Re: [Freeipa-users] Problem with replication after restore
On 03/09/2011 06:20 AM, tomasz.napier...@allegro.pl wrote:
> Hi,
> Recently we had to move our freeipa master into separate infrastructure. Because we use KVM, server was shutdown, gzipped, scped and restored on other KVM host. It looks like since then replication stopped completely. On the slave I can see such entries in the logs:
>
> [04/Mar/2011:14:59:17 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [04/Mar/2011:14:59:17 +0100] - Listening on All Interfaces port 636 for LDAPS requests
> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Missing data encountered
> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Incremental update failed and requires administrator action

Not sure what happened here. How long has the server been down? You will need to reinitialize the slave from the master.

> On the master
> [09/Mar/2011:00:00:00 +0100] NSMMReplicationPlugin - agmt=cn=meToSLAVE636 XXX:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes

You can ignore this message.

> We have
> 389-ds-base-1.2.6.1-2.fc12.x86_64
> ipa-server-1.2.2-3.fc12.x86_64
> on both servers.
> How can I force synchronization to work?
>
> Regards,

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Problem with replication after restore
On 2011-03-09, at 15:09, Rich Megginson wrote:

8<---
>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Missing data encountered
>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Incremental update failed and requires administrator action
> Not sure what happened here. How long has the server been down? You will need to reinitialize the slave from the master.

Server was down for 2-3 hours. Currently slave has more recent data, because it is in our production environment (master is in backup DC).

I don't have much experience with 389, and it seems that in FreeIPA setup 389 DS is in minimal form. So how can I reinitialize slave? Is there any chance to transfer changes from slave to master? I'm afraid that losing changes on slave would be a disaster (there were hundreds of users added).

Regards,
--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/
Re: [Freeipa-users] Problem with replication after restore
On 03/09/2011 09:15 AM, tomasz.napier...@allegro.pl wrote:
> On 2011-03-09, at 15:09, Rich Megginson wrote:
>
> 8<---
>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Missing data encountered
>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Incremental update failed and requires administrator action
>> Not sure what happened here. How long has the server been down? You will need to reinitialize the slave from the master.
>
> Server was down for 2-3 hours. Currently slave has more recent data, because it is in our production environment (master is in backup DC).
>
> I don't have much experience with 389, and it seems that in FreeIPA setup 389 DS is in minimal form. So how can I reinitialize slave? Is there any chance to transfer changes from slave to master? I'm afraid that losing changes on slave would be a disaster (there were hundreds of users added).

ipa-replica-manage - you would want to initialize the master from the slave. Please make a backup of your slave first.

> Regards,
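An added example, not part of the mailing-list thread or of FreeIPA/389 DS: a small triage script that applies the advice given in the replies above to the log lines the poster quoted, flagging agreements that need re-initialization and separating out the message that can be ignored. The names `classify`, `triage` and `RULES` are assumptions of this example, and the rule list covers only the messages discussed in this thread.

```python
import re
from collections import defaultdict

# Layout of the quoted error-log lines:
# [timestamp] NSMMReplicationPlugin - agmt=cn=<name> (<peer>:<port>): <message>
# The opening parenthesis is optional because the master's line lacks it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+"
    r"agmt=cn=(?P<agmt>\S+)\s+\(?(?P<peer>[^):\s]+:\d+)\)?:\s+(?P<msg>.*)$"
)

# Triage rules derived from the replies in this thread only; this is not a
# complete catalogue of 389 DS replication messages.
RULES = [
    ("Incremental update failed and requires administrator action", "reinit"),
    ("Missing data encountered", "reinit"),
    ("should not occur in state", "ignore"),
]
SEVERITY = {"ignore": 0, "unknown": 1, "reinit": 2}

def classify(msg):
    """Map one plugin message to 'reinit', 'ignore' or 'unknown'."""
    return next((v for needle, v in RULES if needle in msg), "unknown")

def triage(lines):
    """Group replication-plugin lines by agreement, keeping the worst verdict."""
    report = defaultdict(lambda: {"peer": None, "verdict": "ignore", "events": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. the "slapd started" line
        entry, verdict = report[m["agmt"]], classify(m["msg"])
        entry["peer"] = m["peer"]
        entry["events"].append((m["ts"], verdict, m["msg"]))
        if SEVERITY[verdict] > SEVERITY[entry["verdict"]]:
            entry["verdict"] = verdict
    return dict(report)

# Log lines as quoted in the thread (slave first, then master); XXX is the
# host placeholder the poster used.
SAMPLE = """\
[04/Mar/2011:14:59:17 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Missing data encountered
[04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt=cn=meToMASTER636 (XXX:636): Incremental update failed and requires administrator action
[09/Mar/2011:00:00:00 +0100] NSMMReplicationPlugin - agmt=cn=meToSLAVE636 XXX:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
"""

if __name__ == "__main__":
    for agmt, info in triage(SAMPLE.splitlines()).items():
        print(f"{agmt} -> {info['peer']}: {info['verdict']} ({len(info['events'])} events)")
```

A `reinit` verdict only says that an agreement needs re-initialization; which replica to initialize from depends on which side holds the data to keep, as the reply above points out.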
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
> On 03/09/2011 02:21 PM, Steven Jones wrote:
>> Hi,
>>
>> I had/have already done the uninstall...and re-install.
>>
>> Also I registered a brand new 2nd client...that hasn't worked either..
>
> How did you create the host record for it on the server?

I didn't, I ran ipa-client-install from the client

I have just run with the --uninstall flag and then re-run and it's failing as the client record was not removed...

Joining realm failed: Host is already joined

So the un-install script/flag isn't removing the client/host

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi,

I have gone into the webgui and manually removed the no1 client/host, it has now joined successfully...

So Yes, the next issue

regards

On Wed, 2011-03-09 at 14:51 -0500, Stephen Gallagher wrote:
> On 03/09/2011 02:45 PM, Steven Jones wrote:
>> I have setup a 2nd client I have the same result... but it looks like the keytab is correct? however LDAP logins still don't work...
>>
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> --
>> 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
>> 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
>> 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
>> 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
>
> Could you please check the SSSD debug logs on that machine as well? It may be a different problem now.
>
> --
> Stephen Gallagher
> RHCE 804006346421761
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/09/2011 03:09 PM, Steven Jones wrote:
> On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
>> On 03/09/2011 02:21 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> I had/have already done the uninstall...and re-install.
>>>
>>> Also I registered a brand new 2nd client...that hasn't worked either..
>>
>> How did you create the host record for it on the server?
>
> I didn't, I ran ipa-client-install from the client
>
> I have just run with the --uninstall flag and then re-run and it's failing as the client record was not removed...
>
> Joining realm failed: Host is already joined
>
> So the un-install script/flag isn't removing the client/host

We have a bug when it does not remove the keytab on the client. It is addressed but has not yet been in the build you are using.

When you uninstall, the machine tries to remove its keytab from the server (if it is accessible). If the server is not accessible for whatever reason you have to clean keytab on the host entry manually. Either via the ipa host commands or via ipa-rmkeytab remotely. The actual entry is not removed.

1) Run uninstall on the client
2) Make sure that the host entry is clean. Remove it on the server and re-add again.
3) Remove the keytab file and cert on the client (these bugs are fixed https://fedorahosted.org/freeipa/ticket/1028 https://fedorahosted.org/freeipa/ticket/1029)
4) Install client again

Everything should work. If not please send us the logs.

> regards

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8<---
> 4) Install client again
>
> Everything should work. If not please send us the logs.

Not sure which logs as I'm losing track of so many suggestions/threads... but,

On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is zero length

I just tried to add a local user and set a password and I'm getting

passwd: Authentication token manipulation error

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
I rebooted both clients and after the reboot they now do IPA authentication..

So client1 we did some work on and it wouldn't work until a reboot... client2 I did nothing to until I rebooted... then that also worked

So I will make a third client and try that

Are there rpms scripts for a rhel6ws? I could try that as well...also RHEL5

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 10 March 2011 11:35 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

8<---
> 4) Install client again
>
> Everything should work. If not please send us the logs.

Not sure which logs as I'm losing track of so many suggestions/threads... but,

On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is zero length

I just tried to add a local user and set a password and I'm getting

passwd: Authentication token manipulation error

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones wrote:
> Ok,
>
> However I can't LDAP/Ipa authenticate still... on either client..
>
> So what next?

sssd handles logins, you can try turning up the log level on that (though I suspect it wasn't the reboot that fixed this but restarting sssd).

As part of ipa-client-install sssd is restarted and tested via 'getent passwd admin'. This should be visible in /var/log/ipaclient-install.log. Did this command succeed?

rob