On 02/14/2014 01:49 PM, Martin Kosek wrote:
> Ok, this part seems ok then. I would then focus directly on DNA operation 
> itself.
> 
> DNA plugin says:
> 
> [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_request_range: Error sending
> range extension extended operation request to server ipa01.example.com:389
> [error 53]
> [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_pre_op: no more values 
> available!!
> 
> Error 53 should be Unwilling to perform. Are there any errors on master dirsrv
> errors log?
> 
> Is any free number available on the master server?
> 
> [master] $ ldapsearch -h `hostname` -D "cn=Directory Manager" -x -W -b
> 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
> dnaNextValue dnaMaxValue
> 
> Martin
> 
> On 02/14/2014 12:36 PM, Bruno Henrique Barbosa wrote:
>> Hi Martin, thanks for the help. 
>>
>>
>> Yes, I already did that test. Created a user on ipa01 (master), then he 
>> appeared on ipa02 (replica), in the replica, I modified his email address, 
>> it appeared back on master. Still, I cannot create a brand new user (or 
>> POSIX group) on ipa02. 
>>
>>
>>
>> [root@ipa01 ~]# ipactl status 
>> Directory Service: RUNNING 
>> KDC Service: RUNNING 
>> KPASSWD Service: RUNNING 
>> MEMCACHE Service: RUNNING 
>> HTTP Service: RUNNING 
>> CA Service: RUNNING 
>>
>>
>>
>> [root@ipa02 ~]# ipactl status 
>> Directory Service: RUNNING 
>> KDC Service: RUNNING 
>> KPASSWD Service: RUNNING 
>> MEMCACHE Service: RUNNING 
>> HTTP Service: RUNNING 
>>
>>
>>
>>
>> Interesting on replica's /var/log/krb5kdc.log: 
>>
>>
>>
>> [root@ipa02 ~]# cat /var/log/krb5kdc.log | grep "Feb 13 15:31" 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): setting up network... 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 6: udp 0.0.0.0.88 
>> (pktinfo) 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local 
>> address family 17 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local 
>> address family 17 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 8: tcp 0.0.0.0.88 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 7: tcp ::.88 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): set up 3 sockets 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): creating 4 worker processes 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 7 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 8 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 6 
>> Feb 13 15:31:13 ipa02 krb5kdc[1535](info): commencing operation 
>> Feb 13 15:31:13 ipa02 krb5kdc[1533](info): commencing operation 
>> Feb 13 15:31:13 ipa02 krb5kdc[1536](info): commencing operation 
>> Feb 13 15:31:13 ipa02 krb5kdc[1534](info): commencing operation 
>> Feb 13 15:31:14 ipa02 krb5kdc[1534](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example....@example.com for 
>> krbtgt/example....@example.com, Additional pre-authentication required 
>> Feb 13 15:31:14 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18}, 
>> ldap/ipa02.example....@example.com for krbtgt/example....@example.com 
>>
>>
>> Feb 13 15:31:14 ipa02 krb5kdc[1536](info): TGS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18}, 
>> ldap/ipa02.example....@example.com for ldap/ipa01.example....@example.com 
>>
>>
>> Feb 13 15:31:28 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: NEEDED_PREAUTH: use...@example.com for 
>> krbtgt/example....@example.com, Additional pre-authentication required 
>> Feb 13 15:31:28 ipa02 krb5kdc[1535](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, 
>> use...@example.com for krbtgt/example....@example.com 
>> Feb 13 15:31:28 ipa02 krb5kdc[1535](info): TGS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, 
>> use...@example.com for ldap/ipa02.example....@example.com 
>>
>>
>>
>>
>> Running kinit -kt on replica, returns nothing on prompt, but populates 
>> /var/log/krb5kdc.log with: 
>>
>>
>>
>>
>> Feb 14 09:34:05 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example....@example.com for 
>> krbtgt/example....@example.com, Additional pre-authentication required 
>> Feb 14 09:34:05 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392377645, etypes {rep=18 tkt=18 ses=18}, 
>> ldap/ipa02.example....@example.com for krbtgt/example....@example.com 
>>
>>
>>
>>
>> DNS is OK, resolving FQDN of both master and replica forward and reverse. 
>>
>>
>>
>> Bruno Henrique Barbosa 
>>
>> Jr. Sys Admin 
>> IT Department 
>> Santos City Hall 
>> ----- Original message -----
>>
>> From: "Martin Kosek" <mko...@redhat.com> 
>> To: "Bruno Henrique Barbosa" <bruno-barb...@prodesan.com.br>, 
>> freeipa-users@redhat.com 
>> Sent: Friday, 14 February 2014 5:51:49 
>> Subject: Re: [Freeipa-users] IPA Replica cannot add user 
>>
>> On 02/13/2014 06:55 PM, Bruno Henrique Barbosa wrote: 
>>>
>>>
>>>
>>> Hi everyone, 
>>>
>>>
>>> I've installed my IPA environment as it follows: 
>>>
>>>
>>> ipa01.example.com - master install 
>>> ipa02.example.com - replica install, as the guide says, with 
>>> ipa-replica-prepare on ipa01 and ipa-replica-install using gpg key 
>>> generated. 
>>>
>>>
>>> All good, environment is fine, can access both UI, but the underlying 
>>> problem is: I can edit and remove users from IPA using instance ipa02 
>>> (replica), but I CANNOT add users from that instance. In the UI, error 
>>> returned is: 
>>>
>>>
>>> IPA Error 4203 
>>> Operations error: Allocation of a new value for range cn=posix 
>>> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
>>> Unable to proceed. 
>>>
>>>
>>>
>>>
>>> Via command-line, debug-enabled: 
>>>
>>>
>>> root@ipa02's password: 
>>> Last login: Thu Feb 13 15:36:34 2014 
>>> [root@ipa02 ~]# kinit admin 
>>> Password for ad...@example.com: 
>>> [root@ipa02 ~]# ipa-replica-manage list 
>>> ipa01.example.com: master 
>>> ipa02.example.com: master 
>>> [root@ipa02 ~]# klist 
>>> Ticket cache: FILE:/tmp/krb5cc_0 
>>> Default principal: ad...@example.com 
>>>
>>>
>>> Valid starting Expires Service principal 
>>> 02/13/14 15:37:48 02/14/14 15:37:29 krbtgt/example....@example.com 
>>> 02/13/14 15:38:03 02/14/14 15:37:29 ldap/ipa02.example....@example.com 
>>> [root@ipa02 ~]# ipa -d user-add usertest 
>>> ipa: DEBUG: importing all plugin modules in 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins'... 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' 
>>> ipa: DEBUG: args=klist -V 
>>> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3 
>>>
>>>
>>> ipa: DEBUG: stderr= 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' 
>>> ipa: DEBUG: importing plugin module 
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' 
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com 
>>> ipa: DEBUG: stdout= 
>>> ipa: DEBUG: stderr=keyctl_search: Required key not available 
>>>
>>>
>>> ipa: DEBUG: failed to find session_cookie in persistent storage for 
>>> principal 'ad...@example.com' 
>>> ipa: INFO: trying https://ipa02.example.com/ipa/xml 
>>> ipa: DEBUG: NSSConnection init ipa02.example.com 
>>> ipa: DEBUG: Connecting: 192.168.0.2:0 
>>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False 
>>> Data: 
>>> Version: 3 (0x2) 
>>> Serial Number: 14 (0xe) 
>>> Signature Algorithm: 
>>> Algorithm: PKCS #1 SHA-256 With RSA Encryption 
>>> Issuer: CN=Certificate Authority,O=EXAMPLE.COM 
>>> Validity: 
>>> Not Before: Qua Fev 12 19:42:11 2014 UTC 
>>> Not After: Sáb Fev 13 19:42:11 2016 UTC 
>>> Subject: CN=ipa02.example.com,O=EXAMPLE.COM 
>>> Subject Public Key Info: 
>>> Public Key Algorithm: 
>>> Algorithm: PKCS #1 RSA Encryption 
>>> RSA Public Key: 
>>> Modulus: 
>>> Exponent: 
>>> 65537 (0x10001) 
>>> Signed Extensions: (5) 
>>> Name: Certificate Authority Key Identifier 
>>> Critical: False 
>>> Key ID: 
>>> 7f:77:f3:aa:bc:9a:8a:97:0f:29:2c:b6:a4:ff:81:ea: 
>>> c3:9c:48:63 
>>> Serial Number: None 
>>> General Names: [0 total] 
>>>
>>>
>>> Name: Authority Information Access 
>>> Critical: False 
>>>
>>>
>>> Name: Certificate Key Usage 
>>> Critical: True 
>>> Usages: 
>>> Digital Signature 
>>> Non-Repudiation 
>>> Key Encipherment 
>>> Data Encipherment 
>>>
>>>
>>> Name: Extended Key Usage 
>>> Critical: False 
>>> Usages: 
>>> TLS Web Server Authentication Certificate 
>>> TLS Web Client Authentication Certificate 
>>>
>>>
>>> Name: Certificate Subject Key ID 
>>> Critical: False 
>>> Data: 
>>> ba:bd:55:29:33:53:0c:6b:fb:54:2f:ce:ce:40:ce:4c: 
>>> 55:7c:07:ec 
>>>
>>>
>>> Signature: 
>>> Signature Algorithm: 
>>> Algorithm: PKCS #1 SHA-256 With RSA Encryption 
>>> Signature: 
>>> Fingerprint (MD5): 
>>> 4e:06:54:a8:e4:62:8e:65:a1:7f:3c:31:01:4b:06:bf 
>>> Fingerprint (SHA1): 
>>> a2:43:5f:65:c0:61:13:cf:2c:9c:9d:32:72:d6:cc:78: 
>>> 66:6e:f7:77 
>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer 
>>> ipa: DEBUG: cert valid True for "CN=ipa02.example.com,O=EXAMPLE.COM" 
>>> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443 
>>> ipa: DEBUG: received Set-Cookie 
>>> 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; Domain=ipa02.example.com; 
>>> Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; Secure; HttpOnly' 
>>> ipa: DEBUG: storing cookie 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; 
>>> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; 
>>> Secure; HttpOnly' for principal ad...@example.com 
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com 
>>> ipa: DEBUG: stdout= 
>>> ipa: DEBUG: stderr=keyctl_search: Required key not available 
>>>
>>>
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com 
>>> ipa: DEBUG: stdout= 
>>> ipa: DEBUG: stderr=keyctl_search: Required key not available 
>>>
>>>
>>> ipa: DEBUG: args=keyctl padd user ipa_session_cookie:ad...@example.com @s 
>>> ipa: DEBUG: stdout=227287872 
>>>
>>>
>>> ipa: DEBUG: stderr= 
>>> ipa: DEBUG: Created connection context.xmlclient 
>>> First name: usertest 
>>> Last name: testname 
>>> ipa: DEBUG: raw: user_add(u'usertest', givenname=u'usertest', 
>>> sn=u'testname', cn=u'usertest testname', uidnumber=999, gidnumber=999, 
>>> noprivate=False, all=False, raw=False, version=u'2.49', no_members=False) 
>>> ipa: DEBUG: user_add(u'usertest', givenname=u'usertest', sn=u'testname', 
>>> cn=u'usertest testname', displayname=u'usertest testname', initials=u'ut', 
>>> gecos=u'usertest testname', krbprincipalname=u'usert...@example.com', 
>>> random=False, uidnumber=999, gidnumber=999, noprivate=False, all=False, 
>>> raw=False, version=u'2.49', no_members=False) 
>>> ipa: INFO: Forwarding 'user_add' to server 
>>> u'https://ipa02.example.com/ipa/xml' 
>>> ipa: DEBUG: NSSConnection init ipa02.example.com 
>>> ipa: DEBUG: Connecting: 192.168.0.2:0 
>>> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443 
>>> ipa: DEBUG: received Set-Cookie 
>>> 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; Domain=ipa02.example.com; 
>>> Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; Secure; HttpOnly' 
>>> ipa: DEBUG: storing cookie 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; 
>>> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; 
>>> Secure; HttpOnly' for principal ad...@example.com 
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com 
>>> ipa: DEBUG: stdout=227287872 
>>>
>>>
>>> ipa: DEBUG: stderr= 
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@example.com 
>>> ipa: DEBUG: stdout=227287872 
>>>
>>>
>>> ipa: DEBUG: stderr= 
>>> ipa: DEBUG: args=keyctl pupdate 227287872 
>>> ipa: DEBUG: stdout= 
>>> ipa: DEBUG: stderr= 
>>> ipa: DEBUG: Caught fault 4203 from server 
>>> https://ipa02.example.com/ipa/xml: Operations error: Allocation of a new 
>>> value for range cn=posix ids,cn=distributed numeric assignment 
>>> plugin,cn=plugins,cn=config failed! Unable to proceed. 
>>> ipa: DEBUG: Destroyed connection context.xmlclient 
>>> ipa: ERROR: Operations error: Allocation of a new value for range cn=posix 
>>> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
>>> Unable to proceed. 
>>>
>>>
>>>
>>>
>>> Under the labs I did on IPA, I could resolve that by booting the replica 
>>> server, but this time I couldn't solve. Looking for assistance, please! 
>>>
>>>
>>> Thank you for any help you can provide in this situation! 
>>>
>>>
>>> Bruno Henrique Barbosa 
>>> Jr. Sys Admin 
>>> IT Department 
>>> Santos City Hall 
>>
>> Hello Bruno, 
>>
>> I saw the logs you sent to Dmitri. It seems to me that the replication link 
>> is 
>> broken, thus replica DNA plugin cannot acquire DNA ranges from master, thus 
>> it 
>> has no available range, thus adding users fails as DS cannot allocate UID 
>> and GID. 
>>
>> I think your replication will be broken as well, did you verify that users 
>> you 
>> delete/modify on replica are also deleted/modified on master? 
>>
>> I think the root cause is this log: 
>>
>> [13/Feb/2014:15:31:11 -0200] set_krb5_creds - Could not get initial 
>> credentials 
>> for principal [ldap/ipa02.example....@example.com] in keytab 
>> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for 
>> requested 
>> realm) 
>>
>> Is your KDC running? 
>>
>> [replica] # ipactl status 
>>
>> You can also try to kinit manually to debug: 
>>
>> [replica] # kinit -kt /etc/dirsrv/ds.keytab 
>> ldap/ipa02.example....@example.com 
>>
>> If it does not succeed, neither it'd succeed for the DS. 
>>
>> I would also recommend checking that DNS is sane. You can find some pointers 
>> here: 
>> http://www.freeipa.org/page/Troubleshooting#DNS_Issues 
>>
>> HTH, 
>> Martin 

Bruno sent me the logs privately, let me just share the solution of this case
with the list. The problem here was that master had only 1000 numbers allocated
(chosen during IPA installation). Therefore, it had less than 1000 numbers free.

When the replica asked for some free numbers from it, it refused to give any as
it would lower its pool of free numbers below 500 (dnaThreshold setting).

Bruno was able to fix the issue with this command run on master:

$ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaMaxValue
dnaMaxValue: 5000

Martin
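
The threshold arithmetic behind this fix, as an added example that is not part of the original thread: it parses the dna* attributes from ldapsearch output and reports whether the master would still hold at least dnaThreshold free values after handing a range to a replica. The sample LDIF values (1010, 1999) are constructed, and the rule that the master offers half of its free values is an assumption chosen to match the numbers described above.

```python
import re

# Constructed sample (not from the thread): what the ldapsearch shown earlier,
# with dnaThreshold added to the attribute list, could return on a master
# installed with a 1000-number range of which 10 values are already used.
BEFORE = """\
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaNextValue: 1010
dnaMaxValue: 1999
dnaThreshold: 500
"""
# The same entry after the ldapmodify from the thread (dnaMaxValue: 5000).
AFTER = BEFORE.replace("dnaMaxValue: 1999", "dnaMaxValue: 5000")

REQUIRED = ("dnanextvalue", "dnamaxvalue", "dnathreshold")


def parse_dna_entry(ldif):
    """Extract the dna* attributes that are plain non-negative integers."""
    attrs = {}
    for line in ldif.splitlines():
        m = re.match(r"^(dna\w+):\s*(\d+)\s*$", line, re.IGNORECASE)
        if m:
            attrs[m.group(1).lower()] = int(m.group(2))
    missing = [a for a in REQUIRED if a not in attrs]
    if missing:
        # Only explicitly bounded ranges are handled by this check.
        raise ValueError("missing or non-numeric: " + ", ".join(missing))
    return attrs


def assess_transfer(attrs):
    """Model the master's decision when a replica asks for a range."""
    # Values still unassigned on this server; 0 once the range is used up.
    free = max(0, attrs["dnamaxvalue"] - attrs["dnanextvalue"] + 1)
    # ASSUMPTION: the master offers half of its free values to the replica.
    offer = free // 2
    kept = free - offer
    # Refuse when the master would be left below its own dnaThreshold.
    ok = offer > 0 and kept >= attrs["dnathreshold"]
    return {"free": free, "offer": offer, "kept": kept, "would_transfer": ok}


if __name__ == "__main__":
    for label, ldif in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_transfer(parse_dna_entry(ldif)))
```
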
