Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1183279
Description of problem:
Trying to disconnect a replication agreement, I'm seeing ipa-replica-manage try but not work completely. It's showing errors and when I try to re-connect, it fails saying it already exists. This is only happening when I'm relying on GSSAPI with kerberos and NOT specifying -p Password on the command line. If I specify password, it works.

[root@rhel7-1 yum.repos.d]# ipa-replica-manage disconnect rhel7-1.example.com rhel7-2.example.com
ipa: INFO: Setting agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Unable to remove agreement on rhel7-2.example.com: no such entry

[root@rhel7-1 yum.repos.d]# ipa-replica-manage connect rhel7-1.example.com rhel7-2.example.com
A replication agreement to rhel7-2.example.com already exists

But, here you see it works if I specify password on command line:

[root@rhel7-1 yum.repos.d]# ipa-replica-manage -p Secret123 disconnect rhel7-1.example.com rhel7-2.example.com
ipa: INFO: Setting agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Deleted replication agreement from 'rhel7-1.example.com' to 'rhel7-2.example.com'

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-15.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

How reproducible: always.

Steps to Reproduce:
1. Setup IPA MASTER
2. Setup IPA REPLICA1 from MASTER
3. Setup IPA REPLICA2 from REPLICA1
ON MASTER:
4. ipa-replica-manage -p PASSWORD connect REPLICA2
5. kinit admin
6. ipa-replica-manage disconnect MASTER REPLICA1

Actual results: fails as shown above but, works if specifying password instead of relying on kerberos ticket.

Expected results: works without needing to specify password.

Additional info:
I have a patch as I investigated the issue.
attachment freeipa-mkosek-491-replication-administrators-cannot-remove-replication.patch
Patch freeipa-mkosek-491-replication-administrators-cannot-remove-replication.patch sent for review
master:
ipa-4-1:
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 4.1.3