389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2012-05-26 01:42:23
Can the error log, and the dse.ldif(master and replica) please be provided?
Closed 389-ds-bot closed 4 years ago
389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2012-05-26 01:42:23
Can the error log, and the dse.ldif(master and replica) please be provided?
389-ds-bot
commented
4 years ago Comment from simo (@simo5) at 2012-05-26 01:58:53
Sorry I do not have it, but you can easily replicate everything you need with tehse steps:
389-ds-bot
commented
4 years ago Comment from nkinder (@nkinder) at 2012-06-09 03:22:11
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=830338
389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2012-06-21 23:31:04
I was finally able to reproduce the problem, here are the exact steps:
[1] yum install ipa-server bind-dyndb-ldap on two systems A & B
[2] on A: ipa-server-install --setup-dns (use Secret123 for passwords, and EXAMPLE.COM for realm)
[3] on A: ipa-replica-prepare
ldapmodify -D "cn=directory manager" -w Secret123 -a
dn: cn=mytest,dc=example,dc=com
objectclass: top
objectclass: groupofnames
objectclass: groupOfUniqueNames
cn: mytest[8] on B: search for the new entry to verify replication is working
ldapsearch -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" -xLLL cn=mytest[9] on A: ipa-replica-manage del
/var/log/dirsrv/slapd-EXAMPLE-COM/errors:
[21/Jun/2012:13:11:44 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [21/Jun/2012:13:11:49 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
389-ds-bot
commented
4 years ago Comment from simo (@simo5) at 2012-06-22 01:05:14
Mark, excellent writeup, just for testing you would get a faster setup if you avoid --setup-dns (just make sure boht hosts have appropriate entries for both in /etc/hosts) and also usinf --selfsign so you can skip the whole slow dogtag install). Neither DNS nor dogtag are required to reproduce/verify this bug
389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2012-06-22 01:19:56
Thanks, and thanks for the tip!
389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2012-06-27 20:17:41
I have a fix that I will be sending out for review soon. There is an initial failure, but then the authentication succeeds, and replication is successful:
[27/Jun/2012:10:07:08 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [27/Jun/2012:10:07:08 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [27/Jun/2012:10:07:08 -0400] NSMMReplicationPlugin - agmt="cn=meToibm-ls22-04.rhts.eng.brq.redhat.com" (ibm-ls22-04:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [27/Jun/2012:10:07:14 -0400] NSMMReplicationPlugin - agmt="cn=meToibm-ls22-04.rhts.eng.brq.redhat.com" (ibm-ls22-04:389): Replication bind with GSSAPI auth resumed
The last line if the important one:
[27/Jun/2012:10:07:14 -0400] NSMMReplicationPlugin - agmt="cn=meToibm-ls22-04.rhts.eng.brq.redhat.com" (ibm-ls22-04:389): Replication bind with GSSAPI auth resumed
389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2012-06-27 20:43:57
attachment 0001-Ticket-366-Change-DS-to-purge-ticket-from-krb-cache-.patch
389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2012-06-27 21:12:56
[mareynol@localhost servers]$ git merge ticket366 Updating b2a9269..14cb1d0 Fast-forward ldap/servers/plugins/replication/replutil.c | 2 +- ldap/servers/slapd/ldaputil.c | 47 +++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletions(-)
[mareynol@localhost servers]$ git push origin master Counting objects: 17, done. Delta compression using up to 4 threads. Compressing objects: 100% (9/9), done. Writing objects: 100% (9/9), 1.60 KiB, done. Total 9 (delta 7), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git b2a9269..14cb1d0 master -> master
389-ds-bot
commented
4 years ago Comment from nkinder (@nkinder) at 2012-08-28 04:14:43
Added initial screened field value.
389-ds-bot
commented
4 years ago Comment from mreynolds (@mreynolds389) at 2017-02-11 23:03:40
Metadata Update from @mreynolds389:
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/366
Cloning from https://fedorahosted.org/freeipa/ticket/2736
When a user wants to reinstall a replica it hits the problem that DS uses a memory ccache and keeps old tickets (against an old set of keys) in the belly until they expire. If a replica is removed and then recreated with the same name then DS will try to use the old ticket to perform GSSAPI auth during replication. This will fail because the ticket is no longer usable by the new replica.
DS should drop the ticket from the ccache (or drop the whole ccache, whichever is easier) when it gets an authentication error using GSSAPI on replication.