As a side question to this issue, might it be possible to use this 
non-replicating essentially standalone new replica as a basis to rebuild the 
entire IPA environment since it did complete successfully during the replica 
install?

The whole drive behind trying to get a new CA server in the environment is 
because I would like to eventually retire all 3.x IPA servers to take advantage 
of some of the newer features.


> I tried a fresh install with the same result.  The new replica install
> process completes successfully but it does not register as a master.  When I
> look at the replication status via ipa-replica-manage it shows this:
> 
> # ipa-replica-manage list -v ipa8.domain.tld
> Directory Manager password:
> 
> ipa1.domain.tld: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
>   last update ended: 1970-01-01 00:00:00+00:00
> 
> When I try to create a new replication agreement via ipa-replica-manage
> connect I get this message:
> 
> # ipa-replica-manage connect ipa4.domain.tld
> Directory Manager password:
> 
> Connection unsuccessful: ipa4.domain.tld is an IPA Server, but it might be unknown, foreign or previously deleted one.
> 
> I saw this article:
> https://access.redhat.com/solutions/2988311
> 
> I checked all my replicas and they show:
> $ ldapsearch -o ldif-wrap=no -D "cn=directory manager" -W -b "cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # replication managers, sysaccounts, etc, domain.tld
> dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa2.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa4.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa7.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa3.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa5.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa6.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa1.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> member: krbprincipalname=ldap/ipa8.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
> 
> I also checked this on the new server:
> 
> # ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
> nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
> nsds5replicabinddngroupcheckinterval: 60
> 
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
> nsds5replicabinddngroupcheckinterval: 60
> 
> On the other 4.x IPA servers (all non-CA replicas) it showed the first stanza
> like above, and on the 3.x servers it only had:
> $ ldapsearch -o ldif-wrap=no -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
> 
> Anything else I should verify as well that might lead to a solution?
> 
> Thanks!
> 
> > After some trial and error I was finally able to get a new replica + CA
> > (RHEL7.4 and ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa
> > server 3.0 - 4.x) and the ipa-replica-install command completed
> > successfully, but now when I run the ipa-manage-replica -v list <host>
> > command I see this:
> > 
> > # ipa-replica-manage -v list ipa5.domain.tld
> > Directory Manager password:
> > 
> > ipa1.domain.tld: replica
> >   last init status: None
> >   last init ended: 1970-01-01 00:00:00+00:00
> >   last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
> >   last update ended: 1970-01-01 00:00:00+00:00
> > 
> > I ran the ipa-replica-manage re-initialize and it runs successfully and the
> > above permission denied error goes away, but the host cannot be connected
> > to any other replicas; it no longer sees itself as a replica or csreplica.
> > I assume this is due to the re-init. I'm leery of trying to force it to try
> > and join and potentially cause more issues. I would appreciate any helpful
> > suggestions.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

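The two ldapsearch outputs quoted in the thread (the `cn=replication managers` group and each host's `cn=replica` entries under `cn=config`) can be checked against each other rather than by eye. The Python script below is an added example, not code from the thread or from FreeIPA; it parses constructed LDIF modelled on the quoted output (the hostnames, realm `DOMAIN.TLD` and suffix `dc=domain,dc=tld` are placeholders) and reports, for a chosen supplier host, which consumer replica entries name neither that host's `ldap/` service principal in `nsds5replicabinddn` nor, in `nsds5replicabinddngroup`, a group that contains it. Those two attributes are how a 389-ds consumer authorizes a supplier's bind DN, which is the check the quoted "bind dn does not have permission to supply replication updates" status refers to.

```python
"""Cross-check replication bind DN authorization from ldapsearch output.

Added diagnostic example; the LDIF below is constructed to mirror the
thread's output and is not real directory data.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed: the replication managers group, as on the page (the archive
# shows "(a)" where the real principal contains "@").
GROUP_LDIF = """\
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa1.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa8.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
"""

# Constructed: cn=replica entries per host. ipa8 (4.5) carries the group
# attribute on both suffixes; ipa1 (3.x) returns only the dn, as in the thread.
REPLICA_LDIF_BY_HOST = {
    "ipa8.domain.tld": """\
dn: cn=replica,cn=dc\\3Ddomain\\2Cdc\\3Dtld,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60

dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60
""",
    "ipa1.domain.tld": """\
dn: cn=replica,cn=dc\\3Ddomain\\2Cdc\\3Dtld,cn=mapping tree,cn=config
""",
}


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse plain (non-base64) LDIF into one dict per entry, keyed by
    lower-cased attribute name. Handles folded continuation lines and
    skips '#' comment lines, so either ldapsearch form on the page works."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: list[dict[str, list[str]]] = []
    current = None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; also drop whitespace after commas."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def principal_dn(host: str, realm: str = "DOMAIN.TLD",
                 suffix: str = "dc=domain,dc=tld") -> str:
    """DN of the host's ldap/ service principal, the identity a FreeIPA
    replica binds with when it supplies updates (realm/suffix are assumptions)."""
    return f"krbprincipalname=ldap/{host}@{realm},cn=services,cn=accounts,{suffix}"


def check_supplier(supplier: str, group_ldif: str,
                   replica_ldif_by_host: dict[str, str]) -> dict[str, list[str]]:
    """Return {consumer host: [replica DNs]} for every cn=replica entry that
    would not authorize `supplier`: the supplier's principal is neither listed
    in nsds5replicabinddn nor a member of a group named in nsds5replicabinddngroup."""
    group = parse_ldif(group_ldif)[0]
    group_dn = normalize_dn(group["dn"][0])
    members = {normalize_dn(m) for m in group.get("member", [])}
    supplier_dn = normalize_dn(principal_dn(supplier))
    in_group = supplier_dn in members

    problems: dict[str, list[str]] = {}
    for host, ldif in replica_ldif_by_host.items():
        if host == supplier:                   # a host does not replicate to itself
            continue
        for replica in parse_ldif(ldif):
            explicit = {normalize_dn(d) for d in replica.get("nsds5replicabinddn", [])}
            groups = {normalize_dn(d) for d in replica.get("nsds5replicabinddngroup", [])}
            if supplier_dn in explicit or (in_group and group_dn in groups):
                continue
            problems.setdefault(host, []).append(replica["dn"][0])
    return problems


if __name__ == "__main__":
    for host, dns in check_supplier("ipa8.domain.tld", GROUP_LDIF,
                                    REPLICA_LDIF_BY_HOST).items():
        for dn in dns:
            print(f"{host}: {dn} does not authorize ldap/ipa8.domain.tld as supplier")
```

Run against the constructed data, the script flags only the `dc=domain,dc=tld` replica entry on ipa1, the 3.x host whose `cn=replica` entry carries no `nsds5replicabinddngroup`, while the reverse direction (ipa1 supplying ipa8) reports nothing, matching the asymmetry in the quoted status output. To use it on live output, paste each host's `ldapsearch -o ldif-wrap=no ... "(cn=replica)"` result into the dictionary and the group search into `GROUP_LDIF`.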