#4848 ipa-replica-manage disconnect fails without password
Closed: Fixed None Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1183279

Description of problem:

Trying to disconnect a replication agreement, I'm seeing ipa-replica-manage try
but not work completely.  It's showing errors and when I try to re-connect, it
fails saying it already exists.  This is only happening when I'm relying on
GSSAPI with Kerberos and NOT specifying -p Password on the command line.  If I
specify password, it works.

[root@rhel7-1 yum.repos.d]# ipa-replica-manage disconnect rhel7-1.example.com rhel7-2.example.com
ipa: INFO: Setting agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Unable to remove agreement on rhel7-2.example.com: no such entry

[root@rhel7-1 yum.repos.d]# ipa-replica-manage connect rhel7-1.example.com rhel7-2.example.com
A replication agreement to rhel7-2.example.com already exists

But, here you see it works if I specify password on command line:

[root@rhel7-1 yum.repos.d]# ipa-replica-manage -p Secret123 disconnect rhel7-1.example.com rhel7-2.example.com
ipa: INFO: Setting agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTorhel7-1.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Deleted replication agreement from 'rhel7-1.example.com' to 'rhel7-2.example.com'


Version-Release number of selected component (if applicable):
ipa-server-4.1.0-15.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64


How reproducible:
always.

Steps to Reproduce:
1.  Setup IPA MASTER
2.  Setup IPA REPLICA1 from MASTER
3.  Setup IPA REPLICA2 from REPLICA1
ON MASTER:
4.  ipa-replica-manage -p PASSWORD connect REPLICA2
5.  kinit admin
6.  ipa-replica-manage disconnect MASTER REPLICA1


Actual results:
fails as shown above, but works if specifying password instead of relying on
Kerberos ticket.

Expected results:
works without needing to specify password.

Additional info:

I have a patch as I investigated the issue.

Patch freeipa-mkosek-491-replication-administrators-cannot-remove-replication.patch sent for review

master:

  • 251c97c Replication Administrators cannot remove replication agreements

ipa-4-1:

  • 338831a Replication Administrators cannot remove replication agreements

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.1.3

7 years ago
