Steven Jones wrote:
Hi,
No fix for this?
Are both running the same version of IPA? Does ipa-replica-conncheck
exist on the master?
What this does is on the replica it checks to be sure it can talk to the
master. Then it starts listeners on a bunch of ports and tries to log
into the master to see if it can talk to them. This second step is what
is failing; it doesn't seem to be doing anything on the master at all.
rob
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: [email protected] [[email protected]] on
behalf of Steven Jones [[email protected]]
Sent: Monday, 31 October 2011 1:47 p.m.
Cc: [email protected]
Subject: Re: [Freeipa-users] problem with replica install
Couple of logs I have found.....
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: [email protected] [[email protected]] on
behalf of Steven Jones [[email protected]]
Sent: Monday, 31 October 2011 10:03 a.m.
Cc: [email protected]
Subject: [Freeipa-users] problem with replica install
Hi,
I am getting this failure,
[root@vuwunicoipamt02 ipa]# ipa-replica-install --setup-dns
--forwarder=130.195.85.25 --forwarder=130.195.98.151 --no-reverse
/var/lib/ipa/replica-info-vuwunicoipamt02.unix.vuw.ac.nz.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'vuwunicoipamt01.unix.vuw.ac.nz':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: port 80 (80): OK
HTTP Server: port 443(https) (443): OK
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Password for [email protected]:
Execute check on remote master
Remote master check failed with following error message(s):
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.
On the first master my firewall ruleset is,
===========8><--------master firewall ruleset--------
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:88
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:464
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9443
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9444
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9445
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:7389
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9443
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9444
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9445
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:7389
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:88
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:464
==========8><------
Can't see what else I have missed......
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: [email protected] [[email protected]] on
behalf of Steven Jones [[email protected]]
Sent: Monday, 31 October 2011 8:21 a.m.
To: Simo Sorce
Cc: [email protected]
Subject: Re: [Freeipa-users] Unique world wide UIDS
Hi,
Yeah I kind of wondered after ipv4 being so well known that "we" only went to
32bit...
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: Simo Sorce [[email protected]]
Sent: Monday, 31 October 2011 3:41 a.m.
To: Steven Jones
Cc: Rob Crittenden; [email protected]
Subject: Re: [Freeipa-users] Unique world wide UIDS
I would rather lobby the Linux kernel people to give me 128bit IDs
That would solve all problems, as the chance of collision in a carefully
randomly selected 90something bit prefix are basically none.
Simo.
On Thu, 2011-10-27 at 20:40 +0000, Steven Jones wrote:
Yes I can appreciate that, we have done the same thing in '500'...
oops....
As an educational setup we are looking to federate worldwide, that
means Shibboleth or similar....a unique UID per academic world wide
might be worthwhile....there won't be 2billion
academics...students...well I guess that would one day be an "ipv4"
problem.
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: Rob Crittenden [[email protected]]
Sent: Friday, 28 October 2011 9:34 a.m.
To: Steven Jones
Cc: Adam Young; [email protected]
Subject: Re: [Freeipa-users] Unique world wide UIDS
Steven Jones wrote:
Hi,
Well if you understand Peak Oil and that the "green revolution" was
actually turning fossil fuel into food ie we eat oil....only having
2billion UIDs won't be a problem.
:/
Many, many organizations start with the same uid base, 500 or 1000. When
company A buys company B there are tons and tons of uid collisions. If
each started at a random start point then the chances of collision,
while not zero, are much lower.
Our goal wasn't to guarantee uniqueness in the universe, just to make
integration hopefully easier in the future when namespaces are merged.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Simo Sorce * Red Hat, Inc * New York
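An added example, not part of any message in this thread: a small Python audit that reads a firewall listing in the format posted above and reports, for each port named in the conncheck output, whether traffic from a given peer is accepted. The function names, SAMPLE_RULES and the 192.0.2.x addresses are constructed for illustration; only single-port `dpt:` rules are handled.

```python
import ipaddress
import re

# Ports enumerated by the conncheck output quoted in the thread.
CONNCHECK_PORTS = [("tcp", 389), ("tcp", 636), ("tcp", 88), ("udp", 88),
                   ("tcp", 464), ("udp", 464), ("tcp", 80), ("tcp", 443)]
# One rule line, in the format of the listing posted in the thread.
RULE = re.compile(r"^(ACCEPT|DROP|REJECT)\s+(tcp|udp)\s+--\s+(\S+)\s+\S+\s+(?:tcp|udp)\s+dpt:(\d+)")
# Copied from the master listing in the thread (conncheck ports only).
MASTER_RULES = """\
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:88
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:464
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:88
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:464
"""
# Constructed listing for a hypothetical second host (not from the thread).
SAMPLE_RULES = """\
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
ACCEPT tcp -- 192.0.2.10 0.0.0.0/0 tcp dpt:636
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:88
"""

def parse_rules(listing):
    rules = []
    for line in listing.splitlines():
        m = RULE.match(line.strip())
        if m:
            target, proto, src, port = m.groups()
            rules.append((target, proto, ipaddress.ip_network(src, strict=False), int(port)))
    return rules

def audit(listing, peer):
    """Map each conncheck port to the verdict for traffic from `peer`."""
    peer_ip, rules, result = ipaddress.ip_address(peer), parse_rules(listing), {}
    for proto, port in CONNCHECK_PORTS:
        status = "no rule"
        for target, r_proto, net, r_port in rules:
            if (r_proto, r_port) != (proto, port):
                continue
            if peer_ip in net:  # first matching rule decides, as in iptables
                status = "allowed" if target == "ACCEPT" else "blocked"
                break
            if target == "ACCEPT":
                status = "other source only"
        result[(proto, port)] = status
    return result
```

Run over the master rules from the thread, every conncheck port comes back "allowed", which matches the "Connection from replica to master is OK" result in the posted output.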