===============
search as admin
===============
[nathan.peters@dc2-ipa-dev-van ~]$ klist
Ticket cache: KEYRING:persistent:756600344:756600344
Default principal: [email protected]
Valid starting Expires Service principal
20/01/16 22:53:18 21/01/16 22:53:08 krbtgt/[email protected]
[nathan.peters@dc2-ipa-dev-van ~]$ ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 4
result: 0 Success
# numResponses: 1
============
check host keytab
============
[root@dc2-ipa-dev-van ipa]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
5 19/01/16 12:07:12 host/[email protected]
5 19/01/16 12:07:12 host/[email protected]
5 19/01/16 12:07:12 host/[email protected]
5 19/01/16 12:07:12 host/[email protected]
========
kinit host keytab
========
[root@dc2-ipa-dev-van ipa]# kinit -t /etc/krb5.keytab
keytab specified, forcing -k
[root@dc2-ipa-dev-van ipa]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uwO1f2L
Default principal: host/[email protected]
Valid starting Expires Service principal
20/01/16 23:01:11 21/01/16 23:01:11 krbtgt/[email protected]
[root@dc2-ipa-dev-van ipa]#
=========
ldap search against master as host
==========
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/[email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 4
result: 0 Success
# numResponses: 1
[root@dc2-ipa-dev-van ipa]#
========
ldap search against master as my personal domain admin account
========
[root@dc2-ipa-dev-van ipa]# kinit nathan.peters
Password for [email protected]:
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 4
result: 0 Success
# numResponses: 1
=======
logs on master during attempt
=======
=====
logs on master as admin
=====
[20/Jan/2016:22:55:22 -0800] conn=62398 fd=321 slot=321 SSL connection from
10.21.0.98 to 10.178.0.98
[20/Jan/2016:22:55:22 -0800] conn=62398 TLS1.2 128-bit AES
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 SRCH
base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2
filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 RESULT err=0 tag=101 nentries=0
etime=0
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 UNBIND
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 fd=321 closed - U1
=====
logs on master as the host we are trying to promote as a replica
======
[20/Jan/2016:23:02:40 -0800] conn=62480 fd=153 slot=153 SSL connection from
10.21.0.98 to 10.178.0.98
[20/Jan/2016:23:02:40 -0800] conn=62480 TLS1.2 128-bit AES
[20/Jan/2016:23:02:40 -0800] conn=62480 op=0 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[20/Jan/2016:23:02:40 -0800] conn=62480 op=1 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 SRCH
base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2
filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 RESULT err=0 tag=101 nentries=0
etime=0
[20/Jan/2016:23:02:40 -0800] conn=62480 op=4 UNBIND
[20/Jan/2016:23:02:40 -0800] conn=62480 op=4 fd=153 closed - U1
=====
logs on master as my personal user
======
[20/Jan/2016:23:09:36 -0800] conn=62564 fd=318 slot=318 SSL connection from
10.21.0.98 to 10.178.0.98
[20/Jan/2016:23:09:36 -0800] conn=62564 TLS1.2 128-bit AES
[20/Jan/2016:23:09:36 -0800] conn=62564 op=0 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[20/Jan/2016:23:09:36 -0800] conn=62564 op=1 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[20/Jan/2016:23:09:36 -0800] conn=62564 op=2 BIND dn="" method=sasl version=3
mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn="uid=nathan.peters,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:23:09:36 -0800] conn=62564 op=3 SRCH
base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2
filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:23:09:36 -0800] conn=62564 op=3 RESULT err=0 tag=101 nentries=0
etime=0
[20/Jan/2016:23:09:36 -0800] conn=62564 op=4 UNBIND
[20/Jan/2016:23:09:36 -0800] conn=62564 op=4 fd=318 closed - U1
==========
final searches against cn=mapping tree,cn=config and cn=config using host
keytab and gssapi
(note: in all three cn=replica searches above the master logged nentries=0, so
the replica entry under cn=mapping tree was returned to none of the bound
identities, admin included)
==========
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/[email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 4
result: 0 Success
# numResponses: 1
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
SASL/GSSAPI authentication started
SASL username: host/[email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP
# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# config, ldbm database, plugins, config
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db
# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: default indexes
objectClass: top
objectClass: extensibleObject
# aci, default indexes, config, ldbm database, plugins, config
dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: aci
objectClass: top
objectClass: nsIndex
# cn, default indexes, config, ldbm database, plugins, config
dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: cn
objectClass: top
objectClass: nsIndex
# entryusn, default indexes, config, ldbm database, plugins, config
dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: entryusn
objectClass: top
objectClass: nsIndex
# givenName, default indexes, config, ldbm database, plugins, config
dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=c
onfig
cn: givenName
objectClass: top
objectClass: nsIndex
# mail, default indexes, config, ldbm database, plugins, config
dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mail
objectClass: top
objectClass: nsIndex
# mailAlternateAddress, default indexes, config, ldbm database, plugins, config
dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=p
lugins,cn=config
cn: mailAlternateAddress
objectClass: top
objectClass: nsIndex
# mailHost, default indexes, config, ldbm database, plugins, config
dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: mailHost
objectClass: top
objectClass: nsIndex
# member, default indexes, config, ldbm database, plugins, config
dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=conf
ig
cn: member
objectClass: top
objectClass: nsIndex
# memberOf, default indexes, config, ldbm database, plugins, config
dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: memberOf
objectClass: top
objectClass: nsIndex
# nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
,cn=config
cn: nsTombstoneCSN
objectClass: top
objectClass: nsIndex
# nsUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
config
cn: nsUniqueId
objectClass: top
objectClass: nsIndex
# ntUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
config
cn: ntUniqueId
objectClass: top
objectClass: nsIndex
# ntUserDomainId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
,cn=config
cn: ntUserDomainId
objectClass: top
objectClass: nsIndex
# numsubordinates, default indexes, config, ldbm database, plugins, config
dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
s,cn=config
cn: numsubordinates
objectClass: top
objectClass: nsIndex
# objectclass, default indexes, config, ldbm database, plugins, config
dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn
=config
cn: objectclass
objectClass: top
objectClass: nsIndex
# owner, default indexes, config, ldbm database, plugins, config
dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=confi
g
cn: owner
objectClass: top
objectClass: nsIndex
# parentid, default indexes, config, ldbm database, plugins, config
dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: parentid
objectClass: top
objectClass: nsIndex
# seeAlso, default indexes, config, ldbm database, plugins, config
dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=con
fig
cn: seeAlso
objectClass: top
objectClass: nsIndex
# sn, default indexes, config, ldbm database, plugins, config
dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: sn
objectClass: top
objectClass: nsIndex
# targetuniqueid, default indexes, config, ldbm database, plugins, config
dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
,cn=config
cn: targetuniqueid
objectClass: top
objectClass: nsIndex
# telephoneNumber, default indexes, config, ldbm database, plugins, config
dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
s,cn=config
cn: telephoneNumber
objectClass: top
objectClass: nsIndex
# uid, default indexes, config, ldbm database, plugins, config
dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uid
objectClass: top
objectClass: nsIndex
# uniquemember, default indexes, config, ldbm database, plugins, config
dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,c
n=config
cn: uniquemember
objectClass: top
objectClass: nsIndex
# search result
search: 4
result: 0 Success
# numResponses: 31
# numEntries: 30
========
search against cn=config as admin using GSSAPI from host we are trying to turn
into a replica
(note: the admin bind returns 50 entries versus 30 for the host keytab search
above; the extra 20 are cn=tasks,cn=config and its child task entries, which
the host principal does not see)
=========
[root@dc2-ipa-dev-van ipa]# kinit admin
Password for [email protected]:
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP
# tasks, config
dn: cn=tasks,cn=config
cn: tasks
objectClass: top
objectClass: extensibleObject
# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
# abort cleanallruv, tasks, config
dn: cn=abort cleanallruv,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: abort cleanallruv
# automember export updates, tasks, config
dn: cn=automember export updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember export updates
# automember map updates, tasks, config
dn: cn=automember map updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember map updates
# automember rebuild membership, tasks, config
dn: cn=automember rebuild membership,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember rebuild membership
# backup, tasks, config
dn: cn=backup,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: backup
# cleanallruv, tasks, config
dn: cn=cleanallruv,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: cleanallruv
# export, tasks, config
dn: cn=export,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: export
# fixup linked attributes, tasks, config
dn: cn=fixup linked attributes,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: fixup linked attributes
# fixup tombstones, tasks, config
dn: cn=fixup tombstones,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: fixup tombstones
# import, tasks, config
dn: cn=import,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: import
# index, tasks, config
dn: cn=index,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: index
# ipa-sidgen-task, tasks, config
dn: cn=ipa-sidgen-task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: ipa-sidgen-task
# memberof task, tasks, config
dn: cn=memberof task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: memberof task
# restore, tasks, config
dn: cn=restore,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: restore
# schema reload task, tasks, config
dn: cn=schema reload task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: schema reload task
# syntax validate, tasks, config
dn: cn=syntax validate,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: syntax validate
# sysconfig reload, tasks, config
dn: cn=sysconfig reload,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: sysconfig reload
# upgradedb, tasks, config
dn: cn=upgradedb,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: upgradedb
# USN tombstone cleanup task, tasks, config
dn: cn=USN tombstone cleanup task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: USN tombstone cleanup task
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# config, ldbm database, plugins, config
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db
# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: default indexes
objectClass: top
objectClass: extensibleObject
# aci, default indexes, config, ldbm database, plugins, config
dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: aci
objectClass: top
objectClass: nsIndex
# cn, default indexes, config, ldbm database, plugins, config
dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: cn
objectClass: top
objectClass: nsIndex
# entryusn, default indexes, config, ldbm database, plugins, config
dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: entryusn
objectClass: top
objectClass: nsIndex
# givenName, default indexes, config, ldbm database, plugins, config
dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=c
onfig
cn: givenName
objectClass: top
objectClass: nsIndex
# mail, default indexes, config, ldbm database, plugins, config
dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mail
objectClass: top
objectClass: nsIndex
# mailAlternateAddress, default indexes, config, ldbm database, plugins, config
dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=p
lugins,cn=config
cn: mailAlternateAddress
objectClass: top
objectClass: nsIndex
# mailHost, default indexes, config, ldbm database, plugins, config
dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: mailHost
objectClass: top
objectClass: nsIndex
# member, default indexes, config, ldbm database, plugins, config
dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=conf
ig
cn: member
objectClass: top
objectClass: nsIndex
# memberOf, default indexes, config, ldbm database, plugins, config
dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: memberOf
objectClass: top
objectClass: nsIndex
# nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
,cn=config
cn: nsTombstoneCSN
objectClass: top
objectClass: nsIndex
# nsUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
config
cn: nsUniqueId
objectClass: top
objectClass: nsIndex
# ntUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
config
cn: ntUniqueId
objectClass: top
objectClass: nsIndex
# ntUserDomainId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
,cn=config
cn: ntUserDomainId
objectClass: top
objectClass: nsIndex
# numsubordinates, default indexes, config, ldbm database, plugins, config
dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
s,cn=config
cn: numsubordinates
objectClass: top
objectClass: nsIndex
# objectclass, default indexes, config, ldbm database, plugins, config
dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn
=config
cn: objectclass
objectClass: top
objectClass: nsIndex
# owner, default indexes, config, ldbm database, plugins, config
dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=confi
g
cn: owner
objectClass: top
objectClass: nsIndex
# parentid, default indexes, config, ldbm database, plugins, config
dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
nfig
cn: parentid
objectClass: top
objectClass: nsIndex
# seeAlso, default indexes, config, ldbm database, plugins, config
dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=con
fig
cn: seeAlso
objectClass: top
objectClass: nsIndex
# sn, default indexes, config, ldbm database, plugins, config
dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: sn
objectClass: top
objectClass: nsIndex
# targetuniqueid, default indexes, config, ldbm database, plugins, config
dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
,cn=config
cn: targetuniqueid
objectClass: top
objectClass: nsIndex
# telephoneNumber, default indexes, config, ldbm database, plugins, config
dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
s,cn=config
cn: telephoneNumber
objectClass: top
objectClass: nsIndex
# uid, default indexes, config, ldbm database, plugins, config
dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uid
objectClass: top
objectClass: nsIndex
# uniquemember, default indexes, config, ldbm database, plugins, config
dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,c
n=config
cn: uniquemember
objectClass: top
objectClass: nsIndex
# search result
search: 4
result: 0 Success
# numResponses: 51
# numEntries: 50
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Rich Megginson
Sent: January-20-16 11:44 AM
To: [email protected]
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with
DuplicateEntry: This entry already exists
On 01/20/2016 12:24 PM, Nathan Peters wrote:
Now we are starting to get somewhere (although a resolution still is
not visible) :)
First, thank you Petr and Rob for your help on this issue. I apologize for our
hard to parse server names. I'm not a fan of them myself and in earlier
reports I had been reformatting everything nicely with dc1, dc2, dc3 etc.
After having to submit so many reports I started to get lazy and thought it may
be more helpful to see data closer to what we are actually using.
Petr hit the nail on the head with the "does everyone who binds get the same
result" question, which, although it has not revealed a resolution, has revealed a
bunch of really interesting facts about the process.
Going back to the original logs that were running on the remote master during
the replica installation attempt I see the following :
[18/Jan/2016:09:28:32 -0800] conn=18732 fd=77 slot=77 connection from
10.21.0.98 to 10.178.0.98
[18/Jan/2016:09:28:32 -0800] conn=18732 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[18/Jan/2016:09:28:32 -0800] conn=18732 op=0 RESULT err=14 tag=97
nentries=0 etime=0, SASL bind in progress
[18/Jan/2016:09:28:32 -0800] conn=18732 op=1 BIND dn="" method=sasl
version=3 mech=GSSAPI
[18/Jan/2016:09:28:32 -0800] conn=18732 op=1 RESULT err=14 tag=97
nentries=0 etime=0, SASL bind in progress
[18/Jan/2016:09:28:32 -0800] conn=18732 op=2 BIND dn="" method=sasl
version=3 mech=GSSAPI
[18/Jan/2016:09:28:32 -0800] conn=18732 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
[18/Jan/2016:09:28:32 -0800] conn=18732 op=3 SRCH
base="cn=replication,cn=etc,dc=mydomain,dc=net" scope=0
filter="(objectClass=*)" attrs=ALL
[18/Jan/2016:09:28:32 -0800] conn=18732 op=3 RESULT err=0 tag=101
nentries=1 etime=0
[18/Jan/2016:09:28:32 -0800] conn=18732 op=4 SRCH base="cn=schema" scope=0
filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[18/Jan/2016:09:28:32 -0800] conn=18732 op=4 RESULT err=0 tag=101
nentries=1 etime=0
So, conn18732 was opened with a bind dn of "" ? Is this supposed to happen?
Yes. GSSAPI/SASL binds are multi-stage binds. You'll notice that the last stage is
op=2, and its result carries the full bind DN to which the Kerberos principal was mapped.
The dn="" until the last stage, at which time the mapped DN is known and logged.
Here is what I see when I search that base using the same empty bind dn :
nack - you have to first use "kinit myusername@MYDOMAIN", then use ldapsearch
-Y GSSAPI ..., so that the bind is done the same way, using GSSAPI.