Dan Scott wrote:
Hi,

Recently I've had some crash/hang problems with my FreeIPA 2
installation which appear solved using the updates-testing version of
freeipa-server (2.1.4-2.fc16.x86_64) which I'm currently running on
both servers (as a quick aside, does anyone know when 2.1.4 will be
released to the main repos?).

I'm still having problems creating replicas however. The replication
process mostly completes, but fails with:

Restarting IPA to initialize updates before performing deletes:
   [1/2]: stopping directory server
   [2/2]: starting directory server
done configuring dirsrv.
creation of replica failed: Command '/bin/systemctl restart
krb5kdc.service' returned non-zero exit status 1

You'd need to see why the kdc is failing to start. /var/log/krb5kdc.log is a place to start. dmesg/messages may have info, as well as systemctl status service.krb5kdc.


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@fileserver4 ~]#

The replication appears to be working, but I'd like to have the
configuration complete successfully to be sure.

If I use the --setup-ca option, the process fails even earlier:

Configuring certificate server: Estimated time 3 minutes 30 seconds
   [1/12]: creating certificate server user
   [2/12]: creating pki-ca instance
   [3/12]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'fileserver4.example.com' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-0h0omd' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
'Vi8OHzzN0yjMDcqMv3aD' '-domain_name' 'IPA' '-admin_user' 'admin'
'-admin_email' 'root@localhost' '-admin_password' XXXXXXXX
'-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
'-agent_key_type' 'rsa' '-agent_cert_subject'
'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'fileserver4.example.com'
'-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
'-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
'-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name'
'CN=fileserver4.example.com,O=EXAMPLE.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname'
'fileserver1.example.com' '-sd_admin_port' '443' '-sd_admin_name'
'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
'-clone_uri' 'https://fileserver1.example.com:443'' returned non-zero
exit status 255
creation of replica failed: Configuration of CA failed

You need to look in /var/log/pki-ca/debug to determine where it failed. IIRC the last time we looked at this there was some issue with the security domain.

rob


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@fileserver4 ~]#

I'm running 389-ds-base-1.2.10-0.5.a5.fc16.x86_64, if that helps

Can anyone help to fix this? I can send the log file from either
attempt to someone if that would help.

Thanks,

Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
