Ok, here are the logs and console session from those searches as admin and as 
the host on the new master against itself.  Same result, nothing in there.

See my email reply to Rich I sent a few minutes ago for the directory manager 
aci search results.

==========================================================================
GSSAPI search using admin on old master searching old master (current host)
==========================================================================

[root@dc2-ipa-dev-nvan ~]# kinit admin
Password for ad...@dev-mydomain.net:
[root@dc2-ipa-dev-nvan ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_swFzxQf
Default principal: ad...@dev-mydomain.net

Valid starting     Expires            Service principal
21/01/16 19:54:14  22/01/16 19:54:05  krbtgt/dev-mydomain....@dev-mydomain.net
[root@dc2-ipa-dev-nvan ~]# ldapsearch -Y GSSAPI -b "cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: ad...@dev-mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root@dc2-ipa-dev-nvan ~]# kdestroy

==========================================================================
GSSAPI search using host keytab on old master searching old master (current host)
==========================================================================


[root@dc2-ipa-dev-nvan ~]# kinit -k -t /etc/krb5.keytab
[root@dc2-ipa-dev-nvan ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_swFzxQf
Default principal: host/dc2-ipa-dev-nvan.dev-mydomain....@dev-mydomain.net

Valid starting     Expires            Service principal
21/01/16 19:54:53  22/01/16 19:54:53  krbtgt/dev-mydomain....@dev-mydomain.net
[root@dc2-ipa-dev-nvan ~]# ldapsearch -Y GSSAPI -b "cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-nvan.dev-mydomain....@dev-mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root@dc2-ipa-dev-nvan ~]#


========================================================
logs from old master (current host) during search using host keytab
========================================================
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-nvan.dev-mydomain.net,cn=computers,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 UNBIND
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 fd=273 closed - U1

===========================================================
logs from old master (current host) during search as admin
===========================================================
[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:54:40 -0800] conn=76094 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:54:40 -0800] conn=76094 op=5 UNBIND
[21/Jan/2016:19:54:40 -0800] conn=76094 op=5 fd=143 closed - U1


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: January-21-16 7:45 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists


On 01/21/2016 08:50 AM, Nathan Peters wrote:
> I don't know if this makes a difference too, but I performed the same checks 
> on a different completely working and joined FreeIPA master, against other 
> masters, and even against itself directly.
>
> It seems that no account, no keytab, and no host can see that mapping tree 
> branch no matter who they search from or against if GSSAPI is used.
There should be no difference in the result; it should only depend on the ACIs, and in one of your previous posts you said that you don't get a result bound as admin:
 >>>

[root@dc2-ipa-dev-van ~]# ldapsearch -Hldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" -D "uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
---snip---

So we know that, for whatever reason, this particular DN cannot be searched by anyone other than Directory Manager.


<<<

So could you provide the result and log of a search with GSSAPI, directly bound to the same server? And, as Directory Manager, query the ACIs in the mapping tree entry.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
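The two access-log excerpts above both show the same shape: the SASL/GSSAPI bind completes with err=0 and the mapped entry DN on the RESULT line (the host's fqdn entry, or uid=admin), and the subsequent SRCH on the replica mapping-tree entry also returns err=0, but with nentries=0. That combination is what an ACI-filtered search looks like on 389-ds: the server does not answer insufficientAccess (err=50) for entries the bound identity may not read, it simply leaves them out, which is why the bind DN on the RESULT line matters; it is the identity the ACIs were evaluated against. The following is an added example, not code from the thread or from FreeIPA/389-ds, that pulls that distinction out of an access log mechanically. It parses the conn/op pairs, works out which successful bind was in force for each search, and classifies the search result. The sample input is the host-keytab excerpt quoted above, copied in as constructed test data; the field layout it assumes is the standard 389-ds access-log format shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: the 389-ds access-log lines quoted in the thread
# above (host-keytab search on conn=76103), each entry on a single line.
SAMPLE_LOG = r"""
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-nvan.dev-mydomain.net,cn=computers,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 UNBIND
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 fd=273 closed - U1
"""

# One regex for the common prefix, then one per operation type we care about.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) version=\d+(?: mech=(?P<mech>\S+))?')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<n>\d+) etime=\S+(?P<extra>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')

# LDAP result codes worth naming when a search does not come back err=0.
VERDICTS = {
    32: 'base does not exist as seen by this identity (noSuchObject)',
    50: 'refused outright (insufficientAccess)',
}


def parse(log_text):
    """Group lines by connection and pair each op's request with its RESULT."""
    conns = defaultdict(dict)  # conn -> op -> record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open lines and anything without op=
        rec = conns[m['conn']].setdefault(int(m['op']), {})
        rest = m['rest']
        if (b := BIND_RE.match(rest)):
            rec.update(kind='BIND', bind_dn=b['dn'], method=b['method'], mech=b['mech'])
        elif (s := SRCH_RE.match(rest)):
            rec.update(kind='SRCH', base=s['base'], scope=int(s['scope']), filter=s['filter'])
        elif (r := RESULT_RE.match(rest)):
            rec.update(err=int(r['err']), nentries=int(r['n']))
            d = DN_RE.search(r['extra'])
            if d:  # SASL binds report the mapped entry DN on the RESULT line
                rec['bind_dn'] = d['dn']
    return conns


def effective_bind(ops, before_op):
    """The last bind that completed with err=0 before this op (anonymous if none)."""
    bound = {'bind_dn': '', 'mech': None}
    for op in sorted(ops):
        if op >= before_op:
            break
        if ops[op].get('kind') == 'BIND' and ops[op].get('err') == 0:
            bound = ops[op]
    return bound


def analyze(log_text):
    """One finding per completed search: who ran it and how the server answered."""
    findings = []
    for conn, ops in parse(log_text).items():
        for op, rec in sorted(ops.items()):
            if rec.get('kind') != 'SRCH' or 'err' not in rec:
                continue
            bound = effective_bind(ops, op)
            err, n = rec['err'], rec['nentries']
            if err == 0 and n == 0:
                verdict = 'succeeded but returned nothing: entries hidden by ACI or subtree empty'
            elif err == 0:
                verdict = f'returned {n} entries'
            else:
                verdict = VERDICTS.get(err, f'failed with err={err}')
            findings.append(dict(conn=conn, op=op, bind_dn=bound['bind_dn'] or 'anonymous',
                                 mech=bound['mech'], base=rec['base'], err=err,
                                 nentries=n, verdict=verdict))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']} as {f['bind_dn']} ({f['mech']}) "
              f"base={f['base']}: {f['verdict']}")
```

Run against a real /var/log/dirsrv/slapd-*/access file, the useful comparison is between a Directory Manager search of the same base (nentries greater than 0) and an admin or host-principal search (err=0, nentries=0): same base, same server, different bound DN, so the ACIs on that entry are the only variable left, which is exactly the check Ludwig asks for.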
