[Freeipa-users] UPDATE: NOT Resolved After All -- sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Yes, I implemented in Policy -> Sudo -> Sudo Commands as:
Sudo Command:  NOPASSWD: /sbin/vgs

The script (executed by a non-root, administrative group user on an enrolled 
host) specifies:
….
hostname >> statresults.txt
cat /etc/redhat-release >> statresults.txt
uname -r >> statresults.txt
printf "\n " >> statresults.txt
sudo vgs >> statresults.txt
…..
Running the script I still was prompted for a password.

RESEARCH AND CORRECTION:
In the sssd.conf file on the enrolled host I found an invalid pointer in the 
“ipa_server=” directive, which I corrected, and added sudo to the “services=” 
directive.  One or both of those changes corrected the situation and vgs runs 
under sudo without a password prompt.

FURTHER CORRECTION:
The sssd.conf changes did NOT resolve the issue.  The password must have been 
cached from a prior script run when I re-ran it. I am being prompted for 
password by the sudo line again.


From: Jason B. Nance [mailto:ja...@tresgeek.net]
Sent: Wednesday, February 22, 2017 11:59 AM
To: Auerbach, Steven <steven.auerb...@flbog.edu>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo NOPASSWD for a single command


> We have a script stored on a particular server in our realm that executes a 
> number of non-privileged commands and we want to add the /sbin/vgs command. The 
> script uses SSH to then execute the same set of commands on all the servers in 
> the realm.
> The owner of the script is in the administrator group and there are sudoer 
> commands for the administrator group in general.  We need to place a rule for 
> this one command for either this group or the script owner to run NOPASSWD.
> Where and how would I specify that in the IPA admin console?

Have you tried creating your command in IPA as "NOPASSWD: /sbin/vgs" (Policy -> 
Sudo -> Sudo Commands)?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
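
An added check for the client-side half of the problem described in this thread (example code written for this page, not from the thread or from the FreeIPA project). In IPA the sudoers NOPASSWD tag is not part of the command path; it is the sudo option "!authenticate" set on the sudo rule. Even with the rule right, sudo on an enrolled host only sees IPA rules when the SSSD sudo responder is listed in sssd.conf and nsswitch.conf sends sudoers lookups to sss, which are the settings the lint below reads. The hostnames, the domain example.local and both sample configurations are constructed.

```python
"""Lint the two client-side settings an IPA-enrolled host needs before sudo
consults FreeIPA sudo rules at all.  Added example for this page; not code
from the thread or from the FreeIPA project.  Hostnames, the domain
example.local and both sample configs below are constructed.
"""
import configparser
import re
from typing import List


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is ini-style with '=' separators and case-sensitive keys;
    # interpolation is off so a '%' inside a value cannot raise.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sudo_integration(sssd_conf: str, nsswitch: str) -> List[str]:
    """Return findings; an empty list means sudo will ask SSSD for IPA rules."""
    findings: List[str] = []
    cp = parse_sssd_conf(sssd_conf)

    # 1. Without the sudo responder, sudo never talks to SSSD.
    services = csv(cp.get("sssd", "services", fallback=""))
    if "sudo" not in services:
        findings.append("[sssd] services=%s lacks 'sudo'" % ",".join(services))

    # 2. Each IPA domain: sudo_provider must be ipa (the default when
    #    id_provider = ipa) and ipa_server must be hostnames or _srv_,
    #    not a URL or anything else SSSD cannot look up.
    for dom in csv(cp.get("sssd", "domains", fallback="")):
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append("domain %s listed but [%s] is missing" % (dom, sect))
            continue
        if cp.get(sect, "id_provider", fallback="") != "ipa":
            continue
        provider = cp.get(sect, "sudo_provider", fallback="ipa")
        if provider != "ipa":
            findings.append("[%s] sudo_provider=%s, expected ipa" % (sect, provider))
        servers = csv(cp.get(sect, "ipa_server", fallback=""))
        if not servers:
            findings.append("[%s] has no ipa_server" % sect)
        for host in servers:
            if host != "_srv_" and not re.fullmatch(r"[A-Za-z0-9.-]+", host):
                findings.append("[%s] ipa_server entry %r is not a hostname" % (sect, host))

    # 3. glibc only routes sudoers lookups to SSSD if nsswitch says so.
    m = re.search(r"^\s*sudoers:\s*(.*)$", nsswitch, re.MULTILINE)
    sources = m.group(1).split() if m else []
    if "sss" not in sources:
        findings.append("nsswitch.conf sudoers: %s lacks 'sss'" % " ".join(sources))
    return findings


# Constructed sample: sudo responder missing and a URL where a hostname belongs,
# two things that leave 'sudo vgs' falling back to the local sudoers file.
BROKEN_SSSD = """\
[sssd]
domains = example.local
services = nss, pam, ssh

[domain/example.local]
id_provider = ipa
ipa_domain = example.local
ipa_server = ldap://ipa01.example.local
"""

FIXED_SSSD = """\
[sssd]
domains = example.local
services = nss, pam, ssh, sudo

[domain/example.local]
id_provider = ipa
ipa_domain = example.local
ipa_server = _srv_, ipa01.example.local
"""

NSSWITCH_BROKEN = "passwd: files sss\nsudoers: files\n"
NSSWITCH_FIXED = "passwd: files sss\nsudoers: files sss\n"

if __name__ == "__main__":
    for label, conf, nss in (("broken", BROKEN_SSSD, NSSWITCH_BROKEN),
                             ("fixed", FIXED_SSSD, NSSWITCH_FIXED)):
        print(label, check_sudo_integration(conf, nss) or "ok")
```

The rule itself is created on an IPA server (as admin) with: ipa sudocmd-add /sbin/vgs; ipa sudorule-add vgs-nopasswd --hostcat=all; ipa sudorule-add-allow-command vgs-nopasswd --sudocmds=/sbin/vgs; ipa sudorule-add-user vgs-nopasswd --groups=admins; ipa sudorule-add-option vgs-nopasswd --sudooption='!authenticate' (rule name and group are assumptions). On the client, flush the SSSD cache with sss_cache -E and run sudo -K before testing, because sudo's timestamp cache otherwise hides whether the rule or an earlier password entry let the command through; sudo -l shows the rule as SSSD delivered it.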

[Freeipa-users] UPDATE: Resolved sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Yes, I implemented in Policy -> Sudo -> Sudo Commands as:
Sudo Command:  NOPASSWD: /sbin/vgs

The script (executed by a non-root, administrative group user on an enrolled 
host) specifies:
….
hostname >> statresults.txt
cat /etc/redhat-release >> statresults.txt
uname -r >> statresults.txt
printf "\n " >> statresults.txt
sudo vgs >> statresults.txt
…..
Running the script I still was prompted for a password.

RESEARCH AND CORRECTION:
In the sssd.conf file on the enrolled host I found an invalid pointer in the 
“ipa_server=” directive, which I corrected, and added sudo to the “services=” 
directive.  One or both of those changes corrected the situation and vgs runs 
under sudo without a password prompt.

From: Jason B. Nance [mailto:ja...@tresgeek.net]
Sent: Wednesday, February 22, 2017 11:59 AM
To: Auerbach, Steven <steven.auerb...@flbog.edu>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo NOPASSWD for a single command


> We have a script stored on a particular server in our realm that executes a 
> number of non-privileged commands and we want to add the /sbin/vgs command. The 
> script uses SSH to then execute the same set of commands on all the servers in 
> the realm.
> The owner of the script is in the administrator group and there are sudoer 
> commands for the administrator group in general.  We need to place a rule for 
> this one command for either this group or the script owner to run NOPASSWD.
> Where and how would I specify that in the IPA admin console?

Have you tried creating your command in IPA as "NOPASSWD: /sbin/vgs" (Policy -> 
Sudo -> Sudo Commands)?


[Freeipa-users] Recall: sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Auerbach, Steven would like to recall the message, "[Freeipa-users] sudo 
NOPASSWD for a single command".



Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Yes, I implemented in Policy -> Sudo -> Sudo Commands as:
Sudo Command:  NOPASSWD: /sbin/vgs

The script (executed by a non-root, administrative group user on an enrolled 
host) specifies:
….
hostname >> statresults.txt
cat /etc/redhat-release >> statresults.txt
uname -r >> statresults.txt
printf "\n " >> statresults.txt
sudo vgs >> statresults.txt
…..
Running the script I still was prompted for a password. So I guess this does 
not work.

From: Jason B. Nance [mailto:ja...@tresgeek.net]
Sent: Wednesday, February 22, 2017 11:59 AM
To: Auerbach, Steven <steven.auerb...@flbog.edu>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo NOPASSWD for a single command


> We have a script stored on a particular server in our realm that executes a 
> number of non-privileged commands and we want to add the /sbin/vgs command. The 
> script uses SSH to then execute the same set of commands on all the servers in 
> the realm.
> The owner of the script is in the administrator group and there are sudoer 
> commands for the administrator group in general.  We need to place a rule for 
> this one command for either this group or the script owner to run NOPASSWD.
> Where and how would I specify that in the IPA admin console?

Have you tried creating your command in IPA as "NOPASSWD: /sbin/vgs" (Policy -> 
Sudo -> Sudo Commands)?


[Freeipa-users] sudo NOPASSWD for a single command

2017-02-22 Thread Auerbach, Steven
We have a script stored on a particular server in our realm that executes a 
number of non-privileged commands and we want to add the /sbin/vgs command. The 
script uses SSH to then execute the same set of commands on all the servers in 
the realm.

The owner of the script is in the administrator group and there are sudoer 
commands for the administrator group in general.  We need to place a rule for 
this one command for either this group or the script owner to run NOPASSWD.

Where and how would I specify that in the IPA admin console?

Steven Auerbach
Systems Administrator

State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | 
www.flbog.edu

[Freeipa-users] Odd Password Issue Across the realm

2016-07-21 Thread Auerbach, Steven
We have our IPA set up as master-master and we have about 25 clients in realm 
(including the IPA servers themselves).

We have a single user who changed his unexpired password using the passwd 
command while logged on to one of the registered clients.

Thereafter, when he logs on to any of the client servers in the realm with the 
exception of one, his new password is accepted.  On only one client server his 
new password is not accepted.  That client server will only let him in with a 
password that was in effect 2 password changes in the past.

I believe that there is no sync problem between the IPA Masters because I 
changed the admin password on one of them (IPA Master) yesterday and it was 
available immediately after a logout to sign on as admin to the other master 
with the new password.

Are we instructing users with the wrong command for changing an unexpired 
password?  If not, where would we turn to rectify this issue that this one user 
has with the one IPA client server?

Steven Auerbach
Systems Administrator

State University System of Florida
Board of Governors
325 West Gaines Street, Suite 1625C
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | www.flbog.edu

[Freeipa-users] IPA active-active node failure

2016-06-27 Thread Auerbach, Steven
We have an active-active dual-node IPA.  The second node stopped accepting 
logins through the Web GUI.  I rebooted the server. Now it is really botched.

Directory service will not restart:
# service ipa restart
Restarting Directory Service
Shutting down dirsrv:
domain-LOCAL... server already stopped   [FAILED]
  *** Error: 1 instance(s) unsuccessfully stopped  [FAILED]
Starting dirsrv:
domain-LOCAL...  [FAILED]
  *** Error: 1 instance(s) failed to start
Failed to restart Directory Service: Command '/sbin/service dirsrv restart ' 
returned non-zero exit status 1

Web service is running enough to load the "Identity Management" banner then 
pops up an "unknown error" dialog box.

How do we reset the directory server (kill a pid file?) to get this working and 
re-synchronize with our other node?  I really am concerned with a single point 
of failure for all our users.

Steven Auerbach
Systems Administrator

State University System of Florida
Board of Governors
325 West Gaines Street, Suite 1625C
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | www.flbog.edu

[Freeipa-users] I think I have an issue, but maybe not.....Is IPA Replica Clean-up Needed?

2016-03-03 Thread Auerbach, Steven
We have IPA set up in active-active mode.  The first node (ipa01) logs errors 
regularly (every few minutes) that seem to be based upon an attempt to 
communicate with a replica that no longer exists.

Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:22 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Cannot contact any KDC for <> 
'<>.LOCAL')
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:45 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Server 
ldap/ipa02.<>.local@<>.LOCAL not found in Kerberos database)

The only place I found any references to the server ipa02 is in dse.ldif files 
in the /etc/dirsrv/slapd-<>-LOCAL/ folders

Quoted from dse.ldif:
dn: cn=replica,cn=dc\3D<>\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=<>,dc=local
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: 
krbprincipalname=ldap/ipa02.<>.local@<>.LOCAL,cn=services,cn=accounts,dc=<>,dc=local
nsDS5ReplicaBindDN: 
krbprincipalname=ldap/ipa-r02.<>.local@<>.LOCAL,cn=services,cn=accounts,dc=<>,dc=local
creatorsName: cn=directory manager
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20130924144354Z
modifyTimestamp: 20160225194116Z
nsState:: BADcWM9WAAEAZQADAA==
nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
numSubordinates: 1


When I execute "ipa-replica-manage list" from either the master or replica 
server I get the same response:
ipa01.<>.local: master
ipa-r02.<>.local: master

and when I execute "ipa-csreplica-manage list" from either the master or the 
replica server I get the same response:
ipa01.<>.local: master
ipa-r02.<>.local: CA not configured

I would have expected one of these commands to include the "ipa02" server as 
well since it is in the dse.ldif file.

I know we are configured in "active-active" mode and that the CA is only on 
ipa01.

From an operating perspective, identity management operations (including 
signing on to the browser-based interface and updates made one server showing 
up on the other) from the replica (ipa-r02) are much faster than from the 
master (ipa01). I am guessing that this is because any task executing on the 
replica has only a replica pointer to the master, whereas any operation on the 
master that tries to replicate has to timeout on the invalid pointer to 
"ipa02" before it can actually communicate with the replica (ipa-r02).  Of 
course my intuition could be completely wrong and my actual understanding of 
how this process works is nil.

I would like to clean up this environment before I hand the reins over to the 
next person on my team.

So my questions are:

1) Is there a way to remove the invalid pointer without having to disrupt 
services on the ipa01?

2) Do I need to clean this up in this location at all?

Thanks for your interest.


Steven Auerbach, Systems Administrator
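
An added diagnostic for the situation described in the two messages above (example code written for this page, not from the thread or from FreeIPA/389-ds). It unfolds a dse.ldif and reports every host referenced by the replica entry's nsDS5ReplicaBindDN values or by an agreement's nsDS5ReplicaHost that is not in the output of ipa-replica-manage list. A bind DN only says who may bind for replication; outbound connection attempts come from agreement entries, so the check covers both. The sample is the thread's own replica entry with the anonymised "<>" domain replaced by the placeholder "example", plus a constructed agreement entry for ipa-r02; both are assumptions.

```python
"""Report hosts referenced by replication entries in a 389-ds dse.ldif that
are no longer masters according to 'ipa-replica-manage list'.  Added example
for this page, not code from the thread or from FreeIPA/389-ds.  The sample
below is the thread's replica entry with the anonymised '<>' domain replaced
by the placeholder 'example', plus a constructed agreement entry.
"""
import re
from typing import Dict, List, Tuple

HOST_IN_BIND_DN = re.compile(r"krbprincipalname=ldap/([^@,]+)@", re.IGNORECASE)


def unfold_ldif(text: str) -> List[Tuple[str, str]]:
    """Join LDIF continuation lines and return (attr, value) pairs; ('', '')
    marks an entry boundary.  Base64 ('::') values come back undecoded; none
    of the attributes inspected here use that encoding."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]   # RFC 2849 folding: a leading space continues the previous line
        else:
            lines.append(raw)
    pairs: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip():
            pairs.append(("", ""))
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            pairs.append((attr.strip(), value.lstrip(": ").strip()))
    return pairs


def find_stale_replica_refs(dse_ldif: str, current_masters: List[str]) -> Dict[str, List[str]]:
    """Map each referenced host that is not a current master to the DNs of the
    entries that still reference it (nsDS5ReplicaBindDN in the replica entry,
    nsDS5ReplicaHost in agreement entries)."""
    live = {h.lower().rstrip(".") for h in current_masters}
    stale: Dict[str, List[str]] = {}
    dn = ""
    for attr, value in unfold_ldif(dse_ldif):
        a = attr.lower()
        if a == "":
            dn = ""
        elif a == "dn":
            dn = value
        else:
            host = None
            if a == "nsds5replicabinddn":
                m = HOST_IN_BIND_DN.search(value)
                host = m.group(1) if m else None   # 'cn=replication manager,cn=config' names no host
            elif a == "nsds5replicahost":
                host = value
            if host and host.lower().rstrip(".") not in live:
                stale.setdefault(host.lower().rstrip("."), []).append(dn)
    return stale


# The thread's replica entry, folded the way dse.ldif actually writes it, and a
# constructed agreement entry for the replica that does still exist.
SAMPLE_DSE = r"""dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=example,dc=local
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa02.example.local@EXAMPLE.LOCAL,cn=servi
 ces,cn=accounts,dc=example,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-r02.example.local@EXAMPLE.LOCAL,cn=ser
 vices,cn=accounts,dc=example,dc=local
nsState:: BADcWM9WAAEAZQADAA==
nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802

dn: cn=meToipa-r02.example.local,cn=replica,cn=dc\3Dexample\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meToipa-r02.example.local
nsDS5ReplicaHost: ipa-r02.example.local
nsDS5ReplicaPort: 389
"""

# What 'ipa-replica-manage list' reported on both servers in the thread.
CURRENT_MASTERS = ["ipa01.example.local", "ipa-r02.example.local"]

if __name__ == "__main__":
    for host, dns in find_stale_replica_refs(SAMPLE_DSE, CURRENT_MASTERS).items():
        print("stale reference to %s in:" % host)
        for entry in dns:
            print("  " + entry)
```

Once a stale host is identified, remove it with the tooling rather than by editing dse.ldif (which must only be edited with dirsrv stopped): on a surviving master run ipa-replica-manage del ipa02.example.local --force --cleanup, then ipa-replica-manage list-ruv and, if the removed replica ID is still listed, ipa-replica-manage clean-ruv <id>. Both ipa-replica-manage list and ipa-csreplica-manage list read the masters container in the directory, not the replica entry in dse.ldif, which is why a host can be absent from their output and still be named in a bind DN.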

[Freeipa-users] IPA Replicant Clean-up Needed?

2016-02-25 Thread Auerbach, Steven
My IPA LDAP/CS Master logs errors regularly (every few minutes) that seem to be 
based upon an attempt to communicate with a replica that no longer exists.

Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:22 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Cannot contact any KDC for realm 
'REALM.LOCAL')
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust 
"timeout" parameter
Feb 25 14:38:45 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Server ldap/ipa02.realm.local@REALM.LOCAL 
not found in Kerberos database)

The only place I found any references to the server ipa02 is in dse.ldif files 
in the /etc/dirsrv/slapd-REALM-LOCAL/ folders

Quote from dse.ldif:
dn: cn=replica,cn=dc\3Drealm\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=realm,dc=local
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa02.realm.local@REALM.LOCAL,cn=servi
ces,cn=accounts,dc=fbog,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-r02.realm.local@REALM.LOCAL,cn=ser
vices,cn=accounts,dc=realm,dc=local
creatorsName: cn=directory manager
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20130924144354Z
modifyTimestamp: 20160225194116Z
nsState:: BADcWM9WAAEAZQADAA==
nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
numSubordinates: 1


When I execute "ipa-replica-manage list" from either the master or replica 
server I get the same response:
ipa01.realm.local: master
ipa-r02.realm.local: master

and when I execute "ipa-csreplica-manage list" from either the master or the 
replica server I get the same response:
ipa01.fbog.local: master
ipa-r02.fbog.local: CA not configured

I know we are configured in "multi-master" mode and that the CA is only on the 
master. I would have expected one of these commands to include the "ipa02" 
server as well since it is in the dse.ldif file.


From an operating perspective, identity management operations (including 
signing on to the browser-based interface and updates made one server showing 
up on the other) from the replica (ipa-r02) are much faster than from the 
master (ipa01). I am intuiting that this is because any task executing on the 
replica has only a replica pointer to the master, whereas any operation on the 
master that tries to replicate has to timeout on the invalid pointer to 
"ipa02" before it can actually communicate with the replica (ipa-r02).  Of 
course my intuition could be completely wrong and my actual understanding of 
how this process works is nil.

I would like to clean up this environment, however, before I hand the reins 
over to the next person on my team.

So my question is: What is the best way to remove the invalid pointer without 
having to disrupt services on the master?


Steven Auerbach
Systems Administrator

State University System of Florida
Board of Governors
325 West Gaines Street, Suite 1625C
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | www.flbog.edu

Re: [Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M

2015-02-06 Thread Auerbach, Steven
Ran the suggested command from the primary (master) IPA:
[root@ipaN1 ~]# ipa-replica-manage list -v ipaN1..local
ipa-N2..local: replica
  last init status: None
  last init ended: None
  last update status: -1  - LDAP error: Can't contact LDAP server
  last update ended: None

Then ran it from the replicant IPA:
[root@ipa-N2 ~]# ipa-replica-manage list -v ipa-N2..local
Directory Manager password: entered it as required 

ipaN1..local: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update 
succeeded
  last update ended: 2015-02-06 14:10:43+00:00


Not sure if the last update status is the current state or the last line of a log 
from when an update was attempted, but I double-checked this morning that the user in 
question from yesterday still showed up with an unmatched password expiration 
date in the GUI of the replicant IPA.

So we stopped all IPA-related services on the master (# service ipa stop) 
waited a few, then restarted them (# service ipa start). Re-ran the query and 
the last update status message had not changed.

We ran an ldapsearch on each IPA server querying for nsds5ReplConflict and each 
responded the same:
# search result
search: 2
result: 0 Success

# numResponses: 1

Now we looked at the /etc/resolv.conf on the primary IPA and found:
search localdomain
nameserver 8.8.8.8

so we manually edited the file (IPA primary is .206 and IPA replicant is .207):
search .local
nameserver 10.200.23.206
nameserver 10.200.23.207

and rebooted the server.

When it came back up we checked the /etc/resolv.conf and it had changed back to 
the values as before the manual edit.  I have never seen this resolver 
configuration file self-change behavior before on any Linux server and it 
confuses me. We edited the file again and rebooted again and it changed again.

Interestingly after the third reboot, where the /etc/resolv.conf ultimately 
looked like this:
[root@ipaN1 ~]# cat /etc/resolv.conf
search localdomain
nameserver 127.0.0.1 8.8.8.8

I was unable to ping an outside name:
[root@ipaN1 ~]# ping yahoo.com
ping: unknown host yahoo.com

But I was able to ping the IPA replicant:
[root@ipaN1 ~]# ping ipa-N2..local
PING ipa-N2..local (10.200.23.207) 56(84) bytes of data.
64 bytes from ipaN2..local (10.200.23.207): icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from ipaN2..local (10.200.23.207): icmp_seq=2 ttl=64 time=0.206 ms
64 bytes from ipaN2..local (10.200.23.207): icmp_seq=3 ttl=64 time=0.182 ms 

Just by chance I ran the query again and voila:
[root@ipaN1 ~]# ipa-replica-manage list -v ipaN1..local 
 
ipa-N2..local: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update 
started
  last update ended: None


Replication took place.  I checked the user in question through GUI on the IPA 
replicant and the password expiration now matches the IPA primary.

What made the update finally happen?
Why is /etc/resolv.conf being rewritten? Should it point to outside interfaces 
instead of localhost / localdomain? 
Will replication continue across future changes or will I have to massage this 
every time?

This is so strange.


Steven Auerbach
Systems Administrator
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
steven.auerb...@flbog.edu | www.flbog.edu




-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Thursday, February 05, 2015 4:10 PM
To: Auerbach, Steven; IPA User Maillist (freeipa-users@redhat.com)
Cc: Ouellet, Dan
Subject: Re: [Freeipa-users] Replication not happening for user password 
changes even after increasing the nsslapd-sasl-max-buffers to 2M

Auerbach, Steven wrote:
> A user contacted me today for a password reset.  I made the reset on 
> the ipa-primary. The user opened a terminal session on an SSH Client 
> to a server in the realm and logged in. They received the required 
> immediate password change requirement and did so. They can log off and 
> log back on that same server with their new password.  They attempted 
> to open a terminal shell to another server in the realm. Their new 
> password is not accepted.
>
> Both servers the user is attempting to connect to have the nameserver 
> resolution in the same order (resolv.conf).
>
> On the ipa-primary their password expiration is 90 days from today.  
> On the ipa-replicant the password expiration is about 60 days out (I 
> did this with them Jan 13th also but they lost their password.). It 
> has been an hour since the user logged on to the server and made their 
> required change.
>
> 2 questions arise:
>
> How to safely update replicant with the password change without 
> changing the primary/replicant
[Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M

2015-02-05 Thread Auerbach, Steven
A user contacted me today for a password reset.  I made the reset on the 
ipa-primary. The user opened a terminal session on an SSH Client to a server in 
the realm and logged in. They received the required immediate password change 
requirement and did so. They can log off and log back on that same server with 
their new password.  They attempted to open a terminal shell to another server 
in the realm. Their new password is not accepted.

Both servers the user is attempting to connect to have the nameserver 
resolution in the same order (resolv.conf).

On the ipa-primary their password expiration is 90 days from today.  On the 
ipa-replicant the password expiration is about 60 days out (I did this with 
them Jan 13th also but they lost their password.). It has been an hour 
since the user logged on to the server and made their required change.

2 questions arise:
How to safely update replicant with the password change without changing the 
primary/replicant relationship order?
How to force the other server to refer to the ipa-primary to validate the 
password?

Thanks


Steven Auerbach
Systems Administrator
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
steven.auerb...@flbog.edu | www.flbog.edu

[Freeipa-users] IPA-Server v3.0 Replication Broken

2015-01-29 Thread Auerbach, Steven
We have a pair of IPA Servers for our network. Our servers are Oracle Linux 6 
x86_64 with the ipa-server.3.0.X packages [up to date as distributed by Oracle 
Linux].

Recently we noticed that the master (IPA01) is replicating fine to the 
designated replicant. But changes that are made on the replicant do not get 
back to the master.

This is true when ipa-clients register (if the registration script grabs the 
replicant for registration then the host enrollment and DNS will not make it 
back to the master).
This is true when users make a password change. If the password process grabs 
the master then replication to the replicant is fine, but if the change process 
grabs the replicant it will not make it back to the master. Then the user login 
is broken.
This is true when, in the IPA Admin Web Interface we delete a host entry or DNS 
record. If done on the master the change replicates to the replicant. If the 
change is made on the replicant it does not make it to the master.

We have not found anything in the documentation that helps us understand where 
to proceed or what to do to diagnose the replication problem. We have tried 
removing the replicant from the IPA server configuration and powering off the 
box, creating a new server and reconstructing a new replica on that new server. 
The problem persists. We suspect the issue lies in some configuration somewhere 
on the master, but know not where to go next.

Anyone have a similar experience and overcome it? We will take any advice we 
can get!

With appreciation and respect;

Steven Auerbach
Systems Administrator
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
www.flbog.edu