Rajnesh Kumar Siwal wrote:
We are trying to set up the IPA replication but it says "Connection
check failed!".
We disabled the firewall and found the same result.

-----------------------------------------------------------------------------------------------------------------------
[root@ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns
--forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
ipa         : DEBUG    /usr/sbin/ipa-replica-install was invoked with
argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options:
{'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False,
'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
'unattended': False, 'no_host_dns': False, 'ip_address': None,
'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
'setup_ca': True, 'forwarders': [CheckedIPAddress('64.71.0.60')],
'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
ipa         : DEBUG    Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa         : DEBUG    Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipa         : DEBUG    Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
Directory Manager (existing master) password:

ipa         : DEBUG    args=/usr/bin/gpg --batch --homedir
/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty
-o /tmp/tmpRGaqDpipa/files.tar -d
/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=gpg: WARNING: unsafe permissions on
homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

ipa         : DEBUG    args=tar xf /tmp/tmpRGaqDpipa/files.tar -C
/tmp/tmpRGaqDpipa
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
Run connection check to master
Check connection from replica to remote master 'ipa1.xyz.dmz':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
    PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
    Kerberos KDC: UDP (88): SKIPPED
    Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@xyz.dmz password:

Execute check on remote master
ad...@ipa1.xyz.dmz's password:

Remote master check failed with following error message(s):

ipa         : DEBUG    args=/usr/sbin/ipa-replica-conncheck --master
ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin
--hostname ipa2.xyz.dmz --check-ca
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Please suggest.

Each server has its own iptables configuration.

The test from the replica to the master succeeded. What failed is the connection test from the master to the replica, so I'd look at the iptables configuration on the replica machine.

If that turns out ok it could be a false positive. You can add the --skip-conncheck to the ipa-replica-install command to skip this test.

rob
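To act on the advice above, here is an added example (not FreeIPA's own tooling, and not code from the thread) that audits a replica's iptables INPUT chain for the ports listed in the conncheck output and can probe a port from the master side. The required-port table is taken from the check output quoted above; the iptables rule text is constructed sample data, not from a real host, and the helper names (`allowed_ports`, `missing_rules`, `probe_tcp`) are mine.

```python
"""Audit a FreeIPA replica's host firewall for the ports the master-to-replica
connection check needs, and probe a port from the master side.

Added example, not FreeIPA's own tooling. The port list is the one printed by
ipa-replica-conncheck in the thread; SAMPLE_IPTABLES is constructed data.
"""
import re
import socket

# Ports ipa-replica-conncheck verifies (from the output in the thread).
REQUIRED_PORTS = {
    ("tcp", 389): "Directory Service: Unsecure port",
    ("tcp", 636): "Directory Service: Secure port",
    ("tcp", 88): "Kerberos KDC",
    ("udp", 88): "Kerberos KDC",
    ("tcp", 464): "Kerberos Kpasswd",
    ("udp", 464): "Kerberos Kpasswd",
    ("tcp", 80): "HTTP Server: Unsecure port",
    ("tcp", 443): "HTTP Server: Secure port",
    ("tcp", 7389): "PKI-CA: Directory Service port",
}

# Matches rules in `iptables -S INPUT` form, e.g.
#   -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
#   -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
_RULE_RE = re.compile(
    r"^-A INPUT\b.*?-p (?P<proto>tcp|udp)\b.*?--dports? (?P<ports>[\d,:]+)"
    r".*?-j (?P<target>\S+)"
)


def _expand_ports(spec):
    """Expand '80,443' or '88:90' style port specs into a set of ints."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def allowed_ports(iptables_save_text):
    """Return the (proto, port) pairs whose first matching INPUT rule is ACCEPT.

    iptables evaluates rules top-down and stops at the first match, so only
    the first rule naming a given protocol/port decides its fate here.
    """
    decided = {}
    for line in iptables_save_text.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        for port in _expand_ports(m.group("ports")):
            key = (m.group("proto"), port)
            if key not in decided:
                decided[key] = m.group("target")
    return {k for k, target in decided.items() if target == "ACCEPT"}


def missing_rules(iptables_save_text):
    """Return required (proto, port) pairs that have no ACCEPT rule, sorted."""
    ok = allowed_ports(iptables_save_text)
    return sorted(k for k in REQUIRED_PORTS if k not in ok)


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds; run this on the master
    against the replica's hostname to reproduce the failing direction."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: a replica whose firewall opens LDAP and HTTP but rejects
# Kerberos and never mentions Kpasswd or the CA's directory port.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    # On a real replica, feed in `iptables -S INPUT` output instead.
    for proto, port in missing_rules(SAMPLE_IPTABLES):
        name = REQUIRED_PORTS[(proto, port)]
        print(f"no ACCEPT rule for {name}: {proto.upper()} {port}")
```

The parser covers both TCP and UDP rules, so it also catches the two UDP ports the check reports as SKIPPED; `probe_tcp` only exercises TCP, matching what the automated check does. Run the audit on the replica with the real `iptables -S INPUT` output, and run the probe from the master, since the replica-to-master direction already passed.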

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
