Hi folks,

Related to my posts from earlier in the week. I'm stuck in catch-22 land with no seemingly viable way forward ...

I am stuck with 2x IPA masters in different AWS regions that refuse to replicate because the topology is disconnected, I can't seem to force the re-connect so I'm trying to expand my topology options by building new fresh masters from scratch. CentOS 7.3 with fully updated IPA software.

The fresh replica install fails with a "Local LDAP" error, these seem to be the corresponding errors in the /var/log/dirserv logs:

[02/Jun/2017:14:29:31.965022647 +0000] 389-Directory/ B2017.145.2037 starting up
[02/Jun/2017:14:29:31.976521839 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[02/Jun/2017:14:29:32.102416271 +0000] slapd started. Listening on All Interfaces port 389 for LDAP requests
[02/Jun/2017:14:29:32.104077504 +0000] Listening on All Interfaces port 636 for LDAPS requests
[02/Jun/2017:14:29:32.105380691 +0000] Listening on /var/run/slapd-companyIDM-ORG.socket for LDAPI requests
[02/Jun/2017:14:29:35.776066609 +0000] NSMMReplicationPlugin - agmt="cn=meTodeawilidmp001.companyidm.org" (deawilidmp001:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.

And here is the output from trying to perform the replica setup:

[root@usaeilidmp003 centos]# ipa-replica-install --setup-ca --principal admin --admin-password SEKRIT

Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
Client hostname: usaeilidmp003.companyidm.org
Realm: companyIDM.ORG
DNS Domain: companyidm.org
IPA Server: deawilidmp001.companyidm.org
BaseDN: dc=companyidm,dc=org

Skipping synchronizing time with NTP server.
Enrolled in IPA realm companyIDM.ORG
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm companyIDM.ORG
trying https://deawilidmp001.companyidm.org/ipa/json
Forwarding 'schema' to json server 'https://deawilidmp001.companyidm.org/ipa/json'
trying https://deawilidmp001.companyidm.org/ipa/session/json
Forwarding 'ping' to json server 'https://deawilidmp001.companyidm.org/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://deawilidmp001.companyidm.org/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://deawilidmp001.companyidm.org/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring companyidm.org as NIS domain.
Client configuration complete.

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[deawilidmp001.companyidm.org] reports: Update failed! Status: [-2 - LDAP error: Local error]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@usaeilidmp003 centos]#
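As an added example (not code from the poster or from the FreeIPA/389-ds projects), a small Python parser for the 389-ds errors-log format quoted above: it re-splits records that were run together on one line, as in the mail, and flags replication-agreement messages such as the "different database generation ID" one, naming the agreement and the peer so an operator can see which replica needs re-initialising. The sample log is constructed from the lines in the post.

```python
import re
from datetime import datetime

# Constructed sample modelled on the dirsrv errors log quoted in the post
# (records deliberately run together, as they appear in the mail).
SAMPLE_LOG = (
    "[02/Jun/2017:14:29:31.965022647 +0000] 389-Directory/ B2017.145.2037 starting up "
    "[02/Jun/2017:14:29:32.102416271 +0000] slapd started. Listening on All Interfaces "
    "port 389 for LDAP requests "
    '[02/Jun/2017:14:29:35.776066609 +0000] NSMMReplicationPlugin - agmt="cn=meTodeawilidmp001.companyidm.org" '
    "(deawilidmp001:389): The remote replica has a different database generation ID "
    "than the local database. You may have to reinitialize the remote replica, or the local replica."
)

# Every record starts with "[dd/Mon/yyyy:", so split there even when newlines were lost.
RECORD_START = re.compile(r"(?=\[\d{2}/[A-Za-z]{3}/\d{4}:)")
RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$", re.S)
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<host>[^:]+):(?P<port>\d+)\): (?P<text>.*)$', re.S
)

def split_records(text):
    """Return the individual log records in a blob of errors-log text."""
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]

def parse_ts(ts):
    """389-ds stamps nanoseconds; datetime only holds microseconds, so truncate."""
    head, _, rest = ts.partition(".")
    frac, _, tz = rest.partition(" ")
    return datetime.strptime(f"{head}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")

def classify(text):
    """Map the agreement message to a category an operator can act on."""
    if "different database generation ID" in text:
        return "generation-id-mismatch"  # one side must be re-initialised from the other
    return "other"

def find_replication_problems(text):
    """Return replication-agreement messages with the agreement DN, peer and category."""
    found = []
    for rec in split_records(text):
        m = RECORD_RE.match(rec)
        a = AGMT_RE.search(m.group("msg")) if m else None
        if not a:
            continue
        found.append({"ts": parse_ts(m.group("ts")), "agreement": a.group("agmt"),
                      "host": a.group("host"), "port": int(a.group("port")),
                      "kind": classify(a.group("text")), "text": a.group("text")})
    return found

if __name__ == "__main__":
    for p in find_replication_problems(SAMPLE_LOG):
        print(p["ts"].isoformat(), p["agreement"], p["host"], p["port"], p["kind"])
```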

