Hi, On Wed, Oct 6, 2010 at 19:29, Nathan Kinder <nkin...@redhat.com> wrote: > On 10/06/2010 03:08 PM, Dan Scott wrote: >> >> I'm not sure which group this is referring to. Admins only contains 3 >> users, no nested groups. >> > > Do any other groups have a "member" attribute that points to your > "cn=admins" group's DN? The error message indicates that some other group > has your admins group as a member.
Yes, I do have another group of which admins is a member. I have removed it temporarily. Would this be a problem normally? Thanks, Dan > > -NGK >> >> The problem appears to be related to the users, rather than the >> groups. None of the users on ohm have a 'memberOf'. Curie has the >> correct memberOf attributes. >> >> The groups themselves appear to be correct on both servers. Both ohm >> and curie have groups which contain the correct 'member' attributes. >> So the problem appears to be that ohm contains groups with correct >> 'members', but none of the users have any 'memberOf's. >> >> Thanks, >> >> Dan >> >> On Wed, Oct 6, 2010 at 16:17, Rich Megginson<rmegg...@redhat.com> wrote: >> >>> >>> Dan Scott wrote: >>> >>>> >>>> Hi, >>>> >>>> ohm_admins.ldif and curie_admins.ldif attached. I added a '-h >>>> $hostname' to the command to ensure that I queried both servers. The >>>> results look identical to me, apart from the ordering. >>>> >>>> Thanks, >>>> >>>> Dan >>>> >>>> On Wed, Oct 6, 2010 at 15:34, Rob Crittenden<rcrit...@redhat.com> >>>> wrote: >>>> >>>> >>>>> >>>>> Dan Scott wrote: >>>>> >>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> On Wed, Oct 6, 2010 at 11:32, Simo Sorce<sso...@redhat.com> wrote: >>>>>> >>>>>> >>>>>>> >>>>>>> On Wed, 6 Oct 2010 10:26:48 -0400 >>>>>>> Dan Scott<danieljamessc...@gmail.com> wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> I have master and slave FreeIPA servers. I recently upgraded the >>>>>>>> slave >>>>>>>> by wiping, re-installing Fedora 13 and re-creating the replication >>>>>>>> using ipa-replica-prepare and ipa-replica-install. >>>>>>>> >>>>>>>> For some reason, the slave is having difficulty replicating the >>>>>>>> memberOf attribute. I can attach an LDAP viewer to the replica, and >>>>>>>> view the schema, but the memberOf attributes are missing. Also, the >>>>>>>> master server contains the lines: >>>>>>>> >>>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" -- >>>>>>>> attribute "memberOf" not allowed >>>>>>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set >>>>>>>> referrals for replica dc=example,dc=com: 20 >>>>>>>> NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for >>>>>>>> replica dc=example,dc=com does not match the data in the changelog. >>>>>>>> Recreating the changelog file. This could affect replication with >>>>>>>> replica's consumers in which case the consumers should be >>>>>>>> reinitialized. >>>>>>>> [06/Oct/2010:09:58:33 -0400] - skipping cos definition cn=account >>>>>>>> inactivation,cn=accounts,dc=example,dc=com--no templates found >>>>>>>> >>>>>>>> The rest of the replication appears to be working correctly (as far >>>>>>>> as >>>>>>>> I can tell). >>>>>>>> >>>>>>>> I have tried using ipa-replica-manage init and synch to try to fix >>>>>>>> the >>>>>>>> replication, but I suspect this has something to do with the schema >>>>>>>> definition. >>>>>>>> >>>>>>>> Does anyone have any pointers/ideas for how I can fix this? >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> Dan, the memberof attribute is explicitly not replicated, and should >>>>>>> be >>>>>>> simply re-generated on the receiving replica when "member" attributes >>>>>>> are replicated. >>>>>>> >>>>>>> >>>>>> >>>>>> So does this imply that there is some corruption in the schema on the >>>>>> replica server? >>>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> Are the IPA versions on the master and the replica the same ? >>>>>>> >>>>>>> >>>>>> >>>>>> They are both the same version: ipa-server-1.2.2-4.fc13.x86_64 >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Dan Scott >>>>>> >>>>>> >>>>> >>>>> It is complaining that memberOf isn't allowed in the admins group which >>>>> is >>>>> pretty strange. >>>>> >>>>> Can you show us the admins group out of the replica and master? >>>>> >>>>> ldapsearch -x -b 'cn=groups,cn=accounts,dc=example,dc=com' cn=admins >>>>> >>>>> >>> >>> Neither one has the inetUser objectclass which allows the use of >>> memberOf. >>> But why is it attempting to add memberOf to this entry which is itself a >>> group entry? Is this some sort of nested group? >>> >>>>> >>>>> thanks >>>>> >>>>> rob >>>>> >>>>> >>>>> >>>>> ------------------------------------------------------------------------ >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users@redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> >>> >>> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users