Rajnesh Kumar Siwal wrote:
We are trying to setup the IPA replication but it says "Connection
check failed!".
We disabled the firewall and found the same result.

[root@ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns
--forwarder /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
ipa         : DEBUG    /usr/sbin/ipa-replica-install was invoked with
argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options:
{'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False,
'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
'unattended': False, 'no_host_dns': False, 'ip_address': None,
'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
'setup_ca': True, 'forwarders': [CheckedIPAddress('')],
'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
ipa         : DEBUG    Loading Index file from
ipa         : DEBUG    Loading StateFile from
ipa         : DEBUG    Loading Index file from
Directory Manager (existing master) password:

ipa         : DEBUG    args=/usr/bin/gpg --batch --homedir
/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty
-o /tmp/tmpRGaqDpipa/files.tar -d
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=gpg: WARNING: unsafe permissions on
homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

ipa         : DEBUG    args=tar xf /tmp/tmpRGaqDpipa/files.tar -C
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
Run connection check to master
Check connection from replica to remote master 'ipa1.xyz.dmz':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
    PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
    Kerberos KDC: UDP (88): SKIPPED
    Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@xyz.dmz password:

Execute check on remote master
ad...@ipa1.xyz.dmz's password:

Remote master check failed with following error message(s):

ipa         : DEBUG    args=/usr/sbin/ipa-replica-conncheck --master
ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin
--hostname ipa2.xyz.dmz --check-ca
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.
Please suggest

Each server has its own iptables configuration.

The test from the replica to the master succeeded. What failed is the connection test from the master to the replica, so I'd look at the iptables configuration on the replica machine.

If that turns out ok it could be a false positive. You can add the --skip-conncheck to the ipa-replica-install command to skip this test.


Freeipa-users mailing list

Reply via email to