On 02/14/2014 01:49 PM, Martin Kosek wrote:
> Ok, this part seems ok then. I would then focus directly on DNA operation
> itself.
>
> DNA plugin says:
>
> [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_request_range: Error sending range extension extended operation request to server ipa01.example.com:389 [error 53]
> [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_pre_op: no more values available!!
>
> Error 53 should be Unwilling to perform. Are there any errors on master dirsrv
> errors log?
>
> Is any free number available on the master server?
>
> [master] $ ldapsearch -h `hostname` -D "cn=Directory Manager" -x -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' dnaNextValue dnaMaxValue
>
> Martin
>
> On 02/14/2014 12:36 PM, Bruno Henrique Barbosa wrote:
>> Hi Martin, thanks for the help.
>>
>>
>> Yes, I already did that test. Created a user on ipa01 (master), then he
>> appeared on ipa02 (replica), in the replica, I modified his email address,
>> it appeared back on master. Still, I cannot create a brand new user (or
>> POSIX group) on ipa02.
>>
>>
>>
>> [root@ipa01 ~]# ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>>
>>
>> [root@ipa02 ~]# ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>>
>>
>>
>>
>> Interesting on replica's /var/log/krb5kdc.log:
>>
>>
>>
>> [root@ipa02 ~]# cat /var/log/krb5kdc.log | grep "Feb 13 15:31"
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): setting up network...
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 6: udp 0.0.0.0.88
>> (pktinfo)
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local
>> address family 17
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local
>> address family 17
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 8: tcp 0.0.0.0.88
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 7: tcp ::.88
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): set up 3 sockets
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): creating 4 worker processes
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 7
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 8
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 6
>> Feb 13 15:31:13 ipa02 krb5kdc[1535](info): commencing operation
>> Feb 13 15:31:13 ipa02 krb5kdc[1533](info): commencing operation
>> Feb 13 15:31:13 ipa02 krb5kdc[1536](info): commencing operation
>> Feb 13 15:31:13 ipa02 krb5kdc[1534](info): commencing operation
>> Feb 13 15:31:14 ipa02 krb5kdc[1534](info): AS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example@example.com for
>> krbtgt/example@example.com, Additional pre-authentication required
>> Feb 13 15:31:14 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18},
>> ldap/ipa02.example@example.com for krbtgt/example@example.com
>>
>>
>> Feb 13 15:31:14 ipa02 krb5kdc[1536](info): TGS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18},
>> ldap/ipa02.example@example.com for ldap/ipa01.example@example.com
>>
>>
>> Feb 13 15:31:28 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: NEEDED_PREAUTH: use...@example.com for
>> krbtgt/example@example.com, Additional pre-authentication required
>> Feb 13 15:31:28 ipa02 krb5kdc[1535](info): AS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18},
>> use...@example.com for krbtgt/example@example.com
>> Feb 13 15:31:28 ipa02 krb5kdc[1535](info): TGS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18},
>> use...@example.com for ldap/ipa02.example@example.com
>>
>>
>>
>>
>> Running kinit -kt on replica, returns nothing on prompt, but populates
>> /var/log/krb5kdc.log with:
>>
>>
>>
>>
>> Feb 14 09:34:05 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example@example.com for
>> krbtgt/example@example.com, Additional pre-authentication required
>> Feb 14 09:34:05 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23})
>> 192.168.0.2: ISSUE: authtime 1392377645, etypes {rep=18 tkt=18 ses=18},
>> ldap/ipa02.example@example.com for krbtgt/example@example.com
>>
>>
>>
>>
>> DNS is OK, resolving FQDN of both master and replica forward and reverse.
>>
>>
>>
>> Bruno Henrique Barbosa
>>
>> Jr. Sys Admin
>> IT Department
>> Santos City Hall
>> - Original message -
>>
>> From: "Martin Kosek"
>> To: "Bruno Henrique Barbosa" ,
>> freeipa-users@redh