Re: [Freeipa-users] IPA Replica cannot add user [SOLVED]

2014-02-17 Thread Rob Crittenden

Martin Kosek wrote:

On 02/14/2014 01:49 PM, Martin Kosek wrote:

Bruno sent me the logs privately, let me just share the solution of this case
with the list. The problem here was that master had only 1000 numbers allocated
(chosen during IPA installation). Therefore, it had less than 1000 numbers free.

When the replica asked for some free numbers from it, it refused to give any as
it would lower its pool of free numbers below 500 (dnaThreshold setting).

Bruno was able to fix the issue with this command run on master:

$ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaMaxValue
dnaMaxValue: 5000


He should also run idrange-find to see if there is an IPA range listed 
and adjust it to match the DNA configuration.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
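A small diagnostic for the situation described in this thread, added here as an example and not code from the list or the FreeIPA project: it parses the output of the ldapsearch Martin asked for (dnaNextValue, dnaMaxValue, plus dnaThreshold), works out how many numbers the master still has, applies the refusal rule the thread describes, and emits the ldapmodify LDIF from the fix. The sample LDIF values are constructed, and the sharing rule is a simplified model of the plugin's policy as stated above, not the exact plugin logic.

```python
"""Check a FreeIPA master's DNA range for the 'replica cannot add user' case."""
import re

# Constructed sample of the ldapsearch output for a master installed with a
# 1000-number range (values are assumed, not taken from the thread).
SAMPLE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaNextValue: 1450
dnaMaxValue: 1999
dnaThreshold: 500
"""

DNA_DN = ("cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,"
          "cn=plugins,cn=config")


def parse_dna(ldif: str) -> dict:
    """Pull the numeric DNA attributes out of LDIF text (one entry)."""
    vals = {}
    for key in ("dnaNextValue", "dnaMaxValue", "dnaThreshold"):
        m = re.search(rf"^{key}:\s*(\d+)\s*$", ldif, re.MULTILINE)
        if m is None:
            raise ValueError(f"{key} missing from DNA config")
        vals[key] = int(m.group(1))
    return vals


def free_values(cfg: dict) -> int:
    """Numbers the master can still hand out from its own range."""
    return max(0, cfg["dnaMaxValue"] - cfg["dnaNextValue"] + 1)


def can_share_range(cfg: dict, requested: int) -> bool:
    """Refusal rule as described in the thread (simplified model): the master
    will not donate a range that leaves it fewer than dnaThreshold values."""
    return free_values(cfg) - requested >= cfg["dnaThreshold"]


def fix_ldif(cfg: dict, new_max: int) -> str:
    """LDIF for ldapmodify that raises dnaMaxValue, as in the thread's fix."""
    if new_max <= cfg["dnaMaxValue"]:
        raise ValueError("new dnaMaxValue must extend the current range")
    return (f"dn: {DNA_DN}\nchangetype: modify\n"
            f"replace: dnaMaxValue\ndnaMaxValue: {new_max}\n")


if __name__ == "__main__":
    cfg = parse_dna(SAMPLE_LDIF)
    print(f"free: {free_values(cfg)}, can share 100: {can_share_range(cfg, 100)}")
    if not can_share_range(cfg, 100):
        print(fix_ldif(cfg, 5000))
```

Pipe the real `ldapsearch -b 'cn=Posix IDs,...' dnaNextValue dnaMaxValue dnaThreshold` output into `parse_dna` to check a live master; after raising dnaMaxValue, remember Rob's note to reconcile the IPA range with `idrange-find`.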


Re: [Freeipa-users] IPA Replica cannot add user [SOLVED]

2014-02-17 Thread Martin Kosek
On 02/14/2014 01:49 PM, Martin Kosek wrote:
> Ok, this part seems ok then. I would then focus directly on DNA operation 
> itself.
> 
> DNA plugin says:
> 
> [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_request_range: Error sending
> range extension extended operation request to server ipa01.example.com:389
> [error 53]
> [13/Feb/2014:15:32:02 -0200] dna-plugin - dna_pre_op: no more values 
> available!!
> 
> Error 53 should be Unwilling to perform. Are there any errors on master dirsrv
> errors log?
> 
> Is any free number available on the master server?
> 
> [master] $ ldapsearch -h `hostname` -D "cn=Directory Manager" -x -W -b
> 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
> dnaNextValue dnaMaxValue
> 
> Martin
> 
> On 02/14/2014 12:36 PM, Bruno Henrique Barbosa wrote:
>> Hi Martin, thanks for the help. 
>>
>>
>> Yes, I already did that test. Created a user on ipa01 (master), then he 
>> appeared on ipa02 (replica), in the replica, I modified his email address, 
>> it appeared back on master. Still, I cannot create a brand new user (or 
>> POSIX group) on ipa02. 
>>
>>
>>
>> [root@ipa01 ~]# ipactl status 
>> Directory Service: RUNNING 
>> KDC Service: RUNNING 
>> KPASSWD Service: RUNNING 
>> MEMCACHE Service: RUNNING 
>> HTTP Service: RUNNING 
>> CA Service: RUNNING 
>>
>>
>>
>> [root@ipa02 ~]# ipactl status 
>> Directory Service: RUNNING 
>> KDC Service: RUNNING 
>> KPASSWD Service: RUNNING 
>> MEMCACHE Service: RUNNING 
>> HTTP Service: RUNNING 
>>
>>
>>
>>
>> Interesting on replica's /var/log/krb5kdc.log: 
>>
>>
>>
>> [root@ipa02 ~]# cat /var/log/krb5kdc.log | grep "Feb 13 15:31" 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): setting up network... 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 6: udp 0.0.0.0.88 
>> (pktinfo) 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local 
>> address family 17 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): skipping unrecognized local 
>> address family 17 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 8: tcp 0.0.0.0.88 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): listening on fd 7: tcp ::.88 
>> Feb 13 15:31:13 ipa02 krb5kdc[1524](info): set up 3 sockets 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): creating 4 worker processes 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 7 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 8 
>> Feb 13 15:31:13 ipa02 krb5kdc[1525](info): closing down fd 6 
>> Feb 13 15:31:13 ipa02 krb5kdc[1535](info): commencing operation 
>> Feb 13 15:31:13 ipa02 krb5kdc[1533](info): commencing operation 
>> Feb 13 15:31:13 ipa02 krb5kdc[1536](info): commencing operation 
>> Feb 13 15:31:13 ipa02 krb5kdc[1534](info): commencing operation 
>> Feb 13 15:31:14 ipa02 krb5kdc[1534](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example@example.com for 
>> krbtgt/example@example.com, Additional pre-authentication required 
>> Feb 13 15:31:14 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18}, 
>> ldap/ipa02.example@example.com for krbtgt/example@example.com 
>>
>>
>> Feb 13 15:31:14 ipa02 krb5kdc[1536](info): TGS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312674, etypes {rep=18 tkt=18 ses=18}, 
>> ldap/ipa02.example@example.com for ldap/ipa01.example@example.com 
>>
>>
>> Feb 13 15:31:28 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: NEEDED_PREAUTH: use...@example.com for 
>> krbtgt/example@example.com, Additional pre-authentication required 
>> Feb 13 15:31:28 ipa02 krb5kdc[1535](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, 
>> use...@example.com for krbtgt/example@example.com 
>> Feb 13 15:31:28 ipa02 krb5kdc[1535](info): TGS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392312688, etypes {rep=18 tkt=18 ses=18}, 
>> use...@example.com for ldap/ipa02.example@example.com 
>>
>>
>>
>>
>> Running kinit -kt on replica, returns nothing on prompt, but populates 
>> /var/log/krb5kdc.log with: 
>>
>>
>>
>>
>> Feb 14 09:34:05 ipa02 krb5kdc[1536](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: NEEDED_PREAUTH: ldap/ipa02.example@example.com for 
>> krbtgt/example@example.com, Additional pre-authentication required 
>> Feb 14 09:34:05 ipa02 krb5kdc[1533](info): AS_REQ (4 etypes {18 17 16 23}) 
>> 192.168.0.2: ISSUE: authtime 1392377645, etypes {rep=18 tkt=18 ses=18}, 
>> ldap/ipa02.example@example.com for krbtgt/example@example.com 
>>
>>
>>
>>
>> DNS is OK, resolving FQDN of both master and replica forward and reverse. 
>>
>>
>>
>> Bruno Henrique Barbosa 
>>
>> Jr. Sys Admin 
>> IT Department 
>> Santos City Hall 
- Original message -
>>
>> From: "Martin Kosek"
>> To: "Bruno Henrique Barbosa" ,
>> freeipa-users@redh