[Freeipa-devel] Re: ipa-replica-install --principal admin --admin-password --setup-ca Traceback

Mon, 12 Mar 2018 01:30:06 -0700 

On 03/10/2018 12:07 PM, Amit via FreeIPA-devel wrote:

Ping!!


On 03/09/2018 02:08 PM, Amit wrote:

Hello,

Any thoughts would be helpful.

Thanks


On 03/07/2018 02:57 PM, Amit wrote:

Hello,

This is scenario in customer env.
Customer is using fresh machine to install replica.

*    IPA-Server
*    # ipa-server-install --no-ntp        //Success
*IPA Replica* 
     # ipa-replica-install --principal admin --admin-password <secret>
--setup-ca
     DEBUG Traceback (most recent call last):
       File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
504, in start_creation        run_step(full_msg, method)
       File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
494, in run_step        method()
       File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
439, in __setup_replica     cacert=self.ca_file)
       File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1666, in setup_promote_replication    raise RuntimeError("Failed to
start replication")
        RuntimeError: Failed to start replication
     2018-02-06T06:56:48Z DEBUG [error] RuntimeError: Failed to start
replication
     2018-02-06T06:56:48Z DEBUG Destroyed connection context.ldap2_113870544
     2018-02-06T06:56:48Z DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
     2018-02-06T06:56:48Z DEBUG Saving Index File to
'/var/lib/ipa/sysrestore/sysrestore.index'
     2018-02-06T06:56:48Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute
         return_value = self.run()

While I cannot repro in my local lab





Hi Amit,
without any logs it is difficult to tell what could go wrong. The part of code that is failing is doing 2 tasks: - starts the replication by performing a LDAP modification on the replication agreement (dn: cn=meTo$master,cn=replica,cn=dc\3Ddomain\2Cdc\3Dcom,cn=mapping tree,cn=config) in order to set the attribute nsds5BeginReplicaRefresh=start - checks the replication status by reading the replication agreement status (attributes nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress, nsds5ReplicaLastInitStatus, nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd).
So if you have 389-ds access logs, you can start by checking if the mod was successful. Then check the replication status. 

Flo
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to