
clcache_load_buffer - Can't locate CSN 67110c31000100300000 in the
changelog (DB rc=-12797). If replication stops, the consumer may need to
be reinitialized.
[17/Oct/2024:13:24:59.984613345 +0000] - ERR - ipa_sidgen_add_post_op -
[file ipa_sidgen.c, line 128]: Missing target entry.
```

I did `ipa-replica-manage re-initialize
--from=ipa01.stg.iad2.fedoraproject.org` on both ipa02 and ipa03, but
the issue is still there when trying to add a new group.

I'm not sure what to try next. Could somebody help me with it?

Michal

P.S.: The playbook that is deploying the IPA in Fedora -
https://pagure.io/fedora-infra/ansible/blob/main/f/roles/ipa/server
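
The check Rob raises in this thread, that each replica's DNA range must sit inside an IPA idrange, can be done mechanically. The following is an added example, not part of the original thread or of FreeIPA: it parses the `ipa-replica-manage dnarange-show` and `ipa idrange-find` output quoted above (idrange output trimmed to the fields the parser reads) and flags replica ranges that fall outside every local domain range or overlap another replica's range. The function names are hypothetical.

```python
import re

# Sample input copied from the thread above; idrange output trimmed to the fields used.
DNARANGE_SHOW = """\
ipa01.stg.iad2.fedoraproject.org: 162861501-162862500
ipa02.stg.iad2.fedoraproject.org: 162859501-162860000
ipa03.stg.iad2.fedoraproject.org: 162860001-162861000
"""
IDRANGE_FIND = """\
  Range name: STG.FEDORAPROJECT.ORG_id_range
  First Posix ID of the range: 162800000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: STG.FEDORAPROJECT.ORG_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  Range type: Active Directory domain range
"""

def parse_dna_ranges(text):
    """Map replica hostname -> (first_id, last_id), both inclusive."""
    pat = re.compile(r"^(\S+):\s*(\d+)-(\d+)\s*$", re.M)
    return {h: (int(a), int(b)) for h, a, b in pat.findall(text)}

def parse_local_idranges(text):
    """Return inclusive (first, last) for each 'local domain range' block."""
    out = []
    for block in re.split(r"\n\s*\n", text):
        f = dict(re.findall(r"^\s*([^:\n]+):\s*(.+?)\s*$", block, re.M))
        if f.get("Range type") == "local domain range":
            first = int(f["First Posix ID of the range"])
            out.append((first, first + int(f["Number of IDs in the range"]) - 1))
    return out

def check(dna, local):
    """Findings: DNA ranges outside every local idrange, or overlapping."""
    findings, prev_host, prev_hi = [], None, -1
    for host, (lo, hi) in sorted(dna.items(), key=lambda kv: kv[1]):
        if lo > hi or not any(a <= lo and hi <= b for a, b in local):
            findings.append(f"{host}: {lo}-{hi} not inside a local idrange")
        if lo <= prev_hi:  # starts before the highest ID seen so far
            findings.append(f"{host}: {lo}-{hi} overlaps {prev_host}")
        if hi > prev_hi:
            prev_host, prev_hi = host, hi
    return findings

if __name__ == "__main__":
    dna = parse_dna_ranges(DNARANGE_SHOW)
    print(check(dna, parse_local_idranges(IDRANGE_FIND)) or "no findings")
```

On the thread's data this reports no findings, which matches Michal's reading that the ipa02 range is still inside the local idrange.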


