On Fri, 12 Jan 2018, Nacho del Rey via FreeIPA-users wrote:
Hi list

I have spent several days trying to configure a master<->replica
scenario but I'm having a problem with the DNS which doesn't allow
me to go ahead

I could deploy an IPA server successfully on CentOS 7.3 using the following
command
   ipa-server-install --realm XXXX.COM --ds-password XXXX --admin-password XXXX 
 --hostname=name.domain.com --setup-dns --no-forwarders --unattended

but when I try to configure an IPA replica with DNS enabled I'm getting the
following error again and again
ipa-replica-install --skip-conncheck --setup-dns --principal=admin -w XXXX
 --force-join --ssh-trust-dns  --no-dnssec-validation --unattended --realm=XXXX.COM
 --domain=domain.com --auto-forwarders


Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ipa         : INFO     
Commencing sync process
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: Traceback (most recent call 
last):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: while 
ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 348, in 
syncrepl_poll
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: add_intermediates=1, 
add_ctrls=1, all = 0
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ldap_result = 
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: result = func(*args,**kwargs)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: 
ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'desc': 'Critical extension is 
unavailable'}
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service: main process 
exited, code=exited, status=1/FAILURE
Jan 12 10:27:41 replica01 systemd[1]: Unit ipa-dnskeysyncd.service entered 
failed state.
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service failed.
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 2
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 2
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 3
Jan 12 10:28:30 replica01 named-pkcs11[5110]: successfully reconnected to LDAP 
server
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP error: Critical extension is 
unavailable: unable to start SyncRepl session: is RFC 4533 supported by LDAP 
server?
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP configuration 
synchronization failed: socket is not connected
Jan 12 10:28:30 replica01 named-pkcs11[5110]: ldap_syncrepl will reconnect in 
60 seconds

These are the parameters generated by this failing service

[root@replica01 etc]# cat ./sysconfig/ipa-dnskeysyncd
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf

[root@replica01 etc]# cat /etc/ipa/dnssec/softhsm2.conf
# SoftHSM v2 configuration file
# File generated by IPA instalation
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file

[root@replica01 etc]# ls -lart 
/var/lib/ipa/dnssec/tokens/b591e51f-56c3-dc08-158f-a01b7f177bc3/
total 16
drwxrws---. 3 ods named   50 Jan 12 10:06 ..
-rwxrwx---. 1 ods named  320 Jan 12 10:06 token.object
-rwxrwx---. 1 ods named    0 Jan 12 10:06 token.lock
-rwxrwx---. 1 ods named    0 Jan 12 10:06 
0c1e587e-443b-cc05-dd3d-2ddaccde958f.lock
-rwxrwx---. 1 ods named  931 Jan 12 10:06 
0c1e587e-443b-cc05-dd3d-2ddaccde958f.object
drwxrws---. 2 ods named  262 Jan 12 10:06 .
-rwxrwx---. 1 ods named    0 Jan 12 10:06 
194085eb-3127-4e35-3874-4f935a069025.lock
-rwxrwx---. 1 ods named 2208 Jan 12 10:06 
194085eb-3127-4e35-3874-4f935a069025.object
-rwxrwx---. 1 ods named    8 Jan 12 10:25 generation

Any help would be much appreciated.

The issue is that the LDAP server that named tries to connect to does not
support the SyncRepl extension. Same with ipa-dnskeysyncd.

Could you check in the logs which LDAP server they talk to?

On IPA LDAP server we have SyncRepl enabled and accessible to all
authenticated users:

dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) 
userdn = "ldap:///all";;)
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1


--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
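The reply above asks two things: which LDAP server named and ipa-dnskeysyncd are talking to, and whether that server offers the RFC 4533 Sync Request Control (OID 1.3.6.1.4.1.4203.1.9.1.1) to authenticated users. The POSIX shell script below is an added example, not part of the thread and not FreeIPA's own code. It checks the root DSE of a server for the control in supportedControl, and checks the aci on the 389-ds feature entry quoted in the reply for the `userdn = "ldap:///all"` grant. The live checks need ldapsearch from openldap-clients and, for the cn=config entry, a Kerberos ticket (kinit admin). The sample LDIF fragments are constructed for this example; the hostname argument and the `dnskeysync` user in the restricted sample are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: verify that an LDAP server advertises the RFC 4533
# Sync Request Control and that the 389-ds feature entry for it grants
# read/search to all authenticated users. Not FreeIPA project code.

SYNCREPL_OID="1.3.6.1.4.1.4203.1.9.1.1"
FEATURE_DN="oid=${SYNCREPL_OID},cn=features,cn=config"

# rootdse_has_syncrepl: read an LDIF dump of the root DSE on stdin and
# return 0 when the Sync Request Control OID is listed in supportedControl.
rootdse_has_syncrepl() {
    grep -Fxq "supportedControl: ${SYNCREPL_OID}"
}

# feature_aci_allows_all: read an LDIF dump of the feature entry on stdin
# and return 0 when its aci allows read,search to userdn "ldap:///all".
feature_aci_allows_all() {
    # LDIF folds long attribute values onto continuation lines that start
    # with a single space; join the whole input and unfold before matching.
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' \
    | grep -Eq '^aci: .*allow ?\( *read, *search *\).*userdn *= *"ldap:///all"'
}

# live_rootdse_check HOST: the root DSE is normally readable without a bind;
# use -Y GSSAPI instead of -x if anonymous access is disabled on the server.
live_rootdse_check() {
    ldapsearch -LLL -x -H "ldap://$1" -b "" -s base supportedControl \
    | rootdse_has_syncrepl
}

# live_feature_check HOST: read the feature entry under cn=config with the
# Kerberos credentials of the current user (e.g. after kinit admin).
live_feature_check() {
    ldapsearch -LLL -Y GSSAPI -H "ldap://$1" -b "$FEATURE_DN" -s base aci \
    | feature_aci_allows_all
}

# Constructed sample root DSE excerpts (not captured from a real server).
ROOTDSE_OK='dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 1.2.840.113556.1.4.319'

ROOTDSE_MISSING='dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.319'

# Constructed feature entry modelled on the one quoted in the reply, with
# the aci value folded across two LDIF lines as ldapsearch would print it.
FEATURE_OK='dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search )
  userdn = "ldap:///all";)
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1'

# Constructed variant: the grant is limited to one (assumed) service user,
# so named and ipa-dnskeysyncd binding as other principals would be refused.
FEATURE_RESTRICTED='dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search )
  userdn = "ldap:///uid=dnskeysync,cn=users,cn=accounts,dc=example,dc=com";)
cn: Sync Request Control'

# Stand-alone usage: ./check_syncrepl.sh ipa-replica.example.com
if [ "$#" -eq 1 ]; then
    if live_rootdse_check "$1"; then
        echo "$1: root DSE advertises the Sync Request Control"
    else
        echo "$1: Sync Request Control NOT advertised; RFC 4533 unsupported here"
    fi
fi
```

Run the root DSE check against the URI named actually uses (the one in its bind-dyndb-ldap configuration in /etc/named.conf) rather than against whatever host name you expect it to use; the error in the original report is exactly the one named logs when the server it reached has no SyncRepl support, so a pointer at the wrong server or at a non-IPA directory server is the first thing to rule out.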
