On 02/13/2014 12:55 PM, Bruno Henrique Barbosa wrote:
Hi everyone,
I've installed my IPA environment as follows:
ipa01.example.com - master install
ipa02.example.com - replica install, as the guide says, with
ipa-replica-prepare on ipa01 and ipa-replica-install using gpg key
generated.
All good, environment is fine, can access both UI, but the underlying
problem is: I can edit and remove users from IPA using instance ipa02
(replica), but I CANNOT add users from that instance. In the UI, error
returned is:
IPA Error 4203
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
failed! Unable to proceed.
Via command-line, debug-enabled:
root@ipa02's password:
Last login: Thu Feb 13 15:36:34 2014
[root@ipa02 ~]# kinit admin
Password for [email protected]:
[root@ipa02 ~]# ipa-replica-manage list
ipa01.example.com: master
ipa02.example.com: master
[root@ipa02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
02/13/14 15:37:48 02/14/14 15:37:29 krbtgt/[email protected]
02/13/14 15:38:03 02/14/14 15:37:29 ldap/[email protected]
[root@ipa02 ~]# ipa -d user-add usertest
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:[email protected]
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available
ipa: DEBUG: failed to find session_cookie in persistent storage for
principal '[email protected]'
ipa: INFO: trying https://ipa02.example.com/ipa/xml
ipa: DEBUG: NSSConnection init ipa02.example.com
ipa: DEBUG: Connecting: 192.168.0.2:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 14 (0xe)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Validity:
Not Before: Qua Fev 12 19:42:11 2014 UTC
Not After: Sáb Fev 13 19:42:11 2016 UTC
Subject: CN=ipa02.example.com,O=EXAMPLE.COM
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Exponent:
65537 (0x10001)
Signed Extensions: (5)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
7f:77:f3:aa:bc:9a:8a:97:0f:29:2c:b6:a4:ff:81:ea:
c3:9c:48:63
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Subject Key ID
Critical: False
Data:
ba:bd:55:29:33:53:0c:6b:fb:54:2f:ce:ce:40:ce:4c:
55:7c:07:ec
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa02.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = 192.168.0.2:443
ipa: DEBUG: received Set-Cookie
'ipa_session=eb4b207ba589878a328ee100b9ab16ae;
Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46
GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie
'ipa_session=eb4b207ba589878a328ee100b9ab16ae;
Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46
GMT; Secure; HttpOnly' for principal [email protected]
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:[email protected]
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:[email protected]
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available
ipa: DEBUG: args=keyctl padd user ipa_session_cookie:[email protected] @s
ipa: DEBUG: stdout=227287872
ipa: DEBUG: stderr=
ipa: DEBUG: Created connection context.xmlclient
First name: usertest
Last name: testname
ipa: DEBUG: raw: user_add(u'usertest', givenname=u'usertest',
sn=u'testname', cn=u'usertest testname', uidnumber=999, gidnumber=999,
noprivate=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: DEBUG: user_add(u'usertest', givenname=u'usertest',
sn=u'testname', cn=u'usertest testname', displayname=u'usertest
testname', initials=u'ut', gecos=u'usertest testname',
krbprincipalname=u'[email protected]', random=False, uidnumber=999,
gidnumber=999, noprivate=False, all=False, raw=False, version=u'2.49',
no_members=False)
ipa: INFO: Forwarding 'user_add' to server
u'https://ipa02.example.com/ipa/xml'
ipa: DEBUG: NSSConnection init ipa02.example.com
ipa: DEBUG: Connecting: 192.168.0.2:0
ipa: DEBUG: handshake complete, peer = 192.168.0.2:443
ipa: DEBUG: received Set-Cookie
'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb;
Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04
GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie
'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb;
Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04
GMT; Secure; HttpOnly' for principal [email protected]
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:[email protected]
ipa: DEBUG: stdout=227287872
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:[email protected]
ipa: DEBUG: stdout=227287872
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl pupdate 227287872
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Caught fault 4203 from server
https://ipa02.example.com/ipa/xml: Operations error: Allocation of a
new value for range cn=posix ids,cn=distributed numeric assignment
plugin,cn=plugins,cn=config failed! Unable to proceed.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Operations error: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment
plugin,cn=plugins,cn=config failed! Unable to proceed.
In the labs I did on IPA, I could resolve that by booting the
replica server, but this time I couldn't solve it. Looking for
assistance, please!
Looks like problems with the DNA plugin.
Did you by any chance try to install and uninstall the replica a couple
dozen times?
I think we would need replica DS logs and the DNA plugin configuration
entries from primary and replica servers.
Thank you for any help you can provide in this situation!
Bruno Henrique Barbosa
Jr. Sys Admin
IT Department
Santos City Hall
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
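
An added example, not part of the original thread: one way to compare the DNA plugin configuration entries requested above, once each server's entry has been exported as LDIF. The attribute names (dnaNextValue, dnaMaxValue, dnaNextRange) are the 389 Directory Server DNA plugin attributes; the function names and the sample LDIF values are constructed for illustration.

```python
import re

# Constructed sample LDIF, in the shape returned on each server by e.g.:
#   ldapsearch -x -D "cn=Directory Manager" -W -s base \
#     -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
SAMPLES = {
    "ipa01.example.com": """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1120000005
dnaMaxValue: 1120199999
""",
    "ipa02.example.com": """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
""",
}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}, unfolding wrapped lines."""
    unfolded = re.sub(r"\n ", "", text.strip())  # LDIF continuation = newline + one space
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def dna_status(entry):
    """Count the IDs left in the active range and in any reserved next range."""
    nxt = int(entry["dnanextvalue"][0])
    mx = int(entry["dnamaxvalue"][0])
    remaining = max(0, mx - nxt + 1)  # next > max means the active range is empty
    reserve = 0
    if "dnanextrange" in entry:  # format: lower-upper
        lo, hi = (int(x) for x in entry["dnanextrange"][0].split("-"))
        reserve = hi - lo + 1
    return {"remaining": remaining, "reserve": reserve,
            "can_allocate": remaining > 0 or reserve > 0}

def servers_without_range(ldif_by_server):
    """Return the servers whose local DNA configuration has no IDs left to hand out."""
    return sorted(name for name, ldif in ldif_by_server.items()
                  if not dna_status(parse_ldif_entry(ldif))["can_allocate"])

if __name__ == "__main__":
    for name, ldif in SAMPLES.items():
        print(name, dna_status(parse_ldif_entry(ldif)))
    print("no local range:", servers_without_range(SAMPLES))
```

A server listed by `servers_without_range` has to obtain a range from another server before it can add a user, so that transfer is the next thing to look for in the directory server logs.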