All checks below were performed from the host we are trying to turn into a replica, and they were performed against the master, whose logs I also show.

The first check was to kinit admin and try the search. Surprisingly, the GSSAPI bind returns no results when we search that. In my previous email you can see that the standard bind gets a result as admin for that search.

Next, I tried as the host by kinit with its keytab. Same result, nothing back.

Finally I tried as my own personal admin user. Same result, nothing back.

For good measure, I tried a broad search against the base "cn=mydomain,cn=net" as each user as well, and I'll spare you the ten thousand lines of screenshot, but the results were as expected: several thousand entries in that tree, although the output differed slightly. This is the total as admin or my personal user:

# numResponses: 3372
# numEntries: 3371

and this is the total as the host keytab account:

# numResponses: 3371
# numEntries: 3370

To be even more thorough, I did searches farther and farther up the config tree using GSSAPI until I found something. The only thing that is visible through GSSAPI searches is the base of the config tree. Even the mapping tree branch doesn't seem to be visible. At the very bottom of this email are the results of the search against cn=config directly, as the attempted new replica and as admin. Admin gets about 50 results and the host only gets about 30 for some reason. I get the same results as admin on my personal account, so I've excluded those.

So if I got all that right, I was able to determine that only the base of the config tree is available using GSSAPI for any account, users for some reason get slightly more results than hosts, and all accounts can see the dc=mydomain,dc=net tree just fine using GSSAPI.

So does that help shed some light on what the cause of this might be, or why the server is not answering as expected? Is there some way I can adjust this so everyone can see the same results using GSSAPI binds as they do using regular binds? Is there some way I can check ACLs on stuff?
=============== search as admin ===============

[nathan.peters@dc2-ipa-dev-van ~]$ klist
Ticket cache: KEYRING:persistent:756600344:756600344
Default principal: ad...@mydomain.net

Valid starting       Expires              Service principal
20/01/16 22:53:18    21/01/16 22:53:08    krbtgt/mydomain....@mydomain.net

[nathan.peters@dc2-ipa-dev-van ~]$ ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: ad...@mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

============ check host keytab ============

[root@dc2-ipa-dev-van ipa]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain....@mydomain.net
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain....@mydomain.net
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain....@mydomain.net
   5 19/01/16 12:07:12 host/dc2-ipa-dev-van.mydomain....@mydomain.net

======== kinit host keytab ========

[root@dc2-ipa-dev-van ipa]# kinit -t /etc/krb5.keytab
keytab specified, forcing -k
[root@dc2-ipa-dev-van ipa]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uwO1f2L
Default principal: host/dc2-ipa-dev-van.mydomain....@mydomain.net

Valid starting       Expires              Service principal
20/01/16 23:01:11    21/01/16 23:01:11    krbtgt/mydomain....@mydomain.net
[root@dc2-ipa-dev-van ipa]#

========= ldap search against master as host ==========

[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-van.mydomain....@mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root@dc2-ipa-dev-van ipa]#

======== ldap search against master as my personal domain admin account ========

[root@dc2-ipa-dev-van ipa]# kinit nathan.peters
Password for nathan.pet...@mydomain.net:
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: nathan.pet...@mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

======= logs on master during attempt =======

===== logs on master as admin =====

[20/Jan/2016:22:55:22 -0800] conn=62398 fd=321 slot=321 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:22:55:22 -0800] conn=62398 TLS1.2 128-bit AES
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 UNBIND
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 fd=321 closed - U1

===== logs on master as the host we are trying to promote as a replica ======

[20/Jan/2016:23:02:40 -0800] conn=62480 fd=153 slot=153 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:23:02:40 -0800] conn=62480 TLS1.2 128-bit AES
[20/Jan/2016:23:02:40 -0800] conn=62480 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:02:40 -0800] conn=62480 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:23:02:40 -0800] conn=62480 op=4 UNBIND
[20/Jan/2016:23:02:40 -0800] conn=62480 op=4 fd=153 closed - U1

===== logs on master as my personal user ======

[20/Jan/2016:23:09:36 -0800] conn=62564 fd=318 slot=318 SSL connection from 10.21.0.98 to 10.178.0.98
[20/Jan/2016:23:09:36 -0800] conn=62564 TLS1.2 128-bit AES
[20/Jan/2016:23:09:36 -0800] conn=62564 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:09:36 -0800] conn=62564 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:23:09:36 -0800] conn=62564 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:09:36 -0800] conn=62564 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nathan.peters,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:23:09:36 -0800] conn=62564 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:23:09:36 -0800] conn=62564 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:23:09:36 -0800] conn=62564 op=4 UNBIND
[20/Jan/2016:23:09:36 -0800] conn=62564 op=4 fd=318 closed - U1

========== final searches against cn=mapping tree,cn=config and cn=config using host keytab and gssapi ==========

[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=mapping tree,cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-van.mydomain....@mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
SASL/GSSAPI authentication started
SASL username: host/dc2-ipa-dev-van.mydomain....@mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# config, ldbm database, plugins, config
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: default indexes
objectClass: top
objectClass: extensibleObject

# aci, default indexes, config, ldbm database, plugins, config
dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: aci
objectClass: top
objectClass: nsIndex

# cn, default indexes, config, ldbm database, plugins, config
dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: cn
objectClass: top
objectClass: nsIndex

# entryusn, default indexes, config, ldbm database, plugins, config
dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: entryusn
objectClass: top
objectClass: nsIndex

# givenName, default indexes, config, ldbm database, plugins, config
dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: givenName
objectClass: top
objectClass: nsIndex

# mail, default indexes, config, ldbm database, plugins, config
dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mail
objectClass: top
objectClass: nsIndex

# mailAlternateAddress, default indexes, config, ldbm database, plugins, config
dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mailAlternateAddress
objectClass: top
objectClass: nsIndex

# mailHost, default indexes, config, ldbm database, plugins, config
dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mailHost
objectClass: top
objectClass: nsIndex

# member, default indexes, config, ldbm database, plugins, config
dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: member
objectClass: top
objectClass: nsIndex

# memberOf, default indexes, config, ldbm database, plugins, config
dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: memberOf
objectClass: top
objectClass: nsIndex

# nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: nsTombstoneCSN
objectClass: top
objectClass: nsIndex

# nsUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: nsUniqueId
objectClass: top
objectClass: nsIndex

# ntUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: ntUniqueId
objectClass: top
objectClass: nsIndex

# ntUserDomainId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: ntUserDomainId
objectClass: top
objectClass: nsIndex

# numsubordinates, default indexes, config, ldbm database, plugins, config
dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: numsubordinates
objectClass: top
objectClass: nsIndex

# objectclass, default indexes, config, ldbm database, plugins, config
dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: objectclass
objectClass: top
objectClass: nsIndex

# owner, default indexes, config, ldbm database, plugins, config
dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: owner
objectClass: top
objectClass: nsIndex

# parentid, default indexes, config, ldbm database, plugins, config
dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: parentid
objectClass: top
objectClass: nsIndex

# seeAlso, default indexes, config, ldbm database, plugins, config
dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: seeAlso
objectClass: top
objectClass: nsIndex

# sn, default indexes, config, ldbm database, plugins, config
dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: sn
objectClass: top
objectClass: nsIndex

# targetuniqueid, default indexes, config, ldbm database, plugins, config
dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: targetuniqueid
objectClass: top
objectClass: nsIndex

# telephoneNumber, default indexes, config, ldbm database, plugins, config
dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: telephoneNumber
objectClass: top
objectClass: nsIndex

# uid, default indexes, config, ldbm database, plugins, config
dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uid
objectClass: top
objectClass: nsIndex

# uniquemember, default indexes, config, ldbm database, plugins, config
dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uniquemember
objectClass: top
objectClass: nsIndex

# search result
search: 4
result: 0 Success

# numResponses: 31
# numEntries: 30

======== search against cn=config as admin using GSSAPI from host we are trying to turn into a replica =========

[root@dc2-ipa-dev-van ipa]# kinit admin
Password for ad...@mydomain.net:
[root@dc2-ipa-dev-van ipa]# ldapsearch -Y GSSAPI -H ldaps://dc2-ipa-dev-nvan.mydomain.net -b "cn=config"
SASL/GSSAPI authentication started
SASL username: ad...@mydomain.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
cn: SNMP
nsSNMPEnabled: on
objectClass: top
objectClass: nsSNMP

# tasks, config
dn: cn=tasks,cn=config
cn: tasks
objectClass: top
objectClass: extensibleObject

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
cn: VLV Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

# abort cleanallruv, tasks, config
dn: cn=abort cleanallruv,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: abort cleanallruv

# automember export updates, tasks, config
dn: cn=automember export updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember export updates

# automember map updates, tasks, config
dn: cn=automember map updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember map updates

# automember rebuild membership, tasks, config
dn: cn=automember rebuild membership,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: automember rebuild membership

# backup, tasks, config
dn: cn=backup,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: backup

# cleanallruv, tasks, config
dn: cn=cleanallruv,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: cleanallruv

# export, tasks, config
dn: cn=export,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: export

# fixup linked attributes, tasks, config
dn: cn=fixup linked attributes,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: fixup linked attributes

# fixup tombstones, tasks, config
dn: cn=fixup tombstones,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: fixup tombstones

# import, tasks, config
dn: cn=import,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: import

# index, tasks, config
dn: cn=index,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: index

# ipa-sidgen-task, tasks, config
dn: cn=ipa-sidgen-task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: ipa-sidgen-task

# memberof task, tasks, config
dn: cn=memberof task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: memberof task

# restore, tasks, config
dn: cn=restore,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: restore

# schema reload task, tasks, config
dn: cn=schema reload task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: schema reload task

# syntax validate, tasks, config
dn: cn=syntax validate,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: syntax validate

# sysconfig reload, tasks, config
dn: cn=sysconfig reload,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: sysconfig reload

# upgradedb, tasks, config
dn: cn=upgradedb,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: upgradedb

# USN tombstone cleanup task, tasks, config
dn: cn=USN tombstone cleanup task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: USN tombstone cleanup task

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# config, ldbm database, plugins, config
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-directory: /var/lib/dirsrv/slapd-mydomain-NET/db

# default indexes, config, ldbm database, plugins, config
dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: default indexes
objectClass: top
objectClass: extensibleObject

# aci, default indexes, config, ldbm database, plugins, config
dn: cn=aci,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: aci
objectClass: top
objectClass: nsIndex

# cn, default indexes, config, ldbm database, plugins, config
dn: cn=cn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: cn
objectClass: top
objectClass: nsIndex

# entryusn, default indexes, config, ldbm database, plugins, config
dn: cn=entryusn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: entryusn
objectClass: top
objectClass: nsIndex

# givenName, default indexes, config, ldbm database, plugins, config
dn: cn=givenName,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: givenName
objectClass: top
objectClass: nsIndex

# mail, default indexes, config, ldbm database, plugins, config
dn: cn=mail,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mail
objectClass: top
objectClass: nsIndex

# mailAlternateAddress, default indexes, config, ldbm database, plugins, config
dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mailAlternateAddress
objectClass: top
objectClass: nsIndex

# mailHost, default indexes, config, ldbm database, plugins, config
dn: cn=mailHost,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: mailHost
objectClass: top
objectClass: nsIndex

# member, default indexes, config, ldbm database, plugins, config
dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: member
objectClass: top
objectClass: nsIndex

# memberOf, default indexes, config, ldbm database, plugins, config
dn: cn=memberOf,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: memberOf
objectClass: top
objectClass: nsIndex

# nsTombstoneCSN, default indexes, config, ldbm database, plugins, config
dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: nsTombstoneCSN
objectClass: top
objectClass: nsIndex

# nsUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=nsUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: nsUniqueId
objectClass: top
objectClass: nsIndex

# ntUniqueId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUniqueId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: ntUniqueId
objectClass: top
objectClass: nsIndex

# ntUserDomainId, default indexes, config, ldbm database, plugins, config
dn: cn=ntUserDomainId,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: ntUserDomainId
objectClass: top
objectClass: nsIndex

# numsubordinates, default indexes, config, ldbm database, plugins, config
dn: cn=numsubordinates,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: numsubordinates
objectClass: top
objectClass: nsIndex

# objectclass, default indexes, config, ldbm database, plugins, config
dn: cn=objectclass,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: objectclass
objectClass: top
objectClass: nsIndex

# owner, default indexes, config, ldbm database, plugins, config
dn: cn=owner,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: owner
objectClass: top
objectClass: nsIndex

# parentid, default indexes, config, ldbm database, plugins, config
dn: cn=parentid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: parentid
objectClass: top
objectClass: nsIndex

# seeAlso, default indexes, config, ldbm database, plugins, config
dn: cn=seeAlso,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: seeAlso
objectClass: top
objectClass: nsIndex

# sn, default indexes, config, ldbm database, plugins, config
dn: cn=sn,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: sn
objectClass: top
objectClass: nsIndex

# targetuniqueid, default indexes, config, ldbm database, plugins, config
dn: cn=targetuniqueid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: targetuniqueid
objectClass: top
objectClass: nsIndex

# telephoneNumber, default indexes, config, ldbm database, plugins, config
dn: cn=telephoneNumber,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: telephoneNumber
objectClass: top
objectClass: nsIndex

# uid, default indexes, config, ldbm database, plugins, config
dn: cn=uid,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uid
objectClass: top
objectClass: nsIndex

# uniquemember, default indexes, config, ldbm database, plugins, config
dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: uniquemember
objectClass: top
objectClass: nsIndex

# search result
search: 4
result: 0 Success

# numResponses: 51
# numEntries: 50

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of
Rich Megginson
Sent: January-20-16 11:44 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

On 01/20/2016 12:24 PM, Nathan Peters wrote:
> Now we are starting to get somewhere (although a resolution still is
> not visible) :)
>
> First, thank you Petr and Rob for your help on this issue. I apologize for
> our hard to parse server names. I'm not a fan of them myself and in earlier
> reports I had been reformatting everything nicely with dc1, dc2, dc3 etc.
> After having to submit so many reports I started to get lazy and thought it
> may be more helpful to see data closer to what we are actually using.
>
> Petr hit the nail on the head with the "does everyone who binds get the same
> result" question, which although it has not revealed a resolution, has
> revealed a bunch of really interesting facts about the process.
>
> Going back to the original logs that were running on the remote master during
> the replica installation attempt I see the following :
>
> [18/Jan/2016:09:28:32 -0800] conn=18732 fd=77 slot=77 connection from
> 10.21.0.98 to 10.178.0.98
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=0 BIND dn="" method=sasl
>> version=3 mech=GSSAPI
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=0 RESULT err=14 tag=97
>> nentries=0 etime=0, SASL bind in progress
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=1 BIND dn="" method=sasl
>> version=3 mech=GSSAPI
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=1 RESULT err=14 tag=97
>> nentries=0 etime=0, SASL bind in progress
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=2 BIND dn="" method=sasl
>> version=3 mech=GSSAPI
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=2 RESULT err=0 tag=97 nentries=0
>> etime=0
>> dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=3 SRCH
>> base="cn=replication,cn=etc,dc=mydomain,dc=net" scope=0
>> filter="(objectClass=*)" attrs=ALL
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=3 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=4 SRCH base="cn=schema" scope=0
>> filter="(objectClass=*)" attrs="attributeTypes objectClasses"
>> [18/Jan/2016:09:28:32 -0800] conn=18732 op=4 RESULT err=0 tag=101
>> nentries=1 etime=0
> So, conn18732 was opened with a bind dn of "" ? Is this supposed to happen?

Yes. GSSAPI/SASL binds are multi-stage binds. You'll notice that the last stage is op=2, and the result has the full bind DN to which the Kerberos principal mapped. The dn="" until the last stage, at which time the mapped DN is known and logged.

>
> Here is what I see when I search that base using the same empty bind dn :

nack - you have to first use "kinit myusername@MYDOMAIN", then use ldapsearch -Y GSSAPI ...., to do the bind in the same way to use GSSAPI.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
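The access-log lines in this thread, run through a small correlator (an added example, not code from the thread, FreeIPA or 389-ds): it attributes each SRCH to the DN the connection was finally bound as, which is the point Rich makes about dn="" during a multi-stage SASL bind, and tabulates entries returned per base and identity so an admin-vs-host difference on cn=config shows up directly. The sample log is constructed in the shape of the quoted lines; its cn=config searches and the 50/30 counts are made up to mirror the result described above.

```python
"""Attribute 389-ds access-log SRCH operations to the identity that ran them.

A GSSAPI bind is logged as several BIND/RESULT pairs with dn="" and err=14
("SASL bind in progress"); only the final RESULT err=0 carries the mapped DN,
so grepping for BIND dn="" would wrongly label every GSSAPI search as anonymous.
"""
import re
from collections import defaultdict

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\w+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)(?:.*? dn="([^"]*)")?')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
UNBIND_RE = re.compile(r'conn=(\d+) op=\d+ UNBIND')


def correlate(lines):
    """Return one dict per SRCH with the DN the connection was bound as."""
    identity = {}   # conn -> DN the connection is currently bound as
    pending = {}    # (conn, op) -> ("BIND", dn) or ("SRCH", base, scope)
    searches = []
    for line in lines:
        if m := BIND_RE.search(line):
            conn, op, dn, _method = m.groups()
            pending[(conn, op)] = ("BIND", dn)
        elif m := SRCH_RE.search(line):
            conn, op, base, scope, _filt = m.groups()
            pending[(conn, op)] = ("SRCH", base, int(scope))
        elif m := RESULT_RE.search(line):
            conn, op, err, nentries, mapped_dn = m.groups()
            req = pending.pop((conn, op), None)
            if req is None:
                continue
            if req[0] == "BIND":
                # err=14 is an intermediate SASL stage: identity still unknown.
                # err=0: a SASL bind reports the mapped DN in the RESULT, a
                # simple bind carried it in the BIND line; neither is anonymous.
                if err == "0":
                    identity[conn] = mapped_dn or req[1] or "anonymous"
            else:
                searches.append({
                    "conn": conn, "op": int(op),
                    "bound_as": identity.get(conn, "anonymous"),
                    "base": req[1], "scope": req[2],
                    "err": int(err), "nentries": int(nentries),
                })
        elif m := UNBIND_RE.search(line):
            identity.pop(m.group(1), None)
    return searches


def visibility_by_base(searches):
    """base -> {bound DN -> nentries}. Different counts for the same base under
    different identities point at ACI (access control) differences."""
    table = defaultdict(dict)
    for s in searches:
        table[s["base"]][s["bound_as"]] = s["nentries"]
    return dict(table)


# Constructed sample in the shape of the access-log lines quoted in the thread
# (admin conn=62398, host conn=62480); the cn=config searches and their entry
# counts are made up here to mirror the 50-vs-30 result the thread describes.
SAMPLE_LOG = r"""
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:22:55:22 -0800] conn=62398 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 SRCH base="cn=replica,cn=dc\3Dmydomain\2Cdc\3Dnet,cn=mapping tree,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:55:22 -0800] conn=62398 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:22:55:22 -0800] conn=62398 op=4 RESULT err=0 tag=101 nentries=50 etime=0
[20/Jan/2016:22:55:22 -0800] conn=62398 op=5 UNBIND
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2016:23:02:40 -0800] conn=62480 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=dc2-ipa-dev-van.mydomain.net,cn=computers,cn=accounts,dc=mydomain,dc=net"
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Jan/2016:23:02:40 -0800] conn=62480 op=3 RESULT err=0 tag=101 nentries=30 etime=0
[20/Jan/2016:23:02:40 -0800] conn=62480 op=4 UNBIND
""".strip().splitlines()
```

Feed it the real access log (`correlate(open("/var/log/dirsrv/slapd-INSTANCE/access").read().splitlines())`, path assumed) and compare `visibility_by_base` rows for the same base across the admin, host and user DNs; a base that returns fewer entries for one identity is where the ACIs differ.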