Re: [Freeipa-users] IPA Replica cannot add user [SOLVED]
On 02/14/2014 01:49 PM, Martin Kosek wrote:
> Ok, this part seems ok then. I would then focus directly on the DNA operation itself. DNA plugin says:
>
>   [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_request_range: Error sending range extension extended operation request to server ipa01.example.com:389 [error 53]
>   [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_pre_op: no more values available!!
>
> Error 53 should be Unwilling to perform. Are there any errors in the master's dirsrv errors log? Is any free number available on the master server?
>
>   [master] $ ldapsearch -h `hostname` -D "cn=Directory Manager" -x -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' dnaNextValue dnaMaxValue
>
> Martin
>
> On 02/14/2014 12:36 PM, Bruno Henrique Barbosa wrote:
>> Hi Martin, thanks for the help.
>>
>> Yes, I already did that test. Created a user on ipa01 (master), then he appeared on ipa02 (replica); on the replica I modified his email address, and it appeared back on the master. Still, I cannot create a brand new user (or POSIX group) on ipa02.
>>
>>   [root@ipa01 ~]# ipactl status
>>   Directory Service: RUNNING
>>   KDC Service: RUNNING
>>   KPASSWD Service: RUNNING
>>   MEMCACHE Service: RUNNING
>>   HTTP Service: RUNNING
>>   CA Service: RUNNING
>>
>>   [root@ipa02 ~]# ipactl status
>>   Directory Service: RUNNING
>>   KDC Service: RUNNING
>>   KPASSWD Service: RUNNING
>>   MEMCACHE Service: RUNNING
>>   HTTP Service: RUNNING
>>
>> Interesting on the replica's /var/log/krb5kdc.log:
>>
>>   [root@ipa02 ~]# cat /var/log/krb5kdc.log | grep "Feb 13 15:31"
>>   Feb 13 15:31:13 ipa02 krb5kdc[1524](info): setting up network...
>>   Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 6: udp 0.0.0.0.88 (pktinfo)
>>   Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local address family 17
>>   Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local address family 17
>>   Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 8: tcp 0.0.0.0.88
>>   Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 7: tcp ::.88
>>   Feb 13 15:31:13 ipa02 krb5kdc[1524](info): set up 3 sockets
>>   Feb 13 15:31:13 ipa02 krb5kdc[1525](info): creating 4 worker processes
>>   Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 7
>>   Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 8
>>   Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 6
>>   Feb 13 15:31:13 ipa02 krb5kdc[1535](info): commencing operation
>>   Feb 13 15:31:13 ipa02 krb5kdc[1533](info): commencing operation
>>   Feb 13 15:31:13 ipa02 krb5kdc[1536](info): commencing operation
>>   Feb 13 15:31:13 ipa02 krb5kdc[1534](info): commencing operation
>>   Feb 13 15:31:14 ipa02 krb5kdc[1534](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example@example.com for krbtgt/example@example.com, Additional pre-authentication required
>>   Feb 13 15:31:14 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18}, ldap/ipa02.example@example.com for krbtgt/example@example.com
>>   Feb 13 15:31:14 ipa02 krb5kdc[1536](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18}, ldap/ipa02.example@example.com for ldap/ipa01.example@example.com
>>   Feb 13 15:31:28 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: NEEDED_PREAUTH: use...@example.com for krbtgt/example@example.com, Additional pre-authentication required
>>   Feb 13 15:31:28 ipa02 krb5kdc[1535](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, use...@example.com for krbtgt/example@example.com
>>   Feb 13 15:31:28 ipa02 krb5kdc[1535](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, use...@example.com for ldap/ipa02.example@example.com
>>
>> Running kinit -kt on the replica returns nothing on the prompt, but populates /var/log/krb5kdc.log with:
>>
>>   Feb 14 09:34:05 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example@example.com for krbtgt/example@example.com, Additional pre-authentication required
>>   Feb 14 09:34:05 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1392377645, etypes {rep=18 tkt=18 ses=18}, ldap/ipa02.example@example.com for krbtgt/example@example.com
>>
>> DNS is OK, resolving the FQDN of both master and replica forward and reverse.
>>
>> Bruno Henrique Barbosa Jr.
>> Sys Admin
>> IT Department
>> Santos City Hall
>>
>> ----- Original Message -----
>> From: Martin Kosek mko...@redhat.com
>> To: Bruno Henrique Barbosa bruno-barb...@prodesan.com.br, freeipa-users@redhat.com
>> Sent: Friday, 14 February 2014 5:51:49
>> Subject: Re: [Freeipa-users] IPA Replica cannot add user
>>
>> On 02/13/2014 06:55 PM, Bruno Henrique Barbosa wrote:
>>> Hi everyone
Re: [Freeipa-users] IPA Replica cannot add user [SOLVED]
Martin Kosek wrote:
> On 02/14/2014 01:49 PM, Martin Kosek wrote:
>
> Bruno sent me the logs privately, let me just share the solution of this case with the list.
>
> The problem here was that the master had only 1000 numbers allocated (chosen during IPA installation). Therefore, it had less than 1000 numbers free. When the replica asked for some free numbers from it, it refused to give any, as it would lower its pool of free numbers below 500 (dnaThreshold setting).
>
> Bruno was able to fix the issue with this command run on the master:
>
>   $ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
>   dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>   changetype: modify
>   replace: dnaMaxValue
>   dnaMaxValue: 5000

He should also run idrange-find to see if there is an IPA range listed and adjust it to match the DNA configuration.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
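Martin's explanation above (the master refuses a range request that would drop its free pool below dnaThreshold) and Rob's follow-up (compare idrange-find with the DNA configuration) are both mechanical checks, so here is an added example that runs them offline. It is written for this page and is not code from the thread, from FreeIPA or from 389-ds. It parses the LDIF that the ldapsearch quoted in the thread returns, simulates the master's answer to a replica's range request under the rule as Martin states it (hand over half of the free values, but never drop below dnaThreshold; this is a paraphrase of his description, not a transcription of the DNA plugin source), generates the ldapmodify LDIF for the fix, and then checks whether the widened DNA range still lies inside the IPA ID range reported by ipa idrange-find. The numbers in both embedded samples are constructed and are not Bruno's; the sample idrange-find output follows that command's usual layout.

```python
"""Added example (not code from the thread, FreeIPA or 389-ds): check whether a
FreeIPA master's DNA range can satisfy a replica's range-extension request,
and whether the DNA range still agrees with the IPA ID range."""

DNA_DN = ("cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,"
          "cn=plugins,cn=config")

# Constructed sample of what the ldapsearch from the thread returns on a master
# installed with a 1000-value range; the numbers are assumptions, not Bruno's.
SAMPLE_DNA_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaNextValue: 1123
dnaMaxValue: 2099
dnaThreshold: 500
"""

# Constructed sample of `ipa idrange-find` output for the same deployment
# (assumed values: one local range of 1000 IDs starting at 1100).
SAMPLE_IDRANGE_OUTPUT = """\
----------------
1 range matched
----------------
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 1100
  Number of IDs in the range: 1000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""


def parse_ldif(ldif):
    """Map attribute names (lower-cased) to values for a single-entry LDIF."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def dna_state(ldif):
    """Extract next value, max value, threshold and the resulting free count."""
    a = parse_ldif(ldif)
    nxt, mx, thr = (int(a[k]) for k in ("dnanextvalue", "dnamaxvalue", "dnathreshold"))
    return {"next": nxt, "max": mx, "threshold": thr, "free": mx - nxt + 1}


def with_new_max(state, new_max):
    """State after `replace: dnaMaxValue` with new_max (the fix from the thread)."""
    s = dict(state)
    s["max"] = new_max
    s["free"] = new_max - s["next"] + 1
    return s


def range_extension(state):
    """Simulate the master's answer to a replica's range request under the rule
    as Martin describes it: give away half of the free values, but refuse
    (LDAP result 53, unwillingToPerform) if that would leave the master with
    fewer than dnaThreshold values. Returns (low, high) or None on refusal."""
    share = state["free"] // 2
    if share == 0 or state["free"] - share < state["threshold"]:
        return None
    return (state["max"] - share + 1, state["max"])


def extend_ldif(new_max):
    """LDIF for ldapmodify that widens the master's range, as in the thread."""
    return (f"dn: {DNA_DN}\nchangetype: modify\n"
            f"replace: dnaMaxValue\ndnaMaxValue: {new_max}\n")


def parse_idranges(text):
    """Pull (name, first, size) out of `ipa idrange-find` output."""
    ranges, cur = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Range name":
            cur = {"name": value.strip()}
            ranges.append(cur)
        elif cur is not None and key == "First Posix ID of the range":
            cur["first"] = int(value)
        elif cur is not None and key == "Number of IDs in the range":
            cur["size"] = int(value)
    return ranges


def dna_covered_by_idrange(state, ranges):
    """True if every value the DNA plugin may still hand out (next..max) lies
    inside one IPA ID range; False means the IPA range needs adjusting."""
    return any(r["first"] <= state["next"] and state["max"] <= r["first"] + r["size"] - 1
               for r in ranges)


if __name__ == "__main__":
    before = dna_state(SAMPLE_DNA_LDIF)
    ranges = parse_idranges(SAMPLE_IDRANGE_OUTPUT)
    print("free values on master:", before["free"],
          "-> replica request:", range_extension(before) or "refused (error 53)")
    after = with_new_max(before, 5000)
    print(extend_ldif(5000))
    print("after fix -> replica gets:", range_extension(after))
    print("DNA range inside an IPA ID range? before:", dna_covered_by_idrange(before, ranges),
          "after:", dna_covered_by_idrange(after, ranges))
```

Run as-is it reproduces the thread's situation: with fewer than 2 x dnaThreshold values free the request is refused, and after dnaMaxValue is raised to 5000 the replica is granted the upper half. In a real deployment feed `ldapsearch -LLL ...` output to dna_state() and `ipa idrange-find` output to parse_idranges(); a False from dna_covered_by_idrange() after the fix is exactly the case Rob flags, and the IPA range then has to be adjusted with ipa idrange-mod to match the DNA configuration.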
Re: [Freeipa-users] IPA Replica cannot add user
On 02/13/2014 06:55 PM, Bruno Henrique Barbosa wrote:
> Hi everyone,
>
> I've installed my IPA environment as follows:
>
>   ipa01.example.com - master install
>   ipa02.example.com - replica install, as the guide says, with ipa-replica-prepare on ipa01 and ipa-replica-install using the generated gpg key.
>
> All good, the environment is fine, I can access both UIs, but the underlying problem is: I can edit and remove users from IPA using instance ipa02 (replica), but I CANNOT add users from that instance. In the UI, the error returned is:
>
>   IPA Error 4203 Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
>
> Via command-line, debug-enabled:
>
>   root@ipa02's password:
>   Last login: Thu Feb 13 15:36:34 2014
>   [root@ipa02 ~]# kinit admin
>   Password for ad...@example.com:
>   [root@ipa02 ~]# ipa-replica-manage list
>   ipa01.example.com: master
>   ipa02.example.com: master
>   [root@ipa02 ~]# klist
>   Ticket cache: FILE:/tmp/krb5cc_0
>   Default principal: ad...@example.com
>   Valid starting     Expires            Service principal
>   02/13/14 15:37:48  02/14/14 15:37:29  krbtgt/example@example.com
>   02/13/14 15:38:03  02/14/14 15:37:29  ldap/ipa02.example@example.com
>   [root@ipa02 ~]# ipa -d user-add usertest
>   ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>   ipa: DEBUG: args=klist -V
>   ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>   ipa: DEBUG: stderr=
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>   ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>   ipa: