Had some success earlier today, but I seem to be unable to replicate it. I've been working with the "full" proxy.conf file lately, and even that seems to be preventing a replica. It is quite possible that the problem is something on one of the two systems, as I've found that install/uninstall often leaves some of the files being owned by non-existent users. At this point, I'm not sure if the patch I've submitted will work on a vanilla system. Testing it has proven to be a pretty time-consuming endeavour.

Here's what I've gotten it down to:

On one machine, run

ipa-server-install -U -r ` hostname | tr '[:lower:]' '[:upper:]'` -p freeipa4all -a freeipa4all --setup-dns --no-forwarders


Once that succeeds, I have to reset /etc/resolv.conf as the lab DNS server gets removed:

cp ~/resolve.conf /etc

then

ipa-replica-prepare $REPLICA

scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:

On the replica:

ipa-replica-install  --setup-ca  replica-info-$HOSTNAME.gpg

I have firewall off on master and replica


At one point I had a replica install that worked with the Proxy, so I know it is possible, but for the last couple of hours this last command has been failing with:

creation of replica failed: Configuration of CA failed



pkisilent reports the failure in the debug log, but not the URL it is trying to reach. I'm going to modify it to give some more information in the morning.


I'm not seeing anything in /var/log/httpd/error|access.log on the master, which is weird.


I see this in /var/log/ipareplica-conncheck.log. We should not be trying to do anything in /home/admin


2011-08-24 21:52:18,544 DEBUG stderr=
2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null [email protected] /usr/sbin/ipa-replica-conncheck --replica vm-116.idm.lab.bos.redhat.com --check-ca
2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to remote replica 'vm-116.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos (88): OK
   PKI-CA: Directory Service port (7389): OK
   PKI-CA: Agent secure port (9443): OK
   PKI-CA: EE secure port (9444): OK
   PKI-CA: Admin secure port (9445): OK
   PKI-CA: EE secure client auth port (9446): OK
   PKI-CA: Unsecure port (9180): OK

Connection from master to replica is OK.

2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory /home/admin: No such file or directory



Ade Lee noticed that the replica install is failing before it ever attempts to talk to the Master, which corresponds with what I am seeing. I see in the PKI install log that

[2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED]
Starting pki-ca: [  OK  ]^M"


Running this command by hand gets the same output.

In  less /var/log/pki-ca/catalina.out

 /var/lib/pki-ca/logs/catalina.out: Permission denied
/var/log/pki-ca/catalina.out (END)


So it looks like another cleanup issue.


_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
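
The ownership problem the message describes (install/uninstall leaving files owned by non-existent users, ending in the catalina.out "Permission denied") can be checked for before re-running the installer. The following is an added example, not part of the original message and not FreeIPA code; the function names are hypothetical, and the scanned directories are the ones the message mentions.

```python
import grp
import os
import pwd
import tempfile

# Directories named in the message above.
PAGE_DIRS = ["/var/lib/pki-ca", "/var/log/pki-ca", "/var/lib/ipa"]


def _resolves(lookup, ident):
    """True if the passwd/group database still knows this numeric id."""
    try:
        lookup(ident)
        return True
    except KeyError:
        return False


def find_orphans(roots, user_ok=None, group_ok=None):
    """Return (path, uid, gid) for entries whose owner or group is gone.

    user_ok/group_ok are hypothetical hooks so the check can be tested
    without root; by default they query the host's account database."""
    user_ok = user_ok or (lambda uid: _resolves(pwd.getpwuid, uid))
    group_ok = group_ok or (lambda gid: _resolves(grp.getgrgid, gid))
    orphans = []
    for root in roots:
        if not os.path.lexists(root):
            continue  # already removed by the uninstall
        paths = [root]
        for dirpath, dirnames, filenames in os.walk(root):
            paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            st = os.lstat(path)  # lstat: report the link, not its target
            if not (user_ok(st.st_uid) and group_ok(st.st_gid)):
                orphans.append((path, st.st_uid, st.st_gid))
    return orphans


def demo():
    """Constructed sample tree, scanned as if its owning uid were deleted."""
    with tempfile.TemporaryDirectory() as top:
        open(os.path.join(top, "catalina.out"), "w").close()
        gone = os.lstat(top).st_uid
        found = find_orphans([top], lambda uid: uid != gone, lambda gid: True)
        return [os.path.relpath(p, top) for p, _, _ in found]


if __name__ == "__main__":
    for path, uid, gid in find_orphans(PAGE_DIRS):
        print(f"{path}: uid={uid} gid={gid} has no matching account")
```

Run as root on the replica so that os.walk can descend into every directory; unreadable subdirectories are skipped silently otherwise.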
