#3106 3.0 replica does not see all 2.2 master's services
Closed: Fixed None Opened 11 years ago by mkosek.

3.0 replica made out of 2.2 master cannot see all services:

2.2 master:

# ipa service-find
------------------
7 services matched
------------------
  Principal: DNS/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: True
  Managed by: vm-120.idm.lab.bos.redhat.com

  Principal: dogtagldap/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: False
  Managed by: vm-065.idm.lab.bos.redhat.com
  Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 14
  Serial Number (hex): 0xE
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:55:24 2012 UTC
  Not After: Mon Sep 22 12:55:24 2014 UTC
  Fingerprint (MD5): 26:5d:b1:2c:a6:9e:fe:3b:06:87:87:7d:0e:7a:5a:ae
  Fingerprint (SHA1): 30:48:11:86:ba:14:41:db:ae:27:79:2a:2c:88:e9:90:a4:bf:f6:99

  Principal: dogtagldap/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: False
  Managed by: vm-120.idm.lab.bos.redhat.com
  Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 9
  Serial Number (hex): 0x9
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:39:39 2012 UTC
  Not After: Mon Sep 22 12:39:39 2014 UTC
  Fingerprint (MD5): 78:c1:95:e2:e8:3d:92:1b:f9:b1:8b:ac:b9:84:5f:06
  Fingerprint (SHA1): be:53:aa:3e:8e:40:af:02:51:b1:b6:f6:c1:25:2f:8c:12:47:9c:85

  Principal: HTTP/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: True
  Managed by: vm-065.idm.lab.bos.redhat.com
  Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 15
  Serial Number (hex): 0xF
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:55:25 2012 UTC
  Not After: Mon Sep 22 12:55:25 2014 UTC
  Fingerprint (MD5): 59:38:b2:80:a7:50:56:84:83:0c:d5:ab:0b:3c:68:92
  Fingerprint (SHA1): 82:39:0f:8e:a1:52:7b:cd:df:24:bd:a4:f0:1d:a9:bf:7f:f1:4d:e0

  Principal: HTTP/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: True
  Managed by: vm-120.idm.lab.bos.redhat.com
  Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 10
  Serial Number (hex): 0xA
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:42:12 2012 UTC
  Not After: Mon Sep 22 12:42:12 2014 UTC
  Fingerprint (MD5): 3a:d5:7a:ea:bb:57:7a:0b:66:80:e3:73:97:29:41:19
  Fingerprint (SHA1): 0c:dd:d0:9b:e1:f9:3d:9e:8d:c0:c0:6e:92:0b:bb:2b:56:c9:8c:6a

  Principal: ldap/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: True
  Managed by: vm-065.idm.lab.bos.redhat.com
  Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 13
  Serial Number (hex): 0xD
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:55:23 2012 UTC
  Not After: Mon Sep 22 12:55:23 2014 UTC
  Fingerprint (MD5): cd:07:33:42:c7:d7:43:fc:8d:90:d0:65:f3:7a:fb:d9
  Fingerprint (SHA1): 5a:ad:f2:62:51:ae:6e:63:d8:0f:cd:c4:e9:29:b1:dc:8c:c8:7c:5a

  Principal: ldap/vm-120.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: True
  Managed by: vm-120.idm.lab.bos.redhat.com
  Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 8
  Serial Number (hex): 0x8
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:39:16 2012 UTC
  Not After: Mon Sep 22 12:39:16 2014 UTC
  Fingerprint (MD5): 7e:b0:55:c1:0d:8d:13:23:cd:58:1b:d6:52:fd:b9:ca
  Fingerprint (SHA1): c1:18:e3:0f:0c:0b:9d:33:2f:14:f9:95:3c:40:c7:ea:16:69:a3:6f
----------------------------
Number of entries returned 7
----------------------------

3.0 replica:

[root@vm-065 ~]# ipa service-find
------------------
2 services matched
------------------
  Principal: HTTP/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: True
  Managed by: vm-065.idm.lab.bos.redhat.com
  Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 15
  Serial Number (hex): 0xF
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:55:25 2012 UTC
  Not After: Mon Sep 22 12:55:25 2014 UTC
  Fingerprint (MD5): 59:38:b2:80:a7:50:56:84:83:0c:d5:ab:0b:3c:68:92
  Fingerprint (SHA1): 82:39:0f:8e:a1:52:7b:cd:df:24:bd:a4:f0:1d:a9:bf:7f:f1:4d:e0

  Principal: ldap/vm-065.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  Keytab: True
  Managed by: vm-065.idm.lab.bos.redhat.com
  Subject: CN=vm-065.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
  Serial Number: 13
  Serial Number (hex): 0xD
  Issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
  Not Before: Fri Sep 21 12:55:23 2012 UTC
  Not After: Mon Sep 22 12:55:23 2014 UTC
  Fingerprint (MD5): cd:07:33:42:c7:d7:43:fc:8d:90:d0:65:f3:7a:fb:d9
  Fingerprint (SHA1): 5a:ad:f2:62:51:ae:6e:63:d8:0f:cd:c4:e9:29:b1:dc:8c:c8:7c:5a
----------------------------
Number of entries returned 2
----------------------------

The problem is that ipakrbprincipal objectclass is added to the list of ipaservice "core" objectclasses and thus the LDAP search in service-find adds this objectclass to the search filter.


I just found out that this will also apply to local services on a machine upgraded from 2.2 to 3.0. Bumping the priority.

Simo or Alexander - is our Kerberos LDAP driver able to cope with service entries which do not have ipakrbprincipal objectclass set and thus no ipakrbprincipalalias attribute set?

Getting keytab for such service or kinit'ing with this keytab worked for me, but I saw that there are some LDAP searches relying on this attribute in our Kerberos LDAP driver...

I had a conversation with abbra about the issue:

(08:33:04 AM) mkosek: ab: Hi Alexander, can you please comment on ticket #3106? I am wondering about the correct approach there...
(08:34:27 AM) mkosek: ab: we can either just fix our framework to recognize services without ipakrbprincipal object class or update all 2.x-style services to have this objectclass - which may not be ideal when someone has too many services...
(08:34:51 AM) mkosek: ab: I wasn't sure if such 2.x services do not cause issues in our krb driver/trusts...
(08:34:58 AM) ab: those services are supposed to have keytabs?
(08:36:14 AM) mkosek: ab: may have - these services will be present on any system upgraded from IPA 2.x
(08:36:35 AM) ab: if they need to have keytabs associated, they should have ipakrbprincipals
(08:36:35 AM) mkosek: ab: or when we install a 3.0 replica to 2.2 master
(08:37:35 AM) ab: mkosek: do they have any of krbprincipal/krbprincipal?
(08:38:57 AM) mkosek: ab: they have standard krbprincipalname attribute filled...
(08:39:15 AM) ab: we have two filters
(08:39:43 AM) ab: when issuing TGS, we accept objectclass=krbprincipalaux|krbprincipal|ipakrbprincipal
(08:40:07 AM) ab: when searching principals we accept objectclass=krbprincipal|krbprincipalaux
(08:40:24 AM) ab: so I think you should fix the framework
(08:40:41 AM) mkosek: ab: ok, then it seems we are compatible with the 2.x services without issues...
(08:40:47 AM) ab: ipakrbprincipal is something that is used to make possible case-insensitive principals
(08:41:33 AM) ab: i.e., if you have a principal for which you'd like to allow case insensitive searches, you add ipakrbprincipal to it and set ipakrbprincipalalias to wanted name
(08:42:17 AM) mkosek: ab: I think it is now being set by default - so all principal searches are now case-insensitive?
(08:42:33 AM) ab: yes, for new installs
(08:43:15 AM) ab: technically you could simply propagate on upgrades krbprincipalname to ipakrbprincipalalias
(08:47:51 AM) mkosek: ab: technically yes... Upgrades may just get difficult on machines with really high number of services, we may be also hitting query/time limits...
(08:49:07 AM) ab: then we can do optional objectclass in the search filter

The bottom line is that the best approach here would be simply to update our framework to recognize 2.x-style services.
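The filter behaviour discussed in this ticket, as an added illustration (not FreeIPA code and not part of the original ticket): an AND filter that requires ipakrbprincipal hides 2.x-style service entries, while the same filter without it, and the OR filter quoted in the chat for TGS issuance, match them. The objectclass sets on the sample entries and the CORE_* lists are simplified assumptions, and the small evaluator handles only `(&...)`, `(|...)` and equality on objectclass.

```python
# Constructed sample entries; objectclass sets are simplified assumptions.
ENTRIES = {
    "DNS/vm-120": {"krbprincipal", "krbprincipalaux", "ipaservice"},   # 2.x style
    "HTTP/vm-120": {"krbprincipal", "krbprincipalaux", "ipaservice"},  # 2.x style
    "HTTP/vm-065": {"krbprincipal", "krbprincipalaux", "ipaservice",
                    "ipakrbprincipal"},                                 # 3.0 style
}

# Hypothetical "core" objectclass lists: before and after making
# ipakrbprincipal optional for the search.
CORE_WITH_ALIAS = ["krbprincipal", "krbprincipalaux", "ipaservice", "ipakrbprincipal"]
CORE_WITHOUT_ALIAS = ["krbprincipal", "krbprincipalaux", "ipaservice"]

# Filter shape quoted in the chat for issuing a TGS.
TGS_FILTER = ("(|(objectclass=krbprincipalaux)(objectclass=krbprincipal)"
              "(objectclass=ipakrbprincipal))")


def objectclass_filter(classes):
    """Build an AND filter that requires every listed objectclass."""
    return "(&" + "".join("(objectclass=%s)" % c for c in classes) + ")"


def parse(f, i=0):
    """Parse a filter made of (&...), (|...) and (attr=value) nodes."""
    if f[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    if f[i + 1] in ("&", "|"):
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1


def matches(node, objectclasses):
    """Evaluate a parsed filter against one entry's objectclass set."""
    if node[0] == "=":
        return node[1] == "objectclass" and node[2] in objectclasses
    results = [matches(kid, objectclasses) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)


def search(filter_str):
    """Return the sorted names of the sample entries the filter matches."""
    tree, _ = parse(filter_str)
    return sorted(name for name, oc in ENTRIES.items() if matches(tree, oc))
```

`search(objectclass_filter(CORE_WITH_ALIAS))` returns only the 3.0-style entry, which mirrors the replica's truncated `service-find` result; dropping ipakrbprincipal from the required list returns all three.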

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 RC2

7 years ago
