#2128 "force-sync, re-initialize and del" options for ipa-replica-manage fail against AD.
Closed: Fixed None Opened 12 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=754973

Description of problem:
"force-sync, re-initialize and del" fail against AD. On the same setup I
created a standard replica and these options for ipa-replica-manage work as
expected.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. [root@decepticons ~]# ipa-replica-manage force-sync --from
dhcp201-112.englab.pnq.redhat.com
Actual results:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
may provide more information (Server
krbtgt/ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM not found in Kerberos
database)
[root@decepticons ~]#

Expected results:
force-sync and other options (re-initialize and del) are successful.

Additional info:

Against AD:
[root@decepticons ~]# kinit admin
Password for admin@LAB.ENG.PNQ.REDHAT.COM:


[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54
krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]#


[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
[root@decepticons ~]#


[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password
--cacert=/root/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn
"cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw
Secret123 -v -p Secret123
Added CA certificate /root/wincertnew.cer to certificate database for
decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired
successfully: Incremental update started: start: 20111118110522Z: end:
20111118110522Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to
'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]#


[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
dhcp201-112.englab.pnq.redhat.com: winsync
[root@decepticons ~]#


[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54
krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
11/18/11 16:35:04  11/19/11 16:34:54
ldap/decepticons.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]#


[root@decepticons ~]# ipa-replica-manage force-sync --from
dhcp201-112.englab.pnq.redhat.com
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
may provide more information (Server
krbtgt/ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM not found in Kerberos
database)
[root@decepticons ~]#
Against standard replica:

[root@decepticons ~]# /usr/sbin/ipa-replica-manage re-initialize --from
sideswipe.lab.eng.pnq.redhat.com
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
[root@decepticons ~]#


[root@decepticons ~]# /usr/sbin/ipa-replica-manage force-sync --from
sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]#


[root@decepticons ~]# ipa-replica-manage del sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]#


[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 17:06:58  11/19/11 17:06:56
krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
11/18/11 17:07:07  11/19/11 17:06:56
ldap/decepticons.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
11/18/11 17:07:43  11/19/11 17:06:56
ldap/sideswipe.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]#

I'm seeing a slightly different error, but it may be that another change has masked the original problem.

The problem I'm seeing is that we are binding over SSL and we haven't loaded the AD CA cert. We haven't because we don't have it any more (it is only in the 389-ds NSS database). I'm not yet sure if we want to set that as a PEM or try to repoint to the 389-ds DB, I'm leaning towards the PEM file. We'll need to either extract this on the fly or store it in some common place.

The problem stemmed from the fact that we were trying to contact the AD server at all. It is unaware of our presence. The winsync plugin handles synchronization so we only need to work with the local instance for winsync.

I also require that the user be root when creating a winsync agreement because we need to update the 389-ds NSS db.

Moving to next month iteration.
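The routing rule described in the comments above (a winsync agreement is driven by the local 389-ds winsync plugin, so force-sync, re-initialize and del must stay on the local instance, and creating one needs root to update the NSS database), as an added Python example that is not FreeIPA's own code. It uses a minimal LDIF reader over constructed agreement entries and assumes that operations on a standard replica agreement are driven from the --from master.

```python
import os
WINSYNC_OC = "nsdswindowsreplicationagreement"  # real 389-ds object class
REPLICA_OC = "nsds5replicationagreement"        # real 389-ds object class
# Constructed LDIF with two agreements; host names come from the report,
# the DNs are shortened and illustrative.
SAMPLE_LDIF = """\
dn: cn=meTodhcp201-112,cn=replica,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds5ReplicaHost: dhcp201-112.englab.pnq.redhat.com

dn: cn=meTosideswipe,cn=replica,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
nsds5ReplicaHost: sideswipe.lab.eng.pnq.redhat.com
"""

def parse_ldif(text):
    # Minimal LDIF reader: one dict per entry, attribute names lowercased.
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def agreement_kind(entry):
    ocs = {oc.lower() for oc in entry.get("objectclass", [])}
    if WINSYNC_OC in ocs:
        return "winsync"
    if REPLICA_OC in ocs:
        return "replica"
    raise ValueError("not a replication agreement: %s" % entry.get("dn"))

def bind_targets(op, entry, local_host):
    """Hosts to bind to for op in {"force-sync", "re-initialize", "del"}."""
    peer = entry["nsds5replicahost"][0]
    if agreement_kind(entry) == "winsync":
        # AD knows nothing about the agreement; never GSSAPI/LDAP-bind to it.
        return [local_host]
    # Assumption: driven from the --from master; del also cleans up locally.
    return [peer, local_host] if op == "del" else [peer]

def winsync_setup_allowed(entry, euid=None):
    """connect --winsync needs root: the AD CA cert goes into the NSS db."""
    euid = os.geteuid() if euid is None else euid
    return agreement_kind(entry) != "winsync" or euid == 0
```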

Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02
