Steven Jones wrote:
Hi,

No fix for this?

Are both running the same version of IPA? Does ipa-replica-conncheck exist on the master?

What this does is on the replica it checks to be sure it can talk to the master. Then it starts listeners on a bunch of ports and tries to log into the master to see if it can talk to them. This second step is what is failing; it doesn't seem to be doing anything on the master at all.

rob


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 31 October 2011 1:47 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] problem with replica install

Couple of logs I have found.....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 31 October 2011 10:03 a.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] problem with replica install

Hi,

I am getting this failure,

[root@vuwunicoipamt02 ipa]# ipa-replica-install --setup-dns 
--forwarder=130.195.85.25 --forwarder=130.195.98.151 --no-reverse 
/var/lib/ipa/replica-info-vuwunicoipamt02.unix.vuw.ac.nz.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'vuwunicoipamt01.unix.vuw.ac.nz':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: port 80 (80): OK
    HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Password for ad...@unix.vuw.ac.nz:
Execute check on remote master

Remote master check failed with following error message(s):

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck 
parameter.

On the first master my firewall ruleset is,


===========8><--------master firewall ruleset--------
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:88
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:389
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:464
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:636
ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:9443
ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:9444
ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:9445
ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:7389
ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:9443
ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:9444
ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:9445
ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:7389
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:88
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:464
==========8><------

Can't see what else I have missed......

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 31 October 2011 8:21 a.m.
To: Simo Sorce
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unique world wide UIDS

Hi,

Yeah I kind of wondered after ipv4 being so well known that "we" only went to 32bit...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Simo Sorce [s...@redhat.com]
Sent: Monday, 31 October 2011 3:41 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unique world wide UIDS

I would rather lobby the Linux kernel people to give me 128bit IDs.
That would solve all problems, as the chance of collision in a carefully
randomly selected 90something bit prefix is basically none.

Simo.

On Thu, 2011-10-27 at 20:40 +0000, Steven Jones wrote:
Yes I can appreciate that, we have done the same thing im '500'...

oops....

As an educational setup we are looking to federate worldwide, that
means Shibboleth or similar....a unique UID per academic world wide
might be worthwhile....there won't be 2billion
academics...students...well I guess that would one day be an "ipv4"
problem.

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 28 October 2011 9:34 a.m.
To: Steven Jones
Cc: Adam Young; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unique world wide UIDS

Steven Jones wrote:
Hi,

Well if you understand Peak Oil and that the "green revolution" was
actually turning fossil fuel into food ie we eat oil....only having
2billion UIDs won't be a problem.

:/

Many, many organizations start with the same uid base, 500 or 1000.
When company A buys company B there are tons and tons of uid collisions.
If each started at a random start point then the chances of collision,
while not zero, are much lower.

Our goal wasn't to guarantee uniqueness in the universe, just to make
integration hopefully easier in the future when namespaces are merged.

rob


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Simo Sorce * Red Hat, Inc * New York



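Added example (not part of the original thread and not FreeIPA code): in the second step described above the replica starts listeners and the master has to reach them, so the replica's own ruleset matters as much as the master's. This sketch parses an `iptables -L -n` style listing like the one posted and reports, for a given peer address, which of the ports named in the connection-check output would not be accepted. The sample listing, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Ports named in the connection-check output quoted in the thread.
REQUIRED = [("tcp", 389), ("tcp", 636), ("tcp", 88), ("udp", 88),
            ("tcp", 464), ("udp", 464), ("tcp", 80), ("tcp", 443)]

RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<proto>tcp|udp)\s+\S+\s+(?P<src>[\d./]+)\s+\S+"
    r".*?\bdpts?:(?P<lo>\d+)(?::(?P<hi>\d+))?")

def parse_rules(listing):
    """Parse `iptables -L -n` lines into (target, proto, source_net, ports)."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # lines without a destination port or with negated sources are skipped
            lo, hi = int(m["lo"]), int(m["hi"] or m["lo"])
            rules.append((m["target"], m["proto"],
                          ipaddress.ip_network(m["src"], strict=False),
                          range(lo, hi + 1)))
    return rules

def audit(rules, peer, required=REQUIRED):
    """Map each required (proto, port) to the target of the first matching rule."""
    peer = ipaddress.ip_address(peer)
    result = {}
    for proto, port in required:
        verdict = "no matching rule"  # falls through to the chain policy
        for target, r_proto, source, ports in rules:
            if r_proto == proto and port in ports and peer in source:
                verdict = target  # iptables stops at the first match
                break
        result[(proto, port)] = verdict
    return result

def blocked(result):
    return sorted(k for k, v in result.items() if v != "ACCEPT")

# Constructed replica-side listing and peer address (not from the thread).
SAMPLE = """\
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:80:88
ACCEPT     tcp  --  192.0.2.99           0.0.0.0/0           tcp dpt:389
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
REJECT     tcp  --  192.0.2.0/24         0.0.0.0/0           tcp dpt:464 reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:464
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:636
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:88
"""
print(blocked(audit(parse_rules(SAMPLE), "192.0.2.10")))
```

The three ports it reports show three different causes: an ACCEPT limited to another source address, a REJECT that shadows a later ACCEPT, and a protocol with no rule at all.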