Hmm. Those are open enough to work but I didn't verify against the official 
open port list (memory is coffee dependent).
There was still that install error and that is the primary suspect.
Next step: uninstall replica and main. Remove the log files. Remove the rpms 
for freeipa and all required dependents. Run rpm -Va and analyze the output for 
bad binaries of everything else. Check for a flaky hard drive or other network 
issues.
Reinstall. At each step, do a log analysis and resolve all errors before 
continuing. Pay careful attention to the startup process of the CA server 
components. 

On December 29, 2021 12:52:45 AM EST, Chris Roadfeldt via FreeIPA-users 
<[email protected]> wrote:
>Thanks for the help, appreciate another set of eyes on this.
>
>Was hoping it would be something simple between the systems. To that
>end I've turned off all local firewalls on the primary and replica as
>well as ensuring that required ports are open when it is on. I've also
>ensured that the inter-vlan firewall has rules allowing all traffic to
>flow in both directions between primary and replica.
>
>example.com is a sanitized domain as you picked up on.
>
>Here are the nmap -v results
>
>replica to primary
>
>[root@replica ~]# nmap -v primary
>Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:18 CST
>Initiating Ping Scan at 23:18
>Scanning primary (192.168.0.21) [4 ports]
>Completed Ping Scan at 23:18, 0.07s elapsed (1 total hosts)
>Initiating SYN Stealth Scan at 23:18
>Scanning primary (192.168.0.21) [1000 ports]
>Discovered open port 53/tcp on 192.168.0.21
>Discovered open port 22/tcp on 192.168.0.21
>Discovered open port 443/tcp on 192.168.0.21
>Discovered open port 139/tcp on 192.168.0.21
>Discovered open port 8080/tcp on 192.168.0.21
>Discovered open port 80/tcp on 192.168.0.21
>Discovered open port 445/tcp on 192.168.0.21
>Discovered open port 135/tcp on 192.168.0.21
>Discovered open port 49152/tcp on 192.168.0.21
>Discovered open port 9090/tcp on 192.168.0.21
>Discovered open port 749/tcp on 192.168.0.21
>Discovered open port 8443/tcp on 192.168.0.21
>Discovered open port 389/tcp on 192.168.0.21
>Discovered open port 636/tcp on 192.168.0.21
>Discovered open port 464/tcp on 192.168.0.21
>Discovered open port 88/tcp on 192.168.0.21
>Completed SYN Stealth Scan at 23:18, 0.69s elapsed (1000 total ports)
>Nmap scan report for primary (192.168.0.21)
>Host is up (0.044s latency).
>rDNS record for 192.168.0.21: primary.example.com
>Not shown: 984 closed ports
>PORT      STATE SERVICE
>22/tcp    open  ssh
>53/tcp    open  domain
>80/tcp    open  http
>88/tcp    open  kerberos-sec
>135/tcp   open  msrpc
>139/tcp   open  netbios-ssn
>389/tcp   open  ldap
>443/tcp   open  https
>445/tcp   open  microsoft-ds
>464/tcp   open  kpasswd5
>636/tcp   open  ldapssl
>749/tcp   open  kerberos-adm
>8080/tcp  open  http-proxy
>8443/tcp  open  https-alt
>9090/tcp  open  zeus-admin
>49152/tcp open  unknown
>
>Read data files from: /usr/bin/../share/nmap
>Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
>           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.092KB)
>
>
>primary to replica
>
>[root@primary ~]# nmap -v replica
>Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:21 CST
>Initiating Ping Scan at 23:21
>Scanning 192.168.10.9 [4 ports]
>Completed Ping Scan at 23:21, 0.05s elapsed (1 total hosts)
>Initiating SYN Stealth Scan at 23:21
>Scanning replica.example.com (192.168.10.9) [1000 ports]
>Discovered open port 22/tcp on 192.168.10.9
>Discovered open port 443/tcp on 192.168.10.9
>Discovered open port 80/tcp on 192.168.10.9
>Discovered open port 389/tcp on 192.168.10.9
>Discovered open port 9090/tcp on 192.168.10.9
>Discovered open port 88/tcp on 192.168.10.9
>Discovered open port 636/tcp on 192.168.10.9
>Discovered open port 464/tcp on 192.168.10.9
>Completed SYN Stealth Scan at 23:22, 4.86s elapsed (1000 total ports)
>Nmap scan report for replica.example.com (192.168.10.9)
>Host is up (0.040s latency).
>Not shown: 991 filtered ports
>PORT     STATE  SERVICE
>22/tcp   open   ssh
>53/tcp   closed domain
>80/tcp   open   http
>88/tcp   open   kerberos-sec
>389/tcp  open   ldap
>443/tcp  open   https
>464/tcp  open   kpasswd5
>636/tcp  open   ldapssl
>9090/tcp open   zeus-admin
>
>Read data files from: /usr/bin/../share/nmap
>Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
>           Raw packets sent: 1986 (87.360KB) | Rcvd: 20 (1.156KB)
>
>
>Re: No communication, what's baffling is that I can see the replication
>start up on both ends in the dirsrv logs. Also the initial sync runs
>and completes.
>
>Re: DNS, I point the replica to the primary for DNS resolution during
>the replica install. I also have entries in the hosts files on the
>replica and primary for the shortname and fqdn of both the replica and
>primary. I do have other DNS servers that are mirrors of the primary
>IPA DNS.
>
>Re: --uninstall, that is performed as well as a reboot after each
>ipa-client-install, ipa-replica-install and ipa-server-install
>--uninstall for good measure.
>
>I do run a split domain, I know the evils of that, but it's necessary
>for my clients to work while migrating in and out of the internal
>networks. I've verified that is working as expected as well.
>
>The dirsrv logs do show a replication issue around number of entries
>per time, assume that's a throttling mechanism. Also have a dangling
>replication agreement that I can not get rid of for another replica.
>Other than that, I don't see anything unusual in the logs for ldap. But
>I'm no expert, so if a sanitized version of those would help, let me
>know.
>_______________________________________________
>FreeIPA-users mailing list -- [email protected]
>To unsubscribe send an email to
>[email protected]
>Fedora Code of Conduct:
>https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives:
>https://lists.fedorahosted.org/archives/list/[email protected]
>Do not reply to spam on the list, report it:
>https://pagure.io/fedora-infrastructure

-- 
Computers amplify human error
Super computers are really cool
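A check for the "official open port list" point raised above, added here as an example and not code from the thread: it parses an nmap PORT/STATE table like the ones quoted and compares it with the TCP ports a FreeIPA peer is expected to need. The required-port table is my assumption from the FreeIPA/IdM documentation and the sample report is constructed; the script also flags that a default nmap scan is TCP-only, so the UDP Kerberos, DNS and NTP ports stay unverified.

```python
import re

# TCP ports a FreeIPA server/replica must reach on its peer. Assumed list from
# the FreeIPA/IdM docs as remembered; verify against the official table.
REQUIRED_TCP = {80: "http", 443: "https", 389: "ldap", 636: "ldaps",
                88: "kerberos", 464: "kpasswd"}
DNS_TCP = {53: "dns"}  # only when the peer also serves DNS
# UDP services a default nmap SYN scan never probes; reported as unverified.
UDP_UNVERIFIED = {53: "dns", 88: "kerberos", 123: "ntp", 464: "kpasswd"}
LINE_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)")

def parse_nmap(report: str) -> dict:
    """Map TCP port -> state from the PORT/STATE/SERVICE table of an nmap report."""
    matches = (LINE_RE.match(line.strip()) for line in report.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}

def check_ports(report: str, peer_serves_dns: bool = False) -> dict:
    """Compare a scan against the required list; absent ports count as blocked,
    since nmap folds them into its 'Not shown: N closed/filtered ports' line."""
    states = parse_nmap(report)
    required = {**REQUIRED_TCP, **DNS_TCP} if peer_serves_dns else REQUIRED_TCP
    result = {"ok": [], "blocked": [], "unverified_udp": sorted(UDP_UNVERIFIED)}
    for port, name in sorted(required.items()):
        state = states.get(port)
        if state == "open":
            result["ok"].append(port)
        else:
            result["blocked"].append((port, name, state or "not shown"))
    return result

# Constructed sample modelled on a primary-to-replica scan taken with the
# replica's firewall still up (hence "filtered") and no DNS on the replica.
SAMPLE_REPORT = """\
Not shown: 991 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   closed domain
80/tcp   open   http
88/tcp   open   kerberos-sec
389/tcp  open   ldap
443/tcp  open   https
464/tcp  open   kpasswd5
636/tcp  open   ldapssl
"""

if __name__ == "__main__":
    print("no DNS on peer:", check_ports(SAMPLE_REPORT))
    print("DNS on peer:   ", check_ports(SAMPLE_REPORT, peer_serves_dns=True))
```

Run it against a real `nmap -v <peer>` report in each direction; a port listed under "blocked" with state "not shown" was either closed or filtered, which the report's "Not shown:" line tells apart.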