Ok, here are the logs and console session from those searches as admin and as the host on the new master against itself. Same result, nothing in there.
See my email reply to Rich I sent a few minutes ago for the directory manager aci search results.

==========================================================================
GSSAPI search using admin on old master searching old master (current host)
==========================================================================

[root@dc2-ipa-dev-nvan ~]# kinit admin
Password for [email protected]:
[root@dc2-ipa-dev-nvan ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_swFzxQf
Default principal: [email protected]

Valid starting       Expires              Service principal
21/01/16 19:54:14    22/01/16 19:54:05    krbtgt/[email protected]
[root@dc2-ipa-dev-nvan ~]# ldapsearch -Y GSSAPI -b "cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root@dc2-ipa-dev-nvan ~]# kdestroy

==========================================================================
GSSAPI search using host keytab on old master searching old master (current host)
==========================================================================

[root@dc2-ipa-dev-nvan ~]# kinit -k -t /etc/krb5.keytab
[root@dc2-ipa-dev-nvan ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_swFzxQf
Default principal: host/[email protected]

Valid starting       Expires              Service principal
21/01/16 19:54:53    22/01/16 19:54:53    krbtgt/[email protected]
[root@dc2-ipa-dev-nvan ~]# ldapsearch -Y GSSAPI -b "cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/[email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root@dc2-ipa-dev-nvan ~]#

========================================================
logs from old master (current host) during search using host keytab
========================================================

[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-nvan.dev-mydomain.net,cn=computers,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 UNBIND
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 fd=273 closed - U1

===========================================================
logs from old master (current host) during search as admin
===========================================================

[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:54:40 -0800] conn=76094 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:54:40 -0800] conn=76094 op=5 UNBIND
[21/Jan/2016:19:54:40 -0800] conn=76094 op=5 fd=143 closed - U1

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ludwig Krispenz
Sent: January-21-16 7:45 AM
To: [email protected]
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

On 01/21/2016 08:50 AM, Nathan Peters wrote:
> I don't know if this makes a difference too, but I performed the same checks
> on a different completely working and joined FreeIPA master, against other
> masters, and even against itself directly.
>
> It seems that no account, no keytab, and no host can see that mapping tree
> branch no matter who they search from or against if GSSAPI is used.

There should be no difference in the result; it should only depend on the acis, and in one of your previous posts you said that you don't get a result bound as admin:

>>>
[root@dc2-ipa-dev-van ~]# ldapsearch -Hldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" -D "uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

---snip---

So we know that for whatever reason, this particular DN cannot be searched from anyone other than directory manager.
<<<

So could you provide the result and log of a search with gssapi and directly bound to the same server. And as directory manager query the acis in the mapping tree entry.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
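The access-log excerpts in this thread are the evidence for the ACI question Ludwig raises: the search succeeds (err=0) but returns nentries=0 for both the host principal and admin. The following is an added example, not code from the thread or from FreeIPA/389-ds, that parses 389-ds access-log lines of the form shown above and pairs each completed search with the identity the connection actually bound as. For a GSSAPI bind the mapped DN appears only on the final bind RESULT line (tag=97, err=0, dn="..."), while a simple bind names its DN on the BIND line itself; the parser handles both. The sample log is built from the lines posted above plus a constructed Directory Manager connection (conn=76110, nentries=2) that is an assumption added purely to show the contrast; the thread itself does not include those lines.

```python
import re
from typing import Dict, List, Tuple

# Common prefix of a 389-ds access-log line: [timestamp] conn=N op=M <rest>
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$'
)
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
BASE_RE = re.compile(r'base="(?P<base>[^"]*)"')

BIND_RESPONSE_TAG = "97"   # LDAP bindResponse  [APPLICATION 1] = 0x61
SEARCH_DONE_TAG = "101"    # LDAP searchResDone [APPLICATION 5] = 0x65

# Sample input: conn=76103 and conn=76094 are copied from the thread above;
# conn=76110 is a CONSTRUCTED Directory Manager search used only for contrast.
SAMPLE_ACCESS_LOG = r"""
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jan/2016:19:55:15 -0800] conn=76103 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-nvan.dev-mydomain.net,cn=computers,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:55:15 -0800] conn=76103 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:19:55:15 -0800] conn=76103 op=5 UNBIND
[21/Jan/2016:19:54:40 -0800] conn=76094 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=dev-mydomain,dc=net"
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:19:54:40 -0800] conn=76094 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[21/Jan/2016:20:01:00 -0800] conn=76110 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Jan/2016:20:01:00 -0800] conn=76110 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Jan/2016:20:01:00 -0800] conn=76110 op=1 SRCH base="cn=replica,cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2016:20:01:00 -0800] conn=76110 op=1 RESULT err=0 tag=101 nentries=2 etime=0
"""


def summarize_searches(log_text: str) -> List[Dict[str, object]]:
    """Pair every completed SRCH with the DN its connection ended up bound as."""
    bound_as: Dict[str, str] = {}              # conn -> effective bind DN
    pending: Dict[Tuple[str, str], str] = {}   # (conn, op) -> search base
    records: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        if rest.startswith("BIND "):
            # Simple bind names the DN here; SASL binds log dn="" at this point.
            dn = DN_RE.search(rest)
            if dn and dn.group("dn"):
                bound_as[conn] = dn.group("dn")
            continue
        if rest.startswith("SRCH "):
            b = BASE_RE.search(rest)
            pending[(conn, op)] = b.group("base") if b else ""
            continue
        res = RESULT_RE.match(rest)
        if not res:
            continue
        if res.group("tag") == BIND_RESPONSE_TAG:
            # GSSAPI: the mapped identity is only visible on the final successful bind RESULT.
            dn = DN_RE.search(rest)
            if res.group("err") == "0" and dn:
                bound_as[conn] = dn.group("dn")
        elif res.group("tag") == SEARCH_DONE_TAG:
            records.append({
                "conn": conn,
                "bind_dn": bound_as.get(conn, "<anonymous>"),
                "base": pending.pop((conn, op), ""),
                "err": int(res.group("err")),
                "nentries": int(res.group("n")),
            })
    return records


def empty_searches(records: List[Dict[str, object]], base_fragment: str):
    """Searches under a base that succeeded (err=0) yet returned no entries: the ACI symptom."""
    return [r for r in records
            if base_fragment in str(r["base"]) and r["err"] == 0 and r["nentries"] == 0]


if __name__ == "__main__":
    recs = summarize_searches(SAMPLE_ACCESS_LOG)
    for r in recs:
        print(f'conn={r["conn"]} bound_as={r["bind_dn"]} nentries={r["nentries"]}')
    for r in empty_searches(recs, "cn=mapping tree,cn=config"):
        print(f'empty result for {r["bind_dn"]} (conn={r["conn"]})')
```

Run against a real /var/log/dirsrv/slapd-INSTANCE/access file, the empty_searches list gives the bound identities that an ACI on the mapping tree entry is hiding the replica subtree from, which is the comparison to make against the aci attributes read back as Directory Manager.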
