Re: [Freeipa-users] Replication problems with having more than one replica?
On 06/15/2012 12:12 AM, Steven Jones wrote:
> I have the forward zone (ods.vuw.ac.nz) set up in IPA but the reverse zone(s) is meant to be slaved back to the MS AD masters (vuw.ac.nz) and 10/8 and (130.195./16). What should the reverse/PTR zone setup look like? i.e. if I had a flat file aka bind and named.conf it's straightforward, I can just look at the file(s), and that a reverse zone file is created on the slave; however I have no screenshots or anything to indicate if I have set up that reverse function correctly. For instance there is nothing in /var/named/slaves, I have assumed that the slave data from the AD masters is actually held in the LDAP... so how do I prove that?

AFAIK there is no special requirement. Any host name for IPA server should translate to IP addresses. PTR records for those IP addresses should point back to A/ records used during original name->IP translation. (PTR should point to A records, not CNAME records.)

Actually it doesn't matter where records are stored, as long as DNS translation via servers configured in /etc/resolv.conf is functional.

> Also I notice when I create a zone using the dns ui it creates a file called 0.3.70.10, but when I add a replica it creates another zone file 3.70.10 and populates it, which it shouldn't as the MS AD is the master... yet I used --no-reverse in the replica command...

I'm not sure if I understood it correctly. Where are the files created? Can you post them to the list?

Petr^2 Spacek

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Simo Sorce [s...@redhat.com]
> Sent: Thursday, 14 June 2012 11:50 p.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users
> Subject: RE: [Freeipa-users] Replication problems with having more than one replica?
>
> On Thu, 2012-06-14 at 03:00 +0000, Steven Jones wrote:
> > Hi,
> >
> > 3 log sets from /var/log/dirsrv/slapd
>
> Looking at the first server's error log it looks like one of your replicas has a wrong PTR record and GSSAPI cannot therefore find the right ticket.
> Make sure your DNS is properly set up (or /etc/hosts entries) for all the servers.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
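The rule Petr states above (every IPA server name resolves to addresses, each address has a PTR pointing back to that name, and the PTR target is an A/AAAA name rather than a CNAME) can be checked mechanically before a replica is installed. The following is an added example, not code from the FreeIPA project or from anyone in this thread. It runs the check offline against a constructed resolver view; the host names follow the thread (ipam001..ipam003 in ods.vuw.ac.nz, reverse zone 3.70.10.in-addr.arpa), while the addresses, the ipa2 alias and the stale ipa3-old PTR are assumptions made up for the example. The live_maps helper shows how to build the same three maps from the real resolver in /etc/resolv.conf.

```python
"""Forward/reverse DNS consistency check for the servers in an IPA replication topology.

Added example: not code from the FreeIPA project or from anyone in the thread.
It encodes the rule Petr gives: every IPA server name must resolve to
addresses, each address must have a PTR pointing back to the name that was
looked up, and the PTR target must be an A/AAAA owner name, not a CNAME.
MIT Kerberos canonicalises service host names through reverse DNS by default
(the krb5.conf "rdns" setting), so a stale or aliased PTR makes a replica ask
for a ticket for the wrong ldap/<host> principal and the replication bind fails.

The zone data below is constructed. The host names follow the thread
(ipam001..ipam003 in ods.vuw.ac.nz, reverse zone 3.70.10.in-addr.arpa);
the addresses, the ipa2 alias and the stale ipa3-old PTR are made up.
"""

# Resolver view as the servers in /etc/resolv.conf would answer it (constructed).
FORWARD = {                                   # owner name -> A/AAAA addresses
    "ipam001.ods.vuw.ac.nz": ["10.70.3.1"],
    "ipam002.ods.vuw.ac.nz": ["10.70.3.2"],
    "ipam003.ods.vuw.ac.nz": ["10.70.3.3"],
}
CNAMES = {                                    # alias -> canonical name
    "ipa2.ods.vuw.ac.nz": "ipam002.ods.vuw.ac.nz",
}
REVERSE = {                                   # address -> PTR targets
    "10.70.3.1": ["ipam001.ods.vuw.ac.nz"],
    "10.70.3.2": ["ipa2.ods.vuw.ac.nz"],      # PTR to an alias: rejected below
    "10.70.3.3": ["ipa3-old.ods.vuw.ac.nz"],  # stale PTR left from a removed replica
}


def resolve(name, forward=FORWARD, cnames=CNAMES, max_hops=8):
    """Follow a bounded CNAME chain and return (canonical_name, addresses)."""
    hops = 0
    while name in cnames and hops < max_hops:
        name = cnames[name]
        hops += 1
    return name, list(forward.get(name, []))


def check_peer(name, forward=FORWARD, cnames=CNAMES, reverse=REVERSE):
    """Return the list of DNS problems for one IPA server name; an empty list means it is consistent."""
    problems = []
    canonical, addrs = resolve(name, forward, cnames)
    if canonical != name:
        problems.append(f"{name} is a CNAME for {canonical}: install/replicate with the canonical name")
    if not addrs:
        problems.append(f"{canonical} has no A/AAAA record")
    for ip in addrs:
        ptrs = reverse.get(ip, [])
        if not ptrs:
            problems.append(f"{ip} has no PTR record")
            continue
        if canonical not in ptrs:
            problems.append(f"PTR for {ip} gives {ptrs}, not {canonical}")
        for target in ptrs:
            if target in cnames:
                problems.append(f"PTR for {ip} points at CNAME {target}")
            elif ip not in forward.get(target, []):
                problems.append(f"PTR target {target} for {ip} does not resolve back to {ip}")
    return problems


def check_topology(peers=None, forward=FORWARD, cnames=CNAMES, reverse=REVERSE):
    """Map every IPA server name to its problems; all-empty lists mean DNS is consistent for the topology."""
    peers = list(peers) if peers is not None else sorted(forward)
    return {name: check_peer(name, forward, cnames, reverse) for name in peers}


def live_maps(names):
    """Build the same three maps from the real resolver (network; not used by the offline check above)."""
    import socket
    forward, cnames, reverse = {}, {}, {}
    for name in names:
        infos = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
        canonical = infos[0][3] or name          # canonname differs from name when name is a CNAME
        if canonical != name:
            cnames[name] = canonical
        forward[canonical] = sorted({info[4][0] for info in infos})
        for ip in forward[canonical]:
            try:
                reverse[ip] = [socket.gethostbyaddr(ip)[0]]
            except socket.herror:
                reverse[ip] = []
    return forward, cnames, reverse


if __name__ == "__main__":
    for host, problems in check_topology().items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Run it on each master with the maps from live_maps(list of all IPA server names) before ipa-replica-install and after any reverse zone change; every list must be empty. The check deliberately rejects a PTR that lands on a CNAME even when the alias eventually resolves to the right address, because Kerberos will build the principal from the alias, not from the name the agreement was created with.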
Re: [Freeipa-users] Replication problems with having more than one replica?
I have the forward zone (ods.vuw.ac.nz) set up in IPA but the reverse zone(s) is meant to be slaved back to the MS AD masters (vuw.ac.nz) and 10/8 and (130.195./16). What should the reverse/PTR zone setup look like? i.e. if I had a flat file aka bind and named.conf it's straightforward, I can just look at the file(s), and that a reverse zone file is created on the slave; however I have no screenshots or anything to indicate if I have set up that reverse function correctly. For instance there is nothing in /var/named/slaves, I have assumed that the slave data from the AD masters is actually held in the LDAP... so how do I prove that?

Also I notice when I create a zone using the dns ui it creates a file called 0.3.70.10, but when I add a replica it creates another zone file 3.70.10 and populates it, which it shouldn't as the MS AD is the master... yet I used --no-reverse in the replica command...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Thursday, 14 June 2012 11:50 p.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users
Subject: RE: [Freeipa-users] Replication problems with having more than one replica?

On Thu, 2012-06-14 at 03:00 +0000, Steven Jones wrote:
> Hi,
>
> 3 log sets from /var/log/dirsrv/slapd

Looking at the first server's error log it looks like one of your replicas has a wrong PTR record and GSSAPI cannot therefore find the right ticket.
Make sure your DNS is properly set up (or /etc/hosts entries) for all the servers.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Replication problems with having more than one replica?
On Thu, 2012-06-14 at 03:00 +0000, Steven Jones wrote:
> Hi,
>
> 3 log sets from /var/log/dirsrv/slapd

Looking at the first server's error log it looks like one of your replicas has a wrong PTR record and GSSAPI cannot therefore find the right ticket.
Make sure your DNS is properly set up (or /etc/hosts entries) for all the servers.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Replication problems with having more than one replica?
On Thu, 2012-06-14 at 01:56 +0000, Steven Jones wrote:
> Hi,
>
> I have done a restart numerous times demonstrating that named does not
> survive "service ipa restart" or a reboot..

FWIW you do not need to restart all IPA components, just dirsrv.

> I have just done it again on ipam001 (master) and created a user and
> that user doesn't appear on the second replica...but does on the first
> replica.
>
> I have also service ipa restart's ipa002 (1st replica) and ipam003
> (2nd replica) numerous times to no avail.
>
> So restarting isn't a fix right now, not for my setup anyway.

Please provide DS logs, if you are having replication errors they should show up in the logs.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
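Simo asks for the DS logs because a failing replication agreement leaves a trail in the 389-ds errors log (/var/log/dirsrv/slapd-<INSTANCE>/errors). The following is an added example, not code from the thread or from FreeIPA/389-ds: it scans that file for the NSMMReplicationPlugin "Replication bind with GSSAPI auth failed/resumed" messages, counts failures per agreement, and reports which agreements are still failing after their last event. The embedded log lines are constructed in the errors-log style; the agreement names (cn=meTo<host>) and the hosts follow the thread but are assumptions, not lines from the poster's logs. An agreement that keeps failing after the target replica was deleted and reinstalled is the cached-credential case Rob and Simo describe further down (restart dirsrv on this master); one that fails with no reinstall in between points at the PTR/DNS problem Simo diagnosed.

```python
"""Scan a 389-ds errors log for replication GSSAPI bind failures, per agreement.

Added example: not code from the thread or from FreeIPA/389-ds. It reads
/var/log/dirsrv/slapd-<INSTANCE>/errors (or any text in that format) and
reports, for each replication agreement, how many "Replication bind with
GSSAPI auth failed" events occurred and whether the agreement is still failing
(no later "resumed" event). The embedded log lines are constructed in the
errors-log style; the agreement names (cn=meTo<host>) and hosts follow the
thread but are assumptions, not lines from the poster's logs.
"""
import re
from collections import defaultdict

# "[timestamp] source - message" is the errors-log line shape.
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$")
# Replication plugin messages name the agreement and its target host:port.
AGMT = re.compile(r'agmt="cn=(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)')

FAILED = "Replication bind with GSSAPI auth failed"
RESUMED = "Replication bind with GSSAPI auth resumed"

# Constructed sample: ipam002 fails once and recovers, ipam003 keeps failing.
SAMPLE_LOG = """\
[14/Jun/2012:10:31:55 +1200] NSMMReplicationPlugin - agmt="cn=meToipam002.ods.vuw.ac.nz" (ipam002:389): Replication bind with GSSAPI auth resumed
[14/Jun/2012:10:32:11 +1200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[14/Jun/2012:10:32:11 +1200] NSMMReplicationPlugin - agmt="cn=meToipam003.ods.vuw.ac.nz" (ipam003:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[14/Jun/2012:10:35:11 +1200] NSMMReplicationPlugin - agmt="cn=meToipam003.ods.vuw.ac.nz" (ipam003:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[14/Jun/2012:10:36:02 +1200] NSMMReplicationPlugin - agmt="cn=meToipam002.ods.vuw.ac.nz" (ipam002:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[14/Jun/2012:10:36:40 +1200] NSMMReplicationPlugin - agmt="cn=meToipam002.ods.vuw.ac.nz" (ipam002:389): Replication bind with GSSAPI auth resumed
"""


def parse_errors_log(text):
    """Yield (timestamp, source, agreement_host_or_None, message) for every parsable line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # multi-line continuations and noise are skipped
        a = AGMT.search(m["msg"])
        yield m["ts"], m["src"], (a["host"] if a else None), m["msg"]


def replication_bind_status(text):
    """Per agreement target host: failure count, timestamp of last event, and whether it is still broken."""
    status = defaultdict(lambda: {"failures": 0, "last": None, "broken": False})
    for ts, _src, host, msg in parse_errors_log(text):
        if host is None:
            continue                      # e.g. the generic SASL bind error, which names no agreement
        if FAILED in msg:
            s = status[host]
            s["failures"] += 1
            s["last"], s["broken"] = ts, True
        elif RESUMED in msg:
            s = status[host]
            s["last"], s["broken"] = ts, False
    return dict(status)


def broken_agreements(text):
    """Sorted list of target hosts whose most recent bind event was a failure."""
    return sorted(h for h, s in replication_bind_status(text).items() if s["broken"])


def scan_file(path):
    """Convenience wrapper for a real errors log on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return replication_bind_status(fh.read())


if __name__ == "__main__":
    for host, s in sorted(replication_bind_status(SAMPLE_LOG).items()):
        print(f"{host}: {s['failures']} GSSAPI bind failure(s), last event {s['last']},",
              "STILL FAILING" if s["broken"] else "recovered")
```

Run scan_file on every master, not only the one where the user was created: in the thread each direction of each agreement fails independently (1 to 3 works while 2 to 3 does not), and the failure is logged on the supplier side of the agreement that cannot bind.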
Re: [Freeipa-users] Replication problems with having more than one replica?
Hi,

I have done a restart numerous times demonstrating that named does not survive "service ipa restart" or a reboot..

I have just done it again on ipam001 (master) and created a user and that user doesn't appear on the second replica...but does on the first replica.

I have also service ipa restart's ipa002 (1st replica) and ipam003 (2nd replica) numerous times to no avail.

So restarting isn't a fix right now, not for my setup anyway.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Thursday, 14 June 2012 1:34 p.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

On Wed, 2012-06-13 at 23:06 +0000, Steven Jones wrote:
> OK,
>
> I have got ipa3 back in as a replica, however when I add a user to ipa1
> (master) it flows to ipa2 (1st replica) but not to ipa3 (2nd replica) which I
> just added
>
> When I add a user to ipa2, it flows to ipa1 but not ipa3
>
> When I add a user to ipa3 it doesn't flow to 1 or 2.
>
> When I run ipa-manage-replica list on all three IPA servers I see all three
> are listed as masters.

If you reinstalled #3 but did not restart #1 after you deleted the previous #3 replica then replication will not work.

Restart #1 (assuming the replication topology is 1-3) and replication will commence.

This is an issue with re-install of a replica that we are going to address as soon as possible, meanwhile the workaround is to restart the master you are going to replicate from after you run a ipa-replica-manage del

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Replication problems with having more than one replica?
On Wed, 2012-06-13 at 23:06 +0000, Steven Jones wrote:
> OK,
>
> I have got ipa3 back in as a replica, however when I add a user to ipa1
> (master) it flows to ipa2 (1st replica) but not to ipa3 (2nd replica) which I
> just added
>
> When I add a user to ipa2, it flows to ipa1 but not ipa3
>
> When I add a user to ipa3 it doesn't flow to 1 or 2.
>
> When I run ipa-manage-replica list on all three IPA servers I see all three
> are listed as masters.

If you reinstalled #3 but did not restart #1 after you deleted the previous #3 replica then replication will not work.

Restart #1 (assuming the replication topology is 1-3) and replication will commence.

This is an issue with re-install of a replica that we are going to address as soon as possible, meanwhile the workaround is to restart the master you are going to replicate from after you run a ipa-replica-manage del

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Replication problems with having more than one replica?
OK,

I have got ipa3 back in as a replica, however when I add a user to ipa1 (master) it flows to ipa2 (1st replica) but not to ipa3 (2nd replica) which I just added

When I add a user to ipa2, it flows to ipa1 but not ipa3

When I add a user to ipa3 it doesn't flow to 1 or 2.

When I run ipa-manage-replica list on all three IPA servers I see all three are listed as masters.

??

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 14 June 2012 10:14 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

because I'm trying to clean out the old "memory" of the ex-replica first...I have to do that before I can re-add it for some reason.

All I have is the manual so I'm doing my best to repair a system that seems unstable... so I was advised to make a new replica key as the original one used to initially make a replication agreement was no good.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 14 June 2012 10:08 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

Steven Jones wrote:
> steps
>
> ==
> 1) Fresh replica key
> 2) attempt to join with the ipa-manage-replica key command this fails
> 3) Check the 2nd server's dirsrv is running (service dirsrv status), if not
> start it with service dirsrv start
> 4) run ipa-replica-manage force-sync -from ipa1 on ipa2
> 5) Check the 2nd server's dirsrv is still running
> 6) On Ipa1 (the master) run ipa-replica-manage del ipam002
> 7) run ipa-server-install --uninstall on ipam002
> 8) run ipa-server-install and this seems to succeed

I still don't understand. What is step #1? You add a new replica by doing an ipa-replica-prepare and ipa-replica-install. Is that what you mean? I don't understand why ipa-replica-manage would come into play when adding a new replica.

>
> So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3
> does NOT work. 1 to 3 does and 3 to 1 does. I tried running
> ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used
> to.
> ==
>
> So when adding 2 back in replication 1 to 3 breaks... so I tried removing 3
> and re-adding and that failed. I get a GSSAPI error

If you delete a replica you need to restart the dirsrv service on any masters it was connected to. 389-ds caches the GSSAPI credentials and re-installing a replica will generate new ones which won't get picked up until a restart.

rob
Re: [Freeipa-users] Replication problems with having more than one replica?
because I'm trying to clean out the old "memory" of the ex-replica first...I have to do that before I can re-add it for some reason.

All I have is the manual so I'm doing my best to repair a system that seems unstable... so I was advised to make a new replica key as the original one used to initially make a replication agreement was no good.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 14 June 2012 10:08 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

Steven Jones wrote:
> steps
>
> ==
> 1) Fresh replica key
> 2) attempt to join with the ipa-manage-replica key command this fails
> 3) Check the 2nd server's dirsrv is running (service dirsrv status), if not
> start it with service dirsrv start
> 4) run ipa-replica-manage force-sync -from ipa1 on ipa2
> 5) Check the 2nd server's dirsrv is still running
> 6) On Ipa1 (the master) run ipa-replica-manage del ipam002
> 7) run ipa-server-install --uninstall on ipam002
> 8) run ipa-server-install and this seems to succeed

I still don't understand. What is step #1? You add a new replica by doing an ipa-replica-prepare and ipa-replica-install. Is that what you mean? I don't understand why ipa-replica-manage would come into play when adding a new replica.

>
> So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3
> does NOT work. 1 to 3 does and 3 to 1 does. I tried running
> ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used
> to.
> ==
>
> So when adding 2 back in replication 1 to 3 breaks... so I tried removing 3
> and re-adding and that failed. I get a GSSAPI error

If you delete a replica you need to restart the dirsrv service on any masters it was connected to. 389-ds caches the GSSAPI credentials and re-installing a replica will generate new ones which won't get picked up until a restart.

rob
Re: [Freeipa-users] Replication problems with having more than one replica?
Steven Jones wrote:
> steps
>
> ==
> 1) Fresh replica key
> 2) attempt to join with the ipa-manage-replica key command this fails
> 3) Check the 2nd server's dirsrv is running (service dirsrv status), if not start it with service dirsrv start
> 4) run ipa-replica-manage force-sync -from ipa1 on ipa2
> 5) Check the 2nd server's dirsrv is still running
> 6) On Ipa1 (the master) run ipa-replica-manage del ipam002
> 7) run ipa-server-install --uninstall on ipam002
> 8) run ipa-server-install and this seems to succeed

I still don't understand. What is step #1? You add a new replica by doing an ipa-replica-prepare and ipa-replica-install. Is that what you mean? I don't understand why ipa-replica-manage would come into play when adding a new replica.

> So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3 does NOT work. 1 to 3 does and 3 to 1 does. I tried running ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used to.
> ==
>
> So when adding 2 back in replication 1 to 3 breaks... so I tried removing 3 and re-adding and that failed. I get a GSSAPI error

If you delete a replica you need to restart the dirsrv service on any masters it was connected to. 389-ds caches the GSSAPI credentials and re-installing a replica will generate new ones which won't get picked up until a restart.

rob
Re: [Freeipa-users] Replication problems with having more than one replica?
steps

==
1) Fresh replica key
2) attempt to join with the ipa-manage-replica key command this fails
3) Check the 2nd server's dirsrv is running (service dirsrv status), if not start it with service dirsrv start
4) run ipa-replica-manage force-sync -from ipa1 on ipa2
5) Check the 2nd server's dirsrv is still running
6) On Ipa1 (the master) run ipa-replica-manage del ipam002
7) run ipa-server-install --uninstall on ipam002
8) run ipa-server-install and this seems to succeed

So far 1 to 2 and 2 to 1 replication is running HOWEVER replication on 2 to 3 does NOT work. 1 to 3 does and 3 to 1 does. I tried running ipa-replica-manage force-sync --from ipam1 but this won't sync, yet it used to.
==

So when adding 2 back in replication 1 to 3 breaks... so I tried removing 3 and re-adding and that failed. I get a GSSAPI error

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 14 June 2012 9:54 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication problems with having more than one replica?

Steven Jones wrote:
> Hi,
>
> Has anyone seen replication issues when you have more than one replica?
>
> If I have ipa1 as the master and 2 as the replica I am OK, if I add ipa3 as a
> second replica 1 to 3 works both ways, and 2 to 1 works but not 1 to 2
>
> I removed and re-added 2 and find that 3 now no longer works
>

We need details. What doesn't work? How did you remove and re-add 2? Are any errors logged when this happens?

rob
Re: [Freeipa-users] Replication problems with having more than one replica?
Steven Jones wrote:
> Hi,
>
> Has anyone seen replication issues when you have more than one replica?
>
> If I have ipa1 as the master and 2 as the replica I am OK, if I add ipa3 as a second replica 1 to 3 works both ways, and 2 to 1 works but not 1 to 2
>
> I removed and re-added 2 and find that 3 now no longer works

We need details. What doesn't work? How did you remove and re-add 2? Are any errors logged when this happens?

rob
[Freeipa-users] Replication problems with having more than one replica?
Hi,

Has anyone seen replication issues when you have more than one replica?

If I have ipa1 as the master and 2 as the replica I am OK, if I add ipa3 as a second replica 1 to 3 works both ways, and 2 to 1 works but not 1 to 2

I removed and re-added 2 and find that 3 now no longer works

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272