Hello Marco,

judging from the output you sent, it looks like you had an installed
replica on freeipa03, then stopped it with "ipactl stop" and after that
tried to run ipa-replica-install again - krb5.conf and /var/log/messages
you sent would support this theory.

IPA replica agreement should be first removed with "ipa-replica-manage
del <replica>" on freeipa01 and then uninstalled with
"ipa-server-install --uninstall" before you try to install it again.

Martin
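A small triage script, added here and not part of either message, that pulls the two pieces of evidence Martin relied on out of a krb5.conf and a /var/log/messages excerpt: whether the realm's kdc entry points at the host itself instead of the master, and whether ipactl started and later stopped the IPA services (plus any systemd units that entered a failed state). The sample inputs are constructed from the excerpts in the thread and the function names are my own.

```python
import re

# Constructed sample mirroring the thread: krb5.conf whose [realms] kdc is
# freeipa03 itself, and syslog lines where ipactl starts, then stops, IPA.
KRB5_CONF = """[realms]
 UNIX.MYDOMAIN.IT = {
  kdc = freeipa03.unix.mydomain.it:88
  admin_server = freeipa03.unix.mydomain.it:749
 }

[dbmodules]
  UNIX.MYDOMAIN.IT = {
    db_library = ipadb.so
  }
"""
MESSAGES = """Mar 20 12:04:13 freeipa03 ipactl[974]: Starting Directory Service
Mar 20 12:04:13 freeipa03 ipactl[974]: Starting KDC Service
Mar 20 12:32:08 freeipa03 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.
Mar 20 12:32:24 freeipa03 systemd[1]: Unit kadmin.service entered failed state.
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping KDC Service
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping Directory Service
"""

def realm_kdcs(conf, realm):
    """kdc= hosts for `realm`, read from the [realms] section only
    (the same realm name also appears under [dbmodules])."""
    section = re.search(r"\[realms\](.*?)(?=^\[|\Z)", conf, re.S | re.M)
    if not section:
        return []
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", section.group(1), re.S)
    if not block:
        return []
    hosts = re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M)
    return [h.split(":")[0] for h in hosts]  # strip the :88 port

def ipactl_actions(log):
    """Ordered (action, service) pairs from ipactl's Starting/Stopping lines."""
    return re.findall(r"ipactl\[\d+\]: (Starting|Stopping) (.+?) Service$", log, re.M)

def diagnose(conf, log, host, realm, master):
    """Collect evidence that `host` already ran an IPA replica that was stopped."""
    findings = []
    kdcs = realm_kdcs(conf, realm)
    if host in kdcs and master not in kdcs:
        findings.append(f"krb5.conf lists {host} (not master {master}) as KDC")
    actions = [a for a, _ in ipactl_actions(log)]
    if "Starting" in actions and "Stopping" in actions:
        findings.append("ipactl started and later stopped the IPA services")
    for unit in re.findall(r"Unit (\S+) entered failed state", log):
        findings.append(f"systemd unit {unit} entered failed state")
    return findings
```

If `diagnose` returns the krb5.conf and ipactl findings together, the host is a half-torn-down replica and the clean-up order Martin gives (delete the agreement on the master, then uninstall on the replica) applies before any reinstall.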

On Tue, 2012-03-20 at 12:58 +0100, Marco Pizzoli wrote:
> Hi guys,
> I'm running this version of FreeIPA:
> 
> 
> [root@freeipa03 ~]# rpm -qa|grep freeipa
> freeipa-server-selinux-2.1.90.rc1-0.fc16.x86_64
> freeipa-server-2.1.90.rc1-0.fc16.x86_64
> freeipa-admintools-2.1.90.rc1-0.fc16.x86_64
> freeipa-client-2.1.90.rc1-0.fc16.x86_64
> freeipa-python-2.1.90.rc1-0.fc16.x86_64
> 
> 
> 
> 
> I'm having this problem:
> 
> 
> [root@freeipa03 ~]# ipa-replica-install --setup-dns
> --no-forwarders /var/lib/ipa/replica-info-freeipa03.unix.mydomain.it.gpg
> Directory Manager (existing master) password:
> 
> 
> Run connection check to master
> Check connection from replica to remote master
> 'freeipa01.unix.mydomain.it':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
> 
> 
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
> 
> 
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@unix.mydomain.it password:
> 
> 
> Cannot acquire Kerberos ticket: kinit: Invalid message type while
> getting initial credentials
> 
> 
> Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with
> --skip-conncheck parameter.
> 
> 
> -------------------
> I don't have any firewall between freeipa03 and freeipa01.
> 
> 
> This is what I have in my /var/log/messages file:
> 
> 
> 
> 
> Mar 20 12:03:51 freeipa03 sssd: Starting up
> Mar 20 12:03:51 freeipa03 sssd[be[unix.mydomain.it]]: Starting up
> Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found:
> 0.fedora.pool.ntp.org
> Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found:
> 1.fedora.pool.ntp.org
> Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found:
> 2.fedora.pool.ntp.org
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Successfully called
> chroot().
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Successfully dropped
> remaining capabilities.
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Loading service
> file /services/ssh.service.
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Loading service
> file /services/udisks.service.
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Network interface
> enumeration completed.
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Registering HINFO record
> with values 'X86_64'/'LINUX'.
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Server startup complete.
> Host name is freeipa03.local. Local service cookie is 3668475942.
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Service
> "freeipa03" (/services/udisks.service) successfully established.
> Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Service
> "freeipa03" (/services/ssh.service) successfully established.
> Mar 20 12:03:52 freeipa03 systemd-logind[764]: New seat seat0.
> Mar 20 12:03:53 freeipa03 sssd[pam]: Starting up
> Mar 20 12:03:53 freeipa03 sssd[nss]: Starting up
> Mar 20 12:03:53 freeipa03 network[765]: Bringing up loopback
> interface:  [  OK  ]
> Mar 20 12:03:54 freeipa03 kernel: [   25.724015] e1000: eth0 NIC Link
> is Up 1000 Mbps Full Duplex, Flow Control: None
> Mar 20 12:03:55 freeipa03 avahi-daemon[734]: Registering new address
> record for fe80::20c:29ff:fedc:9788 on eth0.*.
> Mar 20 12:03:56 freeipa03 avahi-daemon[734]: Joining mDNS multicast
> group on interface eth0.IPv4 with address 192.168.146.134.
> Mar 20 12:03:56 freeipa03 avahi-daemon[734]: New relevant interface
> eth0.IPv4 for mDNS.
> Mar 20 12:03:56 freeipa03 avahi-daemon[734]: Registering new address
> record for 192.168.146.134 on eth0.IPv4.
> Mar 20 12:03:56 freeipa03 network[765]: Bringing up interface eth0:
>  [  OK  ]
> Mar 20 12:03:57 freeipa03 kernel: [   28.697268] 8021q: 802.1Q VLAN
> Support v1.8
> Mar 20 12:03:57 freeipa03 kernel: [   28.697283] 8021q: adding VLAN 0
> to HW filter on device eth0
> Mar 20 12:03:57 freeipa03 rpc.statd[994]: Version 1.2.5 starting
> Mar 20 12:03:57 freeipa03 ntpd[741]: Listen normally on 4 eth0
> 192.168.146.134 UDP 123
> Mar 20 12:03:57 freeipa03 ntpd[741]: Listen normally on 5 eth0
> fe80::20c:29ff:fedc:9788 UDP 123
> Mar 20 12:03:57 freeipa03 ntpd[741]: peers refreshed
> Mar 20 12:03:57 freeipa03 sm-notify[995]: Version 1.2.5 starting
> Mar 20 12:03:58 freeipa03 systemd[1]: PID file /run/sendmail.pid not
> readable (yet?) after start.
> Mar 20 12:04:04 freeipa03 ntpd_intres[773]: host name not found:
> 0.fedora.pool.ntp.org
> Mar 20 12:04:07 freeipa03 systemd[1]: PID file /var/run/krb5kdc.pid
> not readable (yet?) after start.
> Mar 20 12:04:09 freeipa03 ntpd_intres[773]: host name not found:
> 1.fedora.pool.ntp.org
> Mar 20 12:04:10 freeipa03 named[1113]: starting BIND
> 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16 -u named
> Mar 20 12:04:10 freeipa03 named[1113]: built with
> '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
> '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
> '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--enable-exportlib'
> '--with-export-libdir=/usr/lib64'
> '--with-export-includedir=/usr/include'
> '--includedir=/usr/include/bind9'
> '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
> 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro '
> 'CPPFLAGS= -DDIG_SIGCHASE'
> Mar 20 12:04:10 freeipa03 named[1113]:
> ----------------------------------------------------
> Mar 20 12:04:10 freeipa03 named[1113]: BIND 9 is maintained by
> Internet Systems Consortium,
> Mar 20 12:04:10 freeipa03 named[1113]: Inc. (ISC), a non-profit
> 501(c)(3) public-benefit
> Mar 20 12:04:10 freeipa03 named[1113]: corporation.  Support and
> training for BIND 9 are
> Mar 20 12:04:10 freeipa03 named[1113]: available at
> https://www.isc.org/support
> Mar 20 12:04:10 freeipa03 named[1113]:
> ----------------------------------------------------
> Mar 20 12:04:10 freeipa03 named[1113]: adjusted limit on open files
> from 4096 to 1048576
> Mar 20 12:04:10 freeipa03 named[1113]: found 1 CPU, using 1 worker
> thread
> Mar 20 12:04:10 freeipa03 named[1113]: using up to 4096 sockets
> Mar 20 12:04:10 freeipa03 named[1113]: loading configuration from
> '/etc/named.conf'
> Mar 20 12:04:10 freeipa03 named[1113]: using default UDP/IPv4 port
> range: [1024, 65535]
> Mar 20 12:04:10 freeipa03 named[1113]: using default UDP/IPv6 port
> range: [1024, 65535]
> Mar 20 12:04:10 freeipa03 named[1113]: listening on IPv6 interfaces,
> port 53
> Mar 20 12:04:10 freeipa03 named[1113]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Mar 20 12:04:10 freeipa03 named[1113]: listening on IPv4 interface
> eth0, 192.168.146.134#53
> Mar 20 12:04:10 freeipa03 named[1113]: generating session key for
> dynamic DNS
> Mar 20 12:04:10 freeipa03 named[1113]: sizing zone task pool based on
> 6 zones
> Mar 20 12:04:10 freeipa03 named[1113]: set up managed keys zone for
> view _default, file 'managed-keys.bind'
> Mar 20 12:04:10 freeipa03 named[1113]: Warning:
> 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
> empty zones
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 127.IN-ADDR.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 254.169.IN-ADDR.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 2.0.192.IN-ADDR.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 100.51.198.IN-ADDR.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 113.0.203.IN-ADDR.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 255.255.255.255.IN-ADDR.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> D.F.IP6.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 8.E.F.IP6.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 9.E.F.IP6.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> A.E.F.IP6.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> B.E.F.IP6.ARPA
> Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone:
> 8.B.D.0.1.0.0.2.IP6.ARPA
> Mar 20 12:04:11 freeipa03 named[1113]: command channel listening on
> 127.0.0.1#953
> Mar 20 12:04:11 freeipa03 named[1113]: command channel listening
> on ::1#953
> Mar 20 12:04:11 freeipa03 named[1113]: zone 0.in-addr.arpa/IN: loaded
> serial 0
> Mar 20 12:04:11 freeipa03 named[1113]: zone 1.0.0.127.in-addr.arpa/IN:
> loaded serial 0
> Mar 20 12:04:11 freeipa03 named[1113]: zone
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: 
> loaded serial 0
> Mar 20 12:04:11 freeipa03 named[1113]: zone localhost.localdomain/IN:
> loaded serial 0
> Mar 20 12:04:11 freeipa03 named[1113]: zone localhost/IN: loaded
> serial 0
> Mar 20 12:04:11 freeipa03 named[1113]: managed-keys-zone ./IN: loaded
> serial 0
> Mar 20 12:04:11 freeipa03 named[1113]: running
> Mar 20 12:04:11 freeipa03 named[1107]: Starting named: [  OK  ]
> Mar 20 12:04:12 freeipa03 systemd[1]: PID
> file /var/run/httpd/httpd.pid not readable (yet?) after start.
> Mar 20 12:04:13 freeipa03 ipactl[974]: Starting Directory Service
> Mar 20 12:04:13 freeipa03 ipactl[974]: Starting KDC Service
> Mar 20 12:04:13 freeipa03 ipactl[974]: Starting KPASSWD Service
> Mar 20 12:04:13 freeipa03 ipactl[974]: Starting DNS Service
> Mar 20 12:04:13 freeipa03 ipactl[974]: Starting HTTP Service
> Mar 20 12:04:13 freeipa03 ipactl[974]: Starting CA Service
> Mar 20 12:04:14 freeipa03 ntpd_intres[773]: host name not found:
> 2.fedora.pool.ntp.org
> Mar 20 12:04:17 freeipa03 kernel: [   49.099554] hrtimer: interrupt
> took 17369081 ns
> Mar 20 12:05:15 freeipa03 systemd[1]: Startup finished in 2s 98ms
> 878us (kernel) + 5s 40ms 620us (initrd) + 1min 40s 13ms 749us
> (userspace) = 1min 47s 153ms 247us.
> Mar 20 12:06:18 freeipa03 ntpd_intres[773]: host name not found:
> 0.fedora.pool.ntp.org
> Mar 20 12:06:23 freeipa03 ntpd_intres[773]: host name not found:
> 1.fedora.pool.ntp.org
> Mar 20 12:06:28 freeipa03 ntpd_intres[773]: host name not found:
> 2.fedora.pool.ntp.org
> Mar 20 12:09:59 freeipa03 systemd-logind[764]: New session 1 of user
> root.
> Mar 20 12:10:35 freeipa03 ntpd_intres[773]: host name not found:
> 0.fedora.pool.ntp.org
> Mar 20 12:10:40 freeipa03 ntpd_intres[773]: host name not found:
> 1.fedora.pool.ntp.org
> Mar 20 12:10:45 freeipa03 ntpd_intres[773]: host name not found:
> 2.fedora.pool.ntp.org
> Mar 20 12:16:31 freeipa03 python: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Credentials cache
> file '/tmp/krb5cc_0' not found)
> Mar 20 12:18:28 freeipa03 systemd-tmpfiles[1438]: Successfully loaded
> SELinux database in 232ms 225us, size on heap is 485K.
> Mar 20 12:18:29 freeipa03 systemd-tmpfiles[1438]: Two or more
> conflicting lines for /var/run/dirsrv configured, ignoring.
> Mar 20 12:18:29 freeipa03 systemd-tmpfiles[1438]: Two or more
> conflicting lines for /var/lock/dirsrv configured, ignoring.
> Mar 20 12:18:48 freeipa03 ntpd_intres[773]: DNS 0.fedora.pool.ntp.org
> -> 212.45.144.206
> Mar 20 12:18:49 freeipa03 ntpd_intres[773]: DNS 1.fedora.pool.ntp.org
> -> 212.45.144.88
> Mar 20 12:18:49 freeipa03 ntpd_intres[773]: DNS 2.fedora.pool.ntp.org
> -> 77.242.176.254
> Mar 20 12:19:49 freeipa03 ntpd[741]: frequency error 531 PPM exceeds
> tolerance 500 PPM
> Mar 20 12:24:45 freeipa03 systemd-logind[764]: New session 2 of user
> root.
> Mar 20 12:24:46 freeipa03 systemd-logind[764]: Removed session 2.
> Mar 20 12:27:46 freeipa03 ntpd[741]: frequency error 558 PPM exceeds
> tolerance 500 PPM
> Mar 20 12:29:56 freeipa03 ntpd[741]: frequency error 516 PPM exceeds
> tolerance 500 PPM
> Mar 20 12:32:08 freeipa03 systemd[1]: pki-cad@pki-ca.service: main
> process exited, code=exited, status=143
> Mar 20 12:32:08 freeipa03 systemd[1]: Unit pki-cad@pki-ca.service
> entered failed state.
> Mar 20 12:32:21 freeipa03 named[1113]: received control channel
> command 'stop'
> Mar 20 12:32:21 freeipa03 named[1113]: shutting down: flushing changes
> Mar 20 12:32:21 freeipa03 named[1113]: stopping command channel on
> 127.0.0.1#953
> Mar 20 12:32:21 freeipa03 named[1113]: stopping command channel
> on ::1#953
> Mar 20 12:32:21 freeipa03 named[1113]: no longer listening on ::#53
> Mar 20 12:32:21 freeipa03 named[1113]: no longer listening on
> 127.0.0.1#53
> Mar 20 12:32:21 freeipa03 named[1113]: no longer listening on
> 192.168.146.134#53
> Mar 20 12:32:22 freeipa03 named[1113]: exiting
> Mar 20 12:32:23 freeipa03 named[1538]: Stopping named: .[  OK  ]
> Mar 20 12:32:24 freeipa03 systemd[1]: kadmin.service: main process
> exited, code=exited, status=2
> Mar 20 12:32:24 freeipa03 systemd[1]: Unit kadmin.service entered
> failed state.
> Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping CA Service
> Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping HTTP Service
> Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping DNS Service
> Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping KPASSWD Service
> Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping KDC Service
> Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping Directory Service
> Mar 20 12:36:43 freeipa03 ntpd[741]: frequency error 546 PPM exceeds
> tolerance 500 PPM
> Mar 20 12:48:50 freeipa03 ntpd[741]: frequency error 579 PPM exceeds
> tolerance 500 PPM
> 
> 
> 
> 
> 
> 
> I can add this info:
> 
> 
> [root@freeipa03 ~]# kinit admin
> kinit: Cannot contact any KDC for realm 'UNIX.MYDOMAIN.IT' while
> getting initial credentials
> 
> 
> [root@freeipa03 ~]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> 
> [libdefaults]
>  default_realm = UNIX.MYDOMAIN.IT
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> 
> [realms]
>  UNIX.MYDOMAIN.IT = {
>   kdc = freeipa03.unix.mydomain.it:88
>   admin_server = freeipa03.unix.mydomain.it:749
>   default_domain = unix.mydomain.it
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
> 
> [domain_realm]
>  .unix.mydomain.it = UNIX.MYDOMAIN.IT
>  unix.mydomain.it = UNIX.MYDOMAIN.IT
> 
> 
> [dbmodules]
> #  UNIX.MYDOMAIN.IT = {
> #    db_library = kldap
> #    ldap_servers = ldapi://%2fvar%2frun%
> 2fslapd-UNIX-MYDOMAIN-IT.socket
> #    ldap_kerberos_container_dn =
> cn=kerberos,dc=unix,dc=mydomain,dc=it
> #    ldap_kdc_dn =
> uid=kdc,cn=sysaccounts,cn=etc,dc=unix,dc=mydomain,dc=it
> #    ldap_kadmind_dn =
> uid=kdc,cn=sysaccounts,cn=etc,dc=unix,dc=mydomain,dc=it
> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> #  }
> 
> 
>   UNIX.MYDOMAIN.IT = {
>     db_library = ipadb.so
>   }
> 
> 
> 
> 
> Thanks as usual
> Marco
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

