On Tue, 14 Apr 2020, Alexandru David via FreeIPA-users wrote:
Hi all
I have two CentOS 8 servers. One is installed and configured as master and AD
trust controller. The second one, I'm trying to configure it as a replica, but
whatever I do, the replica server fails to start.
Environment :
OS - CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
Replica install is started with :
#ipa-replica-install -v --principal admin -p XXXXX --domain
ipamaster01.example.com --server ipamaster01.example.com --setup-ca
--setup-adtrust

Let's stop here. Why are you using ipamaster01.example.com as a domain?
Your domain (and realm) would be example.com and EXAMPLE.COM
correspondingly.

The client install goes well, but the server stops at :
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ldap://ipamaster01.example.com:389] reports: Update failed! Status: [Error
(-2) - LDAP error: Local error - no response received]
On the ipareplica-install.log, last entries are:
2020-04-14T08:29:13Z DEBUG Created connection context.ldap2_139862275887680
2020-04-14T08:29:13Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-04-14T08:29:13Z DEBUG retrieving schema for SchemaCache
url=ldap://ipamaster01.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7f34367c7080>
2020-04-14T08:29:13Z DEBUG Successfully updated nsDS5ReplicaId.
2020-04-14T08:29:13Z DEBUG Add or update replica config
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Added replica config
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Add or update replica config
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG No update to
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
necessary
2020-04-14T08:29:13Z DEBUG Waiting for replication (ldapi://%2Fvar%2Frun%2Fslapd-IPAMASTER01-EXAMPLE-COM.socket)
cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
2020-04-14T08:29:13Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config'),
{'objectClass': [b'nsds5replicationagreement', b'top'],
'cn': [b'meToipamaster01.example.com'],
'nsDS5ReplicaHost': [b'ipamaster01.example.com'],
'nsDS5ReplicaPort': [b'389'],
'nsds5replicaTimeout': [b'120'],
'nsDS5ReplicaRoot': [b'dc=ipamaster01,dc=example,dc=com'],
'description': [b'me to ipamaster01.example.com'],
'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
'nsDS5ReplicaTransportInfo': [b'LDAP'],
'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'],
'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'],
'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
'nsds5replicareapactive': [b'0'],
'nsds5replicaLastUpdateStart': [b'19700101000000Z'],
'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
'nsds5replicaChangesSentSinceStartup': [b''],
'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'],
'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2020-04-14T08:29:13Z", "message": "Error (0) No replication sessions started since server startup"}'],
'nsds5replicaUpdateInProgress': [b'FALSE'],
'nsds5replicaLastInitStart': [b'19700101000000Z'],
'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
2020-04-14T08:29:29Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 427, in __setup_replica
    cacert=self.ca_file
  File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 1860, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
I can query both ldap servers on the master and replica with :
ldapsearch -h ldap://ipamaster01.example.com -p 389 -Y GSSAPI -b "" -s base -W
ldapsearch -h ldap://ipareplica01.example.com -p 389 -Y GSSAPI -b "" -s base -W
At this point, I've really run out of options. Could someone tell me what I'm
doing wrong?
Cheers
Alex
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
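
The domain/hostname mix-up pointed out in the reply can be spotted from the install log itself. The following is an added example, not part of the original thread and not FreeIPA code: it reads the nsDS5ReplicaRoot and nsDS5ReplicaHost values from an unwrapped ipareplica-install.log line and flags a replication suffix that is really a server FQDN. The function names, the sample input and the "parent DNS domain" suggestion are assumptions made for illustration.

```python
import re

# Constructed sample: attributes as they appear in the LDAPEntry dump of
# ipareplica-install.log quoted above (unwrapped onto one line).
SAMPLE_LOG = (
    "'nsDS5ReplicaHost': [b'ipamaster01.example.com'], "
    "'nsDS5ReplicaPort': [b'389'], "
    "'nsDS5ReplicaRoot': [b'dc=ipamaster01,dc=example,dc=com'], "
)


def suffix_to_domain(suffix):
    """Turn 'dc=a,dc=b' into 'a.b'; reject DNs with non-dc components."""
    labels = []
    for rdn in suffix.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError("not a dc-style suffix: %r" % suffix)
        labels.append(value.lower())
    return ".".join(labels)


def domain_to_suffix(domain):
    """Turn 'a.b' into 'dc=a,dc=b'."""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def attr_value(log_text, name):
    """Return the first value logged for an attribute, or None."""
    m = re.search(r"'%s': \[b'([^']*)'\]" % re.escape(name), log_text)
    return m.group(1) if m else None


def check_replica_log(log_text):
    """Hypothetical check: flag a replication suffix equal to a server FQDN."""
    root = attr_value(log_text, "nsDS5ReplicaRoot")
    host = attr_value(log_text, "nsDS5ReplicaHost")
    if root is None or host is None:
        return {"status": "incomplete"}
    domain, host = suffix_to_domain(root), host.lower()
    result = {"status": "ok", "domain": domain, "realm": domain.upper()}
    if domain == host and "." in host:
        # Assumption: the intended domain is the parent DNS domain of the host.
        parent = host.split(".", 1)[1]
        result.update(status="domain-is-hostname", suggested_domain=parent,
                      suggested_realm=parent.upper(),
                      suggested_suffix=domain_to_suffix(parent))
    return result
```
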