On Fri, Jul 28, 2017 at 12:15 AM, Patrick Hemmer via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> I'm trying to setup a FreeIPA replica on 4.5.2 and the ipa-replica-install
> script dies with:
>
>         [27/40]: setting up initial replication
>     Starting replication, please wait until this has completed.
>     Update in progress, 14 seconds elapsed
>     [ldap://fll2aipa01stg.ipa-stg.chewy.net:389] reports: Update failed!
> Status: [-1  - LDAP error: Can't contact LDAP server]
>
>         [error] RuntimeError: Failed to start replication
>
>
> When I look in the /var/log/dirsrv/slapd-IPA-STG-CHEWY-NET/errors of the new
> replica, the last few lines contains:
>         [27/Jul/2017:17:54:36.501614930 -0400] NSMMReplicationPlugin -
> agmt="cn=meTofll2aipa01stg.ipa-stg.chewy.net" (fll2aipa01stg:389): Unable to
> acquire replica: permission denied. The bind dn "" does not have permission
> to supply replication updates to the replica. Will retry later.
>         [27/Jul/2017:17:54:42.511659900 -0400] NSMMReplicationPlugin -
> agmt="cn=meTofll2aipa01stg.ipa-stg.chewy.net" (fll2aipa01stg:389): Unable to
> acquire replica: permission denied. The bind dn "" does not have permission
> to supply replication updates to the replica. Will retry later.
>         [27/Jul/2017:17:54:54.517563545 -0400] NSMMReplicationPlugin -
> agmt="cn=meTofll2aipa01stg.ipa-stg.chewy.net" (fll2aipa01stg:389): Unable to
> acquire replica: permission denied. The bind dn "" does not have permission
> to supply replication updates to the replica. Will retry later.
>         [27/Jul/2017:17:55:18.527945464 -0400] NSMMReplicationPlugin -
> agmt="cn=meTofll2aipa01stg.ipa-stg.chewy.net" (fll2aipa01stg:389): Unable to
> acquire replica: permission denied. The bind dn "" does not have permission
> to supply replication updates to the replica. Will retry later.
>         [27/Jul/2017:17:56:06.546462326 -0400] NSMMReplicationPlugin -
> agmt="cn=meTofll2aipa01stg.ipa-stg.chewy.net" (fll2aipa01stg:389): The
> remote replica has a different database generation ID than the local
> database.  You may have to reinitialize the remote replica, or the local
> replica.
>
>
> In the /var/log/dirsrv/slapd-IPA-STG-CHEWY-NET/errors of the original
> master, the last few lines has:
>         [27/Jul/2017:17:54:33.567167570 -0400] NSMMReplicationPlugin -
> Warning: unable to acquire replica for total update, error: -1, retrying in
> 2 seconds.
>         [27/Jul/2017:17:54:35.572200957 -0400] NSMMReplicationPlugin -
> Warning: unable to acquire replica for total update, error: -1, retrying in
> 3 seconds.
>         [27/Jul/2017:17:54:36.498618557 -0400] NSMMReplicationPlugin -
> conn=115 op=6 replica="dc=ipa-stg,dc=chewy,dc=net": Unable to acquire
> replica: error: permission denied
>         [27/Jul/2017:17:54:38.579074442 -0400] NSMMReplicationPlugin -
> Warning: unable to acquire replica for total update, error: -1, retrying in
> 4 seconds.
>         [27/Jul/2017:17:54:42.504309388 -0400] NSMMReplicationPlugin -
> conn=115 op=7 replica="dc=ipa-stg,dc=chewy,dc=net": Unable to acquire
> replica: error: permission denied
>         [27/Jul/2017:17:54:42.586071823 -0400] NSMMReplicationPlugin -
> Warning: unable to acquire replica for total update, error: -1, retrying in
> 5 seconds.
>         [27/Jul/2017:17:54:54.514797243 -0400] NSMMReplicationPlugin -
> conn=115 op=9 replica="dc=ipa-stg,dc=chewy,dc=net": Unable to acquire
> replica: error: permission denied
>         [27/Jul/2017:17:55:18.521047403 -0400] NSMMReplicationPlugin -
> conn=115 op=11 replica="dc=ipa-stg,dc=chewy,dc=net": Unable to acquire
> replica: error: permission denied
>
>
> The access log on the original master contains:
>         [27/Jul/2017:17:31:48.338205279 -0400] conn=115 fd=70 slot=70
> connection from 10.0.33.200 to 10.0.33.200
>         [27/Jul/2017:17:31:48.338602001 -0400] conn=115 op=0 BIND
> dn="cn=Directory Manager" method=128 version=2
>         [27/Jul/2017:17:31:48.338684940 -0400] conn=115 op=0 RESULT err=0
> tag=97 nentries=0 etime=0 dn="cn=directory manager"
>         [27/Jul/2017:17:54:32.478121113 -0400] conn=115 fd=121 slot=121
> connection from 10.0.33.201 to 10.0.33.200
>         [27/Jul/2017:17:54:32.479047230 -0400] conn=115 op=0 BIND dn=""
> method=sasl version=3 mech=GSSAPI
>         [27/Jul/2017:17:54:32.482605087 -0400] conn=115 op=0 RESULT err=14
> tag=97 nentries=0 etime=0, SASL bind in progress
>         [27/Jul/2017:17:54:32.483393321 -0400] conn=115 op=1 BIND dn=""
> method=sasl version=3 mech=GSSAPI
>         [27/Jul/2017:17:54:32.484615090 -0400] conn=115 op=1 RESULT err=14
> tag=97 nentries=0 etime=0, SASL bind in progress
>         [27/Jul/2017:17:54:32.485067380 -0400] conn=115 op=2 BIND dn=""
> method=sasl version=3 mech=GSSAPI
>         [27/Jul/2017:17:54:32.486355861 -0400] conn=115 op=2 RESULT err=0
> tag=97 nentries=0 etime=0
> dn="krbprincipalname=ldap/fll2aipa02stg.ipa-stg.chewy....@ipa-stg.chewy.net,cn=services,cn=accounts,dc=ipa-stg,dc=chewy,dc=net"
>         [27/Jul/2017:17:54:32.486992403 -0400] conn=115 op=3 SRCH base=""
> scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
>         [27/Jul/2017:17:54:32.489473132 -0400] conn=115 op=3 RESULT err=0
> tag=101 nentries=1 etime=0
>         [27/Jul/2017:17:54:32.489967733 -0400] conn=115 op=4 SRCH base=""
> scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
>         [27/Jul/2017:17:54:32.492209604 -0400] conn=115 op=4 RESULT err=0
> tag=101 nentries=1 etime=0
>         [27/Jul/2017:17:54:32.492559529 -0400] conn=115 op=5 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>         [27/Jul/2017:17:54:32.494124224 -0400] conn=115 op=5 RESULT err=0
> tag=120 nentries=0 etime=0
>         [27/Jul/2017:17:54:36.498506345 -0400] conn=115 op=6 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>         [27/Jul/2017:17:54:36.500590218 -0400] conn=115 op=6 RESULT err=0
> tag=120 nentries=0 etime=0
>         [27/Jul/2017:17:54:42.504167583 -0400] conn=115 op=7 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>         [27/Jul/2017:17:54:42.507097328 -0400] conn=115 op=7 RESULT err=0
> tag=120 nentries=0 etime=0
>         [27/Jul/2017:17:54:54.514671476 -0400] conn=115 op=9 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>         [27/Jul/2017:17:54:54.516861209 -0400] conn=115 op=9 RESULT err=0
> tag=120 nentries=0 etime=0
>         [27/Jul/2017:17:55:18.520948176 -0400] conn=115 op=11 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>         [27/Jul/2017:17:55:18.523931139 -0400] conn=115 op=11 RESULT err=0
> tag=120 nentries=0 etime=0
>
>
> The command being used is:
>
>         ipa-replica-install --principal admin -w XXXX -n ipa-stg.chewy.net
> -r IPA-STG.CHEWY.NET --setup-dns --no-host-dns --setup-kra --mkhomedir
> --forwarder 10.0.2.10 --forwarder 10.0.2.11 --no-ntp --no-dnssec-validation
> -U --server=fll2aipa01stg.ipa-stg.chewy.net --setup-ca --skip-conncheck

What is the reason for using --skip-conncheck? Connection checks verify
that the replica can contact the master and vice versa; skipping them might
hide some environment issues, which might then make the replica installation
fail. The error "Can't contact LDAP server" suggests that.


>
>
> Any ideas what's wrong?
>
> I've attached the output of ipa-replica-install as well as
> /var/log/ipareplica-install.log. I can provide additional logs if necessary,
> just let me know which ones.
>
> -Patrick



-- 
Petr Vobornik
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
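The two server-side logs quoted in the thread tell the story only when read together: the errors log reports the refused replication acquire as coming from bind dn "", while the access log shows the same conn/op pair on a connection that had already completed a three-step SASL GSSAPI bind as the replica's ldap/ principal, and shows the replication extop itself returning err=0 at the LDAP layer. The script below, an added example that is not part of the thread or of the FreeIPA project, correlates the two logs by conn and op, and treats each "connection from" line as the start of a new session because 389-ds reuses connection ids (conn=115 appears twice in the quoted access log, once from 10.0.33.200 and once from 10.0.33.201). The sample log lines are constructed, modelled on the quoted ones, with the hostnames and suffix replaced by example.test placeholders.

```python
"""Correlate 389-ds errors-log replication refusals with the access log.

Added example, not code from the thread or from the FreeIPA project. The
sample lines are constructed, modelled on the logs quoted in the mail, with
the hostnames and suffix replaced by example.test placeholders.
"""
import re
from datetime import datetime

# Constructed access-log excerpt. conn=115 appears twice: 389-ds recycles
# connection ids, so the id alone does not identify a session.
ACCESS_LOG = """\
[27/Jul/2017:17:31:48.338205279 -0400] conn=115 fd=70 slot=70 connection from 10.0.33.200 to 10.0.33.200
[27/Jul/2017:17:31:48.338602001 -0400] conn=115 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[27/Jul/2017:17:31:48.338684940 -0400] conn=115 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[27/Jul/2017:17:54:32.478121113 -0400] conn=115 fd=121 slot=121 connection from 10.0.33.201 to 10.0.33.200
[27/Jul/2017:17:54:32.479047230 -0400] conn=115 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Jul/2017:17:54:32.482605087 -0400] conn=115 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Jul/2017:17:54:32.485067380 -0400] conn=115 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Jul/2017:17:54:32.486355861 -0400] conn=115 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[27/Jul/2017:17:54:36.498506345 -0400] conn=115 op=6 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[27/Jul/2017:17:54:36.500590218 -0400] conn=115 op=6 RESULT err=0 tag=120 nentries=0 etime=0
"""

# Constructed errors-log excerpt from the same master.
ERRORS_LOG = """\
[27/Jul/2017:17:54:36.498618557 -0400] NSMMReplicationPlugin - conn=115 op=6 replica="dc=example,dc=test": Unable to acquire replica: error: permission denied
"""

OPEN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<peer>\S+) to \S+')
OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?: (?P<rest>.*))?$')
ERR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) '
                    r'replica="(?P<replica>[^"]*)": (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"


def parse_ts(text):
    """'27/Jul/2017:17:54:36.498618557 -0400' -> naive datetime (nanoseconds truncated; one tz per log)."""
    head, _, frac = text.split(" ")[0].partition(".")
    return datetime.strptime(head, "%d/%b/%Y:%H:%M:%S").replace(microsecond=int(frac[:6].ljust(6, "0")))


def kv(rest):
    """Parse the key=value tail of an access-log line; quoted values may contain '=' and ','."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2) for m in KV_RE.finditer(rest)}


def parse_access(text):
    """Split an access log into connection sessions, honouring conn-id reuse."""
    sessions, current = [], {}  # all sessions in log order; conn id -> most recently opened session
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            s = {"conn": m["conn"], "opened": parse_ts(m["ts"]), "peer": m["peer"],
                 "bound_dn": None, "mech": None, "ops": {}}
            sessions.append(s)
            current[m["conn"]] = s
            continue
        m = OP_RE.match(line)
        if not m or m["conn"] not in current:
            continue
        s, fields = current[m["conn"]], kv(m["rest"] or "")
        s["ops"].setdefault(m["op"], {})[m["kind"]] = fields
        if m["kind"] == "BIND":
            s["mech"] = fields.get("mech", fields.get("method"))
        elif m["kind"] == "RESULT" and fields.get("tag") == "97" and fields.get("err") == "0":
            # tag=97 is a bind result; err=14 would mean the SASL exchange is still in progress,
            # so only a final err=0 carries the identity the connection is now bound as.
            s["bound_dn"] = fields.get("dn", "")
    return sessions


def session_for(sessions, conn, when):
    """The session with this conn id that was open at `when`: the latest one opened at or before it."""
    candidates = [s for s in sessions if s["conn"] == conn and s["opened"] <= when]
    return candidates[-1] if candidates else None


def correlate(access_text, errors_text):
    """For every replication refusal in the errors log, report who the connection was really bound as."""
    sessions, findings = parse_access(access_text), []
    for line in errors_text.splitlines():
        m = ERR_RE.match(line)
        if not m:
            continue
        s = session_for(sessions, m["conn"], parse_ts(m["ts"]))
        op = s["ops"].get(m["op"], {}) if s else {}
        findings.append({"time": m["ts"], "conn": m["conn"], "op": m["op"], "replica": m["replica"],
                         "message": m["msg"], "peer": s["peer"] if s else None,
                         "bound_dn": s["bound_dn"] if s else None, "mech": s["mech"] if s else None,
                         "extop": op.get("EXT", {}).get("name"),
                         "extop_result": op.get("RESULT", {}).get("err")})
    return findings


if __name__ == "__main__":
    for f in correlate(ACCESS_LOG, ERRORS_LOG):
        print(f"{f['time']} conn={f['conn']} op={f['op']} from {f['peer']}: {f['message']}")
        print(f"  bound as {f['bound_dn']!r} via {f['mech']}; {f['extop']} LDAP result err={f['extop_result']}")
```

Run against the real files, the same correlation reads the access log for the bound identity instead of trusting the errors log's bind dn "", which is what makes the refusal actionable: the question becomes why that ldap/ principal is not accepted as a replication supplier on the master, rather than why an anonymous bind was attempted. The extop returning err=0 while the plugin logs permission denied is also visible in the quoted logs; the refusal is carried inside the extended-operation response, so grepping the access log for non-zero err values would never find it.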