[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Nathan Peters Nathan.Peters at globalrelay.net
Thu Jan 21 07:38:13 UTC 2016


All checks below were performed from the host we are trying to turn into a replica, and they were performed against the master, whose logs I also show.

The first check was to kinit admin and try the search.  Surprisingly, the GSSAPI bind returns no results when we search that.  In my previous email you can see that the standard bind gets a result as admin for that search.

Next, I tried as the host by kinit with its keytab.  Same result, nothing back.

Finally I tried as my own personal admin user.  Same result, nothing back.

For good measure, I tried a broad search against the base "cn=mydomain,cn=net" as each user as well, and I'll spare you the ten thousand lines of screenshot, but the results were as expected: several thousand entries in that tree, although the output differed slightly.  This is the total as admin or as my personal user:
# numResponses: 3372
# numEntries: 3371

and this is the total as the host keytab account:

# numResponses: 3371
# numEntries: 3370

To be even more thorough, I did searches farther and farther up the config tree using GSSAPI until I found something.  The only thing that is visible through GSSAPI searches is the base of the config tree.  Even the mapping tree branch doesn't seem to be visible.

At the very bottom of this email are the results of the search against cn=config directly, as the attempted new replica and as admin.  Admin gets about 50 results and the host only gets about 30 for some reason.  I get the same results as admin on my personal account, so I've excluded those.

So if I got all that right, I was able to determine that only the base of the config tree is available using GSSAPI for any account, users for some reason get slightly more results than hosts, and all accounts can see the dc=mydomain,dc=net tree just fine using GSSAPI.

So does that help shed some light on what the cause of this might be or why the server is not answering as expected?

Is there some way I can adjust this so everyone can see the same results using GSSAPI binds that they do using regular binds?

Is there some way I can check ACLs on stuff?

===============
search as admin
===============
[nathan.peters at dc2-ipa-dev-van ~]$ klist
Ticket cache: KEYRING:persistent:756600344:756600344
Default principal: admin at MYDOMAIN.NET

Valid starting     Expires            Service principal
20/01/16 22:53:18  21/01/16 22:53:08  krbtgt/MYDOMAIN.NET at MYDOMAIN.NET
[nathan.peters at dc2-ipa-dev-van ~]$ ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: admin at MYDOMAIN.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

============
check host keytab
============

[root at dc2-ipa-dev-van ipa]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET

========
kinit host keytab
========
   
[root at dc2-ipa-dev-van ipa]# kinit -t /etc/krb5.keytab
keytab specified, forcing -k
[root at dc2-ipa-dev-van ipa]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uwO1f2L
Default principal: host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET

Valid starting     Expires            Service principal
20/01/16 23:01:11  21/01/16 23:01:11  krbtgt/MYDOMAIN.NET at MYDOMAIN.NET
[root at dc2-ipa-dev-van ipa]#

=========
ldap search against master as host
==========
[root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-van.mydomain.net at MYDOMAIN.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root at dc2-ipa-dev-van ipa]#

========
ldap search against master as my personal domain admin account
========
[root at dc2-ipa-dev-van ipa]# kinit nathan.peters
Password for nathan.peters at MYDOMAIN.NET:
[root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: nathan.peters at MYDOMAIN.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

   
   
=======
logs on master during attempt
=======

=====
logs on master as admin
=====
[20/Jan/2016:22:55:22 -0800] conn=62398 fd=321 slot=321 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:22:55:22 -0800] conn=62398 TLS1.2 128-bit AES
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 UNBIND
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 fd=321 closed - U1

=====
logs on master as the host we are trying to promote as a replica
======
[20/Jan/2016:23:02:40 -0800] conn=62480 fd=153 slot=153 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:23:02:40 -0800] conn=62480 TLS1.2 128-bit AES
[20/Jan/2016:23:02:40 -0800] conn=62480 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:02:40 -0800] conn=62480 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:23:02:40 -0800] conn=62480 op=4 UNBIND
[20/Jan/2016:23:02:40 -0800] conn=62480 op=4 fd=153 closed - U1

=====
logs on master as my personal user
======
[20/Jan/2016:23:09:36 -0800] conn=62564 fd=318 slot=318 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:23:09:36 -0800] conn=62564 TLS1.2 128-bit AES
[20/Jan/2016:23:09:36 -0800] conn=62564 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:09:36 -0800] conn=62564 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:09:36 -0800] conn=62564 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nathan.peters,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:23:09:36 -0800] conn=62564 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:23:09:36 -0800] conn=62564 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:23:09:36 -0800] conn=62564 op=4 UNBIND
[20/Jan/2016:23:09:36 -0800] conn=62564 op=4 fd=318 closed - U1


==========
final searches against cn=mapping tree,cn=config and cn=config using host keytab and gssapi
==========

[root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-van.mydomain.net at mydomain.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-van.mydomain.net at mydomain.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# config, ldbm database, plugins, config
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: default indexes
objectClass: top
objectClass: extensibleObject

# aci, default indexes, config, ldbm database, plugins, config
dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: aci
objectClass: top
objectClass: nsIndex

# cn, default indexes, config, ldbm database, plugins, config
dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: cn
objectClass: top
objectClass: nsIndex

# entryusn, default indexes, config, ldbm database, plugins, config
dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: entryusn
objectClass: top
objectClass: nsIndex

# givenName, default indexes, config, ldbm database, plugins, config
dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=c
 onfig
cn: givenName
objectClass: top
objectClass: nsIndex

# mail, default indexes, config, ldbm database, plugins, config
dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mail
objectClass: top
objectClass: nsIndex

# mailAlternateAddress, default indexes, config, ldbm database, plugins, config
dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=p
 lugins,cn=config
cn: mailAlternateAddress
objectClass: top
objectClass: nsIndex

# mailHost, default indexes, config, ldbm database, plugins, config
dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: mailHost
objectClass: top
objectClass: nsIndex

# member, default indexes, config, ldbm database, plugins, config
dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=conf
 ig
cn: member
objectClass: top
objectClass: nsIndex

# memberOf, default indexes, config, ldbm database, plugins, config
dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: memberOf
objectClass: top
objectClass: nsIndex

# nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
 ,cn=config
cn: nsTombstoneCSN
objectClass: top
objectClass: nsIndex

# nsUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
 config
cn: nsUniqueId
objectClass: top
objectClass: nsIndex

# ntUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
 config
cn: ntUniqueId
objectClass: top
objectClass: nsIndex

# ntUserDomainId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
 ,cn=config
cn: ntUserDomainId
objectClass: top
objectClass: nsIndex

# numsubordinates, default indexes, config, ldbm database, plugins, config
dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
 s,cn=config
cn: numsubordinates
objectClass: top
objectClass: nsIndex

# objectclass, default indexes, config, ldbm database, plugins, config
dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn
 =config
cn: objectclass
objectClass: top
objectClass: nsIndex

# owner, default indexes, config, ldbm database, plugins, config
dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=confi
 g
cn: owner
objectClass: top
objectClass: nsIndex

# parentid, default indexes, config, ldbm database, plugins, config
dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: parentid
objectClass: top
objectClass: nsIndex

# seeAlso, default indexes, config, ldbm database, plugins, config
dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=con
 fig
cn: seeAlso
objectClass: top
objectClass: nsIndex

# sn, default indexes, config, ldbm database, plugins, config
dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: sn
objectClass: top
objectClass: nsIndex

# targetuniqueid, default indexes, config, ldbm database, plugins, config
dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
 ,cn=config
cn: targetuniqueid
objectClass: top
objectClass: nsIndex

# telephoneNumber, default indexes, config, ldbm database, plugins, config
dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
 s,cn=config
cn: telephoneNumber
objectClass: top
objectClass: nsIndex

# uid, default indexes, config, ldbm database, plugins, config
dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uid
objectClass: top
objectClass: nsIndex

# uniquemember, default indexes, config, ldbm database, plugins, config
dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,c
 n=config
cn: uniquemember
objectClass: top
objectClass: nsIndex

# search result
search: 4
result: 0 Success

# numResponses: 31
# numEntries: 30

========
search against cn=config as admin using GSSAPI from host we are trying to turn into a replica
=========
[root at dc2-ipa-dev-van ipa]# kinit admin
Password for admin at MYDOMAIN.NET:
[root at dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
SASL/GSSAPI authentication started
SASL username: admin at MYDOMAIN.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP

# tasks, config
dn: cn=tasks,cn=config
cn: tasks
objectClass: top
objectClass: extensibleObject

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

# abort cleanallruv, tasks, config
dn: cn=abort cleanallruv,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: abort cleanallruv

# automember export updates, tasks, config
dn: cn=automember export updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember export updates

# automember map updates, tasks, config
dn: cn=automember map updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember map updates

# automember rebuild membership, tasks, config
dn: cn=automember rebuild membership,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember rebuild membership

# backup, tasks, config
dn: cn=backup,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: backup

# cleanallruv, tasks, config
dn: cn=cleanallruv,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: cleanallruv

# export, tasks, config
dn: cn=export,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: export

# fixup linked attributes, tasks, config
dn: cn=fixup linked attributes,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: fixup linked attributes

# fixup tombstones, tasks, config
dn: cn=fixup tombstones,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: fixup tombstones

# import, tasks, config
dn: cn=import,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: import

# index, tasks, config
dn: cn=index,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: index

# ipa-sidgen-task, tasks, config
dn: cn=ipa-sidgen-task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: ipa-sidgen-task

# memberof task, tasks, config
dn: cn=memberof task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: memberof task

# restore, tasks, config
dn: cn=restore,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: restore

# schema reload task, tasks, config
dn: cn=schema reload task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: schema reload task

# syntax validate, tasks, config
dn: cn=syntax validate,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: syntax validate

# sysconfig reload, tasks, config
dn: cn=sysconfig reload,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: sysconfig reload

# upgradedb, tasks, config
dn: cn=upgradedb,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: upgradedb

# USN tombstone cleanup task, tasks, config
dn: cn=USN tombstone cleanup task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: USN tombstone cleanup task

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# config, ldbm database, plugins, config
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: default indexes
objectClass: top
objectClass: extensibleObject

# aci, default indexes, config, ldbm database, plugins, config
dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: aci
objectClass: top
objectClass: nsIndex

# cn, default indexes, config, ldbm database, plugins, config
dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: cn
objectClass: top
objectClass: nsIndex

# entryusn, default indexes, config, ldbm database, plugins, config
dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: entryusn
objectClass: top
objectClass: nsIndex

# givenName, default indexes, config, ldbm database, plugins, config
dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=c
 onfig
cn: givenName
objectClass: top
objectClass: nsIndex

# mail, default indexes, config, ldbm database, plugins, config
dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mail
objectClass: top
objectClass: nsIndex

# mailAlternateAddress, default indexes, config, ldbm database, plugins, config
dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=p
 lugins,cn=config
cn: mailAlternateAddress
objectClass: top
objectClass: nsIndex

# mailHost, default indexes, config, ldbm database, plugins, config
dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: mailHost
objectClass: top
objectClass: nsIndex

# member, default indexes, config, ldbm database, plugins, config
dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=conf
 ig
cn: member
objectClass: top
objectClass: nsIndex

# memberOf, default indexes, config, ldbm database, plugins, config
dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: memberOf
objectClass: top
objectClass: nsIndex

# nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
 ,cn=config
cn: nsTombstoneCSN
objectClass: top
objectClass: nsIndex

# nsUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
 config
cn: nsUniqueId
objectClass: top
objectClass: nsIndex

# ntUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=
 config
cn: ntUniqueId
objectClass: top
objectClass: nsIndex

# ntUserDomainId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
 ,cn=config
cn: ntUserDomainId
objectClass: top
objectClass: nsIndex

# numsubordinates, default indexes, config, ldbm database, plugins, config
dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
 s,cn=config
cn: numsubordinates
objectClass: top
objectClass: nsIndex

# objectclass, default indexes, config, ldbm database, plugins, config
dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn
 =config
cn: objectclass
objectClass: top
objectClass: nsIndex

# owner, default indexes, config, ldbm database, plugins, config
dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=confi
 g
cn: owner
objectClass: top
objectClass: nsIndex

# parentid, default indexes, config, ldbm database, plugins, config
dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=co
 nfig
cn: parentid
objectClass: top
objectClass: nsIndex

# seeAlso, default indexes, config, ldbm database, plugins, config
dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=con
 fig
cn: seeAlso
objectClass: top
objectClass: nsIndex

# sn, default indexes, config, ldbm database, plugins, config
dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: sn
objectClass: top
objectClass: nsIndex

# targetuniqueid, default indexes, config, ldbm database, plugins, config
dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins
 ,cn=config
cn: targetuniqueid
objectClass: top
objectClass: nsIndex

# telephoneNumber, default indexes, config, ldbm database, plugins, config
dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugin
 s,cn=config
cn: telephoneNumber
objectClass: top
objectClass: nsIndex

# uid, default indexes, config, ldbm database, plugins, config
dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uid
objectClass: top
objectClass: nsIndex

# uniquemember, default indexes, config, ldbm database, plugins, config
dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,c
 n=config
cn: uniquemember
objectClass: top
objectClass: nsIndex

# search result
search: 4
result: 0 Success

# numResponses: 51
# numEntries: 50


-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: January-20-16 11:44 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

On 01/20/2016 12:24 PM, Nathan Peters wrote:
> Now we are starting to get somewhere (although a resolution still is 
> not visible) :)
>
> First, thank you Petr and Rob for your help on this issue.  I apologize for our hard to parse server names.  I'm not a fan of them myself, and in earlier reports I had been reformatting everything nicely with dc1, dc2, dc3 etc.  After having to submit so many reports I started to get lazy and thought it may be more helpful to see data closer to what we are actually using.
>
> Petr hit the nail on the head with the "does everyone who binds get the same result" question, which although it has not revealed a resolution, has revealed a bunch of really interesting facts about the process.
>
> Going back to the original logs that were running on the remote master during the replica installation attempt I see the following :
>
> [18/Jan/2016:09:28:32 -0800] conn=18732 fd=77 slot=77 connection from 
> 10.21.0.98 to 10.178.0.98
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=0 BIND dn="" method=sasl 
>> version=3 mech=GSSAPI
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=0 RESULT err=14 tag=97 
>> nentries=0 etime=0, SASL bind in progress
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=1 BIND dn="" method=sasl 
>> version=3 mech=GSSAPI
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=1 RESULT err=14 tag=97 
>> nentries=0 etime=0, SASL bind in progress
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=2 BIND dn="" method=sasl 
>> version=3 mech=GSSAPI
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=3 SRCH 
>> base="cn=replication,cn=etc,dc=mydomain,dc=net" scope=0 
>> filter="(objectClass=*)" attrs=ALL
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=3 RESULT err=0 tag=101 
>> nentries=1 etime=0
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=4 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=4 RESULT err=0 tag=101 
>> nentries=1 etime=0
> So, conn18732 was opened with a bind dn of "" ?  Is this supposed to happen?

Yes.  GSSAPI/SASL binds are multi-stage binds.  You'll notice that the last stage is op=2, and the result has the full bind DN to which the Kerberos principal mapped.  The dn is "" until the last stage, at which time the mapped DN is known and logged.

>
> Here is what I see when I search that base using the same empty bind dn :

nack - you have to first use "kinit myusername at MYDOMAIN", then use ldapsearch -Y GSSAPI ...., to do the bind in the same way, using GSSAPI.




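The checks in this thread were done by hand: run a search under each identity, then read the master's access log to see which DN the GSSAPI bind mapped to and how many entries the search returned. The script below is an added example, not code from the thread or from FreeIPA/389-ds, that automates that correlation. It parses 389-ds access-log lines per connection, picks up the mapped bind DN from the final err=0 RESULT of a SASL bind (or from the request itself for a simple bind), pairs each SRCH with its RESULT to record nentries, and then reports, for one search base, what each identity got back. The embedded log is constructed: the first connection copies the shape of the admin GSSAPI exchange quoted above; the second, a simple bind as Directory Manager returning two entries, is a hypothetical comparison connection and not something the page shows.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 389-ds access-log format quoted in the
# thread.  conn=62398 is a three-step GSSAPI bind that maps to the admin user;
# conn=62399 is a hypothetical simple bind as Directory Manager against the
# same base, returning two entries (assumed, not taken from the page).
SAMPLE_ACCESS_LOG = r"""
[20/Jan/2016:22:55:22 -0800] conn=62398 fd=321 slot=321 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 UNBIND
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 fd=321 closed - U1
[20/Jan/2016:22:57:01 -0800] conn=62399 fd=322 slot=322 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:22:57:01 -0800] conn=62399 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jan/2016:22:57:01 -0800] conn=62399 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jan/2016:22:57:01 -0800] conn=62399 op=1 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:57:01 -0800] conn=62399 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[20/Jan/2016:22:57:01 -0800] conn=62399 op=2 UNBIND
"""

CONN_OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|RESULT|SRCH|UNBIND)\b")
BIND_DN_RE = re.compile(r'BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=(\d)')
RESULT_RE = re.compile(r"RESULT err=(\d+) .*?nentries=(\d+)")
RESULT_DN_RE = re.compile(r'dn="([^"]*)"')


def correlate(log_text):
    """Return {conn: {"bind_dn": str, "searches": [record, ...]}}."""
    conns = defaultdict(lambda: {"bind_dn": "", "searches": []})
    op_kind = {}       # (conn, op) -> "BIND" or "SRCH", so RESULTs can be routed
    pending_srch = {}  # (conn, op) -> search record still waiting for its RESULT
    for line in log_text.splitlines():
        m = CONN_OP_RE.search(line)
        if not m:
            continue  # connection open/close lines carry no op
        conn, op, kind = m.group(1), m.group(2), m.group(3)
        key = (conn, op)
        if kind == "BIND":
            op_kind[key] = "BIND"
            dn = BIND_DN_RE.search(line).group(1)
            if dn:  # simple bind: the DN is on the request itself
                conns[conn]["bind_dn"] = dn
        elif kind == "SRCH":
            op_kind[key] = "SRCH"
            s = SRCH_RE.search(line)
            rec = {"op": int(op), "base": s.group(1), "scope": int(s.group(2)),
                   "err": None, "nentries": None}
            conns[conn]["searches"].append(rec)
            pending_srch[key] = rec
        elif kind == "RESULT":
            r = RESULT_RE.search(line)
            err, nentries = int(r.group(1)), int(r.group(2))
            if op_kind.get(key) == "BIND":
                # err=14 is "SASL bind in progress"; the mapped DN is logged
                # only on the final err=0 RESULT of a GSSAPI bind.
                d = RESULT_DN_RE.search(line)
                if err == 0 and d:
                    conns[conn]["bind_dn"] = d.group(1)
            elif key in pending_srch:
                rec = pending_srch.pop(key)
                rec["err"], rec["nentries"] = err, nentries
    return dict(conns)


def visibility_by_identity(conns, base):
    """Map each bind DN to the nentries it received searching `base`."""
    out = {}
    for c in conns.values():
        for s in c["searches"]:
            if s["base"].lower() == base.lower() and s["nentries"] is not None:
                out[c["bind_dn"]] = s["nentries"]
    return out


REPLICA_BASE = r"cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"

if __name__ == "__main__":
    # On a real master: correlate(open("/var/log/dirsrv/slapd-MYDOMAIN-NET/access").read())
    report = correlate(SAMPLE_ACCESS_LOG)
    for dn, n in visibility_by_identity(report, REPLICA_BASE).items():
        print(f"{dn!r}: nentries={n}")
```

A bind DN that shows nentries=0 for a base while another shows a non-zero count, both with err=0, is the server-side signature of an ACI difference rather than a connectivity or authentication failure: the search succeeded, the identity simply was not allowed to read the entries.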