New replica looks to be fully joined. I can add users, and I have verified by log examination that the new replica is actually the server adding the user.
I cannot detect any issues, BUT the 3rd replica does not appear as a column when I execute the ipa_check_consistency script.
grant@ef-idm03:~[20181219-11:35][#103]$ ipa-replica-manage list
ef-idm03.production.efilm.com: master
ef-idm02.production.efilm.com: master
ef-idm01.production.efilm.com: master
grant@ef-idm03:~[20181219-11:35][#104]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W ********
FreeIPA servers:    ef-idm01    ef-idm02    STATE
=================================================
Active Users        129         129         OK
Stage Users         7           7           OK
Preserved Users     0           0           OK
User Groups         22          22          OK
Hosts               158         158         OK
Host Groups         16          16          OK
HBAC Rules          5           5           OK
SUDO Rules          14          14          OK
DNS Zones           ERROR       ERROR       OK
LDAP Conflicts      NO          NO          OK
Ghost Replicas      NO          NO          OK
Anonymous BIND      YES         YES         OK
Replication Status ef-idm02 0 ef-idm01 0 ef-idm03 0
=================================================
grant@ef-idm03:~[20181219-11:35][#105]$ ipa user_find | grep entries
Number of entries returned 129
grant@ef-idm03:~[20181219-11:35][#106]$ ipa group_find | grep entries
Number of entries returned 22
grant@ef-idm03:~[20181219-11:35][#107]$ ipa host_find | grep entries
Number of entries returned 155
grant@ef-idm03:~[20181219-11:36][#108]$ ipa hostgroup_find | grep entries
Number of entries returned 16
grant@ef-idm03:~[20181219-11:36][#109]$ ipa hbacrule-find | grep entries
Number of entries returned 5
grant@ef-idm03:~[20181219-11:37][#110]$ ipa sudorule-find | grep entries
Number of entries returned 14
grant@ef-idm03:~[20181219-11:37][#111]$
what does this indicate?
thanx
- grant
This e-mail and any attachments are intended only for use by the addressee(s) named herein and may contain confidential information. If you are not the intended recipient of this e-mail, you are hereby notified any dissemination, distribution or copying of this email and any attachments is strictly prohibited. If you receive this email in error, please immediately notify the sender by return email and permanently delete the original, any copy and any printout thereof. The integrity and security of e-mail cannot be guaranteed.
On 12/19/18 8:39 PM, Grant Janssen via FreeIPA-users wrote:
> New replica looks to be fully joined. I can add users, and I have verified by log examination that the new replica is actually the server adding the user.
> I cannot detect any issues, BUT the 3rd replica does not appear as a column when I execute the ipa_check_consistency script.
> grant@ef-idm03:~[20181219-11:35][#103]$ ipa-replica-manage list
> ef-idm03.production.efilm.com: master
> ef-idm02.production.efilm.com: master
> ef-idm01.production.efilm.com: master
> grant@ef-idm03:~[20181219-11:35][#104]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W ********
> FreeIPA servers:    ef-idm01    ef-idm02    STATE
> =================================================
> Active Users        129         129         OK
> Stage Users         7           7           OK
> Preserved Users     0           0           OK
> User Groups         22          22          OK
> Hosts               158         158         OK
> Host Groups         16          16          OK
> HBAC Rules          5           5           OK
> SUDO Rules          14          14          OK
> DNS Zones           ERROR       ERROR       OK
> LDAP Conflicts      NO          NO          OK
> Ghost Replicas      NO          NO          OK
> Anonymous BIND      YES         YES         OK
> Replication Status ef-idm02 0 ef-idm01 0 ef-idm03 0
> =================================================
> grant@ef-idm03:~[20181219-11:35][#105]$ ipa user_find | grep entries
> Number of entries returned 129
> grant@ef-idm03:~[20181219-11:35][#106]$ ipa group_find | grep entries
> Number of entries returned 22
> grant@ef-idm03:~[20181219-11:35][#107]$ ipa host_find | grep entries
> Number of entries returned 155
> grant@ef-idm03:~[20181219-11:36][#108]$ ipa hostgroup_find | grep entries
> Number of entries returned 16
> grant@ef-idm03:~[20181219-11:36][#109]$ ipa hbacrule-find | grep entries
> Number of entries returned 5
> grant@ef-idm03:~[20181219-11:37][#110]$ ipa sudorule-find | grep entries
> Number of entries returned 14
> grant@ef-idm03:~[20181219-11:37][#111]$
> what does this indicate?
Hi,
(disclaimer: I am not familiar with ipa-check-consistency)
I had a quick look at the code for ipa_check_consistency. If the list of servers is not provided in the command line, they are found in the DNS with the records for _ldap._tcp of the domain. Can you check the output of
# dig +short -t SRV _ldap._tcp.$domain.
flo
> thanx
> - grant
I never thought to dissect the ipa_check_consistency script. I wasn’t going to add the SRV record until everything tested perfectly - didn’t want authorizations going to a server that wasn’t functioning.
added the SRV record. now THAT was an easy fix.
grant@ef-idm03:~[20181219-11:37][#111]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W ********
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    STATE
=============================================================
Active Users        129         129         129         OK
Stage Users         7           7           7           OK
Preserved Users     0           0           0           OK
User Groups         22          22          22          OK
Hosts               158         158         158         OK
Host Groups         16          16          16          OK
HBAC Rules          5           5           5           OK
SUDO Rules          14          14          14          OK
DNS Zones           ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         OK
Replication Status ef-idm02 0 ef-idm01 0 ef-idm01 0 ef-idm03 0
=============================================================
grant@ef-idm03:~[20181220-5:42][#112]$
thanx & merry christmas
- grant
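
Added example (not part of the original thread or of ipa_check_consistency): a small shell check that compares the masters reported by `ipa-replica-manage list` with the `_ldap._tcp` SRV targets, so a replica that is joined but not yet published for discovery is listed explicitly. The function names and the sample SRV priority/weight/port values are constructed for illustration.

```shell
#!/bin/sh
# Report IPA masters that have no _ldap._tcp SRV record.
# Live use (assumption: run where both commands work, with a valid ticket):
#   missing_from_srv "$(ipa-replica-manage list)" \
#                    "$(dig +short -t SRV _ldap._tcp.production.efilm.com.)"

# Hostnames of masters from `ipa-replica-manage list` output
# ("host.example.com: master"), lower-cased, one per line.
masters_from_list() {
    printf '%s\n' "$1" |
        awk -F': *' '$2 == "master" { print tolower($1) }' | sort -u
}

# SRV targets from `dig +short -t SRV` output
# ("priority weight port target."), trailing dot stripped.
targets_from_srv() {
    printf '%s\n' "$1" |
        awk 'NF == 4 { t = tolower($4); sub(/\.$/, "", t); print t }' | sort -u
}

# Masters present in the topology but absent from SRV-based discovery.
missing_from_srv() {
    targets=$(targets_from_srv "$2")
    masters_from_list "$1" | while read -r host; do
        printf '%s\n' "$targets" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# Constructed sample input modelled on the state before the SRV record
# for the third replica was added.
SAMPLE_LIST='ef-idm03.production.efilm.com: master
ef-idm02.production.efilm.com: master
ef-idm01.production.efilm.com: master'
SAMPLE_SRV='0 100 389 ef-idm01.production.efilm.com.
0 100 389 ef-idm02.production.efilm.com.'

missing_from_srv "$SAMPLE_LIST" "$SAMPLE_SRV"
```

A master held out of DNS on purpose while it is being tested will also show up here; the output only says that SRV-driven tools and clients will not see it yet.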