Re: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-06-02 Thread Oleg Fayans

Hi Ludwig,

Nope, I did not remove the replica2 (this time), I just used the replica3
machine because I had it at hand. I'll re-run the whole procedure today
to see if it reproduces.


On 06/01/2015 04:52 PM, Ludwig Krispenz wrote:

Hi Oleg,
On 06/01/2015 04:14 PM, Petr Vobornik wrote:

On 06/01/2015 01:48 PM, Ludwig Krispenz wrote:


On 06/01/2015 01:34 PM, Oleg Fayans wrote:

So far I've bumped into a problem, using the newly built packages:

I've installed a master, a replica (replica1), then replica3 (prepared
on replica1), so my topology looks like this:

master = replica1 = replica3

However, the `ipa topologysegment-find` shows correct topology only on
replicas (not on master)

Looks like replication from replica1 to master is not/no longer working.
Will look into this.


With the same topology, replication works for me. I've not done 
anything else related to topology after the installation. Maybe some 
other operations caused that.

Could it be that you had a replica2 which you had removed?





The second problem is that the changes (like user creation) made on
any of the nodes do not get replicated to other ones. The dirsrv logs
are full of GSSAPI errors like this:


Seems to be caused by the first issue.



=
[01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -1 (Can't contact LDAP server)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 
(Success)

[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 
(Success)

[01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 0 (Success)
=

Full logs are attached
I am using the 389-ds-base from mreynolds/389-ds-base dnf repo:
root@testmaster:~]$ rpm -q 389-ds-base
389-ds-base-2015_03_11-1.fc21.x86_64


I used the one from mkosek/freeipa-master COPR: 
389-ds-base-1.3.4.a1-20150512143653.git1bf67a4.fc17.src.rpm






On 06/01/2015 11:19 AM, Oleg Fayans wrote:

Works for me too. Will perform extensive testing today, and report
everything that I find.
Thanks, Ludwig!

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:

This is a patch for the two issues reported in ticket #5035
https://fedorahosted.org/freeipa/ticket/5035




Works for me. I was able to install 2 replicas with domain level 1
in one topology.

Code looks good to me as well. Tentative ACK (would be nice if it
was skimmed by Thierry).






--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-06-02 Thread Petr Vobornik

On 06/01/2015 03:10 PM, thierry bordaz wrote:

On 06/01/2015 11:19 AM, Oleg Fayans wrote:

Works for me too. Will perform extensive testing today, and report
everything that I find.
Thanks, Ludwig!

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:

This is a patch for the two issues reported in ticket #5035
https://fedorahosted.org/freeipa/ticket/5035




Works for me. I was able to install 2 replicas with domain level 1 in
one topology.

Code looks good to me as well. Tentative ACK (would be nice if it was
skimmed by Thierry).



Sorry for the late feedback. This change looks good to me as well. ACK



Pushed to master: faa4d0b6ea6e911c1098b070d1959b3106d5b5b2

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-06-01 Thread Ludwig Krispenz


On 06/01/2015 01:34 PM, Oleg Fayans wrote:

So far I've bumped into a problem, using the newly built packages:

I've installed a master, a replica (replica1), then replica3 (prepared
on replica1), so my topology looks like this:


master = replica1 = replica3

However, the `ipa topologysegment-find` shows correct topology only on 
replicas (not on master)

Looks like replication from replica1 to master is not/no longer working.
Will look into this.


master:
root@testmaster:~]$ ipa topologysegment-find
Suffix name: realm
-
1 segment matched
-
  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both

Number of entries returned 1


replica1:
ofayans@replica1:~]$ ipa topologysegment-find
Suffix name: realm
--
2 segments matched
--
  Segment name: replica1.zaeba.li-to-replica3.zaeba.li
  Left node: replica1.zaeba.li
  Right node: replica3.zaeba.li
  Connectivity: both

  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both

Number of entries returned 2


replica3:
ofayans@replica3:~]$ ipa topologysegment-find
Suffix name: realm
--
2 segments matched
--
  Segment name: replica1.zaeba.li-to-replica3.zaeba.li
  Left node: replica1.zaeba.li
  Right node: replica3.zaeba.li
  Connectivity: both

  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both

Number of entries returned 2


The second problem is that the changes (like user creation) made on
any of the nodes do not get replicated to other ones. The dirsrv logs
are full of GSSAPI errors like this:


=
[01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -1 (Can't contact LDAP server)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send 
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send 
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 0 (Success)

=

Full logs are attached
I am using the 389-ds-base from mreynolds/389-ds-base dnf repo:
root@testmaster:~]$ rpm -q 389-ds-base
389-ds-base-2015_03_11-1.fc21.x86_64



On 06/01/2015 11:19 AM, Oleg Fayans wrote:
Works for me too. Will perform extensive testing today, and report
everything that I find.

Thanks, Ludwig!

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:

This is a patch for the two issues reported in ticket #5035
https://fedorahosted.org/freeipa/ticket/5035




Works for me. I was able to install 2 replicas with domain level 1 
in one topology.


Code looks good to me as well. Tentative ACK (would be nice if it 
was skimmed by Thierry).








-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
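
The comparison made by eye in the message above (the master shows one segment, the replicas show two) can be automated. This is an added example, not part of the original thread or of FreeIPA; `parse_segments` and `missing_by_node` are hypothetical helper names, and the sample text is the `ipa topologysegment-find` output posted above with the header lines trimmed.

```python
import re

# `ipa topologysegment-find` output as posted in the thread (headers trimmed).
MASTER = """\
  Segment name: replica1.zaeba.li-to-testmaster.zaeba.li
  Left node: replica1.zaeba.li
  Right node: testmaster.zaeba.li
  Connectivity: both
"""
REPLICA = MASTER + """
  Segment name: replica1.zaeba.li-to-replica3.zaeba.li
  Left node: replica1.zaeba.li
  Right node: replica3.zaeba.li
  Connectivity: both
"""

FIELD = re.compile(r"^\s*(Segment name|Left node|Right node|Connectivity):\s*(\S+)\s*$")
REQUIRED = {"Left node", "Right node", "Connectivity"}

def _flush(record, out):
    # Keep only complete records; a segment is an unordered node pair.
    if REQUIRED <= record.keys():
        pair = frozenset((record["Left node"], record["Right node"]))
        out.add((pair, record["Connectivity"]))

def parse_segments(text):
    """Return the set of (node pair, connectivity) seen in one node's output."""
    segments, record = set(), {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # banners, separators, "Number of entries returned"
        key, value = match.groups()
        if key == "Segment name" and record:
            _flush(record, segments)
            record = {}
        record[key] = value
    _flush(record, segments)
    return segments

def missing_by_node(views):
    """Map node -> segments that some other node reports but this one lacks."""
    parsed = {node: parse_segments(text) for node, text in views.items()}
    union = set().union(*parsed.values())
    return {node: union - segs for node, segs in parsed.items() if union - segs}

if __name__ == "__main__":
    views = {"testmaster": MASTER, "replica1": REPLICA, "replica3": REPLICA}
    for node, segs in missing_by_node(views).items():
        for pair, conn in segs:
            print(f"{node} is missing segment {sorted(pair)} ({conn})")
```

A node that lacks a segment every other node reports is not receiving topology updates, which matches the diagnosis in the thread that replication from replica1 to master had stopped.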

Re: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-06-01 Thread Oleg Fayans
Works for me too. Will perform extensive testing today, and report
everything that I find.

Thanks, Ludwig!

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:

This is a patch for the two issues reported in ticket #5035
https://fedorahosted.org/freeipa/ticket/5035




Works for me. I was able to install 2 replicas with domain level 1 in 
one topology.


Code looks good to me as well. Tentative ACK (would be nice if it was 
skimmed by Thierry).


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-06-01 Thread Petr Vobornik

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:

This is a patch for the two issues reported in ticket #5035
https://fedorahosted.org/freeipa/ticket/5035




Works for me. I was able to install 2 replicas with domain level 1 in 
one topology.


Code looks good to me as well. Tentative ACK (would be nice if it was 
skimmed by Thierry).

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-06-01 Thread Petr Vobornik

On 06/01/2015 01:48 PM, Ludwig Krispenz wrote:


On 06/01/2015 01:34 PM, Oleg Fayans wrote:

So far I've bumped into a problem, using the newly built packages:

I've installed a master, a replica (replica1), then replica3 (prepared
on replica1), so my topology looks like this:

master = replica1 = replica3

However, the `ipa topologysegment-find` shows correct topology only on
replicas (not on master)

Looks like replication from replica1 to master is not/no longer working.
Will look into this.


With the same topology, replication works for me. I've not done anything 
else related to topology after the installation. Maybe some other 
operations caused that.





The second problem is that the changes (like user creation) made on
any of the nodes do not get replicated to other ones. The dirsrv logs
are full of GSSAPI errors like this:


Seems to be caused by the first issue.



=
[01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -1 (Can't contact LDAP server)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 0 (Success)
=

Full logs are attached
I am using the 389-ds-base from mreynolds/389-ds-base dnf repo:
root@testmaster:~]$ rpm -q 389-ds-base
389-ds-base-2015_03_11-1.fc21.x86_64


I used the one from mkosek/freeipa-master COPR: 
389-ds-base-1.3.4.a1-20150512143653.git1bf67a4.fc17.src.rpm






On 06/01/2015 11:19 AM, Oleg Fayans wrote:

Works for me too. Will perform extensive testing today, and report
everything that I find.
Thanks, Ludwig!

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:

This is a patch for the two issues reported in ticket #5035
https://fedorahosted.org/freeipa/ticket/5035




Works for me. I was able to install 2 replicas with domain level 1
in one topology.

Code looks good to me as well. Tentative ACK (would be nice if it
was skimmed by Thierry).


--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-06-01 Thread Ludwig Krispenz

Hi Oleg,
On 06/01/2015 04:14 PM, Petr Vobornik wrote:

On 06/01/2015 01:48 PM, Ludwig Krispenz wrote:


On 06/01/2015 01:34 PM, Oleg Fayans wrote:

So far I've bumped into a problem, using the newly built packages:

I've installed a master, a replica (replica1), then replica3 (prepared
on replica1), so my topology looks like this:

master = replica1 = replica3

However, the `ipa topologysegment-find` shows correct topology only on
replicas (not on master)

Looks like replication from replica1 to master is not/no longer working.
Will look into this.


With the same topology, replication works for me. I've not done 
anything else related to topology after the installation. Maybe some 
other operations caused that.

Could it be that you had a replica2 which you had removed?





The second problem is that the changes (like user creation) made on
any of the nodes do not get replicated to other ones. The dirsrv logs
are full of GSSAPI errors like this:


Seems to be caused by the first issue.



=
[01/Jun/2015:07:04:48 -0400] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -1 (Can't contact LDAP server)
[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 
(Success)

[01/Jun/2015:07:09:46 -0400] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 
(Success)

[01/Jun/2015:07:09:47 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 0 (Success)
=

Full logs are attached
I am using the 389-ds-base from mreynolds/389-ds-base dnf repo:
root@testmaster:~]$ rpm -q 389-ds-base
389-ds-base-2015_03_11-1.fc21.x86_64


I used the one from mkosek/freeipa-master COPR: 
389-ds-base-1.3.4.a1-20150512143653.git1bf67a4.fc17.src.rpm






On 06/01/2015 11:19 AM, Oleg Fayans wrote:

Works for me too. Will perform extensive testing today, and report
everything that I find.
Thanks, Ludwig!

On 05/29/2015 04:44 PM, Ludwig Krispenz wrote:

This is a patch for the two issues reported in ticket #5035
https://fedorahosted.org/freeipa/ticket/5035




Works for me. I was able to install 2 replicas with domain level 1
in one topology.

Code looks good to me as well. Tentative ACK (would be nice if it
was skimmed by Thierry).



