-----Original Message-----
Sent: Wednesday, April 19, 2017 4:27 PM
Subject: Re: [Freeipa-users] cannot add posix group or user
Post by Cox, Jason
Hi all,
I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
newer domain levels and topology features.
I’ve installed 3 servers.
I promoted one of the replicas to master and demoted the original
master to replica according to the documentation.
According to what documentation?
Note that they are all masters, some may just run different services and only
one has a few duties (like CRL generation).
Here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
And here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-roles.html#server-roles-promote-to-ca
Yes, I was referring to CRL master
And yes, I failed to continue reading https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/ to find what I needed to know concerning the id ranges. Sorry about that.
Post by Cox, Jason
I ran into an issue with the original master no longer replicating, so
I performed an ipa-server-install --uninstall and removed the
host/server from IPA.
This is where the problem started.
Post by Cox, Jason
I re-setup the replica using ipa-client-install and then
ipa-replica-install, and had no errors reported in the output.
I then went into Web UI and set up replication agreements using the
topology graph page between the new replica and the previous replica
(the master/new replica agreements being set up by the replica install
script).
I then attempted to add a posix group account and got an operational
error message. This caused ldap to crash on the server I was
interfacing with.
If you are getting a core it would be very enlightening to get a stack trace
from that (you'll need to install the debuginfo package to get any really
useful data out of it).
*** Error in `/usr/sbin/ns-slapd': free(): invalid pointer: 0x00007fbcd82f5fb0 ***
Apr 19 17:13:56 server1 ns-slapd[1892]: ======= Backtrace: =========
Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libc.so.6(+0x7c503)[0x7fbd4522c503]
Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libldap_r-2.4.so.2(ldap_mods_free+0x81)[0x7fbd46ba1a11]
Apr 19 17:13:56 server1 ns-slapd[1892]: /usr/lib64/dirsrv/libslapd.so.0(do_modify+0x7e0)[0x7fbd479f96a0]
Apr 19 17:13:56 server1 ns-slapd[1892]: /usr/sbin/ns-slapd(+0x1b9e0)[0x7fbd47ee29e0]
Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libnspr4.so(+0x289bb)[0x7fbd45bd89bb]
Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libpthread.so.0(+0x7dc5)[0x7fbd45578dc5]
Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libc.so.6(clone+0x6d)[0x7fbd452a773d]
(gdb) bt
#0 __GI___libc_free (mem=0x41) at malloc.c:2929
#1 0x00007f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at memory.c:180
#2 0x00007f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at free.c:94
#3 0x00007f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at ldap/servers/slapd/modify.c:390
#4 0x00007f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627
#5 connection_threadmain () at ldap/servers/slapd/connection.c:1759
#6 0x00007f87f62299bb in _pt_root () from /lib64/libnspr4.so
#7 0x00007f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at pthread_create.c:308
#8 0x00007f87f58f873d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) bt full
#0 __GI___libc_free (mem=0x41) at malloc.c:2929
ar_ptr = <optimized out>
p = <optimized out>
hook = 0x0
#1 0x00007f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at memory.c:180
i = <optimized out>
#2 0x00007f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at free.c:94
i = <optimized out>
#3 0x00007f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at ldap/servers/slapd/modify.c:390
operation = 0x7f87f931bf80
smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0}
ber = <optimized out>
tag = <optimized out>
len = 18446744073709551615
normalized_mods = 0x7f876c001fb0
mod = 0x0
mods = 0x7f876c00c200
last = 0x7f876c000e23 ""
type = 0x0
old_pw = 0x0
rawdn = 0x7f876c000920 "cn=svcaccount,cn=groups,cn=accounts,dc=MYDOMAIN"
minssf_exclude_rootdse = <optimized out>
ignored_some_mods = <optimized out>
has_password_mod = <optimized out>
pw_change = 0
err = <optimized out>
#4 0x00007f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627
minssf = 0
minssf_exclude_rootdse = <optimized out>
enable_nagle = 1
pop_cork = 0
#5 connection_threadmain () at ldap/servers/slapd/connection.c:1759
is_timedout = 0
curtime = <optimized out>
local_pb = {pb_backend = 0x7f87f8e1a070, pb_conn = 0x7f87d82d0768, pb_op = 0x7f87f931bf80, pb_plugin = 0x7f87f8c85c50, pb_opreturn = -1, pb_object = 0x0, pb_destroy_fn = 0x0,
pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0,
pb_existing_dn_entry = 0x7f876c00e880, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0,
pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_dbverify_dbdir = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0,
pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0,
pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0,
pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0,
pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0,
pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x7f87ea323470 <replica_ruv_smods_for_op>, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0,
pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0,
pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0,
pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0,
pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 1,
pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0,
pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pb_paged_results_cookie = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f87f8e24d30, pb_aci_target_check = 0,
pb_pw_entry = 0x0}
pb = 0x7f87b4ff0a90
conn = 0x7f87d82d0768
op = 0x7f87f931bf80
tag = 102
need_wakeup = 0
thread_turbo_flag = <optimized out>
ret = <optimized out>
more_data = 0
replication_connection = 0
doshutdown = 0
maxthreads = 5
enable_nunc_stans = 0
bypasspollcnt = <optimized out>
#6 0x00007f87f62299bb in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#7 0x00007f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at pthread_create.c:308
__res = <optimized out>
pd = 0x7f87b4ff1700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140220833928960, -5233892399363934943, 0, 140220833929664, 140220833928960, 1, 5211249063945286945, 5211388174174106913},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
#8 0x00007f87f58f873d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
No locals.
Post by Cox, Jason
I performed an ‘ipactl restart’ on the affected server and attempted
again with the same issue.
I tried adding a non-posix group and it was successful.
I found the dirsrv logs and see the error ‘dna-plugin - dna_pre_op: no
more values available!!’ which led me to
https://www.redhat.com/archives/freeipa-users/2014-February/msg00247.html
Post by Cox, Jason
dnaMaxValue is 1100
dnaNextValue is 1101
dnaThreshold is 500
Right. A master only gets a range when it needs one. In this case it needed
one after the master holding the entire range went away.
Post by Cox, Jason
---------------
1 range matched
---------------
Range name: MYDOMAIN.COM_id_range
First Posix ID of the range: 1946000000
Number of IDs in the range: 200000
Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
So now my question is what do I need to change to fix the issue?
I can do the ldapmodify to adjust the dnaMaxValue, but I don’t know
what I should be adjusting the idrange to?
I’d like to keep the idrange the same and just adjust the dnaMaxValue,
so would I need to change dnaMaxValue to 200000?
See https://blog-rcritten.rhcloud.com/?p=50
rob
Thank you.
Setting the id ranges manually fixed my problem.
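
The check behind the dnaMaxValue question in this thread, as an added example that is not part of the original messages or of FreeIPA: it reads the DNA values and the idrange output quoted above, reports whether the DNA range is exhausted or lies outside the IPA ID range, and splits the ID range into per-master ranges. The helper names and the three-way split (for the three servers mentioned) are assumptions for illustration.

```python
import re

# Constructed sample: the values quoted in the message above, in one string.
SAMPLE = """\
dnaMaxValue is 1100
dnaNextValue is 1101
dnaThreshold is 500
First Posix ID of the range: 1946000000
Number of IDs in the range: 200000
"""

PATTERNS = {
    "max": r"dnaMaxValue\D+(\d+)",
    "next": r"dnaNextValue\D+(\d+)",
    "base": r"First Posix ID of the range:\s*(\d+)",
    "size": r"Number of IDs in the range:\s*(\d+)",
}

def parse(text):
    """Pull the DNA plugin values and the ID range out of pasted output."""
    values = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"no value found for {key}")
        values[key] = int(match.group(1))
    return values

def diagnose(v):
    """Return findings for one master's DNA settings (hypothetical helper)."""
    first, last = v["base"], v["base"] + v["size"] - 1
    findings = []
    if v["next"] > v["max"]:            # nothing left to hand out
        findings.append("exhausted")
    if v["max"] < first or v["max"] > last:
        findings.append("outside-idrange")
    return findings

def split_range(base, size, masters):
    """Contiguous, non-overlapping (first, last) DNA ranges, one per master."""
    chunk, extra = divmod(size, masters)
    ranges, start = [], base
    for i in range(masters):
        count = chunk + (1 if i < extra else 0)
        ranges.append((start, start + count - 1))
        start += count
    return ranges

if __name__ == "__main__":
    print(diagnose(parse(SAMPLE)), split_range(1946000000, 200000, 3))
```

The split starts at the first ID of the range and does not account for IDs already assigned; ranges handed to different masters must not overlap, or two accounts can end up with the same UID or GID.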