Hi,

On Fri, Feb 23, 2024 at 2:49 PM Markus Rexhepi-Lindberg via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> You are right, sorry for the confusion. I have performed a new
> `ipa-replica-install` and you can find the logs for the master and replica
> in these links:
>
> master ds389 access:
> https://www.rexhepi-lindberg.com/iparepl/20230223/se-rhidm03_access
> master ds389 errors:
> https://www.rexhepi-lindberg.com/iparepl/20230223/se-rhidm03_errors
> replica ds389 access:
> https://www.rexhepi-lindberg.com/iparepl/20230223/usidc1-rhidm01x_access
> replica ds389 errors:
> https://www.rexhepi-lindberg.com/iparepl/20230223/usidc1-rhidm01x_errors
> replica-install.log:
> https://www.rexhepi-lindberg.com/iparepl/20230223/usidc1-rhidm01x_ipareplica-install.log
>
> master = se-rhidm03x
> replica = usidc1-rhidm01x
>

The replication is enabled by setting nsds5BeginReplicaRefresh=start on the master (entry cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config). We can see this operation in the master logs:

[23/Feb/2024:12:00:57.569011330 +0100] conn=167303 op=21 MOD dn="cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

After that, the master tries to establish the connection to the replica, but this fails. The logs on the replica show:

[23/Feb/2024:06:00:58.077083917 -0500] conn=6 fd=119 slot=119 connection from 10.0.13.146 to 192.168.224.21
[23/Feb/2024:06:00:58.083111562 -0500] conn=6 op=0 UNBIND
[23/Feb/2024:06:00:58.083129212 -0500] conn=6 op=0 fd=119 closed error - U1

This connection should be established from the master using the Kerberos ticket for the principal ldap/se-rhidm03x.se.example....@lnx.example.com obtained from /etc/dirsrv/ds.keytab, thanks to a mapping defined on the replica in cn=Peer Master,cn=mapping,cn=sasl,cn=config:

objectclass: top, nsSaslMapping
nsSaslMapRegexString: '^[^:@]+$'
nsSaslMapBaseDNTemplate: cn=config
nsSaslMapFilterTemplate: '(cn=&@IPA.TEST)'
nsSaslMapPriority: 1

This allows mapping ldap/se-rhidm03x.se.example....@lnx.example.com to the entry cn=ldap/rhidm03x.se.example....@lnx.example.com,cn=config

You can try to reproduce the error with (from the master):

kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname`
ldapsearch -Y GSSAPI -H ldap://usidc1-rhidm01x.idc1.us.example.com -b "" -s base

The output may help understand why the connection is immediately closed instead of trying the GSSAPI bind operation.

flo

> Thanks for clarifying the DNSSEC warnings.
>
> --
> Markus
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
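The replica-side symptom flo points at (a connection from the master that is closed with an UNBIND at op=0 before any BIND is ever attempted) can be picked out of a 389-ds access log automatically rather than by eye. The Python below is an added example, not code from the thread or from 389-ds; the sample log is constructed (conn=6 is copied from the thread, conn=7 is a made-up healthy GSSAPI bind for comparison), and the exact wording of the RESULT and close lines is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: conn=6 is the failing replica-side connection from the
# thread; conn=7 is an assumed healthy GSSAPI bind (not from the real logs).
SAMPLE_ACCESS_LOG = """\
[23/Feb/2024:06:00:58.077083917 -0500] conn=6 fd=119 slot=119 connection from 10.0.13.146 to 192.168.224.21
[23/Feb/2024:06:00:58.083111562 -0500] conn=6 op=0 UNBIND
[23/Feb/2024:06:00:58.083129212 -0500] conn=6 op=0 fd=119 closed error - U1
[23/Feb/2024:06:01:10.000000000 -0500] conn=7 fd=120 slot=120 connection from 10.0.13.146 to 192.168.224.21
[23/Feb/2024:06:01:10.001000000 -0500] conn=7 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2024:06:01:10.002000000 -0500] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001
[23/Feb/2024:06:01:10.003000000 -0500] conn=7 op=1 UNBIND
[23/Feb/2024:06:01:10.003100000 -0500] conn=7 op=1 fd=120 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
CLOSE_RE = re.compile(r"closed(?: error)? - (?P<code>\S+)")

def parse_connections(log_text):
    """Group access-log lines by conn=N and record peer, bind and close facts."""
    conns = defaultdict(lambda: {"src": None, "dst": None, "bind_mechs": [],
                                 "first_op": None, "close_code": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, rest = conns[int(m["conn"])], m["rest"]
        if (o := OPEN_RE.search(rest)):
            c["src"], c["dst"] = o["src"], o["dst"]
        elif (cl := CLOSE_RE.search(rest)):      # must precede the op= branch
            c["close_code"] = cl["code"]         # e.g. U1 = closed by unbind
        elif rest.startswith("op="):
            op_kind = rest.split()[1]            # BIND, RESULT, UNBIND, SRCH ...
            if c["first_op"] is None:
                c["first_op"] = op_kind
            if op_kind == "BIND":
                mech = re.search(r"mech=(\S+)", rest)
                c["bind_mechs"].append(mech[1] if mech else "simple")
    return dict(conns)

def unbound_disconnects(log_text):
    """Connections closed without any BIND attempt: the symptom in the thread."""
    return [(n, c["src"], c["close_code"])
            for n, c in sorted(parse_connections(log_text).items())
            if not c["bind_mechs"] and c["first_op"] == "UNBIND"]
```

Run it over the replica's full access log and compare the flagged source addresses with the master's; a master that never reaches the BIND stage points at the client side (keytab, credentials, TLS/SASL negotiation) rather than at the SASL mapping on the replica.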