On 7/16/20 11:36 AM, David Harvey via FreeIPA-users wrote:
Hi again, just a gentle bump to keep this visible, any advice on it or additional info I can provide?

On Tue, 14 Jul 2020 at 19:29, David Harvey <[email protected] <mailto:[email protected]>> wrote:

    Dear list,

    I noted from TFM
    <https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts>
    that conflicting values have ldapSubEntry and nsds5ReplConflict
    attributes, however it only mentioned removing the latter. Should we
    in fact remove ldapsubentry as well when resolving these conflicts?

    For the two conflicts I had, I noted:
    1. cn: ipservices was identical apart from the aforementioned
    attributes.
    *largely resolved, but ldapsubentry still in place, taking the newer
    version over the old
No need to remove the ldapsubentry objectclass.


    2. I had a subtly different "cn: System: Read POSIX details of SMB
    services". Conflicting entries (ipaPermDefaultAttr: uid vs
    ipaPermDefaultAttr: uidnumber) which I assume to be a schema change
    during upgrade that borked somehow?
    * I haven't actioned this one yet given the discrepancy.
I have the following entry on ipa 4.8.4:

dn: cn=System: Read POSIX details of SMB services,cn=permissions,cn=pbac,$BASEDN
cn: System: Read POSIX details of SMB services
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermLocation: cn=services,cn=accounts,$BASEDN
ipaPermBindRuleType: all
ipaPermRight: compare
ipaPermRight: search
ipaPermRight: read
ipaPermDefaultAttr: gidnumber
ipaPermDefaultAttr: ipantsecurityidentifier
ipaPermDefaultAttr: loginshell
ipaPermDefaultAttr: gecos
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: uid
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: homedirectory
ipaPermDefaultAttr: uidnumber

=> To solve the conflict, you need to keep both uid and uidnumber in the resulting entry.

This permission was added in ipa 4.8.0 but never modified after that version. The conflict probably got created because of parallel upgrade of the IPA servers. The recommendation when upgrading a topology is to run sequential updates, please see [1]:
- update server 1
- wait a few minutes for replication to sync the changes
- update server 2
- wait a few minutes for replication to sync the changes
...

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/updating-migrating#update-ipa-yum


    Recently upgraded packages in centos which took us from 4.7.6 (IIRC)
    to  4.8.4.

    Thanks as ever,

    David


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

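The merge flo recommends (keep both uid and uidnumber on the surviving entry, then get rid of the conflict copy), as an added example that is not part of the thread and not FreeIPA or 389-ds code. It is a stand-alone Python script that works offline on LDIF text of the kind the `(nsds5ReplConflict=*)` search in the Red Hat guide David linked returns, plus the surviving entry. The two sample entries are constructed for the example (the nsuniqueid value, the base DN dc=example,dc=com and the trimmed attribute lists are not from the thread). The script finds entries carrying `nsds5ReplConflict: namingConflict <dn>`, diffs each against the survivor at that DN, and prints an ldapmodify change record that adds the values only the conflict copy has and then deletes the copy. The ldapsubentry objectClass that 389-ds puts on conflict entries is deliberately not copied to the survivor. The list of attributes treated as operational and the DN comparison (plain lower-casing) are simplifying assumptions.

```python
"""Plan the clean-up of a 389-ds / FreeIPA replication naming conflict.

Conflict copies carry "nsds5ReplConflict: namingConflict <dn of the entry
that won>".  Match each copy to that survivor, list the attribute values only
the copy has, and print ldapmodify input that adds them to the survivor and
deletes the copy.  Review the output before feeding it to ldapmodify.
"""
import base64
from typing import Dict, List, Tuple

Attrs = Dict[str, List[str]]
Entry = Tuple[str, Attrs]

# Never copied from the conflict copy: the marker itself and (assumed) operational attributes.
SKIP_ATTRS = {"nsds5replconflict", "nsuniqueid", "entryid", "entryusn", "creatorsname",
              "modifiersname", "createtimestamp", "modifytimestamp"}
# ldapsubentry only marks the conflict copy; it must not land on the survivor.
SKIP_VALUES = {"objectclass": {"ldapsubentry"}}

# Constructed sample modelled on the permission entry quoted in the thread:
# the survivor has uidnumber but not uid, the conflict copy the reverse.
LIVE_LDIF = """\
dn: cn=System: Read POSIX details of SMB services,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read POSIX details of SMB services
objectClass: top
objectClass: ipapermissionv2
ipaPermRight: read
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: uidnumber
"""
CONFLICT_LDIF = """\
dn: nsuniqueid=66446001-1dd211b2-66225685-2c2bdf5d+cn=System: Read POSIX details of SMB services,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read POSIX details of SMB services
objectClass: top
objectClass: ipapermissionv2
objectClass: ldapsubentry
ipaPermRight: read
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: uid
nsds5ReplConflict: namingConflict cn=System: Read POSIX details of SMB services,cn=permissions,cn=pbac,dc=example,dc=com
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF entries; unfold continuation lines, decode '::' base64, lower-case attribute names."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn, attrs = None, {}
    for line in lines + [""]:                       # sentinel blank line flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")        # split on the FIRST colon only (DN values contain colons)
        value = base64.b64decode(value[1:].strip()).decode("utf-8") if value.startswith(":") else value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def find_conflicts(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """(conflict entry, DN of the survivor it lost against) for every namingConflict marker."""
    found = []
    for entry in entries:
        for marker in entry[1].get("nsds5replconflict", []):
            kind, _, original_dn = marker.partition(" ")
            if kind.lower() == "namingconflict" and original_dn:
                found.append((entry, original_dn))
    return found


def values_only_in_conflict(live: Attrs, conflict: Attrs) -> Attrs:
    """Attribute values the conflict copy has and the survivor lacks (case-insensitive compare)."""
    missing: Attrs = {}
    for name, vals in conflict.items():
        if name in SKIP_ATTRS:
            continue
        have = {v.lower() for v in live.get(name, [])}
        extra = [v for v in vals if v.lower() not in have and v.lower() not in SKIP_VALUES.get(name, set())]
        if extra:
            missing[name] = extra               # for a single-valued attribute the server will reject the add,
    return missing                              # which forces the manual choice such a case needs


def resolution_ldif(live_dn: str, conflict_dn: str, missing: Attrs) -> str:
    """ldapmodify input: add the missing values to the survivor, then delete the conflict copy."""
    out: List[str] = []
    if missing:
        out += [f"dn: {live_dn}", "changetype: modify"]
        for name, vals in missing.items():
            out += [f"add: {name}"] + [f"{name}: {v}" for v in vals] + ["-"]
        out.append("")
    out += [f"dn: {conflict_dn}", "changetype: delete", ""]
    return "\n".join(out)


def plan(ldif_text: str) -> List[Tuple[str, str, Attrs]]:
    """For every conflict copy in the dump: (survivor DN, conflict DN, values to add to the survivor)."""
    entries = parse_ldif(ldif_text)
    by_dn = {dn.lower(): attrs for dn, attrs in entries}   # assumption: lower-casing is enough DN normalisation
    plans = []
    for (conflict_dn, conflict_attrs), original_dn in find_conflicts(entries):
        live_attrs = by_dn.get(original_dn.lower())
        if live_attrs is None:
            continue                            # survivor not in the dump: resolve that one by hand
        plans.append((original_dn, conflict_dn, values_only_in_conflict(live_attrs, conflict_attrs)))
    return plans


if __name__ == "__main__":
    for live_dn, conflict_dn, missing in plan(LIVE_LDIF + "\n" + CONFLICT_LDIF):
        print(resolution_ldif(live_dn, conflict_dn, missing))
```

On the sample the script proposes exactly one change: `add: ipapermdefaultattr` / `ipapermdefaultattr: uid` on the real DN, followed by a delete of the nsuniqueid-prefixed copy. If the two copies disagree on a single-valued attribute the generated add will be refused by the server, which is the right outcome: that conflict needs a human to pick a value rather than a union.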