Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/26/2014 09:00 PM, Davis Goodman wrote:
On Mon, May 26, 2014 at 1:17 PM, Davis Goodman <davis.good...@digital-district.ca> wrote:
On Mon, May 26, 2014 at 4:22 AM, Martin Kosek <mko...@redhat.com> wrote:
On 05/25/2014 09:44 PM, Davis Goodman wrote:
On Wed, May 21, 2014 at 12:06 PM, Martin Kosek <mko...@redhat.com> wrote:

On 05/21/2014 08:36 AM, Davis Goodman wrote:

Hi,

Lately I've been having issues of replication between my server and my 2 replicas. I decided I was going to delete my 2 replicas and start over, keeping my master intact. I wasn't successful in getting all 3 servers to replicate to each other (it used to work). I tried deleting 1 replica after the other one to always keep one of the two available. I had to delete manually the replica host on the master with a bunch of ldapdelete commands, which worked fine. But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas. I went back to my master to use ldapdelete to remove both hosts' records so that I could start over. Unfortunately now I'm getting this error.

ldapdelete -x -D "cn=Directory Manager" -W "cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int"
Enter LDAP Password:
ldap_delete: Server is unwilling to perform (53)
additional info: database is read-only

I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation, but with a master in read-only mode it wouldn't be of much help. Any insights would be more than welcome.

Davis

On May 21, 2014, at 2:45, Martin Kosek <mko...@redhat.com> wrote:

Hi Davis,

did maybe some of your ipa-replica-manage crash in the middle of an operation, or was an upgrade interrupted and left the database in read-only mode? You can find out with this ldapsearch:

ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base

Check for nsslapd-readonly, it should be set to off in normal operation.

Martin

On 05/21/2014 09:12 AM, Davis Goodman wrote:

Ok, finally managed to modify the read-only flag. Could prepare my replicas and get them going. Everything seems fine but I'm getting this error while setting up the replicas. Should I be concerned about this one:

Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation

The rest seems to work fine.

On May 21, 2014, at 6:54, Martin Kosek <mko...@redhat.com> wrote:

You need to check ipareplica-install.log to see the real error. I wonder if cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX and cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX exist.

Martin

On 05/21/2014 01:31 PM, Davis Goodman wrote:

The first one is there:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
memberPrincipal: HTTP/freeipa01.prs.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa02.prs.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa02.mtl.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa01.chr.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa01.bxl.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa01.mtl.ddistrict@ddistrict.int
cn: ipa-http-delegation
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

But not the second one:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
No such object (32)
Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int

Also what is strange is that I got the error only on one of the replicas, the other one went through without
Re: [Freeipa-users] Stock with a Master in read-only mode - SOLVED
On 05/27/2014 01:12 PM, Martin Kosek wrote:
On 05/26/2014 09:00 PM, Davis Goodman wrote:
[...]
Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/25/2014 09:44 PM, Davis Goodman wrote:
On Wed, May 21, 2014 at 12:06 PM, Martin Kosek <mko...@redhat.com> wrote:
[...]

Ok, I think I misguided you with the second DN, the real DN should be cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int, see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being
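The two delegation entries Martin names, and the exit status the installer printed, as an added example; this is not code from the thread or from FreeIPA. ldapmodify exits with the LDAP result code of the operation that failed: 20 is attributeOrValueExists, 32 is noSuchObject (what Davis's second ldapsearch returned) and 53 is unwillingToPerform (the "database is read-only" error at the start of the thread). So exit status 20 on an "add: memberPrincipal" means the value was already in the entry. The cn=ipa-http-delegation entry Davis posted does already list HTTP/freeipa02.mtl.ddistrict@ddistrict.int, the replica whose install reported the failure, which fits a value left behind by the earlier replica of the same name. The script below reads the two entries the LDIF touches and reports, per entry, whether an add would hit 32, hit 20, or succeed. Assumed: the suffix and realm from the thread, that replica-s4u2proxy.ldif adds HTTP/<fqdn>@REALM to cn=ipa-http-delegation and ldap/<fqdn>@REALM to cn=ipa-ldap-delegation-targets (inferred from Martin's pointer; confirm against the file on your master), a Directory Manager password file at a hypothetical path, and a constructed sample entry for the offline check.

```sh
#!/bin/sh
# Added example: not code from the thread or from FreeIPA. Checks the two
# S4U2Proxy delegation entries before re-running ipa-replica-install and
# names the LDAP result code that ldapmodify returned as its exit status.
# Assumptions: suffix/realm as in the thread; replica-s4u2proxy.ldif adds
# HTTP/<fqdn>@REALM to cn=ipa-http-delegation and ldap/<fqdn>@REALM to
# cn=ipa-ldap-delegation-targets (inferred, confirm against
# /usr/share/ipa/replica-s4u2proxy.ldif); Directory Manager password in a
# 0600 file (DM_PW_FILE, hypothetical default /root/.dm_pw).

SUFFIX="${SUFFIX:-dc=ddistrict,dc=int}"
REALM="${REALM:-DDISTRICT.INT}"
DM_DN='cn=Directory Manager'
PW_FILE="${DM_PW_FILE:-/root/.dm_pw}"
LDAP_HOST="${LDAP_HOST:-localhost}"

# Constructed sample modelled on the entry Davis posted, with one folded
# line exactly as ldapsearch prints it; used for the offline check only.
SAMPLE_HTTP_DELEGATION='dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr
 ict,dc=int
memberPrincipal: HTTP/freeipa01.prs.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa02.mtl.ddistrict@ddistrict.int
cn: ipa-http-delegation
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top'

# Join LDIF continuation lines (a line starting with one space continues
# the previous one) so attribute values can be matched whole.
unfold_ldif() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'
}

# Name the LDAP result codes (RFC 4511) that appear in this thread.
ldap_rc_meaning() {
    case "$1" in
        0)  echo success ;;
        20) echo attributeOrValueExists ;;
        32) echo noSuchObject ;;
        53) echo unwillingToPerform ;;
        *)  echo "resultCode $1" ;;
    esac
}

# stdin: LDIF of one entry (empty when the search failed); $1: principal.
# Prints "missing" (no entry: an add would return 32), "present" (value
# already there: an add would return 20) or "absent" (add should succeed).
membership_status() {
    ldif=$(unfold_ldif)
    if ! printf '%s\n' "$ldif" | grep -q '^dn: '; then
        echo missing
    elif printf '%s\n' "$ldif" | grep -Fxq "memberPrincipal: $1"; then
        echo present
    else
        echo absent
    fi
}

# Live precheck for one replica FQDN: reports both entries the LDIF touches.
delegation_precheck() {
    fqdn=$1
    for spec in "cn=ipa-http-delegation HTTP" "cn=ipa-ldap-delegation-targets ldap"; do
        set -- $spec
        dn="$1,cn=s4u2proxy,cn=etc,$SUFFIX"
        princ="$2/$fqdn@$REALM"
        status=$(ldapsearch -LLL -H "ldap://$LDAP_HOST" -x -D "$DM_DN" -y "$PW_FILE" \
                    -b "$dn" -s base memberPrincipal 2>/dev/null | membership_status "$princ")
        case $status in
            missing) echo "MISSING  $dn  (add would return $(ldap_rc_meaning 32))" ;;
            present) echo "PRESENT  $princ in $dn  (add would return $(ldap_rc_meaning 20))" ;;
            absent)  echo "ABSENT   $princ in $dn  (add should succeed)" ;;
        esac
    done
}

if [ $# -gt 0 ]; then
    delegation_precheck "$1"
fi
```

Run it as `sh precheck.sh freeipa02.mtl.ddistrict.int` on the master before reinstalling that replica. ldapmodify without -c stops at the first change that fails, so when the HTTP add returns 20, whichever change follows it in the same file may never have been attempted; that is why the script reports both entries rather than only the one named in the error. A PRESENT result for a host you are about to reinstall under the same name is harmless for that entry, but it will make the installer's ldapmodify fail exactly as in Davis's output, so either delete the stale memberPrincipal value first or verify afterwards, as Martin suggests, in ipareplica-install.log and with ldapsearch, that the second entry also received its value.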
Re: [Freeipa-users] Stock with a Master in read-only mode
On Mon, May 26, 2014 at 4:22 AM, Martin Kosek <mko...@redhat.com> wrote:
[...]
Re: [Freeipa-users] Stock with a Master in read-only mode
On Mon, May 26, 2014 at 1:17 PM, Davis Goodman <davis.good...@digital-district.ca> wrote:
[...]
Re: [Freeipa-users] Stock with a Master in read-only mode
On Wed, May 21, 2014 at 12:06 PM, Martin Kosek <mko...@redhat.com> wrote:
[...]

Ok, I think I misguided you with the second DN, the real DN should be
[Freeipa-users] Stock with a Master in read-only mode
Hi,

Lately I've been having issues of replication between my server and my 2 replicas. I decided I was going to delete my 2 replicas and start over, keeping my master intact. I wasn't successful in getting all 3 servers to replicate to each other (it used to work). I tried deleting 1 replica after the other one to always keep one of the two available. I had to delete manually the replica host on the master with a bunch of ldapdelete commands, which worked fine. But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas. I went back to my master to use ldapdelete to remove both hosts' records so that I could start over. Unfortunately now I'm getting this error.

ldapdelete -x -D "cn=Directory Manager" -W "cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int"
Enter LDAP Password:
ldap_delete: Server is unwilling to perform (53)
additional info: database is read-only

I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation, but with a master in read-only mode it wouldn't be of much help. Any insights would be more than welcome.

Davis

Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/21/2014 08:36 AM, Davis Goodman wrote:
[...]

Hi Davis,

did maybe some of your ipa-replica-manage crash in the middle of an operation, or was an upgrade interrupted and left the database in read-only mode? You can find out with this ldapsearch:

ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base

Check for nsslapd-readonly, it should be set to off in normal operation.

Martin
Re: [Freeipa-users] Stock with a Master in read-only mode
Right on, it is. What would be the ldapmodify command to change it? I'm not the most used to the syntax!

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104  Cell: +1 (514) 994-7360

On May 21, 2014, at 2:45, Martin Kosek <mko...@redhat.com> wrote:
[...] 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
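Martin's check and the ldapmodify Davis asks for, as an added example; this is not code from the thread or from FreeIPA. nsslapd-readonly is a per-backend attribute of 389-ds, held on the backend's entry under cn=ldbm database,cn=plugins,cn=config, with the values on and off; a replace of that attribute is the whole change. The script below parses the ldapsearch output for the flag, emits the LDIF that clears it, and reads the flag back to confirm. Assumed: the backend is FreeIPA's default userRoot, the bind is cn=Directory Manager, and the Directory Manager password sits in a 0600 file at a hypothetical path (DM_PW_FILE, default /root/.dm_pw) passed with -y rather than on the command line with -w as in the thread, so it stays out of shell history and `ps` output.

```sh
#!/bin/sh
# Added example: not code from the thread or from FreeIPA. Reads the 389-ds
# backend attribute Martin points at (nsslapd-readonly on the userRoot
# backend entry) and builds the ldapmodify Davis asks for.
# Assumptions: the backend is FreeIPA's default "userRoot"; bind as
# cn=Directory Manager; password read with -y from a 0600 file
# (DM_PW_FILE, hypothetical default /root/.dm_pw). -y uses the file content
# verbatim, so create it without a trailing newline: printf '%s' "$pw" > file

BACKEND_DN='cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
DM_DN='cn=Directory Manager'
PW_FILE="${DM_PW_FILE:-/root/.dm_pw}"
LDAP_HOST="${LDAP_HOST:-localhost}"

# Parse LDIF on stdin; print the nsslapd-readonly value ("on"/"off"), or
# "unset" if the entry carries no such attribute or the search printed nothing.
ro_state() {
    awk -F': ' '
        tolower($1) == "nsslapd-readonly" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# Emit the LDIF that sets the flag to $1 ("on" or "off").
ro_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-readonly\nnsslapd-readonly: %s\n' \
        "$BACKEND_DN" "$1"
}

# Live query: what is the flag right now?
check_readonly() {
    ldapsearch -LLL -H "ldap://$LDAP_HOST" -x -D "$DM_DN" -y "$PW_FILE" \
        -b "$BACKEND_DN" -s base nsslapd-readonly | ro_state
}

# Clear the flag, then read it back; fails if the backend still is not "off".
set_readwrite() {
    ro_ldif off | ldapmodify -H "ldap://$LDAP_HOST" -x -D "$DM_DN" -y "$PW_FILE" >/dev/null || return 1
    [ "$(check_readonly)" = off ]
}

case "${1:-}" in
    check) echo "nsslapd-readonly: $(check_readonly)" ;;
    fix)   set_readwrite && echo "userRoot is read-write again" ;;
esac
```

`sh readonly.sh check` prints the current state; `sh readonly.sh fix` applies the replace and confirms by re-reading the entry. If the backend already reports off but writes still fail with "database is read-only", the server-wide flag is the other place to look: the same nsslapd-readonly attribute exists on cn=config itself, so repeat the base-scope search with -b cn=config.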
Re: [Freeipa-users] Stock with a Master in read-only mode
On May 21, 2014, at 2:45 , Martin Kosek mko...@redhat.com wrote:
> Check for nsslapd-readonly, it should be set to off in normal operation.
>
> Martin

Ok, finally managed to modify the read-only flag. Could prepare my replicas and get them going. Everything seems fine but I'm getting this error while setting up the replicas. Should I be concerned about this one:

Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation

The rest seems to work fine.
Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/21/2014 09:12 AM, Davis Goodman wrote:
> Ok, finally managed to modify the read-only flag. Could prepare my replicas and get them going. Everything seems fine but I'm getting this error while setting up the replicas. Should I be concerned about this one:
>
>   [25/31]: enabling S4U2Proxy delegation
> ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
>   [26/31]: initializing group membership
>
> The rest seems to work fine.

You need to check ipareplica-install.log to see the real error. I wonder if cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX and cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX exist.

Martin
Re: [Freeipa-users] Stock with a Master in read-only mode
On May 21, 2014, at 6:54 , Martin Kosek mko...@redhat.com wrote:
> You need to check ipareplica-install.log to see the real error. I wonder if cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX and cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX exist.
>
> Martin

The first one is there:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
memberPrincipal: HTTP/freeipa01.prs.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa02.prs.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa02.mtl.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa01.chr.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa01.bxl.ddistrict@ddistrict.int
memberPrincipal: HTTP/freeipa01.mtl.ddistrict@ddistrict.int
cn: ipa-http-delegation
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

But not the second one:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
No such object (32)
Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int

Also, what is strange is that I got the error only on one of the replicas; the other one went through without any hiccups.

Thanks for the help.

Davis

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104 | Cell: +1 (514) 994-7360
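A scripted version of the check Martin asks for, written as an added example that is not code from the thread or from FreeIPA. OpenLDAP's ldapmodify uses the LDAP result code as its exit status, and 20 is attributeOrValueExists, the error an `add:` of a value that is already present produces; in the output above, HTTP/freeipa02.mtl.ddistrict@ddistrict.int is already a memberPrincipal of cn=ipa-http-delegation, which is the first thing to compare against the ldapmodify error recorded in ipareplica-install.log. The script reads the two s4u2proxy entries (the DNs are the ones named in this thread) and reports whether a replica's HTTP/ and ldap/ principals are already listed. The sample entry below is constructed with a placeholder suffix and realm; the live query assumes openldap-clients and a Directory Manager password file.

```shell
#!/bin/sh
# Added example (not from the Freeipa-users thread or FreeIPA). Reads the two
# s4u2proxy entries this thread discusses and reports whether a replica's
# HTTP/ and ldap/ principals are already memberPrincipal values there, which
# is the precondition for an "add:" in an LDIF failing with result code 20.
# Assumptions: openldap-clients; Directory Manager password in a file (-y).

# ldap_result_name CODE: readable name for an LDAP result code (ldapmodify
# and ldapsearch use it as their exit status).
ldap_result_name() {
    case "$1" in
        0)  echo success ;;
        20) echo attributeOrValueExists ;;
        32) echo noSuchObject ;;
        50) echo insufficientAccessRights ;;
        53) echo unwillingToPerform ;;
        *)  echo "other($1)" ;;
    esac
}

# unfold: join LDIF continuation lines (leading space) onto the previous
# line, so folded values such as the wrapped DNs in ldapsearch output compare
# as one string.
unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { print "" }'
}

# entry_present: 0 if the LDIF on stdin contains an entry (a dn: line).
entry_present() {
    grep -q '^dn: '
}

# has_principal PRINCIPAL: 0 if the LDIF on stdin lists PRINCIPAL as a
# memberPrincipal (case-insensitive, after unfolding).
has_principal() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    unfold | awk -v want="$want" '
        tolower($1) == "memberprincipal:" && tolower($2) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_delegation SUFFIX FQDN REALM HOST PWFILE: live check of both entries
# for the principals of replica FQDN. Returns 1 if an entry could not be read.
check_delegation() {
    suffix=$1; fqdn=$2; realm=$3; host=$4; pwfile=$5
    status=0
    for pair in 'cn=ipa-http-delegation HTTP' 'cn=ipa-ldap-delegation-targets ldap'; do
        set -- $pair
        dn="$1,cn=s4u2proxy,cn=etc,$suffix"
        principal="$2/$fqdn@$realm"
        out=$(ldapsearch -LLL -H "ldap://$host" -x -D 'cn=Directory Manager' \
                  -y "$pwfile" -b "$dn" -s base memberPrincipal 2>&1) || {
            rc=$?
            echo "$dn: ldapsearch failed: $(ldap_result_name "$rc")"
            status=1
            continue
        }
        if printf '%s\n' "$out" | has_principal "$principal"; then
            echo "$dn: $principal already listed (an 'add:' of it returns 20)"
        else
            echo "$dn: $principal not listed"
        fi
    done
    return $status
}

# Constructed sample (hypothetical EXAMPLE.TEST realm) of what ldapsearch
# prints for cn=ipa-http-delegation when the replica's principal is already
# there; one DN and one principal are folded the way ldapsearch wraps them.
SAMPLE_HTTP='dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=examp
 le,dc=test
memberPrincipal: HTTP/master01.example.test@EXAMPLE.TEST
memberPrincipal: HTTP/replica02.example.test@EXAMP
 LE.TEST
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top'

# sample_lists PRINCIPAL: offline form of the check against the sample entry.
sample_lists() {
    printf '%s\n' "$SAMPLE_HTTP" | has_principal "$1"
}

# Live usage:
#   sh check_delegation.sh dc=example,dc=test replica02.example.test EXAMPLE.TEST master01.example.test /root/.dmpw
if [ $# -eq 5 ]; then
    check_delegation "$@"
fi
```

Run it before re-installing a replica whose host entry was removed by hand: a principal left behind from the previous installation shows up as "already listed", and a missing entry (the noSuchObject case Davis hit with his guessed DN) is reported by name instead of as a bare exit status.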
Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/21/2014 01:31 PM, Davis Goodman wrote:
> But not the second one:
>
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> No such object (32)
> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>
> Also, what is strange is that I got the error only on one of the replicas; the other one went through without any hiccups.

Ok, I think I misguided you with the second DN, the real DN should be cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int, see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded. The key here is to check the error message of ldapmodify that was run on the