On 02/13/2014 06:55 PM, Bruno Henrique Barbosa wrote:
> 
> 
> 
> Hi everyone, 
> 
> 
> I've installed my IPA environment as follows: 
> 
> 
> ipa01.example.com - master install 
> ipa02.example.com - replica install, as the guide says, with 
> ipa-replica-prepare on ipa01 and ipa-replica-install using the gpg key generated. 
> 
> 
> All good, environment is fine, can access both UI, but the underlying problem 
> is: I can edit and remove users from IPA using instance ipa02 (replica), but 
> I CANNOT add users from that instance. In the UI, error returned is: 
> 
> 
> IPA Error 4203 
> Operations error: Allocation of a new value for range cn=posix 
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
> Unable to proceed. 
> 
> 
> 
> 
> Via command-line, debug-enabled: 
> 
> 
> root@ipa02's password: 
> Last login: Thu Feb 13 15:36:34 2014 
> [root@ipa02 ~]# kinit admin 
> Password for [email protected]: 
> [root@ipa02 ~]# ipa-replica-manage list 
> ipa01.example.com: master 
> ipa02.example.com: master 
> [root@ipa02 ~]# klist 
> Ticket cache: FILE:/tmp/krb5cc_0 
> Default principal: [email protected] 
> 
> 
> Valid starting Expires Service principal 
> 02/13/14 15:37:48 02/14/14 15:37:29 krbtgt/[email protected] 
> 02/13/14 15:38:03 02/14/14 15:37:29 ldap/[email protected] 
> [root@ipa02 ~]# ipa -d user-add usertest 
> ipa: DEBUG: importing all plugin modules in 
> '/usr/lib/python2.6/site-packages/ipalib/plugins'... 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' 
> ipa: DEBUG: args=klist -V 
> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3 
> 
> 
> ipa: DEBUG: stderr= 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' 
> ipa: DEBUG: importing plugin module 
> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' 
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:[email protected] 
> ipa: DEBUG: stdout= 
> ipa: DEBUG: stderr=keyctl_search: Required key not available 
> 
> 
> ipa: DEBUG: failed to find session_cookie in persistent storage for principal 
> '[email protected]' 
> ipa: INFO: trying https://ipa02.example.com/ipa/xml 
> ipa: DEBUG: NSSConnection init ipa02.example.com 
> ipa: DEBUG: Connecting: 192.168.0.2:0 
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False 
> Data: 
> Version: 3 (0x2) 
> Serial Number: 14 (0xe) 
> Signature Algorithm: 
> Algorithm: PKCS #1 SHA-256 With RSA Encryption 
> Issuer: CN=Certificate Authority,O=EXAMPLE.COM 
> Validity: 
> Not Before: Qua Fev 12 19:42:11 2014 UTC 
> Not After: Sáb Fev 13 19:42:11 2016 UTC 
> Subject: CN=ipa02.example.com,O=EXAMPLE.COM 
> Subject Public Key Info: 
> Public Key Algorithm: 
> Algorithm: PKCS #1 RSA Encryption 
> RSA Public Key: 
> Modulus: 
> Exponent: 
> 65537 (0x10001) 
> Signed Extensions: (5) 
> Name: Certificate Authority Key Identifier 
> Critical: False 
> Key ID: 
> 7f:77:f3:aa:bc:9a:8a:97:0f:29:2c:b6:a4:ff:81:ea: 
> c3:9c:48:63 
> Serial Number: None 
> General Names: [0 total] 
> 
> 
> Name: Authority Information Access 
> Critical: False 
> 
> 
> Name: Certificate Key Usage 
> Critical: True 
> Usages: 
> Digital Signature 
> Non-Repudiation 
> Key Encipherment 
> Data Encipherment 
> 
> 
> Name: Extended Key Usage 
> Critical: False 
> Usages: 
> TLS Web Server Authentication Certificate 
> TLS Web Client Authentication Certificate 
> 
> 
> Name: Certificate Subject Key ID 
> Critical: False 
> Data: 
> ba:bd:55:29:33:53:0c:6b:fb:54:2f:ce:ce:40:ce:4c: 
> 55:7c:07:ec 
> 
> 
> Signature: 
> Signature Algorithm: 
> Algorithm: PKCS #1 SHA-256 With RSA Encryption 
> Signature: 
> Fingerprint (MD5): 
> 4e:06:54:a8:e4:62:8e:65:a1:7f:3c:31:01:4b:06:bf 
> Fingerprint (SHA1): 
> a2:43:5f:65:c0:61:13:cf:2c:9c:9d:32:72:d6:cc:78: 
> 66:6e:f7:77 
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer 
> ipa: DEBUG: cert valid True for "CN=ipa02.example.com,O=EXAMPLE.COM" 
> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443 
> ipa: DEBUG: received Set-Cookie 
> 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; Domain=ipa02.example.com; 
> Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; Secure; HttpOnly' 
> ipa: DEBUG: storing cookie 'ipa_session=eb4b207ba589878a328ee100b9ab16ae; 
> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:58:46 GMT; 
> Secure; HttpOnly' for principal [email protected] 
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:[email protected] 
> ipa: DEBUG: stdout= 
> ipa: DEBUG: stderr=keyctl_search: Required key not available 
> 
> 
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:[email protected] 
> ipa: DEBUG: stdout= 
> ipa: DEBUG: stderr=keyctl_search: Required key not available 
> 
> 
> ipa: DEBUG: args=keyctl padd user ipa_session_cookie:[email protected] @s 
> ipa: DEBUG: stdout=227287872 
> 
> 
> ipa: DEBUG: stderr= 
> ipa: DEBUG: Created connection context.xmlclient 
> First name: usertest 
> Last name: testname 
> ipa: DEBUG: raw: user_add(u'usertest', givenname=u'usertest', sn=u'testname', 
> cn=u'usertest testname', uidnumber=999, gidnumber=999, noprivate=False, 
> all=False, raw=False, version=u'2.49', no_members=False) 
> ipa: DEBUG: user_add(u'usertest', givenname=u'usertest', sn=u'testname', 
> cn=u'usertest testname', displayname=u'usertest testname', initials=u'ut', 
> gecos=u'usertest testname', krbprincipalname=u'[email protected]', 
> random=False, uidnumber=999, gidnumber=999, noprivate=False, all=False, 
> raw=False, version=u'2.49', no_members=False) 
> ipa: INFO: Forwarding 'user_add' to server 
> u'https://ipa02.example.com/ipa/xml' 
> ipa: DEBUG: NSSConnection init ipa02.example.com 
> ipa: DEBUG: Connecting: 192.168.0.2:0 
> ipa: DEBUG: handshake complete, peer = 192.168.0.2:443 
> ipa: DEBUG: received Set-Cookie 
> 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; Domain=ipa02.example.com; 
> Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; Secure; HttpOnly' 
> ipa: DEBUG: storing cookie 'ipa_session=d5dcde16a47612ec6debfc7ed42b5efb; 
> Domain=ipa02.example.com; Path=/ipa; Expires=Thu, 13 Feb 2014 17:59:04 GMT; 
> Secure; HttpOnly' for principal [email protected] 
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:[email protected] 
> ipa: DEBUG: stdout=227287872 
> 
> 
> ipa: DEBUG: stderr= 
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:[email protected] 
> ipa: DEBUG: stdout=227287872 
> 
> 
> ipa: DEBUG: stderr= 
> ipa: DEBUG: args=keyctl pupdate 227287872 
> ipa: DEBUG: stdout= 
> ipa: DEBUG: stderr= 
> ipa: DEBUG: Caught fault 4203 from server https://ipa02.example.com/ipa/xml: 
> Operations error: Allocation of a new value for range cn=posix 
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
> Unable to proceed. 
> ipa: DEBUG: Destroyed connection context.xmlclient 
> ipa: ERROR: Operations error: Allocation of a new value for range cn=posix 
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
> Unable to proceed. 
> 
> 
> 
> 
> Under the labs I did on IPA, I could resolve that by booting the replica 
> server, but this time I couldn't solve it. Looking for assistance, please! 
> 
> 
> Thank you for any help you can provide in this situation! 
> 
> 
> Bruno Henrique Barbosa 
> Jr. Sys Admin 
> IT Department 
> Santos City Hall 

Hello Bruno,

I saw the logs you sent to Dmitri. It seems to me that the replication link is
broken, thus the replica DNA plugin cannot acquire DNA ranges from the master,
thus it has no available range, thus adding users fails as DS cannot allocate
UID and GID.

I think your replication will be broken as well. Did you verify that the users
you delete/modify on the replica are also deleted/modified on the master?

I think the root cause is this log:

[13/Feb/2014:15:31:11 -0200] set_krb5_creds - Could not get initial credentials
for principal [ldap/[email protected]] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested
realm)

Is your KDC running?

[replica] # ipactl status

You can also try to kinit manually to debug:

[replica] # kinit -kt /etc/dirsrv/ds.keytab ldap/[email protected]

If it does not succeed, it would not succeed for the DS either.

I would also recommend checking that DNS is sane. You can find some pointers 
here:
http://www.freeipa.org/page/Troubleshooting#DNS_Issues

HTH,
Martin
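
Added example (not part of the original messages and not FreeIPA code): a small triage script for the directory server error log that links each DNA range allocation failure to the most recent `set_krb5_creds` failure before it, which is the causal chain described in the reply. The sample lines are constructed; the host and realm are placeholders, and the log prefix on the DNA line is an assumption modelled on the error text in the original post.

```python
import re
from datetime import datetime, timedelta

# Kerberos bind failure, in the layout of the line quoted in the reply.
KRB_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] set_krb5_creds - Could not get initial credentials "
    r"for principal \[(?P<principal>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]: "
    r"(?P<code>-?\d+) \((?P<reason>[^)]*)\)")
# DNA allocation error text from the original post; the log prefix is assumed.
DNA_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*Allocation of a new value for range "
    r"(?P<range>cn=[^!]+?) failed")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_ts(text):
    """Parse '13/Feb/2014:15:31:11 -0200' without depending on the locale."""
    day, mon, rest = text.split("/", 2)
    return datetime.strptime(f"{day}/{MONTHS[mon]}/{rest}", "%d/%m/%Y:%H:%M:%S %z")

def triage(lines, window=timedelta(hours=1)):
    """Pair each DNA failure with the latest earlier Kerberos failure in window."""
    last_krb, findings = None, []
    for line in lines:
        m = KRB_FAIL.match(line)
        if m:
            last_krb = dict(m.groupdict(), ts=parse_ts(m["ts"]), code=int(m["code"]))
            continue
        m = DNA_FAIL.match(line)
        if m:
            ts = parse_ts(m["ts"])
            linked = last_krb is not None and ts - last_krb["ts"] <= window
            findings.append({"ts": ts, "range": m["range"],
                             "cause": last_krb if linked else None})
    return findings

# Constructed sample input: placeholder host and realm, not values from the thread.
SAMPLE_LOG = [
    "[13/Feb/2014:15:31:11 -0200] set_krb5_creds - Could not get initial credentials "
    "for principal [ldap/replica.example.test@EXAMPLE.TEST] in keytab "
    "[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)",
    "[13/Feb/2014:15:38:20 -0200] dna-plugin - Allocation of a new value for range "
    "cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! "
    "Unable to proceed.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        c = f["cause"]
        why = f"{c['principal']}: {c['reason']} ({c['code']})" if c else "no Kerberos failure nearby"
        print(f"{f['ts'].isoformat()} DNA range '{f['range']}' failed <- {why}")
```

A finding whose cause is empty means the allocation failed without a preceding Kerberos error in the window, so the replication agreement and the DNA range configuration should be checked directly.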
