Performing a FreeIPA Replica install yields several errors regarding replication failure, seemingly surrounding GSSAPI.
The most impactful of these problems is that the newly built replica is unable to create new users/groups, citing:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
To reproduce:
Server1: ipa-server-install --idstart=3000 --idmax=50000
Server1: ipa-replica-prepare server2
server2: ipa-replica-install --setup-ca server2.gpg
server2: ipa user-add test
Supplier 389 Error Log supplier.log
Consumer 389 Error Log consumer.log
associated ticket: https://fedorahosted.org/freeipa/ticket/2119
associated ticket: https://fedorahosted.org/freeipa/ticket/2120
Affected Versions:
Fedora 15 x86_64
FreeIPA 2.1.3
389-ds-base 1.2.10-0.5.a5
389-ds-base-libs 1.2.10-0.5.a5
Corresponding Bugzilla ticket for 389 DS: https://bugzilla.redhat.com/show_bug.cgi?id=755119
Master side 389 errors: [23/Nov/2011:08:37:21 -0800] NSMMReplicationPlugin - agmt="cn=meToauthdev2.qai.expertcity.com" (authdev2:389): Schema replication update failed: Invalid syntax
Replica side 389 errors:
[23/Nov/2011:08:38:25 -0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
[23/Nov/2011:08:38:25 -0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[23/Nov/2011:08:38:25 -0800] NSMMReplicationPlugin - agmt="cn=meToauthdev1.qai.expertcity.com" (authdev1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
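As an added example (not from this ticket or from the FreeIPA/389 DS projects), a small Python triage script that parses the 389 DS error-log records quoted above, separates the GSSAPI replication-bind failures from the schema-update failure, and pulls out the missing credential cache path and the affected replication agreement. The regexes, event names and field names are my own assumptions; the sample records are those quoted in the ticket.

```python
import re

# Constructed sample input: the 389 DS error-log records quoted in this ticket.
SAMPLE_LOG = """\
[23/Nov/2011:08:37:21 -0800] NSMMReplicationPlugin - agmt="cn=meToauthdev2.qai.expertcity.com" (authdev2:389): Schema replication update failed: Invalid syntax
[23/Nov/2011:08:38:25 -0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
[23/Nov/2011:08:38:25 -0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[23/Nov/2011:08:38:25 -0800] NSMMReplicationPlugin - agmt="cn=meToauthdev1.qai.expertcity.com" (authdev1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))
"""

# Record layout: "[dd/Mon/yyyy:HH:MM:SS +zzzz] <source> - <message>"
RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"')
CCACHE_RE = re.compile(r"Credentials cache file '(?P<path>[^']+)' not found")

def classify(msg):
    """Map a record's message to an event kind, or None if it is not of interest."""
    if "Replication bind with GSSAPI auth failed" in msg or (
            "could not perform interactive bind" in msg and "mech [GSSAPI]" in msg):
        return "gssapi_bind_failure"
    if "Schema replication update failed" in msg:
        return "schema_update_failure"
    return None

def parse_errors(text):
    """Return one event dict per relevant record; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        kind = classify(m["msg"]) if m else None
        if kind is None:
            continue
        agmt, ccache = AGMT_RE.search(m["msg"]), CCACHE_RE.search(m["msg"])
        events.append({
            "time": m["ts"], "source": m["src"], "kind": kind,
            "agreement": agmt["agmt"] if agmt else None,
            "missing_ccache": ccache["path"] if ccache else None,
        })
    return events

def summarize(events):
    """Aggregate the facts an admin needs to triage a failing replica."""
    binds = [e for e in events if e["kind"] == "gssapi_bind_failure"]
    return {
        "gssapi_bind_failures": len(binds),
        "schema_update_failures": sum(e["kind"] == "schema_update_failure" for e in events),
        # A missing ccache means the agreement's Kerberos identity is unavailable.
        "missing_ccaches": {e["missing_ccache"] for e in binds if e["missing_ccache"]},
        "failed_agreements": {e["agreement"] for e in binds if e["agreement"]},
    }
```

Running `summarize(parse_errors(SAMPLE_LOG))` on the quoted records reports three GSSAPI bind failures against the authdev1 agreement, one schema-update failure, and `/tmp/krb5cc_498` as the missing credential cache.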
While the logs still indicate the same failures, the CLI problem itself seems to manifest when delay is present. Locally the errors are generated, but the new user creation succeeds. When attempting to replicate from California to Las Vegas, or any other external location, the CLI problem occurs in conjunction with the errors. This, along with Rich's findings on the Kerberos race, might explain why this problem has been difficult to reproduce.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=782979
Moving to next month iteration.
Fixed upstream in version 1.2.10.a7
Set minimum version to 1.2.10.1-1
master: dc5592a
ipa-2-2: c28c763
Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02