AD -> FreeIPA sync incomplete
by Theodor van Nahl
Hello,
I do have a running `winsync` setup, which is working for most users. The only things that are missing are
* the groups: I've tried to activate the group sync using ldapmodify (setting `nsds7NewWinGroupSyncEnabled: true`), but the attribute apparently is set to `false` automatically and I cannot find logs that indicate problems.
* every administrative user: It seems that every user with `adminCount: 1` on AD is not synced to FreeIPA, but I cannot find any reason for that, nor is anything mentioned in the logs regarding those users.
Do you have an idea what's wrong with my configuration or how to get logs that could indicate the problem?
Best regards,
Theodor van Nahl
4 years, 9 months
ipa ca renewal master and ipa replica
by Rob Verduijn
Hello,
I was doing some rtfm for migration of an ipa ca-renewal master to a
different system.
I figured that the docs on migrating from rhel7 to rhel8 would be a nice
help for me to migrate from one centos 7 to another centos 7 system.
Something in the docs gave me pause.
In the doc in chapter 17.4 instruction 4
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
It states that on replicas at the bottom of the file
/etc/httpd/conf.d/ipa-pki-proxy.conf
you should uncomment the rewrite rule and ensure it points to the 'ca
renewal master'
However on the centos 7 freeipa replica it points to the replica.
Is the configuration on the centos 7 freeipa replica incorrect?
Or is the instruction from redhat in need of updates?
If it's the first, then the installation packages of freeipa on centos need
some attention, because I didn't configure that line as such.
Cheers
Rob
4 years, 9 months
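As an added check for Rob's question (example code, not from the thread or from FreeIPA): as I understand the stock file, ipa-pki-proxy.conf ends with a commented-out RewriteRule that the installer fills in with the installing server's own FQDN, which is the state Rob describes on his CentOS 7 replica, and the comment above it says to enable it only on servers that are not generating a CRL. The script below parses the file, reports whether the MasterCRL rule is active and which host it sends clients to, and rewrites it to point at the CRL-generating server. The sample config and all host names are constructed, so compare the regex against your own copy of the file.

```python
# Check which host a replica's /etc/httpd/conf.d/ipa-pki-proxy.conf will
# redirect CRL fetches to and whether that RewriteRule is active at all.
# Added example, not from the thread or from FreeIPA. SAMPLE_CONF is
# constructed, modelled on the last two lines of the stock file as installed on
# a replica; the host names are made up.
import re

SAMPLE_CONF = """\
# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://replica1.example.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""

# Matches the MasterCRL rule whether or not it is commented out and captures
# the host it redirects to.
RULE_RE = re.compile(
    r"^(?P<comment>\s*#\s*)?RewriteRule\s+\^/ipa/crl/MasterCRL\.bin\s+https://(?P<host>[^/\s]+)/",
    re.IGNORECASE)

def crl_rewrite_rules(conf_text):
    """[(line_no, active, target_host)] for every MasterCRL RewriteRule found."""
    found = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            found.append((no, m.group("comment") is None, m.group("host").lower()))
    return found

def check_replica(conf_text, this_host, crl_master):
    """Classify the file for a server that is NOT the one generating the CRL.
    Returns 'ok', 'rule-missing', 'rule-disabled', 'multiple-active',
    'points-to-self' or 'wrong-target'."""
    rules = crl_rewrite_rules(conf_text)
    if not rules:
        return "rule-missing"
    active = [r for r in rules if r[1]]
    if not active:
        return "rule-disabled"
    if len(active) > 1:
        return "multiple-active"
    host = active[0][2]
    if host == this_host.lower():
        return "points-to-self"
    return "ok" if host == crl_master.lower() else "wrong-target"

def fix_rule(conf_text, crl_master):
    """Return conf_text with the MasterCRL rule uncommented and aimed at
    crl_master. Nothing else in the file is touched."""
    out = []
    for line in conf_text.splitlines(keepends=True):
        m = RULE_RE.match(line)
        if m:
            line = line[len(m.group("comment") or ""):]          # drop the '#'
            line = line.replace("https://%s/" % m.group("host"),
                                "https://%s/" % crl_master, 1)   # swap the host
        out.append(line)
    return "".join(out)
```

Feed it the real file with `open('/etc/httpd/conf.d/ipa-pki-proxy.conf').read()` and compare the result against the server that actually generates the CRL: `ipa config-show` prints the CA renewal master, but the CRL generator is a separate role that is only the same box by default, so confirm `ca.crl.MasterCRL.enableCRLUpdates` in each CA's CS.cfg. Restart httpd after writing the change, and keep the rule commented on the CRL-generating server itself. The security reason this one line matters: a redirect aimed at a server that no longer generates CRLs makes every client fetch a CRL that never updates, so revocation silently stops working.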
Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master
by Auerbach, Steven
I am struggling through this. I have a new server built and IPA 4.6.4-10 installed. I made it a replica from the v3.0.0-51 master.
Ipa-replica-manage shows 3 ipa servers, the original 2 v3.0.0-51 servers and the new ipa v4.6.4-10 server. But when I poll for replication agreements I get no answer.
From <server1> I issued the following commands:
$ sudo ipa-replica-manage list
Directory Manager password:
<server1>.mydomain.local: master
<server2>.mydomain.local: master
<server3 - new>.mydomain.local: master
$ sudo ipa-replica-manage list <server2>
[sudo] password for <user>:
Cannot find servername in public server list
$ sudo ipa-replica-manage list <server3>
[sudo] password for <user>:
Cannot find servername in public server list
$ ldapsearch -x -D 'cn=directory manager' -W -b 'cn=mapping tree,cn=config'
Enter LDAP Password:
There is an extensive response that includes:
# dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
.
.
nsslapd-referral: ldap://<server3>.mydomain..local:389/dc%3Dmydomain%2Cdc%3Dlocal
nsslapd-referral: ldap://<server2>.mydomain.local:389/dc%3Dmydomain%2Cdc%3Dlocal
# replica, dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
dn: cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=mydomain,dc=local
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/<invalid, removed server that should not even appear here>.mydomain.local(a)MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/<server2>.mydomain.local(a)MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/<server3>.mydomain.local(a)MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local
nsState:: BAAAAAAAAAA+CUNdAAAAAGEAAAAAAAAAkgAAAAAAAAAEAAAAAAAAAA==
nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
nsds5ReplicaChangeCount: 3768023
nsds5replicareapactive: 0
# meTo<server2>.mydomain.local, replica, dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
dn: cn=meTo<server2>.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: meTo<server2>.mydomain.local
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to <server2>.mydomain.local
nsDS5ReplicaRoot: dc=mydomain,dc=local
nsDS5ReplicaHost: <server2>.mydomain.local
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserialentryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 5241a52a000000040000
nsds50ruv: {replica 7 ldap://<server2>.mydomain.local:389} 54c80f57000000070000 5d271a1b000700070000
nsds50ruv: {replica 4 ldap://<server1>.mydomain.local:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 8 ldap://<server3>.mydomain.local:389} 5d166840000000080000 5d270db6000500080000
nsruvReplicaLastModified: {replica 7 ldap://<server2>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 4 ldap://<server1>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 8 ldap://<server3>.mydomain.local:389} 00000000
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190801154606Z
nsds5replicaLastUpdateEnd: 20190801154607Z
nsds5replicaChangesSentSinceStartup:: NDo2MDAvMjI1MjE1OSA4OjM1OS8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
# meTo<server3>.mydomain.local, replica, dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config
dn: cn=meTo<server3>.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: meTo<server3>.mydomain.local
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
nsDS5ReplicaRoot: dc=mydomain,dc=local
nsDS5ReplicaHost: <server3>.mydomain.local
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserialentryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
description: me to <server3>.mydomain.local
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 5241a52a000000040000
nsds50ruv: {replica 8 ldap://<server3>.mydomain.local:389} 5d166840000000080000 5d271a1b000000080000
nsds50ruv: {replica 4 ldap://<server1>.mydomain.local:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 7 ldap://<server2>.mydomain.local:389} 54c80f57000000070000 5d2717a3000300070000
nsruvReplicaLastModified: {replica 8 ldap://<server3>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 4 ldap://<server1>.mydomain.local:389} 00000000
nsruvReplicaLastModified: {replica 7 ldap://<server2>.mydomain.local:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20190801154606Z
nsds5replicaLastUpdateEnd: 20190801154607Z
nsds5replicaChangesSentSinceStartup:: NDo2MDAvMTkyNTgzNyA3OjUxMi8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
Are there no replication agreements between these servers or is there something missing in "public server list" that the agreements cannot be found?
I imagine that all parts need to be seeing each other properly at this point before I even begin to try and make <server3> the new ultimate master. I will then add a <server4> ipa server and replicate it from <server3> once it is the master and retire <server1> and <server2>. At least that is the scope of the project.
Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
Steven.auerbach(a)flbog.edu | www.flbog.edu
4 years, 9 months
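Steven's dump already answers part of his question: cn=meTo&lt;server2&gt; and cn=meTo&lt;server3&gt; are server1's two replication agreements, and both report "Incremental update succeeded" (in my experience `ipa-replica-manage list <server>` wants the server's full name exactly as the first listing prints it and otherwise answers "Cannot find servername in public server list"). What the raw dump does not show is how far each peer is behind, and that is readable from the nsds50ruv values: each `{replica N ldap://host:389}` element carries that replica's min and max CSN as the peer reported them in the last session, and a CSN is 8 hex chars of Unix time, 4 of sequence, 4 of replica id and 4 of subsequence. The script below is an added example (mine, not from the thread or from FreeIPA/389-ds) that parses such a dump, copes with the 78-column folding and `::` base64 values ldapsearch emits, and for each peer lists the newest CSN it has recorded per replica id and how many seconds that trails the newest CSN recorded on any peer. The same reader summarises a winsync agreement, which is also how Theodor (first post above) can read back what nsds7NewWinGroupSyncEnabled actually holds after his ldapmodify. The LDIF is constructed from the values in the post with the placeholders filled in, plus a made-up winsync agreement.

```python
# Summarise 389-DS replication agreements from an ldapsearch dump of
# cn=mapping tree,cn=config. Added example, not from the thread or FreeIPA/389-ds;
# SAMPLE_LDIF is constructed from the post's values (placeholders filled in as
# serverN.mydomain.local) plus a made-up winsync agreement to an AD controller.
import base64
import re
from datetime import datetime, timezone

SAMPLE_LDIF = r"""dn: cn=meToserver2.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaHost: server2.mydomain.local
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
nsds50ruv: {replicageneration} 5241a52a000000040000
nsds50ruv: {replica 7 ldap://server2.mydomain.local:389} 54c80f57000000070000 5d271a1b000700070000
nsds50ruv: {replica 4 ldap://server1.mydomain.local:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 8 ldap://server3.mydomain.local:389} 5d166840000000080000 5d270db6000500080000
nsds5replicaChangesSentSinceStartup:: NDo2MDAvMjI1MjE1OSA4OjM1OS8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

dn: cn=meToserver3.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: server3.mydomain.local
nsds50ruv: {replicageneration} 5241a52a000000040000
nsds50ruv: {replica 8 ldap://server3.mydomain.local:389} 5d166840000000080000 5d271a1b000000080000
nsds50ruv: {replica 4 ldap://server1.mydomain.local:389} 5241a584000800040000 5d271866000300040000
nsds50ruv: {replica 7 ldap://server2.mydomain.local:389} 54c80f57000000070000 5d2717a3000300070000
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

dn: cn=meTodc1.ad.example.test,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsDS5ReplicaHost: dc1.ad.example.test
nsds7NewWinUserSyncEnabled: true
nsds7NewWinGroupSyncEnabled: false
"""

def parse_ldif(text):
    """Unfold wrapped lines, decode '::' base64 values, skip '#' comments -> [{attr_lower: [values]}]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # ldapsearch folds long values at 78 columns
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            # '::' marks base64; b64decode ignores the leading blank. Otherwise strip it.
            value = base64.b64decode(value[1:]).decode("latin-1") if value.startswith(":") else value.strip()
            cur.setdefault(attr.lower(), []).append(value)
    return entries

def parse_csn(csn):
    """389-DS CSN: 8 hex chars unix time, 4 sequence, 4 replica id, 4 subsequence."""
    return int(csn[:8], 16), int(csn[8:12], 16), int(csn[12:16], 16), int(csn[16:20], 16)

def csn_time(csn):
    return datetime.fromtimestamp(parse_csn(csn)[0], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

RUV_RE = re.compile(r"^\{replica (\d+) (ldap://[^}]+)\}(?: ([0-9a-f]{20}))?(?: ([0-9a-f]{20}))?$")
def parse_ruv(values):
    """{replica_id: (url, min_csn, max_csn)}; the {replicageneration} element is skipped."""
    out = {}
    for v in values:
        m = RUV_RE.match(v)
        if m:
            out[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return out

AGREEMENT_OCS = {"nsds5replicationagreement", "nsdswindowsreplicationagreement"}
def agreements(entries):
    return [e for e in entries if AGREEMENT_OCS & {o.lower() for o in e.get("objectclass", [])}]

def summarize(entries):
    """One dict per agreement; winsync agreements also carry their user/group sync flags."""
    out = []
    for e in agreements(entries):
        ruv = parse_ruv(e.get("nsds50ruv", []))
        s = {"host": e["nsds5replicahost"][0],
             "status": e.get("nsds5replicalastupdatestatus", ["?"])[0],
             "newest": {rid: csn_time(hi) for rid, (_, _, hi) in ruv.items() if hi}}
        if "nsds7newwinusersyncenabled" in e or "nsds7newwingroupsyncenabled" in e:
            s["user_sync"] = e.get("nsds7newwinusersyncenabled", ["?"])[0]
            s["group_sync"] = e.get("nsds7newwingroupsyncenabled", ["?"])[0]
        out.append(s)
    return out

def consumer_lag(entries):
    """Per peer: seconds its recorded max CSN per replica id trails the newest max CSN in the dump."""
    views = {e["nsds5replicahost"][0]: parse_ruv(e["nsds50ruv"])
             for e in agreements(entries) if "nsds50ruv" in e}
    newest = {}
    for ruv in views.values():
        for rid, (_, _, hi) in ruv.items():
            if hi:
                newest[rid] = max(newest.get(rid, 0), parse_csn(hi)[0])
    return {peer: {rid: newest[rid] - parse_csn(hi)[0] for rid, (_, _, hi) in ruv.items() if hi}
            for peer, ruv in views.items()}
```

Run it on the output of the same ldapsearch Steven used (`ldapsearch -x -D 'cn=directory manager' -W -b 'cn=mapping tree,cn=config' > dump.ldif`, then `consumer_lag(parse_ldif(open('dump.ldif').read()))`). On the values in the post it reports, as server1 saw things at the last session, that server3 trails server2's own changes by 632 s and server2 trails server3's by 3173 s, while both are current on server1's (replica 4). Gaps of minutes between incremental sessions are normal; a gap that grows from one run to the next, or a status other than "Incremental update succeeded", is the thing to chase before moving the master role.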
ipa-replica-install ERROR
by Boudjoudad Abdelkader
Hi,
I'm trying to install an IPA server replica, but I have the issue
below. I did:
- Remove the IP of the IPA server master from /etc/hosts
- Check if there is a problem with ipa-client-install (working fine)
- dig IP-ipa-server (resolved)
None of these steps works!
I did some research and it looks like this is a bug; is there a
workaround?
ERROR:
WARNING: conflicting time&date synchronization service 'chronyd' will be
disabled in favor of ntpd
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR The host name freeipa-replica.example.com does
not match the primary host name
freeipa-replica.example.com.x.yy.zzz.in-addr.arpa. Please check /etc/hosts
or DNS name resolution
ipapython.admintool: ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Thanks,
4 years, 9 months
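The two names in that error are the name given to the installer and the name the reverse lookup of its address returned. The reverse name here is the FQDN with a reverse-zone origin (x.yy.zzz.in-addr.arpa) glued on, which is what a BIND-style zone file produces when a PTR target is written without its trailing dot: the zone's $ORIGIN gets appended to the unqualified name. Below is an added example (mine, not the installer's code; the shape of the check is my assumption about what the installer does) that reproduces the check offline with a fake resolver holding constructed data and classifies the failure; swap in the socket-based functions to run it against the live resolver, which, like the installer, goes through nsswitch, so /etc/hosts lines count.

```python
# Reconstruct the host-name check ipa-replica-install runs before touching
# anything: resolve the name forward, reverse-resolve every address and require
# the reverse ("primary") name to equal the name given. Added example; my reading
# of the installer's behaviour, not its code. The fake resolver data below is
# constructed to reproduce the error in the post.
import socket

def verify_fqdn(fqdn, forward, reverse):
    """forward(name) -> list of IP strings; reverse(ip) -> primary name or None.
    Returns a list of (code, detail) findings; an empty list means the name passes."""
    fqdn = fqdn.lower().rstrip(".")
    findings = []
    if "." not in fqdn:
        findings.append(("not-fqdn", fqdn))
    addrs = forward(fqdn)
    if not addrs:
        findings.append(("no-address", fqdn))
    for ip in addrs:
        if ip.startswith("127.") or ip == "::1":
            findings.append(("loopback", ip))
        rev = reverse(ip)
        if rev is None:
            findings.append(("no-ptr", ip))
            continue
        rev = rev.lower().rstrip(".")
        if rev == fqdn:
            continue
        # FQDN followed by a reverse-zone origin: the PTR target was written
        # without a trailing dot, so the zone's $ORIGIN was appended to it.
        if rev.startswith(fqdn + ".") and rev.endswith(".arpa"):
            findings.append(("unqualified-ptr", rev))
        else:
            findings.append(("ptr-mismatch", rev))
    return findings

ADVICE = {
    "not-fqdn": "use the fully qualified name (hostnamectl set-hostname ...)",
    "no-address": "add an A/AAAA record or an /etc/hosts line for the replica",
    "loopback": "the replica's own name must not map to 127.0.0.1/::1 in /etc/hosts",
    "no-ptr": "add a PTR record for the address",
    "unqualified-ptr": "fix the PTR target in the reverse zone: it needs a trailing dot",
    "ptr-mismatch": "the PTR must point back to exactly the replica's FQDN",
}

# Constructed data reproducing the post: 192.0.2.10's PTR target was entered as
# 'freeipa-replica.example.com' (no trailing dot) in zone 2.0.192.in-addr.arpa.
FAKE_FORWARD = {"freeipa-replica.example.com": ["192.0.2.10"], "ipa-ok.example.com": ["192.0.2.11"]}
FAKE_REVERSE = {"192.0.2.10": "freeipa-replica.example.com.2.0.192.in-addr.arpa",
                "192.0.2.11": "ipa-ok.example.com"}

def fake_forward(name):
    return FAKE_FORWARD.get(name, [])

def fake_reverse(ip):
    return FAKE_REVERSE.get(ip)

def dns_forward(name):
    """System resolver (honours /etc/hosts and nsswitch, like the installer)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def dns_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def report(fqdn, forward=fake_forward, reverse=fake_reverse):
    """Printable lines; pass dns_forward/dns_reverse for a live check."""
    findings = verify_fqdn(fqdn, forward, reverse)
    if not findings:
        return ["%s: OK" % fqdn]
    return ["%s: %s (%s) -> %s" % (fqdn, code, detail, ADVICE[code]) for code, detail in findings]

if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1                      # a name on the command line = live DNS
    name = sys.argv[1] if live else "freeipa-replica.example.com"
    for line in report(name, dns_forward if live else fake_forward,
                       dns_reverse if live else fake_reverse):
        print(line)
```

Without arguments it replays the constructed case; with the replica's FQDN as the argument it queries the live resolver. Before re-running ipa-replica-install, fix the PTR target in the reverse zone, make sure the replica's own /etc/hosts entry lists the FQDN first, and repeat the live check until it prints OK; the installer's `--uninstall` cleanup it asks for is still needed first, since the failed run left the host partly configured.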