Re: Fixing limit on DNS searches
by Givaldo Lins
Thanks Bret.
Regarding the LDAP understanding, I feel likewise.
Thankfully there are some gods out there wishing to help mere mortals like us :)
Cheers
—
Givaldo Lins
> On Feb 15, 2018, at 11:06 AM, Bret Wortman <bret.wortman(a)damascusgrp.com> wrote:
>
> Welcome to the thread! Happy to share the pain.
>
> I really wish I understood LDAP more than I do. I hope our eventual answer solves both our problems.
>
> Cheers,
>
>
> Bret
>
>
>> On 02/15/2018 01:15 PM, Givaldo Lins via FreeIPA-users wrote:
>> Hi Flo
>>
>> Sorry for jumping into the thread like this, but I have been following this because I am facing the same issue, and in my case your train of thought makes complete sense. The only difference is that I used my account when searching the LDAP tree, except for the last one, for which I used the admin account.
>> I got these results:
>>
>> GSS-SPNEGO - numEntries: 5000
>> GSSAPI - numEntries: 5173
>> admin account: numEntries: 5000
>>
>> Also, when checking the access log, I noticed that after the BIND the result returns my user and not the anonymous-limit.
>>
>> My question is: What limit is being applied to me and where could I increase it?
>>
>> Thanks,
>>
>> Givaldo Lins | Linux Systems Administrator
>> GPG Fingerprint: A81A 14CC FA18 4273 9CC6 8945 BEDA 981C 9C4E 388A
>> Canada: +1 (604) 366-5482
>> Brasil: +55 (81) 98205-1735
>> skype: givaldolins
>>
>>
>> ----- Original Message -----
>> From: "Florence Blanc-Renaud via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org>
>> To: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
>> Cc: "Bret Wortman" <bret.wortman(a)damascusgrp.com>, "Florence Blanc-Renaud" <flo(a)redhat.com>
>> Sent: Thursday, February 15, 2018 9:27:48
>> Subject: [Freeipa-users] Re: Fixing limit on DNS searches
>>
>>> On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote:
>>>> On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote:
>>>>> On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote:
>>>>>> On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>>>>>>> On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote:
>>>>>>>
>>>>>>>> On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote:
>>>>>>>> On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>>>>>>>>> On 02/14/2018 05:58 PM, Bret Wortman wrote:
>>>>>>>>>>> On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote:
>>>>>>>>>>>> On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:
>>>>>>>>>>>> I did figure out that I can use
>>>>>>>>>>>>
>>>>>>>>>>>> # ldapsearch -D 'directory manager' -W -E pr=20000 -b
>>>>>>>>>>>> idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com
>>>>>>>>>>>>
>>>>>>>>>>>> to list out all the entries, but the format isn't what I'm
>>>>>>>>>>>> expecting.
>>>>>>>>>>>>
>>>>>>>>>>>> What I'm actually trying to do is move our whole
>>>>>>>>>>>> infrastructure from one set of old & busted servers to some
>>>>>>>>>>>> shiny new VMs. We'd like to extract the data and start fresh,
>>>>>>>>>>>> as our replication agreements just don't seem to be working as
>>>>>>>>>>>> expected. Changes to one don't always make it to the other and
>>>>>>>>>>>> vice versa. While I'd love to dig in and solve that, it's
>>>>>>>>>>>> easier right now to try to extract the data and reload it into
>>>>>>>>>>>> a new server, build new replicas, then unbind & re-bind every
>>>>>>>>>>>> client to the new server using ansible since we also lost our
>>>>>>>>>>>> internal CA in the process.
>>>>>>>>>>>>
>>>>>>>>>>>> So while our current configuration is a mess, we can't afford
>>>>>>>>>>>> to lose all the host/user/dns/hbac data in our servers. Thus,
>>>>>>>>>>>> I've been capturing the output to text using various ipa
>>>>>>>>>>>> *-find commands and have parsers to turn those back into new
>>>>>>>>>>>> entries on the fresh hosts. DNS is the only thing that's
>>>>>>>>>>>> holding me up.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Bret
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> On 02/14/2018 06:33 AM, Bret Wortman wrote:
>>>>>>>>>>>>> Also, this doesn't solve the fact that the Web UI always
>>>>>>>>>>>>> produces an error dialog whenever accessing our primary zone.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo <natxo.asenjo(a)gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> the canonical way to do this is using ldap paging, with
>>>>>>>>>>>>>> ldapsearch you could try using the -E pr=xxxx
>>>>>>>>>>>>>> parameter, where
>>>>>>>>>>>>>> xxxx could be 1000 for instance. That way you know you
>>>>>>>>>>>>>> are always
>>>>>>>>>>>>>> under the limit imposed by the server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> if you use -E pr=1000/noprompt, it will not prompt to
>>>>>>>>>>>>>> continue, nicer for scripts obviously.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Greetings,
>>>>>>>>>>>>>> natxo
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Hi Bret,
>>>>>>>>>>>
>>>>>>>>>>> the search limits can be set at multiple levels:
>>>>>>>>>>> - for the whole 389-ds server
>>>>>>>>>>> nsslapd-sizelimit (in cn=config)
>>>>>>>>>>> nsslapd-lookthroughlimit (in cn=config,cn=ldbm
>>>>>>>>>>> database,cn=plugins,cn=config)
>>>>>>>>>>>
>>>>>>>>>>> - for operations performed through ipa * commands (or the webGUI):
>>>>>>>>>>> ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)
>>>>>>>>>>>
>>>>>>>>>>> - for each user:
>>>>>>>>>>> nssizelimit and nsLookThroughLimit attributes (in
>>>>>>>>>>> uid=$USER,cn=users,cn=accounts,$BASEDN)
>>>>>>>>>>>
>>>>>>>>>>> You are probably hitting one of these limits in your ipa *-find
>>>>>>>>>>> command.
>>>>>>>>>>>
>>>>>>>>>>> HTH,
>>>>>>>>>>> Flo
>>>>>>>>>>>
>>>>>>>>>> So I found almost all of these:
>>>>>>>>>>
>>>>>>>>>> # ldapsearch -D 'cn=directory manager' -W -b 'cn=config'
>>>>>>>>>> cn=config | grep nsslapd-sizelimit
>>>>>>>>>> nsslapd-sizelimit: 2000
>>>>>>>>>>
>>>>>>>>>> # ldapsearch -D 'cn=directory manager' -W -b 'cn=config,cn=ldbm
>>>>>>>>>> database,cn=plugins,cn=config' | grep lookthroughlimit
>>>>>>>>>> nsslapd-lookthroughlimit: 100000
>>>>>>>>>>
>>>>>>>>>> # ldapsearch -D 'cn=directory manager' -W -b
>>>>>>>>>> 'cn=ipaConfig,cn=etc,dc=damascusgrp,dc=com' | grep
>>>>>>>>>> ipaSearchRecordsLimit
>>>>>>>>>> ipaSearchRecordsLimit: 99999
>>>>>>>>>>
>>>>>>>>>> # ldapsearch -D 'cn=directory manager' -W -b
>>>>>>>>>> 'uid=admin,cn=users,cn=accounts,dc=damascusgrp,dc=com' | grep -i
>>>>>>>>>> limit
>>>>>>>>>> (returns data but nothing matches)
>>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> nsSizeLimit and nsLookThroughLimit are operational attributes,
>>>>>>>>> meaning that a standard ldapsearch will not return them. You need
>>>>>>>>> either to specifically request them by providing them in the
>>>>>>>>> attributes list:
>>>>>>>>>
>>>>>>>>> $ ldapsearch -D 'cn=directory manager' -W -b $BASE nssizelimit
>>>>>>>>> nslookthroughlimit
>>>>>>>>>
>>>>>>>>> or you can also specify + instead of the attributes in order to
>>>>>>>>> get all operational attributes:
>>>>>>>>> $ ldapsearch -D 'cn=directory manager' -W -b $BASE +
>>>>>>>>>
>>>>>>>>> HTH,
>>>>>>>>> Flo
>>>>>>>>>
>>>>>>>>>> The first doesn't seem to be something I can change. It's stuck
>>>>>>>>>> at 2000, but since my issue occurs at 5000, I'm not worried
>>>>>>>>>> about it. I believe that I'm missing something in the fourth
>>>>>>>>>> search that might point me toward the attributes you mentioned
>>>>>>>>>> but I'm not sure where.
>>>>>>>>>>
>>>>>>>> The 5000 limit rings a bell to me. It is the anonymous size limit.
>>>>>>>> Can you check:
>>>>>>>> $ ldapsearch -D 'cn=directory manager' -W -b cn=config -s base
>>>>>>>> nsslapd-anonlimitsdn
>>>>>>>>
>>>>>>>> it will provide you with a DN of the entry defining the anonymous
>>>>>>>> limits (usually cn=anonymous-limits,cn=etc,$BASEDN), then:
>>>>>>>>
>>>>>>>> $ ldapsearch -D 'cn=directory manager' -W -b
>>>>>>>> cn=anonymous-limits,cn=etc,$BASEDN nsSizeLimit nsLookThroughLimit
>>>>>>>>
>>>>>>>> Now we should check the access log
>>>>>>>> (/var/log/dirsrv/slapd-xxx/access) corresponding to your command
>>>>>>>> to retrieve the DNS entries, and ensure which user identity is
>>>>>>>> actually performing the search.
>>>>>>>>
>>>>>>>> Flo
>>>>>>> Both those limits are 5000.
>>>>>>>
>>>>>>> What should I be looking for in the access log? It gets a lot of
>>>>>>> traffic and narrowing down exactly which entry represents the
>>>>>>> original search is challenging. I'd rather not post the whole thing
>>>>>>> because it's pretty large & noisy.
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> you can perform the ipa dnsrecord-find --all command, while tail'ing
>>>>>> the access log. I will be interested in the lines containing the
>>>>>> SEARCH with a err=4 (size limit exceeded). For this SEARCH, please
>>>>>> note the connection number (conn=xx) and find the BIND for the same
>>>>>> connection number (it will be located before the SEARCH). For each
>>>>>> line (BIND and SEARCH) both the operation and the RESULT are
>>>>>> interesting, for instance when doing ipa user-find:
>>>>>>
>>>>>> [date] conn=514 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
>>>>>> [date] conn=514 op=0 RESULT err=0 tag=97 nentries=0
>>>>>> etime=0.0004754873 dn="uid=admin,cn=users,cn=accounts,$BASEDN"
>>>>>> ...
>>>>>> [date] conn=514 op=2 SRCH base="cn=users,cn=accounts,$BASEDN"
>>>>>> scope=1 filter="(objectClass=posixaccount)" attrs="krbCanonicalName
>>>>>> loginShell sshpubkeyfp gidNumber homeDirectory uidNumber uid
>>>>>> givenName title sn krbPrincipalName mail nsAccountLock
>>>>>> telephoneNumber ipaSshPubKey"
>>>>>> [date] conn=514 op=2 RESULT err=0 tag=101 nentries=6 etime=0.0006313857
>>>>>>
>>>>>> Flo
>>>>>>
>>>>>>> Bret
>>>>> Is this what you're after?
>>>>>
>>>>> conn=121474 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
>>>>> attrs="* altServer namingContexts supportedControl
>>>>> supportedExtension supportedFeatures supportedLDAPVersion
>>>>> supportedSASLMechanisms domaincontrollerfunctionality
>>>>> defaultnamingcontext lastusn highestcommittedusn aci"
>>>>> conn=121474 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> conn=121474 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> conn=121474 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind
>>>>> in progress
>>>>> conn=121474 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> conn=121474 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind
>>>>> in progress
>>>>> conn=121474 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> conn=121474 op=3 RESULT err=0 tag=101 nentries=0 etime=0
>>>>> dn="fqdn=loader4.my.net,cn=computers,cn=accounts,dc=my,dc=net"
>>>>> :
>>>>> conn=121474 op=3033 SRCH base="cn=accounts,dc=my,dc=net" scope=2
>>>>> filter="(&(objectClass=ipaHost)(fqdn=sfile6.my.net))"
>>>>> attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey
>>>>> ipaUniqueID"
>>>>> conn=121474 op=3033 RESULT err=0 tag=101 nentries=1 etime=0 notes=P
>>>>> pr_idx=0 pr_cookie=-1
>>>> Hi,
>>>>
>>>> the command ipa dnsrecord-find should create a trace similar to the
>>>> following:
>>>>
>>>> [date] conn=538 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
>>>> [date] conn=538 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0004778829
>>>> dn="uid=admin,cn=users,cn=accounts,$BASEDN"
>>>> ...
>>>> [date] conn=538 op=7 SRCH base="idnsname=$ZONE,cn=dns,$BASEDN" scope=2
>>>> filter="(&(objectClass=top)(objectClass=idnsrecord))" attrs="pTRRecord
>>>> APLRecord SigRecord nAPTRRecord HIPRecord kXRecord aRecord aFSDBRecord
>>>> hInfoRecord sRVRecord mDRecord certRecord nSECRecord idnsName
>>>> tXTRecord DHCIDRecord dSRecord dNameRecord TLSARecord mXRecord
>>>> sSHFPRecord cNAMERecord IPSECKEYRecord aAAARecord rRSIGRecord RPRecord
>>>> DLVRecord URIRecord mInfoRecord KeyRecord a6Record nXTRecord LocRecord
>>>> nSRecord SPFRecord"
>>>> [date] conn=538 op=7 RESULT err=0 tag=101 nentries=11 etime=0.0005895601
>>>>
>>>> In your case, since the search results are truncated, there will
>>>> probably be err=4 (size limit exceeded) or err=11 (admin limit
>>>> exceeded), and nentries= the limit you are hitting.
>>>>
>>>> Please keep in mind that 389-ds access log is buffered, it may get
>>>> some time between the event and its logging in the file.
>>>>
>>>> Flo
>>> Okay, found it.
>>>
>>> conn=128104 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
>>> conn=128104 op=0 RESULT err=0 tag=97 nentries=0 etime=0
>>> dn="uid=admin,cn=users,cn=accounts,dc=my,dc=net"
>>> ...
>>> conn=128104 op=7 SRCH base="idnsname=my.net,cn=dns,dc=my,dc=net" scope=2
>>> filter="(&(objectClass=top)(objectClass=idnsrecord))" attrs="sSHFPRecord
>>> HIPRecord SPFRecord kXRecord nXTRecord mXRecord aAAARecord mDRecord
>>> aRecord DLVRecord TLSARecord * pTRRecord SigRecord idnsname aFSDBRecord
>>> APLRecord URIRecord nAPTRRecord nSRecord LocRecord dNameRecord RPRecord
>>> DHCIDRecord IPSECKEYRecord rRSIGRecord hInfoRecord cNAMERecord certRecord
>>> sRVRecord dSRecord tXTRecord nSECRecord a6Record KeyRecord mInfoRecord
>>> aci"
>>> conn=128104 op=7 RESULT err=11 tag=101 nentries=5000 etime=2
>>>
>>> It was going to our other IPA server in the pair and I didn't notice
>>> that I was doing my "ipa dnsrecord-find" from my workstation, not one of
>>> the servers.
>>>
>>> So it looks like I'm getting an admin limit exceeded. What's the best
>>> way to proceed?
>> Hi,
>>
>> just to be sure, can you perform equivalent ldapsearch with GSS-SPNEGO /
>> GSSAPI and plain bind:
>> kinit admin
>> ldapsearch -Y GSS-SPNEGO -b idnsname=my.net,cn=dns,dc=my,dc=net
>> "(&(objectClass=top)(objectClass=idnsrecord))"
>>
>> kinit admin
>> ldapsearch -Y GSSAPI -b idnsname=my.net,cn=dns,dc=my,dc=net
>> "(&(objectClass=top)(objectClass=idnsrecord))"
>>
>> ldapsearch -D uid=admin,cn=users,cn=accounts,dc=my,dc=net -W -b
>> idnsname=my.net,cn=dns,dc=my,dc=net
>> "(&(objectClass=top)(objectClass=idnsrecord))"
>>
>> I would like to see if the auth mechanism has any impact on the limits
>> and number of returned entries.
>> Flo
>>
>
6 years, 3 months
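The log correlation Flo describes in the thread above (find the SRCH RESULT carrying err=4 or err=11, take its conn= number, walk back to the BIND on that same connection and read the identity it resolved to), done in Python as an added example that is not part of the original thread and not FreeIPA code. It also turns the levels she lists (the anonymous-limits entry for unbound connections, the bound entry's own nsSizeLimit and nsLookThroughLimit, then the server-wide nsslapd-sizelimit and nsslapd-lookthroughlimit) into the ldapsearch commands to run next. The SAMPLE_LOG lines are constructed to match the shape of the lines pasted in the thread; the connection numbers, hostnames, DNs and the dc=example,dc=test suffix are made up.

```python
"""Correlate truncated 389-ds searches with the identity bound on the connection.

Added example, not FreeIPA code and not code from anyone in the thread. The
SAMPLE_LOG lines are constructed to match the shape of the lines pasted in
the thread; connection numbers, hostnames and DNs are made up.
"""
import re

LIMIT_ERRORS = {4: "sizeLimitExceeded", 11: "adminLimitExceeded"}  # search was cut short
SASL_BIND_IN_PROGRESS = 14
LINE_RE = re.compile(r"^(?:\[[^\]]*\]\s+)?conn=(\d+)\s+op=(-?\d+)\s+(.*)$")
RESULT_RE = re.compile(r"^RESULT err=(\d+) tag=\d+ nentries=(\d+)")
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" scope=\d filter="([^"]*)"')
DN_RE = re.compile(r'\bdn="([^"]*)"')
MECH_RE = re.compile(r"\bmech=(\S+)")

SAMPLE_LOG = """\
[date] conn=128104 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[date] conn=128104 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[date] conn=128104 op=7 SRCH base="idnsname=example.test,cn=dns,dc=example,dc=test" scope=2 filter="(&(objectClass=top)(objectClass=idnsrecord))" attrs="aRecord cNAMERecord"
[date] conn=128104 op=7 RESULT err=11 tag=101 nentries=5000 etime=2
[date] conn=121474 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[date] conn=121474 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[date] conn=121474 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[date] conn=121474 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=loader4.example.test,cn=computers,cn=accounts,dc=example,dc=test"
[date] conn=121474 op=3 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(objectClass=ipaHost)" attrs="fqdn"
[date] conn=121474 op=3 RESULT err=4 tag=101 nentries=2000 etime=1
[date] conn=200 op=0 BIND dn="uid=givaldo,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[date] conn=200 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[date] conn=200 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=1 filter="(objectClass=posixaccount)" attrs="uid"
[date] conn=200 op=1 RESULT err=0 tag=101 nentries=6 etime=0
[date] conn=300 op=0 SRCH base="cn=dns,dc=example,dc=test" scope=2 filter="(objectClass=idnsrecord)" attrs="aRecord"
[date] conn=300 op=0 RESULT err=4 tag=101 nentries=5000 etime=1
"""


def parse_access_log(lines):
    """Return one dict per SEARCH whose RESULT hit a size or admin limit,
    with the identity bound on that connection ("anonymous" if none)."""
    identity, mech, pending_bind, searches, hits = {}, {}, {}, {}, []
    # identity: conn -> DN of last successful BIND; pending_bind: conn -> (op, dn on
    # the BIND request line); searches: (conn, op) -> (base, filter)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, op, rest = m.group(1), int(m.group(2)), m.group(3)
        if rest.startswith("BIND "):
            dn = DN_RE.search(rest)
            pending_bind[conn] = (op, dn.group(1) if dn else "")
            mm = MECH_RE.search(rest)
            mech[conn] = mm.group(1) if mm else "simple"
            continue
        if rest.startswith("SRCH "):
            sm = SRCH_RE.match(rest)
            if sm:
                searches[(conn, op)] = (sm.group(1), sm.group(2))
            continue
        rm = RESULT_RE.match(rest)
        if not rm:
            continue
        err, nentries = int(rm.group(1)), int(rm.group(2))
        if pending_bind.get(conn, (None, ""))[0] == op:
            if err == SASL_BIND_IN_PROGRESS:
                continue  # another GSSAPI round trip follows on a new op
            _, request_dn = pending_bind.pop(conn)
            # SASL binds report the authenticated DN on the RESULT line;
            # simple binds carry it on the BIND line and log no dn= here.
            dn = DN_RE.search(rest)
            bound = dn.group(1) if dn else request_dn
            # A failed BIND leaves the connection anonymous (RFC 4511 4.2.1).
            identity[conn] = (bound or "anonymous") if err == 0 else "anonymous"
            continue
        if (conn, op) in searches and err in LIMIT_ERRORS:
            base, flt = searches[(conn, op)]
            hits.append({"conn": conn, "op": op, "base": base, "filter": flt,
                         "identity": identity.get(conn, "anonymous"),
                         "mech": mech.get(conn, "none"),
                         "error": LIMIT_ERRORS[err], "nentries": nentries})
    return hits


def limit_checks(hit, basedn):
    """ldapsearch commands that read the limits which could have truncated
    this search, in the order to check them."""
    def cmd(base, attrs):
        return f"ldapsearch -D 'cn=directory manager' -W -b '{base}' -s base {attrs}"
    cmds = []
    if hit["identity"] == "anonymous":
        cmds.append(cmd("cn=config", "nsslapd-anonlimitsdn"))  # names the entry below
        cmds.append(cmd(f"cn=anonymous-limits,cn=etc,{basedn}", "nsSizeLimit nsLookThroughLimit"))
    else:  # operational attributes: name them explicitly or ask for "+"
        cmds.append(cmd(hit["identity"], "nsSizeLimit nsLookThroughLimit"))
    cmds.append(cmd("cn=config", "nsslapd-sizelimit"))
    cmds.append(cmd("cn=config,cn=ldbm database,cn=plugins,cn=config", "nsslapd-lookthroughlimit"))
    return cmds


if __name__ == "__main__":
    for hit in parse_access_log(SAMPLE_LOG.splitlines()):
        print(hit["conn"], hit["op"], hit["error"], hit["nentries"], hit["identity"], hit["mech"])
        print("\n".join("  " + c for c in limit_checks(hit, "dc=example,dc=test")))
```

Run it against a real log with `parse_access_log(open("/var/log/dirsrv/slapd-INSTANCE/access"))`; the GSSAPI case in the constructed log shows why the BIND must be matched by op number, since the first SASL round trip returns err=14 and only the final RESULT carries the resolved DN. Remember that the access log is buffered, so tail it for a moment after the ipa command returns.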
Re: Exclude only one command on SUDO ?
by Brian Candler
On 15/02/2018 04:04, freeipa-users-request(a)lists.fedorahosted.org wrote:
>> I wanted to ask if there is any way to exclude only one sudo command
>> and allow all the others.
>>
>> For example, I want to exclude the "passwd" command but allow all the others
>> without needing to write each of them one by one.
> This is more a sudo question than an IPA question but it is not
> recommended to even try this.
For example, there would be nothing to stop them doing:
sudo sh -c passwd
or:
echo passwd | sudo sh
And there are many commands which will let you get out to a shell,
directly or indirectly.
6 years, 3 months
wildcard ssl on free-ipa 3.1
by Umarzuki Mochlis
Hi,
Is it possible to apply a wildcard SSL certificate on v3.1 to be able to migrate to
a recent FreeIPA?
The reason being that I need to backdate the date to the year before the self-signed certificate expired.
I have not been able to renew the certificate so far.
Thanks.
6 years, 3 months
debugging enabled, suppressing output
by Jim Richard
As far as I can tell I have not enabled debugging, but when I do an ipactl restart I see:
[root@sso-109:(NYM) etc]$ ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
debugging enabled, suppressing output.
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
FreeIPA 4.5 on CentOS 7.4
Thanks !
6 years, 3 months
Apache HTTPD with kerberized NFS4 document root
by Ray
Hi there,
I'm trying to make Apache access a kerberized document root on CentOS
7 using gssproxy. So far without success. On the web server machine
(= NFS client) I configured a gssproxy config file:
# cat /etc/gssproxy/99-nfs-client.conf
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
In addition to this I set up a credentials cache
/var/lib/gssproxy/clients/krb5cc_<httpd uid>
The Apache user is managed using FreeIPA and is a member of the exported
directory's group that shall be used as document root, hence it should
have access permissions to the directory and kinit for "apache" shows no
ticket.
However, when I "su -s /bin/bash apache" and try to access the
NFS-mounted directory, I get permission denied (even with SELinux
temporarily disabled).
Right now, I do not see how I can proceed and there's not much meat on
the Google bone for this specific topic. Can someone here point me in
the right direction?
* Is the config outlined the correct way to achieve what I want to do?
* Is there a way to debug the issue I'm currently facing?
Best,
Ray
6 years, 3 months
Exclude only one command on SUDO ?
by Jim Ntosas
Hello team!
I wanted to ask if there is any way to exclude only one sudo command and
allow all the others.
For example, I want to exclude the "passwd" command but allow all the others
without needing to write each of them one by one.
Thank you in advance for your time
Jim
6 years, 3 months
Re: IPA-Server Deletion issues
by Jamal Mahmoud
Thank you Thierry for your help!
I just deleted all the entries and hey presto! Oxygen is no longer
lingering around. Except that in my defaultServerList entry, oxygen is
still there; I have a feeling that is affecting something somewhere, or
will in the future. Would anyone know how to fix this?
after running:
ldapsearch -LLL -D "cn=directory manager" -W -b "dc=eggvfx,dc=ie" "(objectclass=*)" | grep oxygen
The output is:
defaultServerList: oxygen.eggvfx.ie nitrogen.eggvfx.ie lithium.eggvfx.ie
Thanks again for your help!
Jamal
*Jamal Mahmoud* / Pipeline TD
jamal.mahmoud(a)egg.ie
35 Fitzwilliam Street Upper, Dublin.
P: +353 1 6345440
On 14 February 2018 at 16:20, thierry bordaz <tbordaz(a)redhat.com> wrote:
> I think it is okay to do the delete.
> The topology plugin is a reader of the masters container and should take into
> account those changes. Now it may require a restart.
>
> Just for your information I will be out of the office tonight being back
> Feb 23rd
>
> best regards
> thierry
>
> On 02/14/2018 04:25 PM, Jamal Mahmoud wrote:
>
> Would it hurt to try running those ldapdelete commands? or would that make
> it worse?
>
> Thanks for your help Thierry,
>
>
>
>
>
> On 14 February 2018 at 14:56, thierry bordaz <tbordaz(a)redhat.com> wrote:
>
>> Hmmm... to be honest I do not have the skills of the support guys to get rid of
>> conflicts in IPA :(
>>
>> Removing the conflict entries under 'masters' should let the topology
>> plugin accept deletion of the segments.
>> You may ping freeipa-users again to get more advice on how to repair a
>> topology with conflict entries.
>>
>> We know that we have a former server that is a conflict entry under
>> 'master'.
>> Also that segments to that server exist, likely because the topology
>> plugin hit the same issues as the other IPA CLIs.
>>
>> On 02/14/2018 03:43 PM, Jamal Mahmoud wrote:
>>
>> Haha! I almost went ahead and ran those deletes without thinking! Sick of
>> oxygen at this point!
>> Okay so I grepped oxygen from that output file and if I'm not mistaken
>> there are references to it in the topology.
>>
>> dn: cn=nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie,cn=domain,cn=topol
>> ogy,cn=ipa,cn=
>> cn: nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie
>> ipaReplTopoSegmentRightNode: oxygen.eggvfx.ie
>> dn: cn=nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie,cn=ca,cn=topology,
>> cn=ipa,cn=etc,
>> cn: nitrogen.eggvfx.ie-to-oxygen.eggvfx.ie
>> ipaReplTopoSegmentRightNode: oxygen.eggvfx.ie
>> dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-
>> 902b0a77,cn=mast
>> cn: oxygen.eggvfx.ie
>>
>>
>> I see that some of the lines have been truncated but you can see that the
>> start of some lines points to segment nodes with nitrogen; is it still okay
>> to run this ldapdelete?
>>
>>
>>
>>
>>
>>
>> On 14 February 2018 at 14:37, thierry bordaz <tbordaz(a)redhat.com> wrote:
>>
>>> Okay,
>>>
>>> So master 'oxygen' was a conflict, as well as all its services (NTP,
>>> KDC...).
>>> My understanding is that 'oxygen' is no longer part of the topology. So
>>> I think removing all its children and then the master would solve your
>>> issue.
>>>
>>> ldapdelete -D "cn=directory manager" -W "cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>
>>> ldapdelete -D "cn=directory manager" -W "cn=NTP+nsuniqueid=65aeb78a-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>
>>> ldapdelete -D "cn=directory manager" -W "cn=KDC+nsuniqueid=65aeb78c-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>
>>> ldapdelete -D "cn=directory manager" -W "cn=KPASSWD+nsuniqueid=65aeb78d-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>
>>> ldapdelete -D "cn=directory manager" -W "cn=HTTP+nsuniqueid=72cba68b-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>
>>> ldapdelete -D "cn=directory manager" -W "cn=OTPD+nsuniqueid=72cba68c-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>
>>> ldapdelete -D "cn=directory manager" -W "cn=KEYS+nsuniqueid=72cba68d-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>
>>> But before doing that I would first check whether any reference to
>>> oxygen remains somewhere.
>>>
>>> ldapsearch -LLL -D "cn=directory manager" -W -b "dc=eggvfx,dc=ie" "(objectclass=*)" > /tmp/all_db
>>>
>>> then search for 'oxygen' in /tmp/all_db and check that it appears only in
>>> those conflict entries.
>>>
>>>
>>> On 02/14/2018 03:22 PM, Jamal Mahmoud wrote:
>>>
>>> Here it is! If there is anything else don't hesitate to ask me!
>>>
>>> [root@lithium ~]# ldapsearch -D "cn=directory manager" -W -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" "(nsds5ReplConflict=*)" dn
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie> with scope subtree
>>> # filter: (nsds5ReplConflict=*)
>>> # requesting: dn
>>> #
>>>
>>> # oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>> dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>
>>> # NTP + 65aeb78a-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>> dn: cn=NTP+nsuniqueid=65aeb78a-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>
>>> # KDC + 65aeb78c-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>> dn: cn=KDC+nsuniqueid=65aeb78c-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>
>>> # KPASSWD + 65aeb78d-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>> dn: cn=KPASSWD+nsuniqueid=65aeb78d-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>
>>> # HTTP + 72cba68b-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>> dn: cn=HTTP+nsuniqueid=72cba68b-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>
>>> # OTPD + 72cba68c-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>> dn: cn=OTPD+nsuniqueid=72cba68c-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>
>>> # KEYS + 72cba68d-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>> dn: cn=KEYS+nsuniqueid=72cba68d-04de11e8-a003fb96-902b0a77,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 8
>>> # numEntries: 7
>>>
>>> Many Thanks,
>>>
>>>
>>>
>>>
>>>
>>> On 14 February 2018 at 14:00, thierry bordaz <tbordaz(a)redhat.com> wrote:
>>>
>>>> Jamal,
>>>>
>>>> sorry to iterate, but I would like to have a complete view before
>>>> deleting entries.
>>>>
>>>> What is the output of
>>>> ldapsearch -D "cn=directory manager" -W -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" "(nsds5ReplConflict=*)" dn
>>>>
>>>>
>>>> On 02/14/2018 02:43 PM, Jamal Mahmoud wrote:
>>>>
>>>> Oh i see! Here is the output from that command:
>>>>
>>>> [root@lithium ~]# ldapsearch -D "cn=directory manager" -W -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" "(|(objectclass=*)(objectclass=nstombstone)(objectclass=ldapsubentry))"
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie> with scope subtree
>>>> # filter: (|(objectclass=*)(objectclass=nstombstone)(objectclass=ldapsubentry))
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # masters, ipa, etc, eggvfx.ie
>>>> dn: cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: top
>>>> cn: masters
>>>>
>>>> # nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> ipaMaxDomainLevel: 1
>>>> ipaMinDomainLevel: 0
>>>> ipaReplTopoManagedSuffix: dc=eggvfx,dc=ie
>>>> ipaReplTopoManagedSuffix: o=ipaca
>>>> cn: nitrogen.eggvfx.ie
>>>> objectClass: top
>>>> objectClass: nsContainer
>>>> objectClass: ipaReplTopoManagedServer
>>>> objectClass: ipaConfigObject
>>>> objectClass: ipaSupportedDomainLevelConfig
>>>>
>>>> # 4184b79c-efc211e7-a445c156-0137f91d, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: nsuniqueid=4184b79c-efc211e7-a445c156-0137f91d,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> nstombstonecsn: 5a4b902b001c00070000
>>>> nsParentUniqueId: 0ae096b3-9c8a11e7-917dfdf1-4323123d
>>>> ipaMaxDomainLevel: 1
>>>> ipaMinDomainLevel: 0
>>>> ipaReplTopoManagedSuffix: dc=eggvfx,dc=ie
>>>> cn: lithium.eggvfx.ie
>>>> objectClass: top
>>>> objectClass: nsContainer
>>>> objectClass: ipaReplTopoManagedServer
>>>> objectClass: ipaConfigObject
>>>> objectClass: ipaSupportedDomainLevelConfig
>>>> objectClass: nsTombstone
>>>>
>>>> # NTP, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=NTP,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> cn: NTP
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 45
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # KDC, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KDC,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> cn: KDC
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 10
>>>> ipaConfigString: kdcProxyEnabled
>>>> ipaConfigString: pkinitEnabled
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # KPASSWD, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KPASSWD,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> cn: KPASSWD
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 20
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # HTTP, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=HTTP,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eg
>>>> gvfx,dc=ie
>>>> cn: HTTP
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 40
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # OTPD, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=OTPD,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eg
>>>> gvfx,dc=ie
>>>> cn: OTPD
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 80
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # KEYS, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KEYS,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eg
>>>> gvfx,dc=ie
>>>> cn: KEYS
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 41
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # CA, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=CA,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>> fx,dc=ie
>>>> cn: CA
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 50
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # DNS, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=DNS,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=egg
>>>> vfx,dc=ie
>>>> cn: DNS
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 30
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # DNSKeySync, nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=DNSKeySync,cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc
>>>> ,dc=eggvfx,dc=
>>>> ie
>>>> cn: DNSKeySync
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 110
>>>> ipaConfigString: dnssecVersion 1
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>>
>>>> # lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> objectClass: top
>>>> objectClass: nsContainer
>>>> objectClass: ipaReplTopoManagedServer
>>>> objectClass: ipaConfigObject
>>>> objectClass: ipaSupportedDomainLevelConfig
>>>> cn: lithium.eggvfx.ie
>>>> ipaReplTopoManagedSuffix: dc=eggvfx,dc=ie
>>>> ipaReplTopoManagedSuffix: o=ipaca
>>>> ipaMinDomainLevel: 0
>>>> ipaMaxDomainLevel: 1
>>>>
>>>> # NTP, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=NTP,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>> fx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 45
>>>> cn: NTP
>>>>
>>>> # KDC, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KDC,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>> fx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 10
>>>> ipaConfigString: kdcProxyEnabled
>>>> ipaConfigString: pkinitEnabled
>>>> cn: KDC
>>>>
>>>> # KPASSWD, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KPASSWD,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=
>>>> eggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 20
>>>> cn: KPASSWD
>>>>
>>>> # HTTP, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=HTTP,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=egg
>>>> vfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 40
>>>> cn: HTTP
>>>>
>>>> # OTPD, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=OTPD,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=egg
>>>> vfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 80
>>>> cn: OTPD
>>>>
>>>> # KEYS, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KEYS,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=egg
>>>> vfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 41
>>>> cn: KEYS
>>>>
>>>> # CA, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=CA,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 50
>>>> ipaConfigString: caRenewalMaster
>>>> cn: CA
>>>>
>>>> # DNS, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=DNS,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>> fx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 30
>>>> cn: DNS
>>>>
>>>> # DNSKeySync, lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=DNSKeySync,cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,
>>>> dc=eggvfx,dc=i
>>>> e
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 110
>>>> ipaConfigString: dnssecVersion 1
>>>> cn: DNSKeySync
>>>>
>>>> # oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters,
>>>> ipa, etc, eg
>>>> gvfx.ie
>>>> dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-90
>>>> 2b0a77,cn=mast
>>>> ers,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> objectClass: top
>>>> objectClass: nsContainer
>>>> objectClass: ipaReplTopoManagedServer
>>>> objectClass: ipaConfigObject
>>>> objectClass: ipaSupportedDomainLevelConfig
>>>> cn: oxygen.eggvfx.ie
>>>> ipaReplTopoManagedSuffix: dc=eggvfx,dc=ie
>>>> ipaReplTopoManagedSuffix: o=ipaca
>>>> ipaMinDomainLevel: 0
>>>> ipaMaxDomainLevel: 1
>>>>
>>>> # NTP + 65aeb78a-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie +
>>>> 562f6f20-04de11
>>>> e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=NTP+nsuniqueid=65aeb78a-04de11e8-a003fb96-902b0a77,cn=oxy
>>>> gen.eggvfx.ie+
>>>> nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,c
>>>> n=ipa,cn=etc,dc=eg
>>>> gvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 45
>>>> cn: NTP
>>>>
>>>> # KDC + 65aeb78c-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie +
>>>> 562f6f20-04de11
>>>> e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KDC+nsuniqueid=65aeb78c-04de11e8-a003fb96-902b0a77,cn=oxy
>>>> gen.eggvfx.ie+
>>>> nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,c
>>>> n=ipa,cn=etc,dc=eg
>>>> gvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 10
>>>> ipaConfigString: kdcProxyEnabled
>>>> ipaConfigString: pkinitEnabled
>>>> cn: KDC
>>>>
>>>> # KPASSWD + 65aeb78d-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie +
>>>> 562f6f20-04
>>>> de11e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KPASSWD+nsuniqueid=65aeb78d-04de11e8-a003fb96-902b0a77,cn
>>>> =oxygen.eggvfx
>>>> .ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=maste
>>>> rs,cn=ipa,cn=etc,d
>>>> c=eggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 20
>>>> cn: KPASSWD
>>>>
>>>> # HTTP + 72cba68b-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie +
>>>> 562f6f20-04de1
>>>> 1e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=HTTP+nsuniqueid=72cba68b-04de11e8-a003fb96-902b0a77,cn=ox
>>>> ygen.eggvfx.ie
>>>> +nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,
>>>> cn=ipa,cn=etc,dc=e
>>>> ggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 40
>>>> cn: HTTP
>>>>
>>>> # OTPD + 72cba68c-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie +
>>>> 562f6f20-04de1
>>>> 1e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=OTPD+nsuniqueid=72cba68c-04de11e8-a003fb96-902b0a77,cn=ox
>>>> ygen.eggvfx.ie
>>>> +nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,
>>>> cn=ipa,cn=etc,dc=e
>>>> ggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 80
>>>> cn: OTPD
>>>>
>>>> # KEYS + 72cba68d-04de11e8-a003fb96-902b0a77, oxygen.eggvfx.ie +
>>>> 562f6f20-04de1
>>>> 1e8-a003fb96-902b0a77, masters, ipa, etc, eggvfx.ie
>>>> dn: cn=KEYS+nsuniqueid=72cba68d-04de11e8-a003fb96-902b0a77,cn=ox
>>>> ygen.eggvfx.ie
>>>> +nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,
>>>> cn=ipa,cn=etc,dc=e
>>>> ggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 41
>>>> cn: KEYS
>>>>
>>>> # CA, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters,
>>>> ipa, etc
>>>> , eggvfx.ie
>>>> dn: cn=CA,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003f
>>>> b96-902b0a77,c
>>>> n=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 50
>>>> cn: CA
>>>>
>>>> # DNS, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77,
>>>> masters, ipa, et
>>>> c, eggvfx.ie
>>>> dn: cn=DNS,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003
>>>> fb96-902b0a77,
>>>> cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 30
>>>> cn: DNS
>>>>
>>>> # DNSKeySync, oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77,
>>>> masters,
>>>> ipa, etc, eggvfx.ie
>>>> dn: cn=DNSKeySync,cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11
>>>> e8-a003fb96-90
>>>> 2b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>> objectClass: nsContainer
>>>> objectClass: ipaConfigObject
>>>> objectClass: top
>>>> ipaConfigString: enabledService
>>>> ipaConfigString: startOrder 110
>>>> ipaConfigString: dnssecVersion 1
>>>> cn: DNSKeySync
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 33
>>>> # numEntries: 32
>>>>
>>>>
>>>> *Jamal Mahmoud* / Pipeline TD
>>>> jamal.mahmoud(a)egg.ie
>>>> 35 Fitzwilliam Street Upper, Dublin
>>>> P: +353 1 6345440
>>>>
>>>> On 14 February 2018 at 13:39, thierry bordaz <tbordaz(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Jamal,
>>>>>
>>>>> sorry I was not clear. Before deleting it can you provide
>>>>>
>>>>> ldapsearch -D "cn=directory manager" -W \
>>>>>   -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" \
>>>>>   "(|(objectclass=*)(objectclass=nstombstone)(objectclass=ldapsubentry))"
>>>>>
>>>>> On 02/14/2018 02:30 PM, Jamal Mahmoud wrote:
>>>>>
>>>>> Thank you Thierry, so from what I understand, if I delete oxygen
>>>>> from the entries, it should be resolved? How do I go about deleting it
>>>>> though? Not sure where to look/command to run.
>>>>>
>>>>> Thanks again,
>>>>> Jamal
>>>>>
>>>>> On Wed 14 Feb 2018 at 13:27, thierry bordaz <tbordaz(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Jamal,
>>>>>>
>>>>>> The problem comes from a conflict entry
>>>>>>
>>>>>> dn: cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> cn;vucsn-5a2841c1000200070000;mdcsn-5a2841c1000200070000:
>>>>>> nitrogen.eggvfx.ie
>>>>>>
>>>>>> dn: cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> cn;vucsn-5a4b93bc0002000b0000;mdcsn-5a4b93bc0002000b0000:
>>>>>> lithium.eggvfx.ie
>>>>>>
>>>>>> dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-90
>>>>>> 2b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> cn;vucsn-5a6ef6390002000d0000;mdcsn-5a6ef6390002000d0000:
>>>>>> oxygen.eggvfx.ie
>>>>>> nsds5ReplConflict;vucsn-5a6ef6390002000d0000: namingConflict cn=
>>>>>> oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>>
>>>>>> There are 3 masters, but oxygen is a conflict entry. IPA CLI is using
>>>>>> its 'cn' value to retrieve it (cn=oxygen.eggvfx.ie concatenated with
>>>>>> cn=masters,...)
>>>>>>
>>>>>> oxygen was added in parallel on two hosts, making the one added on
>>>>>> ReplicaId=0x000d a conflict.
>>>>>> Later oxygen was removed but the dangling conflict has not been cleaned
>>>>>> up. I suspect this dangling master should be present on all servers
>>>>>>
>>>>>> ldapsearch -D "cn=directory manager" -W \
>>>>>>   -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" "(nsds5ReplConflict=*)"
>>>>>>
>>>>>>
>>>>>> Conflicts are visible to regular search and IPA is fighting with them
>>>>>> (this is going to be fixed).
>>>>>> If this entry is the only conflict in the 'master' container and
>>>>>> without any children, I think you may delete it.
>>>>>>
>>>>>> best regards
>>>>>> thierry
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 02/14/2018 12:31 PM, Jamal Mahmoud wrote:
>>>>>>
>>>>>> Sure thing Thierry!
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> ---------------------------------------------------------------
>>>>>> For the First Command:
>>>>>> ------------------------------------------------------------
>>>>>> ---------------------------------------------------------------
>>>>>>
>>>>>> [root@lithium ~]# ldapsearch -D "cn=directory manager" -W -b
>>>>>> "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s one 'objectclass=*'
>>>>>> nscpentrywsi
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie> with scope oneLevel
>>>>>> # filter: objectclass=*
>>>>>> # requesting: nscpentrywsi
>>>>>> #
>>>>>>
>>>>>> # nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>>>> dn: cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> nscpentrywsi: dn: cn=nitrogen.eggvfx.ie,cn=maste
>>>>>> rs,cn=ipa,cn=etc,dc=eggvfx,dc=
>>>>>> ie
>>>>>> nscpentrywsi: entryid: 551
>>>>>> nscpentrywsi: parentid: 522
>>>>>> nscpentrywsi: createTimestamp;vucsn-5a2841c1000200070000:
>>>>>> 20171206191415Z
>>>>>> nscpentrywsi: creatorsName;vucsn-5a2841c1000200070000: cn=Directory
>>>>>> Manager
>>>>>> nscpentrywsi: ipaMaxDomainLevel;vucsn-5a2841c1000200070000: 1
>>>>>> nscpentrywsi: ipaMinDomainLevel;vucsn-5a2841c1000200070000: 0
>>>>>> nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a2841c1000200070000:
>>>>>> dc=eggvfx,d
>>>>>> c=ie
>>>>>> nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a2841f5000000070000:
>>>>>> o=ipaca
>>>>>> nscpentrywsi: cn;vucsn-5a2841c1000200070000;mdcsn-5a2841c1000200070000:
>>>>>> nitrog
>>>>>> en.eggvfx.ie
>>>>>> nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: top
>>>>>> nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: nsContainer
>>>>>> nscpentrywsi: objectClass;vucsn-5a2841c1000200070000:
>>>>>> ipaReplTopoManagedServer
>>>>>> nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: ipaConfigObject
>>>>>> nscpentrywsi: objectClass;vucsn-5a2841c1000200070000:
>>>>>> ipaSupportedDomainLevelC
>>>>>> onfig
>>>>>> nscpentrywsi: modifiersName;adcsn-5a2841f500
>>>>>> 0000070001;vucsn-5a2841f5000000070
>>>>>> 001: cn=Directory Manager
>>>>>> nscpentrywsi: modifyTimestamp;adcsn-5a2841f5
>>>>>> 000000070002;vucsn-5a2841f50000000
>>>>>> 70002: 20171206191507Z
>>>>>> nscpentrywsi: nsUniqueId: 9fa0a6a0-dab911e7-9b12a63c-96e53ac2
>>>>>> nscpentrywsi: entryusn: 2
>>>>>> nscpentrywsi: numSubordinates: 9
>>>>>>
>>>>>> # lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
>>>>>> dn: cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> nscpentrywsi: dn: cn=lithium.eggvfx.ie,cn=master
>>>>>> s,cn=ipa,cn=etc,dc=eggvfx,dc=i
>>>>>> e
>>>>>> nscpentrywsi: entryusn;adcsn-5a4b93f60000000
>>>>>> b0003;vucsn-5a4b93f60000000b0003:
>>>>>> 54
>>>>>> nscpentrywsi: modifyTimestamp;adcsn-5a4b93f6
>>>>>> 0000000b0002;vucsn-5a4b93f60000000
>>>>>> b0002: 20180102141420Z
>>>>>> nscpentrywsi: modifiersName;adcsn-5a4b93f600
>>>>>> 00000b0001;vucsn-5a4b93f60000000b0
>>>>>> 001: cn=Directory Manager
>>>>>> nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: top
>>>>>> nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: nsContainer
>>>>>> nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000:
>>>>>> ipaReplTopoManagedServer
>>>>>> nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: ipaConfigObject
>>>>>> nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000:
>>>>>> ipaSupportedDomainLevelC
>>>>>> onfig
>>>>>> nscpentrywsi: cn;vucsn-5a4b93bc0002000b0000;mdcsn-5a4b93bc0002000b0000:
>>>>>> lithiu
>>>>>> m.eggvfx.ie
>>>>>> nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a4b93bc0002000b0000:
>>>>>> dc=eggvfx,d
>>>>>> c=ie
>>>>>> nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a4b93f60000000b0000:
>>>>>> o=ipaca
>>>>>> nscpentrywsi: ipaMinDomainLevel;vucsn-5a4b93bc0002000b0000: 0
>>>>>> nscpentrywsi: ipaMaxDomainLevel;vucsn-5a4b93bc0002000b0000: 1
>>>>>> nscpentrywsi: creatorsName;vucsn-5a4b93bc0002000b0000: cn=Directory
>>>>>> Manager
>>>>>> nscpentrywsi: createTimestamp;vucsn-5a4b93bc0002000b0000:
>>>>>> 20180102141322Z
>>>>>> nscpentrywsi: nsUniqueId: 118be292-efc711e7-be76b1c8-a90c608b
>>>>>> nscpentrywsi: parentid: 522
>>>>>> nscpentrywsi: entryid: 855
>>>>>> nscpentrywsi: numSubordinates: 9
>>>>>>
>>>>>> # oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters,
>>>>>> ipa, etc, eg
>>>>>> gvfx.ie
>>>>>> dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-90
>>>>>> 2b0a77,cn=mast
>>>>>> ers,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> nscpentrywsi: dn: cn=oxygen.eggvfx.ie+nsuniqueid
>>>>>> =562f6f20-04de11e8-a003fb96-90
>>>>>> 2b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> nscpentrywsi: entryusn;adcsn-5a6ef6850000000
>>>>>> d0003;vucsn-5a6ef6850000000d0003:
>>>>>> 9656
>>>>>> nscpentrywsi: modifyTimestamp;adcsn-5a6ef685
>>>>>> 0000000d0002;vucsn-5a6ef6850000000
>>>>>> d0002: 20180129102411Z
>>>>>> nscpentrywsi: modifiersName;adcsn-5a6ef68500
>>>>>> 00000d0001;vucsn-5a6ef6850000000d0
>>>>>> 001: cn=Directory Manager
>>>>>> nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: top
>>>>>> nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: nsContainer
>>>>>> nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000:
>>>>>> ipaReplTopoManagedServer
>>>>>> nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: ipaConfigObject
>>>>>> nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000:
>>>>>> ipaSupportedDomainLevelC
>>>>>> onfig
>>>>>> nscpentrywsi: cn;vucsn-5a6ef6390002000d0000;mdcsn-5a6ef6390002000d0000:
>>>>>> oxygen
>>>>>> .eggvfx.ie
>>>>>> nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a6ef6390002000d0000:
>>>>>> dc=eggvfx,d
>>>>>> c=ie
>>>>>> nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a6ef6850000000d0000:
>>>>>> o=ipaca
>>>>>> nscpentrywsi: ipaMinDomainLevel;vucsn-5a6ef6390002000d0000: 0
>>>>>> nscpentrywsi: ipaMaxDomainLevel;vucsn-5a6ef6390002000d0000: 1
>>>>>> nscpentrywsi: creatorsName;vucsn-5a6ef6390002000d0000: cn=Directory
>>>>>> Manager
>>>>>> nscpentrywsi: createTimestamp;vucsn-5a6ef6390002000d0000:
>>>>>> 20180129102255Z
>>>>>> nscpentrywsi: nsUniqueId;mdcsn-5a6ef6390002000d0000:
>>>>>> 562f6f20-04de11e8-a003fb9
>>>>>> 6-902b0a77
>>>>>> nscpentrywsi: parentid: 522
>>>>>> nscpentrywsi: entryid: 947
>>>>>> nscpentrywsi: nsds5ReplConflict;vucsn-5a6ef6390002000d0000:
>>>>>> namingConflict cn=
>>>>>> oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>> nscpentrywsi: numSubordinates: 9
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>> # numResponses: 4
>>>>>> # numEntries: 3
>>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> ---------------------------------------------------------------
>>>>>> For the second command:
>>>>>> ------------------------------------------------------------
>>>>>> ---------------------------------------------------------------
>>>>>>
>>>>>> [root@lithium ~]# ldapsearch -D "cn=directory manager" -W -b "cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s base 'objectclass=*' nscpentrywsi
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie> with scope baseObject
>>>>>> # filter: objectclass=*
>>>>>> # requesting: nscpentrywsi
>>>>>> #
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 32 No such object
>>>>>> matchedDN: cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
>>>>>>
>>>>>> # numResponses: 1
>>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> ---------------------------------------------------------------
>>>>>> Hope some of that makes sense, thanks for the quick response by the
>>>>>> way!
>>>>>>
>>>>>> Many Thanks,
>>>>>> Jamal
>>>>>>
>>>>>>
>>>>>> On 14 February 2018 at 11:17, thierry bordaz <tbordaz(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Jamal,
>>>>>>>
>>>>>>> Regarding the 'unwilling to perform', I think it may be the topology plugin
>>>>>>> that prevents you from isolating a host. Would the del isolate a host?
>>>>>>>
>>>>>>> Regarding the 'server not found', my understanding is that the
>>>>>>> weird things come from
>>>>>>>
>>>>>>> [13/Feb/2018:09:14:47.828827335 +0000] conn=192208 op=3 SRCH
>>>>>>> base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
>>>>>>> filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn ipaMinDomainLevel
>>>>>>> ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"
>>>>>>> [13/Feb/2018:09:14:47.829400972 +0000] conn=192208 op=3 RESULT
>>>>>>> err=0 tag=101 nentries=3 etime=0
>>>>>>>
>>>>>>> [13/Feb/2018:09:14:47.845769945 +0000] conn=192208 op=5 SRCH
>>>>>>> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>>>>> scope=0 filter="(objectClass=*)" attrs=""
>>>>>>> [13/Feb/2018:09:14:47.845875163 +0000] conn=192208 op=5 RESULT
>>>>>>> err=0 tag=101 nentries=1 etime=0
>>>>>>>
>>>>>>> [13/Feb/2018:09:14:47.855353962 +0000] conn=192208 op=13 SRCH
>>>>>>> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>>>>> scope=0 filter="(objectClass=*)" attrs=""
>>>>>>> [13/Feb/2018:09:14:47.855449266 +0000] conn=192208 op=13 RESULT
>>>>>>> err=0 tag=101 nentries=1 etime=0
>>>>>>>
>>>>>>> [13/Feb/2018:09:14:47.864790724 +0000] conn=192208 op=21 SRCH
>>>>>>> base="cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
>>>>>>> scope=0 filter="(objectClass=*)" attrs=""
>>>>>>> [13/Feb/2018:09:14:47.864996898 +0000] conn=192208 op=21 RESULT
>>>>>>> err=32 tag=101 nentries=0 etime=0
>>>>>>>
>>>>>>>
>>>>>>> Could you provide (directly) the result of the following commands
>>>>>>>
>>>>>>> ldapsearch -D "cn=directory manager" -W \
>>>>>>>   -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s one 'objectclass=*' nscpentrywsi
>>>>>>>
>>>>>>>
>>>>>>> ldapsearch -D "cn=directory manager" -W \
>>>>>>>   -b "cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s base 'objectclass=*' nscpentrywsi
>>>>>>>
>>>>>>> Best regards
>>>>>>> thierry
>>>>>>> On 02/14/2018 10:52 AM, Jamal Mahmoud wrote:
>>>>>>>
>>>>>>> Thank you Rob!
>>>>>>> I can confirm that when I try to even view the server from the UI
>>>>>>> the same error message appears (server not found) in a dialog box, so
>>>>>>> wherever the UI is querying from, it originates from the same place. I
>>>>>>> would also like to mention that while I was trying to remove the topology
>>>>>>> segments from oxygen to nitrogen there is another error that appears. I
>>>>>>> don't know how to remove a segment in the CLI (I tried and couldn't figure
>>>>>>> it out) but the output from the web UI is attached below. I believe this is
>>>>>>> normal behaviour if the server were active.
>>>>>>>
>>>>>>> IPA Error 4203: DatabaseError
>>>>>>> Server is unwilling to perform: Removal of Segment disconnects
>>>>>>> topology.Deletion not allowed.
>>>>>>>
>>>>>>> I've attached images explaining what I mean.
>>>>>>> I hope this helps you and Thierry!
>>>>>>>
>>>>>>> Many Thanks,
>>>>>>> Jamal
>>>>>>>
>>>>>>> On 13 February 2018 at 21:14, Rob Crittenden <rcritten(a)redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Jamal Mahmoud via FreeIPA-users wrote:
>>>>>>>> > Hi Rob,
>>>>>>>> >
>>>>>>>> > I've isolated the output on lithium when I ran
>>>>>>>> > ipa-replica-manage del oxygen.eggvfx.ie --force --cleanup
>>>>>>>> > It's quite heavy still but here it is
>>>>>>>>
>>>>>>>> This is helpful. It shows that oxygen is being looked for in the IPA
>>>>>>>> masters location, cn=masters and is returning err=32, not found.
>>>>>>>>
>>>>>>>> What I don't know is why or where this query is coming from.
>>>>>>>>
>>>>>>>> There are several queries that look like they might originate in the
>>>>>>>> 389-ds topology plugin but I couldn't find where and I'm not familiar
>>>>>>>> with it in general. Queries like:
>>>>>>>>
>>>>>>>> SRCH base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
>>>>>>>> filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn ipaMinDomainLevel
>>>>>>>> ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"
>>>>>>>>
>>>>>>>> I'm not entirely sure when you invoke ipa-replica-manage if it is
>>>>>>>> calling the topology plugin under the hood or not. It almost certainly
>>>>>>>> is when you use the UI.
>>>>>>>>
>>>>>>>> I'm cc'ing someone who knows this better.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>> >
>>>>>>>> > [13/Feb/2018:09:14:45.823204160 +0000] conn=192207 fd=155 slot=155 SSL connection from 192.168.94.4 to 192.168.94.4
>>>>>>>> > [13/Feb/2018:09:14:46.027998523 +0000] conn=192207 TLS1.2 256-bit AES-GCM
>>>>>>>> > [13/Feb/2018:09:14:46.031226897 +0000] conn=45 op=31409 SRCH base="dc=eggvfx,dc=ie" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/EGGVFX.IE@EGGVFX.IE)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/EGGVFX.IE@EGGVFX.IE)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>>>>>> > [13/Feb/2018:09:14:46.031713683 +0000] conn=45 op=31409 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:46.032193288 +0000] conn=45 op=31410 SRCH base="dc=eggvfx,dc=ie" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/lithium.eggvfx.ie@EGGVFX.IE)(krbPrincipalName:caseIgnoreIA5Match:=ldap/lithium.eggvfx.ie@EGGVFX.IE)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>>>>>> > [13/Feb/2018:09:14:46.032529772 +0000] conn=45 op=31410 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:46.032696842 +0000] conn=45 op=31411 SRCH base="cn=EGGVFX.IE,cn=kerberos,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>>>>>>> > [13/Feb/2018:09:14:46.032904807 +0000] conn=45 op=31411 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:46.033085928 +0000] conn=45 op=31412 SRCH base="dc=eggvfx,dc=ie" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin@EGGVFX.IE))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>>>>>> > [13/Feb/2018:09:14:46.033377257 +0000] conn=45 op=31412 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:46.033555617 +0000] conn=45 op=31413 SRCH base="cn=EGGVFX.IE,cn=kerberos,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>>>>>>> > [13/Feb/2018:09:14:46.033714662 +0000] conn=45 op=31413 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:46.034731567 +0000] conn=192207 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>> > [13/Feb/2018:09:14:46.776688499 +0000] conn=192207 op=0 RESULT err=14 tag=97 nentries=0 etime=1, SASL bind in progress
>>>>>>>> > [13/Feb/2018:09:14:46.777340050 +0000] conn=192207 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>> > [13/Feb/2018:09:14:46.779800986 +0000] conn=192207 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>>>>>> > [13/Feb/2018:09:14:46.780131803 +0000] conn=192207 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>> > [13/Feb/2018:09:14:46.781745436 +0000] conn=192207 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=eggvfx,dc=ie"
>>>>>>>> > [13/Feb/2018:09:14:46.782496366 +0000] conn=192207 op=3 SRCH base="cn=mapping tree,cn=config" scope=2 filter="(|(&(objectClass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=eggvfx,dc=ie))(objectClass=nsDSWindowsReplicationAgreement))" attrs=ALL
>>>>>>>> > [13/Feb/2018:09:14:46.784970100 +0000] conn=192207 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:46.786072700 +0000] conn=192207 op=4 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
>>>>>>>> > [13/Feb/2018:09:14:46.992758156 +0000] conn=192207 op=4 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.274654147 +0000] conn=192208 fd=156
>>>>>>>> slot=156
>>>>>>>> > connection from local to /var/run/slapd-EGGVFX-IE.socket
>>>>>>>> > [13/Feb/2018:09:14:47.275257858 +0000] conn=192208 AUTOBIND
>>>>>>>> > dn="cn=Directory Manager"
>>>>>>>> > [13/Feb/2018:09:14:47.275266840 +0000] conn=192208 op=0 BIND
>>>>>>>> > dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
>>>>>>>> > [13/Feb/2018:09:14:47.275307838 +0000] conn=192208 op=0 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=97 nentries=0 etime=0 dn="cn=Directory Manager"
>>>>>>>> > [13/Feb/2018:09:14:47.286719997 +0000] conn=192208 op=1 SRCH
>>>>>>>> > base="cn=Domain Level,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0
>>>>>>>> > filter="(objectClass=*)" attrs="ipaDomainLevel"
>>>>>>>> > [13/Feb/2018:09:14:47.286848507 +0000] conn=192208 op=1 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.287228472 +0000] conn=192208 op=2 SRCH
>>>>>>>> > base="cn=schema" scope=0 filter="(objectClass=*)"
>>>>>>>> attrs="attributeTypes
>>>>>>>> > objectClasses"
>>>>>>>> > [13/Feb/2018:09:14:47.464093684 +0000] conn=192208 op=2 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.828827335 +0000] conn=192208 op=3 SRCH
>>>>>>>> > base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
>>>>>>>> > filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn
>>>>>>>> ipaMinDomainLevel
>>>>>>>> > ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"
>>>>>>>> > [13/Feb/2018:09:14:47.829400972 +0000] conn=192208 op=3 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=3 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.834510410 +0000] conn=192208 op=4 SRCH
>>>>>>>> > base="cn=topology,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
>>>>>>>> > filter="(objectClass=iparepltopoconf)" attrs="* cn
>>>>>>>> ipaReplTopoConfRoot aci"
>>>>>>>> > [13/Feb/2018:09:14:47.834813555 +0000] conn=192208 op=4 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=2 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.845769945 +0000] conn=192208 op=5 SRCH
>>>>>>>> > base="cn=nitrogen.eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>>>>>> fx,dc=ie"
>>>>>>>> > scope=0 filter="(objectClass=*)" attrs=""
>>>>>>>> > [13/Feb/2018:09:14:47.845875163 +0000] conn=192208 op=5 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.846499455 +0000] conn=192208 op=6 SRCH
>>>>>>>> > base="cn=nitrogen.eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>>>>>> fx,dc=ie"
>>>>>>>> > scope=2 filter="(cn=CA)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.846716314 +0000] conn=192208 op=6 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.847775298 +0000] conn=192208 op=7 SRCH
>>>>>>>> > base="cn=nitrogen.eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>>>>>> fx,dc=ie"
>>>>>>>> > scope=2 filter="(|(cn=HTTP)(cn=KDC)(cn=KPASSWD))"
>>>>>>>> attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.848157025 +0000] conn=192208 op=7 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=3 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.850013297 +0000] conn=192208 op=8 SRCH
>>>>>>>> > base="cn=nitrogen.eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>>>>>> fx,dc=ie"
>>>>>>>> > scope=2 filter="(|(cn=DNS)(cn=DNSKeySync))"
>>>>>>>> attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.850305924 +0000] conn=192208 op=8 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=2 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.851655036 +0000] conn=192208 op=9 SRCH
>>>>>>>> > base="cn=nitrogen.eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>>>>>> fx,dc=ie"
>>>>>>>> > scope=2 filter="(cn=NTP)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.851833457 +0000] conn=192208 op=9 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.852812885 +0000] conn=192208 op=10 SRCH
>>>>>>>> > base="cn=computers,cn=accounts,dc=eggvfx,dc=ie" scope=2
>>>>>>>> > filter="(&(memberOf=cn=adtrust
>>>>>>>> > agents,cn=sysaccounts,cn=etc,dc=eggvfx,dc=ie)(fqdn=nitrogen.
>>>>>>>> eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>))" attrs="* aci"
>>>>>>>> > [13/Feb/2018:09:14:47.853031311 +0000] conn=192208 op=10 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=0 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.853536363 +0000] conn=192208 op=11 SRCH
>>>>>>>> > base="cn=nitrogen.eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>>>>>> fx,dc=ie"
>>>>>>>> > scope=2 filter="(cn=KRA)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.853649454 +0000] conn=192208 op=11 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=0 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.854114915 +0000] conn=192208 op=12 SRCH
>>>>>>>> > base="cn=nitrogen.eggvfx.ie
>>>>>>>> > <http://nitrogen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggv
>>>>>>>> fx,dc=ie"
>>>>>>>> > scope=2 filter="(cn=ADTRUST)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.854224953 +0000] conn=192208 op=12 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=0 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.855353962 +0000] conn=192208 op=13 SRCH
>>>>>>>> > base="cn=lithium.eggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvf
>>>>>>>> x,dc=ie"
>>>>>>>> > scope=0 filter="(objectClass=*)" attrs=""
>>>>>>>> > [13/Feb/2018:09:14:47.855449266 +0000] conn=192208 op=13 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.855936058 +0000] conn=192208 op=14 SRCH
>>>>>>>> > base="cn=lithium.eggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvf
>>>>>>>> x,dc=ie"
>>>>>>>> > scope=2 filter="(cn=CA)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.856125343 +0000] conn=192208 op=14 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.857152859 +0000] conn=192208 op=15 SRCH
>>>>>>>> > base="cn=lithium.eggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvf
>>>>>>>> x,dc=ie"
>>>>>>>> > scope=2 filter="(|(cn=HTTP)(cn=KDC)(cn=KPASSWD))"
>>>>>>>> attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.857517597 +0000] conn=192208 op=15 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=3 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.859268273 +0000] conn=192208 op=16 SRCH
>>>>>>>> > base="cn=lithium.eggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvf
>>>>>>>> x,dc=ie"
>>>>>>>> > scope=2 filter="(|(cn=DNS)(cn=DNSKeySync))"
>>>>>>>> attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.859490110 +0000] conn=192208 op=16 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=2 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.860775424 +0000] conn=192208 op=17 SRCH
>>>>>>>> > base="cn=lithium.eggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvf
>>>>>>>> x,dc=ie"
>>>>>>>> > scope=2 filter="(cn=NTP)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.860938889 +0000] conn=192208 op=17 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=1 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.861949875 +0000] conn=192208 op=18 SRCH
>>>>>>>> > base="cn=computers,cn=accounts,dc=eggvfx,dc=ie" scope=2
>>>>>>>> > filter="(&(memberOf=cn=adtrust
>>>>>>>> > agents,cn=sysaccounts,cn=etc,dc=eggvfx,dc=ie)(fqdn=lithium.e
>>>>>>>> ggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>))" attrs="* aci"
>>>>>>>> > [13/Feb/2018:09:14:47.862121230 +0000] conn=192208 op=18 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=0 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.862930080 +0000] conn=192208 op=19 SRCH
>>>>>>>> > base="cn=lithium.eggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvf
>>>>>>>> x,dc=ie"
>>>>>>>> > scope=2 filter="(cn=KRA)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.863048094 +0000] conn=192208 op=19 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=0 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.863563059 +0000] conn=192208 op=20 SRCH
>>>>>>>> > base="cn=lithium.eggvfx.ie
>>>>>>>> > <http://lithium.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvf
>>>>>>>> x,dc=ie"
>>>>>>>> > scope=2 filter="(cn=ADTRUST)" attrs="ipaConfigString cn"
>>>>>>>> > [13/Feb/2018:09:14:47.863674190 +0000] conn=192208 op=20 RESULT
>>>>>>>> err=0
>>>>>>>> > tag=101 nentries=0 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.864790724 +0000] conn=192208 op=21 SRCH
>>>>>>>> > base="cn=oxygen.eggvfx.ie
>>>>>>>> > <http://oxygen.eggvfx.ie>,cn=masters,cn=ipa,cn=etc,dc=eggvfx
>>>>>>>> ,dc=ie"
>>>>>>>> > scope=0 filter="(objectClass=*)" attrs=""
>>>>>>>> > [13/Feb/2018:09:14:47.864996898 +0000] conn=192208 op=21 RESULT
>>>>>>>> err=32
>>>>>>>> > tag=101 nentries=0 etime=0
>>>>>>>> > [13/Feb/2018:09:14:47.918001361 +0000] conn=192207 op=5 UNBIND
>>>>>>>> > [13/Feb/2018:09:14:47.918035786 +0000] conn=192207 op=5 fd=155
>>>>>>>> closed - U1
>>>>>>>> > [13/Feb/2018:09:14:47.922593141 +0000] conn=192208 op=22 UNBIND
>>>>>>>> > [13/Feb/2018:09:14:47.922617042 +0000] conn=192208 op=22 fd=156
>>>>>>>> closed - U1
>>>>>>>> >
>>>>>>>> > For verbosity's sake I haven't done this on nitrogen also, unless it is
>>>>>>>> > required, if so let me know! I've also attached an image of the output
>>>>>>>> > from the command itself to show you the seemingly useless error message.
>>>>>>>> > Thanks again,
>>>>>>>> > Jamal Mahmoud
>>>>>>>> >
>>>>>>>> > <http://www.egg.ie/>
>>>>>>>> >
>>>>>>>> > *Jamal Mahmoud* / Pipeline TD
>>>>>>>> > jamal.mahmoud(a)egg.ie
>>>>>>>> >
>>>>>>>> > 35 Fitzwilliam Street Upper, Dublin
>>>>>>>> > P: +353 1 6345440
>>>>>>>> >
>>>>>>>> > Twitter <https://twitter.com/EggPost> Facebook <https://www.facebook.com/egg.post/>
>>>>>>>> > LinkedIn <http://www.linkedin.com/in/jamalmahmoud> Vimeo <https://vimeo.com/user9887735>
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On 12 February 2018 at 20:27, Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>> >
>>>>>>>> > Jamal Mahmoud wrote:
>>>>>>>> > > Sure thing,
>>>>>>>> > > Output on *lithium*:
>>>>>>>> > >
>>>>>>>> > > [root@lithium ~]# ipa-replica-manage del oxygen.eggvfx.ie --force --cleanup
>>>>>>>> > > oxygen.eggvfx.ie: server not found
>>>>>>>> >
>>>>>>>> > What is baffling me the most is that the string 'server not found' is
>>>>>>>> > not to be found in the IPA source. I can't tell where that is being
>>>>>>>> > generated.
>>>>>>>> >
>>>>>>>> > Can you provide a snippet of the 389-ds access log when you request the
>>>>>>>> > deletion? That is in /var/log/dirsrv/slapd-REALM/access
>>>>>>>> >
>>>>>>>> > Note that the log is write buffered so the content may not appear
>>>>>>>> > immediately.
>>>>>>>> >
>>>>>>>> > Seeing the queries being made and what the responses/errors are might
>>>>>>>> > give me some ideas.
>>>>>>>> >
>>>>>>>> > rob
>>>>>>>> >
>>>>>>>> > >
>>>>>>>> > >
>>>>>>>> > > [root@lithium ~]# ipa domainlevel-get
>>>>>>>> > > -----------------------
>>>>>>>> > > Current domain level: 1
>>>>>>>> > > -----------------------
>>>>>>>> > >
>>>>>>>> > >
>>>>>>>> > > Output on *nitrogen*:
>>>>>>>> > >
>>>>>>>> > > [root@nitrogen ~]# ipa-replica-manage del oxygen.eggvfx.ie --force --cleanup
>>>>>>>> > > oxygen.eggvfx.ie: server not found
>>>>>>>> > >
>>>>>>>> > >
>>>>>>>> > > [root@nitrogen ~]# ipa domainlevel-get
>>>>>>>> > > -----------------------
>>>>>>>> > > Current domain level: 1
>>>>>>>> > > -----------------------
>>>>>>>> > >
>>>>>>>> > > I hope this helps,
>>>>>>>> > >
>>>>>>>> > > Jamal
>>>>>>>> > >
>>>>>>>> > > On 7 February 2018 at 20:34, Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>> > >
>>>>>>>> > > Jamal Mahmoud via FreeIPA-users wrote:
>>>>>>>> > > > Hi Rob,
>>>>>>>> > > >
>>>>>>>> > > > Just wondering if you had time to look at this issue for me? Still stuck
>>>>>>>> > > > in a state of limbo with this IDM and I have run out of options. Any
>>>>>>>> > > > help in resolving this issue would be appreciated.
>>>>>>>> > >
>>>>>>>> > > A few more questions.
>>>>>>>> > >
>>>>>>>> > > What is the output of: ipa domainlevel-get
>>>>>>>> > >
>>>>>>>> > > Can you show the full output of ipa-replica-manage del oxygen... --force --cleanup
>>>>>>>> > >
>>>>>>>> > > And on what master are you running that?
>>>>>>>> > >
>>>>>>>> > > rob
>>>>>>>> > >
>>>>>>>> > > >
>>>>>>>> > > > Many Thanks,
>>>>>>>> > > > Jamal
>>>>>>>> > > >
>>>>>>>> > > >
>>>>>>>> > > > On 1 February 2018 at 17:04, Jamal Mahmoud <jamal.mahmoud(a)egg.ie> wrote:
>>>>>>>> > > >
>>>>>>>> > > > Sorry about the lack of clarification Rob!
>>>>>>>> > > >
>>>>>>>> > > > I have 3 servers, all running CentOS 7.4, FreeIPA version 4.5.0. The
>>>>>>>> > > > hostnames are lithium, nitrogen and the recently deceased oxygen.
>>>>>>>> > > > All are masters under the same Realm which is EGGVFX.IE
>>>>>>>> > > >
>>>>>>>> > > > The "server not found" error is exactly what shows when I try to
>>>>>>>> > > > delete the server from command line or the Web UI.
>>>>>>>> > > >
>>>>>>>> > > > When I run ipa-replica-manage list -v `hostname` this is the output
>>>>>>>> > > > from the servers:
>>>>>>>> > > >
>>>>>>>> > > > Lithium Output:
>>>>>>>> > > > root@lithium# ipa-replica-manage list -v `hostname`
>>>>>>>> > > > nitrogen.eggvfx.ie: replica
>>>>>>>> > > > last init status: 0 Total update succeeded
>>>>>>>> > > > last init ended: 2018-02-01 10:51:14+00:00
>>>>>>>> > > > last update status: Error (0) Replica acquired successfully:
>>>>>>>> > > > Incremental update succeeded
>>>>>>>> > > > last update ended: 2018-02-01 16:24:37+00:00
>>>>>>>> > > >
>>>>>>>> > > > Nitrogen Output:
>>>>>>>> > > > root@nitrogen# ipa-replica-manage list -v `hostname`
>>>>>>>> > > > lithium.eggvfx.ie: replica
>>>>>>>> > > > last init status: None
>>>>>>>> > > > last init ended: 1970-01-01 00:00:00+00:00
>>>>>>>> > > > last update status: Error (0) Replica acquired successfully:
>>>>>>>> > > > Incremental update succeeded
>>>>>>>> > > > last update ended: 2018-02-01 10:48:18+00:00
>>>>>>>> > > > oxygen.eggvfx.ie: replica
>>>>>>>> > > > last init status: None
>>>>>>>> > > > last init ended: 1970-01-01 00:00:00+00:00
>>>>>>>> > > > last update status: Error (-1) Problem connecting to replica -
>>>>>>>> > > > LDAP error: Can't contact LDAP server (connection error)
>>>>>>>> > > > last update
>>>>>>>>
>>>>>>> --
>>>>> Many Thanks,
>>>>> Jamal Mahmoud
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
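A way to read a 389-ds access log like the one quoted in this thread mechanically (an added example; it is not code from the thread, from FreeIPA or from 389-ds): pair each SRCH/BIND request with the RESULT carrying the same conn and op, remember which DN the connection is bound as, and list the operations whose err is non-zero, skipping err=14, which is only a GSSAPI bind still in progress. The sample log embedded below is constructed from the excerpt above with the attrs lists shortened; the result-code names are the RFC 4511 ones, and the field layout assumed is the default 389-ds access-log format as quoted. Run over the excerpt it leaves exactly one failure, conn=192208 op=21: the base-scope lookup of cn=oxygen.eggvfx.ie under cn=masters, issued as cn=Directory Manager, returns err=32 (noSuchObject). The thread does not say where "server not found" is generated, but an IPA master entry that is absent from cn=masters is the obvious candidate.

```python
"""Correlate 389-ds access-log requests with their RESULT lines.

Added example, not part of the thread. Assumes the default 389-ds access-log
format: "[timestamp] conn=N op=M KIND rest...". Connection-open, AUTOBIND and
fd-closed lines carry no op and are skipped.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the excerpt quoted in the thread
# (same conn/op/err values; attrs lists shortened).
SAMPLE_ACCESS_LOG = """\
[13/Feb/2018:09:14:46.034731567 +0000] conn=192207 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[13/Feb/2018:09:14:46.776688499 +0000] conn=192207 op=0 RESULT err=14 tag=97 nentries=0 etime=1, SASL bind in progress
[13/Feb/2018:09:14:46.780131803 +0000] conn=192207 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[13/Feb/2018:09:14:46.781745436 +0000] conn=192207 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=eggvfx,dc=ie"
[13/Feb/2018:09:14:47.274654147 +0000] conn=192208 fd=156 slot=156 connection from local to /var/run/slapd-EGGVFX-IE.socket
[13/Feb/2018:09:14:47.275257858 +0000] conn=192208 AUTOBIND dn="cn=Directory Manager"
[13/Feb/2018:09:14:47.275266840 +0000] conn=192208 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
[13/Feb/2018:09:14:47.275307838 +0000] conn=192208 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=Directory Manager"
[13/Feb/2018:09:14:47.855353962 +0000] conn=192208 op=13 SRCH base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.855449266 +0000] conn=192208 op=13 RESULT err=0 tag=101 nentries=1 etime=0
[13/Feb/2018:09:14:47.864790724 +0000] conn=192208 op=21 SRCH base="cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.864996898 +0000] conn=192208 op=21 RESULT err=32 tag=101 nentries=0 etime=0
[13/Feb/2018:09:14:47.922617042 +0000] conn=192208 op=22 fd=156 closed - U1
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)'
    r'(?: op=(?P<op>-?\d+))? (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
ERR_RE = re.compile(r'\berr=(\d+)')
DN_RE = re.compile(r'\bdn="([^"]*)"')

# Subset of RFC 4511 result codes that matter when reading these logs.
RESULT_NAMES = {
    0: "success",
    4: "sizeLimitExceeded",
    11: "adminLimitExceeded",
    14: "saslBindInProgress",   # normal mid-handshake GSSAPI/GSS-SPNEGO result
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def parse_access_log(text):
    """Yield one dict per request/RESULT line; lines without an op are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["conn"] = int(d["conn"])
        d["op"] = int(d["op"]) if d["op"] is not None else None
        d["rest"] = d["rest"].strip()
        yield d


def correlate(text):
    """Pair each request with the RESULT on the same (conn, op).

    Each paired record carries the DN the connection was bound as when the
    request was issued (None before any successful BIND on that connection).
    """
    pending = {}                          # (conn, op) -> request line
    bound = defaultdict(lambda: None)     # conn -> DN after last successful BIND
    paired = []
    for e in parse_access_log(text):
        if e["op"] is None:
            continue
        key = (e["conn"], e["op"])
        if e["kind"] != "RESULT":
            e["bound_dn"] = bound[e["conn"]]
            pending[key] = e
            continue
        req = pending.pop(key, None)
        if req is None:
            continue                      # RESULT for a request outside the excerpt
        err_m = ERR_RE.search(e["rest"])
        err = int(err_m.group(1)) if err_m else None
        if req["kind"] == "BIND" and err == 0:
            # A successful BIND RESULT names the DN the connection is now bound as.
            dn_m = DN_RE.search(e["rest"])
            bound[e["conn"]] = dn_m.group(1) if dn_m else ""
        paired.append({
            "conn": e["conn"], "op": e["op"], "kind": req["kind"],
            "request": req["rest"], "err": err,
            "name": RESULT_NAMES.get(err, "unknown"),
            "bound_dn": req["bound_dn"],
        })
    return paired


def failed_operations(text, ignore=(14,)):
    """Operations whose RESULT err is non-zero, minus benign codes (SASL in progress)."""
    return [p for p in correlate(text)
            if p["err"] not in (0, None) and p["err"] not in ignore]


if __name__ == "__main__":
    for f in failed_operations(SAMPLE_ACCESS_LOG):
        print(f'conn={f["conn"]} op={f["op"]} {f["kind"]} as {f["bound_dn"]!r}: '
              f'err={f["err"]} ({f["name"]}) {f["request"]}')
```

Pointing `failed_operations()` at a real /var/log/dirsrv/slapd-REALM/access (remember Rob's note that it is write-buffered) gives the same one-line-per-failure view; err=50 in that output is insufficientAccessRights, the condition a client such as sssd reports as "Insufficient access rights", so the same check applies when a keytab retrieval is refused rather than an entry missing.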
Trusted AD users can no longer authenticate via SSH
by Alexandre Pitre
Earlier this week, users reported they could no longer ssh to FreeIPA-joined
servers using their AD login. After some investigation, it was
discovered that if krb5_validate was set to false in sssd.conf, AD ssh login
would start working again.
One of our IPA servers is showing these errors in /var/log/messages:
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +0000] - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]: slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +0000] - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed to retrieve keytab on [IPA$@DOMAIN.COM] as user [fqdn=ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access rights
Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
I could paste the debug logs from sssd but I'm pretty sure that error
in /var/log/messages is the root cause preventing AD ssh login. I did some
research and couldn't find anything relevant.
Any ideas how to fix this?
Thanks
--
Alexandre Pitre
alexandre.pitre(a)gmail.com