On 02/13/2014 12:55 PM, Bruno Henrique Barbosa wrote:
Hi everyone,

I've installed my IPA environment as follows:

ipa01.example.com - master install
ipa02.example.com - replica install, as the guide says, with ipa-replica-prepare on ipa01 and ipa-replica-install using gpg key generated.

All good, the environment is fine, and I can access both UIs, but the underlying problem is: I can edit and remove users from IPA using instance ipa02 (replica), but I CANNOT add users from that instance. In the UI, the error returned is:

IPA Error 4203
Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.


Via command-line, debug-enabled:

root@ipa02's password:
Last login: Thu Feb 13 15:36:34 2014
[root@ipa02 ~]# kinit admin
Password for ad...@example.com:
[root@ipa02 ~]# ipa-replica-manage list
ipa01.example.com: master
ipa02.example.com: master
[root@ipa02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
02/13/14 15:37:48  02/14/14 15:37:29  krbtgt/example....@example.com
02/13/14 15:38:03  02/14/14 15:37:29  ldap/ipa02.example....@example.com
[root@ipa02 ~]# ipa -d user-add usertest
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'ad...@example.com'
ipa: INFO: trying https://ipa02.example.com/ipa/xml
ipa: DEBUG: NSSConnection init ipa02.example.com
ipa: DEBUG: Connecting: 192.168.0.2:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
        Version:       3 (0x2)
        Serial Number: 14 (0xe)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=EXAMPLE.COM
        Validity:
            Not Before: Qua Fev 12 19:42:11 2014 UTC
            Not After:  Sáb Fev 13 19:42:11 2016 UTC
        Subject: CN=ipa02.example.com,O=EXAMPLE.COM
        Subject Public Key Info:
            Public Key Algorithm:
                Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Exponent:
                    65537 (0x10001)
    Signed Extensions: (5)
        Name:     Certificate Authority Key Identifier
        Critical: False
        Key ID:
            7f:77:f3:aa:bc:9a:8a:97:0f:29:2c:b6:a4:ff:81:ea:
            c3:9c:48:63
        Serial Number: None
        General Names: [0 total]

        Name:     Authority Information Access
        Critical: False

        Name:     Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name:     Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

        Name:     Certificate Subject Key ID
        Critical: False
        Data:
            ba:bd:55:29:33:53:0c:6b:fb:54:2f:ce:ce:40:ce:4c:
            55:7c:07:ec

    Signature:
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Fingerprint (MD5):
            4e:06:54:a8:e4:62:8e:65:a1:7f:3c:31:01:4b:06:bf
        Fingerprint (SHA1):
            a2:43:5f:65:c0:61:13:cf:2c:9c:9d:32:72:d6:cc:78:
            66:6e:f7:77
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa02.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = 192.168.0.2:443
ipa: DEBUG: received Set-Cookie 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; Secure; HttpOnly' for principal ad...@example.com
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: args=keyctl padd user ipa_session_cookie:ad...@example.com @s
ipa: DEBUG: stdout=227287872

ipa: DEBUG: stderr=
ipa: DEBUG: Created connection context.xmlclient
First name: usertest
Last name: testname
ipa: DEBUG: raw: user_add(u'usertest', givenname=u'usertest', sn=u'testname', cn=u'usertest testname', uidnumber=999, gidnumber=999, noprivate=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: DEBUG: user_add(u'usertest', givenname=u'usertest', sn=u'testname', cn=u'usertest testname', displayname=u'usertest testname', initials=u'ut', gecos=u'usertest testname', krbprincipalname=u'usert...@example.com', random=False, uidnumber=999, gidnumber=999, noprivate=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: INFO: Forwarding 'user_add' to server u'https://ipa02.example.com/ipa/xml'
ipa: DEBUG: NSSConnection init ipa02.example.com
ipa: DEBUG: Connecting: 192.168.0.2:0
ipa: DEBUG: handshake complete, peer = 192.168.0.2:443
ipa: DEBUG: received Set-Cookie 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; Secure; HttpOnly' for principal ad...@example.com
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com
ipa: DEBUG: stdout=227287872

ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com
ipa: DEBUG: stdout=227287872

ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl pupdate 227287872
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Caught fault 4203 from server https://ipa02.example.com/ipa/xml: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.


In the labs I did on IPA, I could resolve that by booting the replica server, but this time I couldn't solve it. Looking for assistance, please!


Looks like problems with the DNA plugin.
Did you by any chance try to install and uninstall the replica a couple dozen times? I think we would need the replica DS logs and the DNA plugin configuration entries from the primary and replica servers.


Thank you for any help you can provide in this situation!

Bruno Henrique Barbosa
Jr. Sys Admin
IT Department
Santos City Hall




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
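
The reply above asks for the DNA plugin configuration entries from both servers. As an added example (not part of the thread or of FreeIPA), this script reads such entries as LDIF and reports whether a server's local range is used up and which peers advertise spare values; the ldapsearch base DNs in the comments and all sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample LDIF below is constructed.
# On live servers the input would come from ldapsearch on ipa01 and ipa02
# (base DNs are assumptions for a default FreeIPA layout):
#   local range: -s base -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
#   shared view: -b "cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com"

# Local plugin entry: is anything left between dnaNextValue and dnaMaxValue?
dna_range_status() {
    awk -F': ' '
        tolower($1) == "dnanextvalue" { nxt = $2; have_n = 1 }
        tolower($1) == "dnamaxvalue"  { max = $2; have_m = 1 }
        END {
            if (!have_n || !have_m) { print "incomplete"; exit }
            left = max - nxt + 1
            if (left <= 0) print "exhausted next=" nxt " max=" max
            else           print "ok remaining=" left
        }'
}

# Shared entries: hosts that advertise spare values a peer could request.
dna_donors() {
    awk -F': ' '
        tolower($1) == "dnahostname"        { host = $2 }
        tolower($1) == "dnaremainingvalues" { rem = $2 }
        /^$/ { if (host != "" && rem + 0 > 0) print host; host = ""; rem = "" }
        END  { if (host != "" && rem + 0 > 0) print host }'
}

# Constructed sample: a replica whose local range holds no values.
sample_replica() { printf '%s\n' \
    'dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' \
    'dnaNextValue: 1101' 'dnaMaxValue: 1100'; }

# Constructed sample: shared entries for both servers, separated by a blank line.
sample_shared() { printf '%s\n' \
    'dn: dnaHostname=ipa01.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com' \
    'dnaHostname: ipa01.example.com' 'dnaRemainingValues: 199996' '' \
    'dn: dnaHostname=ipa02.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com' \
    'dnaHostname: ipa02.example.com' 'dnaRemainingValues: 0'; }

echo "ipa02 local range: $(sample_replica | dna_range_status)"
echo "possible donors:   $(sample_shared | dna_donors)"
```

An exhausted local range combined with an empty donor list is the combination that produces an allocation failure when adding a user on that server.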

