On 06/03/2015 02:05 PM, Oleg Fayans wrote:
Update:
The original error occurs ONLY when installing a replica from a gpg
file prepared on a master running FreeIPA 4.1.2.
but this should be covered with patch 0010
If the master runs the upstream code, it works.
On 06/02/2015 02:11 PM, Martin Babinsky wrote:
On 06/02/2015 02:07 PM, Martin Babinsky wrote:
On 06/02/2015 12:09 PM, Oleg Fayans wrote:
Hi all,
The following error was caught during replica installation (I used all
the latest patches from Ludwig and Martin Basti):
root@localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
--setup-dns --forwarder 10.38.5.26
/var/lib/ipa/replica-info-replica1.zaeba.li.gpg
Directory Manager (existing master) password:
Existing BIND configuration detected, overwrite? [no]: yes
Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
Checking forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.
Run connection check to master
Check connection from replica to remote master
'upgrademaster.zaeba.li':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@zaeba.li password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'replica1.zaeba.li':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
[1/37]: creating directory server user
[2/37]: creating directory server instance
[3/37]: adding default schema
[4/37]: enabling memberof plugin
[5/37]: enabling winsync plugin
[6/37]: configuring replication version plugin
[7/37]: enabling IPA enrollment plugin
[8/37]: enabling ldapi
[9/37]: configuring uniqueness plugin
[10/37]: configuring uuid plugin
[11/37]: configuring modrdn plugin
[12/37]: configuring DNS plugin
[13/37]: enabling entryUSN plugin
[14/37]: configuring lockout plugin
[15/37]: configuring topology plugin
[16/37]: creating indices
[17/37]: enabling referential integrity plugin
[18/37]: configuring ssl for ds instance
[19/37]: configuring certmap.conf
[20/37]: configure autobind for root
[21/37]: configure new location for managed entries
[22/37]: configure dirsrv ccache
[23/37]: enable SASL mapping fallback
[24/37]: restarting directory server
[25/37]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded
[26/37]: updating schema
[27/37]: setting Auto Member configuration
[28/37]: enabling S4U2Proxy delegation
[29/37]: importing CA certificates from LDAP
[30/37]: initializing group membership
[31/37]: adding master entry
ipa : CRITICAL Failed to load master-entry.ldif: Command
''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
'/tmp/tmpk_R0Lm'' returned non-zero exit status 68
[32/37]: initializing domain level
[33/37]: configuring Posix uid/gid generation
[34/37]: adding replication acis
[35/37]: enabling compatibility plugin
[36/37]: tuning directory server
[37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
[1/21]: creating certificate server user
[2/21]: configuring certificate server instance
[3/21]: stopping certificate server instance to update CS.cfg
[4/21]: backing up CS.cfg
[5/21]: disabling nonces
[6/21]: set up CRL publishing
[7/21]: enable PKIX certificate path discovery and validation
[8/21]: starting certificate server instance
[9/21]: creating RA agent certificate database
[10/21]: importing CA chain to RA certificate database
[11/21]: fixing RA database permissions
[12/21]: setting up signing cert profile
[13/21]: set certificate subject base
[14/21]: enabling Subject Key Identifier
[15/21]: enabling Subject Alternative Name
[16/21]: enabling CRL and OCSP extensions for certificates
[17/21]: setting audit signing renewal to 2 years
[18/21]: configure certmonger for renewals
[19/21]: configure certificate renewals
[20/21]: configure Server-Cert certificate renewal
[21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
[1/8]: adding sasl mappings to the directory
[2/8]: configuring KDC
[3/8]: creating a keytab for the directory
[4/8]: creating a keytab for the machine
[5/8]: adding the password extension to the directory
[6/8]: enable GSSAPI for replication
[error] NO_SUCH_OBJECT: {'desc': 'No such object'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Traceback (most recent call last):
File "/sbin/ipa-replica-install", line 162, in <module>
fail_message=fail_message)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 760, in run_script
message, exitcode = handle_error(error, log_file_name)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 799, in handle_error
type(error).__name__, error.args[0]['info']), 1
KeyError: 'info'
It needs to be noted that the replica file was prepared on the master
running standard 4.1.2 freeipa-server.
The log is attached.
Hi Oleg,
I have encountered a different error during the same step (see
http://pastebin.test.redhat.com/287218) while reviewing pvoborni's
topology API commands. In this case both server and the replica were
from current freeipa-master (HEAD was at commit
e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7).
I have also noticed that everything works if I run ipa-replica-install
without '--setup-ca' flag and then install CA separately using
'ipa-ca-install'.
I will open a ticket for this if you or anyone else will be able to
reproduce this behavior.
Ah, seems like I have just hit
https://fedorahosted.org/freeipa/ticket/5035. Never mind.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code