On 08/12/2011 12:06 PM, Shawn Nock wrote:
I am trying to create a replica of my working FreeIPA 2.0.1
installation. Both the server and would-be replica are F15 minimal
installs dedicated to FreeIPA.

Both hosts are in DNS (forward and reverse) with iptables and
selinux temporarily disabled.

ipa-replica-install fails at:
2011-08-12 13:48:14,768 DEBUG   [3/11]: restarting certificate server
2011-08-12 13:48:17,882 DEBUG args=/sbin/service pki-cad restart
2011-08-12 13:48:17,882 DEBUG stdout=Stopping pki-ca: [FAILED]
Starting pki-ca: [  OK  ]
     'pki-ca' must still be CONFIGURED!
     (see /var/log/pki-ca-install.log)

2011-08-12 13:48:17,882 DEBUG stderr=
2011-08-12 13:48:17,905 DEBUG   duration: 3 seconds
2011-08-12 13:48:17,906 DEBUG   [4/11]: configuring certificate server instance

The IPA-PKI instance access log on the replica is full of:

SRCH base="ou=people,o=ipaca" scope=0
   filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL

The IPA-PKI instance error log on the replica contains:

[12/Aug/2011:13:49:09 -0400] NSMMReplicationPlugin - 
agmt="cn=cloneAgreement1-ipa-slave.cfmi.georgetown.edu-pki-ca" (ipa:7389): 
Replica has a different generation ID than the local data.
[12/Aug/2011:13:49:10 -0400] NSMMReplicationPlugin - 
multimaster_be_state_change: replica o=ipaca is going offline; disabling 
replication
[12/Aug/2011:13:49:11 -0400] - entrycache_clear_int: there are still 2 entries 
in the entry cache.
[12/Aug/2011:13:49:11 -0400] - dncache_clear_int: there are still 2 dn's in the 
dn cache. :/
[12/Aug/2011:13:49:11 -0400] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
[12/Aug/2011:13:49:15 -0400] - import ipaca: Workers finished; cleaning up...
[12/Aug/2011:13:49:15 -0400] - import ipaca: Workers cleaned up.
[12/Aug/2011:13:49:15 -0400] - import ipaca: Indexing complete.  
Post-processing...
[12/Aug/2011:13:49:15 -0400] - import ipaca: Flushing caches...
[12/Aug/2011:13:49:15 -0400] - import ipaca: Closing files...
[12/Aug/2011:13:49:15 -0400] - entrycache_clear_int: there are still 12 entries 
in the entry cache.
[12/Aug/2011:13:49:15 -0400] - dncache_clear_int: there are still 82 dn's in 
the dn cache. :/
[12/Aug/2011:13:49:15 -0400] - import ipaca: Import complete.  Processed 82 
entries in 4 seconds. (20.50 entries/sec)
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - 
multimaster_be_state_change: replica o=ipaca is coming online; enabling 
replication
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - 
replica_enable_replication: reloading ruv failed
[12/Aug/2011:13:49:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:49:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:50:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:50:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:55 -0400] - Error: ldbm_txn_ruv_modify_context failed to 
retrieve and lock RUV entry
[12/Aug/2011:13:51:55 -0400] - ldbm_back_modify: ldbm_txn_ruv_modify_context 
failed to construct RUV modify context
[12/Aug/2011:13:52:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:52:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:53:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:53:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: 
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68

/var/log/pki-ca/debug on the replica is full of:

DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait!

This seems to be the problem described in the docs under troubleshooting
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html)
when port 7389 is unavailable on the replica. This server is running
nothing else, however, and lsof and netstat confirm that 7389 is
available.

The only other problem is a message about 7389 already existing in
selinux policy, which (from reading the bug report) seems harmless.

Please advise what may be done to further troubleshoot this issue.

What version of 389-ds-base? rpm -qi 389-ds-base
This is supposed to be fixed in 389-ds-base-1.2.9.6, available from updates-testing.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
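
Added example (not part of the original thread, and not FreeIPA or 389-ds code): a small Python triage script that rejoins the hard-wrapped errors-log records quoted above and collapses the repeats, so the generation-ID mismatch and the recurring RUV tombstone failure stand out. The sample is constructed from lines in the post; the function names are hypothetical, and the result-code names are the standard LDAP ones.

```python
import re

# Constructed sample: a few records copied from the wrapped errors log in the post.
SAMPLE = """\
[12/Aug/2011:13:49:09 -0400] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-ipa-slave.cfmi.georgetown.edu-pki-ca" (ipa:7389):
Replica has a different generation ID than the local data.
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - _replica_configure_ruv:
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:49:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv:
failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:55 -0400] - Error: ldbm_txn_ruv_modify_context failed to
retrieve and lock RUV entry
"""

STAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")
LDAP_RESULT = {32: "noSuchObject", 68: "entryAlreadyExists"}  # standard LDAP result codes

def unwrap(text):
    """Rejoin mail-wrapped records; a new record starts with a [timestamp]."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if STAMP.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def name_code(match):
    code = int(match.group(1))
    return "LDAP error - %d (%s)" % (code, LDAP_RESULT.get(code, "unknown"))

def summarize(text):
    """Map each distinct message to [count, first_seen, last_seen]."""
    summary = {}
    for record in unwrap(text):
        m = STAMP.match(record)
        if not m:
            continue
        when, msg = m.groups()
        msg = re.sub(r"LDAP error - (\d+)", name_code, msg)
        entry = summary.setdefault(msg, [0, when, when])
        entry[0] += 1
        entry[2] = when
    return summary

if __name__ == "__main__":
    for msg, (count, first, last) in summarize(SAMPLE).items():
        print("%dx %s .. %s  %s" % (count, first, last, msg))
```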
