[Freeipa-users] Re: master - replica relationship

2017-11-08 Thread dbischof--- via FreeIPA-users

Hola,

On Wed, 8 Nov 2017, Lachlan Musicman via FreeIPA-users wrote:


I'm still trying to wrap my head around the master-replica concept.

From what I read in the documentation (Chapter 4 of 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/)

the replica should be able to take over as master should master go 
offline.


Our replica was set up with CA & without DNS - the same as master, and 
it seems to be working on the whole.


The problem I'm having is in the replication. create user on master:

ipa user-add master_test_user --first=MT --last=ML

create user on replica:

ipa user-add replica_test_user --first=RT --last=RL

find user on master:

[root@vmpr-linuxidm ~]# ipa user-find test_user
---
2 users matched
---
[...]
find user on replica:
[root@vmdr-linuxidm ~]# ipa user-find test_user
--
1 user matched
--
[...]
If I run ipa user-add on the replica, I see it upstream on master, but 
if I run ipa add-user on the master, that's not replicated down to the 
replica.


Also, ipa user-del (even with --no-preserve) works on master, but 
doesn't delete the user on the replica.


What has gone wrong?


I had something similar recently (replica not "talking" to master). It 
turned out that replication refused to work in both directions for reasons 
still unknown to me. Finally, I had to reinstall my replica 
(ipa-replica-install --setup-ca) to make replication work again:


---
root@poolsrv:~# ipa topologysegment-find
Suffix name: domain
-
1 segment matched
-
  Segment name: o201.example.org-to-poolsrv.example.org
  Left node: o201.example.org
  Right node: poolsrv.example.org
  Connectivity: both

Number of entries returned 1

root@poolsrv:~# ipa topologysegment-find
Suffix name: ca
-
1 segment matched
-
  Segment name: o201.example.org-to-poolsrv.example.org
  Left node: o201.example.org
  Right node: poolsrv.example.org
  Connectivity: both

Number of entries returned 1

---

"Connectivity" is now "both" but used to be "left-right". I also had a lot 
of errors in the poolsrv (replica) directory server log referring to 
NSMMReplicationPlugin. You may want to check this in order to diagnose the 
problem.


Maybe, the augurs know a better way to fix this than to reinstall.


Mit freundlichen Gruessen/With best regards,

--Daniel.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: master - replica relationship

2017-11-08 Thread Florence Blanc-Renaud via FreeIPA-users

On 11/08/2017 04:52 AM, Lachlan Musicman via FreeIPA-users wrote:

Hola,

I'm still trying to wrap my head around the master-replica concept.

From what I read in the documentation (Chapter 4 of 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/)


the replica should be able to take over as master should master go offline.

Our replica was set up with CA & without DNS - the same as master, and 
it seems to be working on the whole.


The problem I'm having is in the replication.
create user on master:

ipa user-add master_test_user --first=MT --last=ML

create user on replica:

ipa user-add replica_test_user --first=RT --last=RL

find user on master:

[root@vmpr-linuxidm ~]# ipa user-find test_user
---
2 users matched
---
   User login: master_test_user
   First name: MT
   Last name: ML
   Home directory: /home/master_test_user
   Login shell: /bin/bash
   Principal name: master_test_u...@unix.domain.com
   Principal alias: master_test_u...@unix.domain.com
   Email address: master_test_u...@domain.com

   UID: 1718800021
   GID: 1718800021
   Account disabled: False

   User login: replica_test_user
   First name: RT
   Last name: RL
   Home directory: /home/replica_test_user
   Login shell: /bin/bash
   Principal name: replica_test_u...@unix.domain.com
   Principal alias: replica_test_u...@unix.domain.com
   Email address: replica_test_u...@domain.com

   UID: 1718850502
   GID: 1718850502
   Account disabled: False

Number of entries returned 2


find user on replica:
[root@vmdr-linuxidm ~]# ipa user-find test_user
--
1 user matched
--
   User login: replica_test_user
   First name: RT
   Last name: RL
   Home directory: /home/replica_test_user
   Login shell: /bin/bash
   Principal name: replica_test_u...@unix.domain.com
   Principal alias: replica_test_u...@unix.domain.com
   Email address: replica_test_u...@domain.com

   UID: 1718850502
   GID: 1718850502
   Account disabled: False

Number of entries returned 1


If I run ipa user-add on the replica, I see it upstream on master, but 
if I run ipa add-user on the master, that's not replicated down to the 
replica.


Also, ipa user-del (even with --no-preserve) works on master, but 
doesn't delete the user on the replica.


What has gone wrong?

Cheers
L.



--
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic 
civics is the insistence that we cannot ignore the truth, nor should we 
panic about it. It is a shared consciousness that our institutions have 
failed and our ecosystem is collapsing, yet we are still here — and we 
are creative agents who can shape our destinies. Apocalyptic civics is 
the conviction that the only way out is through, and the only way 
through is together. "


/Greg Bloom/ @greggish 
https://twitter.com/greggish/status/873177525903609857






Hi,

you are describing a situation where the replication from replica to 
master is working (user created on replica can be seen on master), but 
the replication from master to replica is not.


The replication should always be bilateral, meaning that you have an 
issue. These documents [1] and [2] both contain information on how to 
troubleshoot replication issues. You will need to start by looking at 
the directory server error logs.


HTH,
Flo.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#trouble-gen-replication


[2] https://www.freeipa.org/page/Troubleshooting#Directory_Server_issues
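The two checks suggested in this thread, Daniel's look at `ipa topologysegment-find` connectivity and Flo's advice to read the directory server error log, as an added example that is not code from the thread or from FreeIPA: the segment output and the 389-ds errors-log lines below are constructed samples, and the log layout, level names and messages are assumed rather than taken from the posts.

```python
"""Added example: flag one-directional segments in `ipa topologysegment-find`
output and pull NSMMReplicationPlugin entries out of 389-ds error-log lines."""
import re

# Constructed sample output of `ipa topologysegment-find` for both suffixes,
# with the domain segment still in the one-way state the thread describes.
SEGMENTS = """\
Suffix name: domain
  Segment name: o201.example.org-to-poolsrv.example.org
  Left node: o201.example.org
  Right node: poolsrv.example.org
  Connectivity: left-right

Suffix name: ca
  Segment name: o201.example.org-to-poolsrv.example.org
  Left node: o201.example.org
  Right node: poolsrv.example.org
  Connectivity: both
"""

# Constructed 389-ds errors-log lines in the assumed "[ts] - LEVEL - component - msg" layout.
ERRORS_LOG = """\
[08/Nov/2017:10:15:02.123456789 +0100] - INFO - main - 389-Directory/1.3.6.1 starting up
[08/Nov/2017:10:15:31.000000000 +0100] - ERR - NSMMReplicationPlugin - agmt="cn=meTopoolsrv.example.org" (poolsrv:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials)
[08/Nov/2017:10:16:40.000000000 +0100] - WARN - NSMMReplicationPlugin - agmt="cn=meTopoolsrv.example.org" (poolsrv:389): Unable to acquire replica: the replica is busy
"""

def one_way_segments(output):
    """Return [(suffix, segment, connectivity)] for segments not marked 'both'."""
    bad, suffix, seg = [], None, None
    for line in output.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Suffix name":
            suffix = val
        elif key == "Segment name":
            seg = val
        elif key == "Connectivity" and val != "both":
            bad.append((suffix, seg, val))
    return bad

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - NSMMReplicationPlugin - (?P<msg>.*)$")

def replication_errors(log, levels=("ERR", "WARN", "CRIT", "EMERG", "ALERT")):
    """Return (level, message) for NSMMReplicationPlugin lines at the given levels."""
    out = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("level") in levels:
            out.append((m.group("level"), m.group("msg")))
    return out
```

Run `one_way_segments` over the real command output for each suffix and `replication_errors` over /var/log/dirsrv/slapd-INSTANCE/errors on the replica; any segment not reporting "both", or any ERR-level plugin line, is the place to start reading.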