3.0 replica made out of 2.2 master cannot see all services:
2.2 master:
    # ipa service-find
    ------------------
    7 services matched
    ------------------
      Principal: DNS/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Keytab: True
      Managed by: vm-120.idm.lab.bos.redhat.com

      Principal: dogtagldap/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: False
      Managed by: vm-065.idm.lab.bos.redhat.com
      Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 14
      Serial Number (hex): 0xE
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:55:24 2012 UTC
      Not After: Mon Sep 22 12:55:24 2014 UTC
      Fingerprint (MD5): 26:5d:b1:2c:a6:9e:fe:3b:06:87:87:7d:0e:7a:5a:ae
      Fingerprint (SHA1): 30:48:11:86:ba:14:41:db:ae:27:79:2a:2c:88:e9:90:a4:bf:f6:99

      Principal: dogtagldap/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: False
      Managed by: vm-120.idm.lab.bos.redhat.com
      Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 9
      Serial Number (hex): 0x9
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:39:39 2012 UTC
      Not After: Mon Sep 22 12:39:39 2014 UTC
      Fingerprint (MD5): 78:c1:95:e2:e8:3d:92:1b:f9:b1:8b:ac:b9:84:5f:06
      Fingerprint (SHA1): be:53:aa:3e:8e:40:af:02:51:b1:b6:f6:c1:25:2f:8c:12:47:9c:85

      Principal: HTTP/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: True
      Managed by: vm-065.idm.lab.bos.redhat.com
      Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 15
      Serial Number (hex): 0xF
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:55:25 2012 UTC
      Not After: Mon Sep 22 12:55:25 2014 UTC
      Fingerprint (MD5): 59:38:b2:80:a7:50:56:84:83:0c:d5:ab:0b:3c:68:92
      Fingerprint (SHA1): 82:39:0f:8e:a1:52:7b:cd:df:24:bd:a4:f0:1d:a9:bf:7f:f1:4d:e0

      Principal: HTTP/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: True
      Managed by: vm-120.idm.lab.bos.redhat.com
      Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 10
      Serial Number (hex): 0xA
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:42:12 2012 UTC
      Not After: Mon Sep 22 12:42:12 2014 UTC
      Fingerprint (MD5): 3a:d5:7a:ea:bb:57:7a:0b:66:80:e3:73:97:29:41:19
      Fingerprint (SHA1): 0c:dd:d0:9b:e1:f9:3d:9e:8d:c0:c0:6e:92:0b:bb:2b:56:c9:8c:6a

      Principal: ldap/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: True
      Managed by: vm-065.idm.lab.bos.redhat.com
      Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 13
      Serial Number (hex): 0xD
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:55:23 2012 UTC
      Not After: Mon Sep 22 12:55:23 2014 UTC
      Fingerprint (MD5): cd:07:33:42:c7:d7:43:fc:8d:90:d0:65:f3:7a:fb:d9
      Fingerprint (SHA1): 5a:ad:f2:62:51:ae:6e:63:d8:0f:cd:c4:e9:29:b1:dc:8c:c8:7c:5a

      Principal: ldap/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: True
      Managed by: vm-120.idm.lab.bos.redhat.com
      Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 8
      Serial Number (hex): 0x8
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:39:16 2012 UTC
      Not After: Mon Sep 22 12:39:16 2014 UTC
      Fingerprint (MD5): 7e:b0:55:c1:0d:8d:13:23:cd:58:1b:d6:52:fd:b9:ca
      Fingerprint (SHA1): c1:18:e3:0f:0c:0b:9d:33:2f:14:f9:95:3c:40:c7:ea:16:69:a3:6f
    ----------------------------
    Number of entries returned 7
    ----------------------------
3.0 replica:
    [root@vm-065 ~]# ipa service-find
    ------------------
    2 services matched
    ------------------
      Principal: HTTP/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: True
      Managed by: vm-065.idm.lab.bos.redhat.com
      Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 15
      Serial Number (hex): 0xF
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:55:25 2012 UTC
      Not After: Mon Sep 22 12:55:25 2014 UTC
      Fingerprint (MD5): 59:38:b2:80:a7:50:56:84:83:0c:d5:ab:0b:3c:68:92
      Fingerprint (SHA1): 82:39:0f:8e:a1:52:7b:cd:df:24:bd:a4:f0:1d:a9:bf:7f:f1:4d:e0

      Principal: ldap/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
      Certificate: [...]
      Keytab: True
      Managed by: vm-065.idm.lab.bos.redhat.com
      Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
      Serial Number: 13
      Serial Number (hex): 0xD
      Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
      Not Before: Fri Sep 21 12:55:23 2012 UTC
      Not After: Mon Sep 22 12:55:23 2014 UTC
      Fingerprint (MD5): cd:07:33:42:c7:d7:43:fc:8d:90:d0:65:f3:7a:fb:d9
      Fingerprint (SHA1): 5a:ad:f2:62:51:ae:6e:63:d8:0f:cd:c4:e9:29:b1:dc:8c:c8:7c:5a
    ----------------------------
    Number of entries returned 2
    ----------------------------
The problem is that ipakrbprincipal objectclass is added to the list of ipaservice "core" objectclasses and thus the LDAP search in service-find adds this objectclass to the search filter.
I just found out that this will also apply for local services on a machine upgraded from 2.2 to 3.0. Bumping the priority.
Simo or Alexander - is our Kerberos LDAP driver able to cope with service entries which do not have ipakrbprincipal objectclass set and thus no ipakrbprincipalalias attribute set?
Getting keytab for such service or kinit'ing with this keytab worked for me, but I saw that there are some LDAP searches relying on this attribute in our Kerberos LDAP driver...
I had a conversation with abbra about the issue:
    (08:33:04 AM) mkosek: ab: Hi Alexander, can you please comment on ticket #3106? I am wondering about the correct approach there...
    (08:34:27 AM) mkosek: ab: we can either just fix our framework to recognize services without ipakrbprincipal object class or update all 2.x-style services to have this objectclass - which may not be ideal when someone has too many services...
    (08:34:51 AM) mkosek: ab: I wasn't sure if such 2.x services do not cause issues in our krb driver/trusts...
    (08:34:58 AM) ab: those services are supposed to have keytabs?
    (08:36:14 AM) mkosek: ab: may have - these services will be present on any system upgraded from IPA 2.x
    (08:36:35 AM) ab: if they need to have keytabs associated, they should have ipakrbprincipals
    (08:36:35 AM) mkosek: ab: or when we install a 3.0 replica to 2.2 master
    (08:37:35 AM) ab: mkosek: do they have any of krbprincipal/krbprincipal?
    (08:38:57 AM) mkosek: ab: they have standard krbprincipalname attribute filled...
    (08:39:15 AM) ab: we have two filters
    (08:39:43 AM) ab: when issuing TGS, we accept objectclass=krbprincipalaux|krbprincipal|ipakrbprincipal
    (08:40:07 AM) ab: when searching principals we accept objectclass=krbprincipal|krbprincipalaux
    (08:40:24 AM) ab: so I think you should fix the framework
    (08:40:41 AM) mkosek: ab: ok, then it seems we are compatible with the 2.x services without issues...
    (08:40:47 AM) ab: ipakrbprincipal is something that is used to make possible case-insensitive principals
    (08:41:33 AM) ab: i.e., if you have a principal for which you'd like to allow case insensitive searches, you add ipakrbprincipal to it and set ipakrbprincipalalias to wanted name
    (08:42:17 AM) mkosek: ab: I think it is now being set by default - so all principal searches are now case-insensitive?
    (08:42:33 AM) ab: yes, for new installs
    (08:43:15 AM) ab: technically you could simply propagate on upgrades krbprincipalname to ipakrbprincipalalias
    (08:47:51 AM) mkosek: ab: technically yes... Upgrades may just get difficult on machines with really high number of services, we may be also hitting query/time limits...
    (08:49:07 AM) ab: then we can do optional objectclass in the search filter
The bottom line is that the best approach here would be simply to update our framework to recognize 2.x-style services.
attachment freeipa-mkosek-319-make-ipakrbprincipal-objectclass-optional.patch
master: 0c2d0bb
ipa-3-0: f69101b
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.0 RC2
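The filter mismatch discussed in this ticket, as an added example that is not FreeIPA code and not part of the original ticket: a small evaluator for AND/OR objectclass filters run over three constructed service entries. The "core" objectclass list is simplified and the hostnames are assumptions; the OR filter is the TGS one quoted in the conversation.

```python
# Added illustration, not FreeIPA code. Entries and hostnames are constructed.

def oc_filter(op, classes):
    """Build (&(objectclass=a)(objectclass=b)...) or the (|...) equivalent."""
    return f"({op}" + "".join(f"(objectclass={c})" for c in classes) + ")"

def parse(flt, i=0):
    """Parse (&...), (|...) and (attr=value) terms; return (node, next_index)."""
    if flt[i + 1] in "&|":
        op, i, kids = flt[i + 1], i + 2, []
        while flt[i] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = flt.index(")", i)
    attr, value = flt[i + 1:end].split("=", 1)
    return (attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, ignoring value case."""
    head, rest = node
    if isinstance(rest, list):
        hits = [matches(kid, entry) for kid in rest]
        return all(hits) if head == "&" else any(hits)
    return rest in {v.lower() for v in entry.get(head, [])}

# Simplified assumption: objectclasses carried by a 2.x-style service entry.
LEGACY = ["ipaservice", "krbprincipal", "krbprincipalaux"]
ENTRIES = [  # constructed sample data
    {"krbprincipalname": ["DNS/old.example.test@EXAMPLE.TEST"], "objectclass": LEGACY},
    {"krbprincipalname": ["ldap/old.example.test@EXAMPLE.TEST"], "objectclass": LEGACY},
    {"krbprincipalname": ["HTTP/new.example.test@EXAMPLE.TEST"],
     "objectclass": LEGACY + ["ipaKrbPrincipal"]},
]

STRICT = oc_filter("&", LEGACY + ["ipakrbprincipal"])  # ipakrbprincipal as "core"
OPTIONAL = oc_filter("&", LEGACY)                      # ipakrbprincipal optional
KDC_TGS = oc_filter("|", ["krbprincipalaux", "krbprincipal", "ipakrbprincipal"])

def find(flt, entries=ENTRIES):
    """Return the principal names of the entries selected by the filter."""
    tree, _ = parse(flt)
    return [e["krbprincipalname"][0] for e in entries if matches(tree, e)]

def hidden_by_strict():
    """Services that exist but drop out of the strict search."""
    return sorted(set(find(OPTIONAL)) - set(find(STRICT)))

if __name__ == "__main__":
    for name, flt in (("strict", STRICT), ("optional", OPTIONAL), ("kdc-tgs", KDC_TGS)):
        print(f"{name:9} {len(find(flt))} matched  {flt}")
    print("hidden:", hidden_by_strict())
```

The 2.x-style entries satisfy the KDC-side OR filter while failing the strict AND filter, which is the combination seen in the ticket: the services keep working but disappear from the management listing.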