Finally, I installed it with "--skip-conncheck":-
Now DNS fails to start.
I tried ipa-dns-install too:-

[root@ipa2 log]# ipa-dns-install
The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: yes
DNS is already configured in this IPA server.
[root@ipa2 log]# /etc/init.d/ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: STOPPED
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ipa2 log]# /etc/init.d/named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [FAILED]

---------------------------------------------------------------------------------------------
DNS logs :-
Feb  5 09:40:19 ipa2 named[19873]:
----------------------------------------------------
Feb  5 09:40:19 ipa2 named[19873]: BIND 9 is maintained by Internet
Systems Consortium,
Feb  5 09:40:19 ipa2 named[19873]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
Feb  5 09:40:19 ipa2 named[19873]: corporation.  Support and training
for BIND 9 are
Feb  5 09:40:19 ipa2 named[19873]: available at https://www.isc.org/support
Feb  5 09:40:19 ipa2 named[19873]:
----------------------------------------------------
Feb  5 09:40:19 ipa2 named[19873]: adjusted limit on open files from
102400 to 1048576
Feb  5 09:40:19 ipa2 named[19873]: found 2 CPUs, using 2 worker threads
Feb  5 09:40:19 ipa2 named[19873]: using up to 4096 sockets
Feb  5 09:40:19 ipa2 named[19873]: loading configuration from '/etc/named.conf'
Feb  5 09:40:19 ipa2 named[19873]: using default UDP/IPv4 port range:
[1024, 65535]
Feb  5 09:40:19 ipa2 named[19873]: using default UDP/IPv6 port range:
[1024, 65535]
Feb  5 09:40:19 ipa2 named[19873]: listening on IPv6 interfaces, port 53
Feb  5 09:40:19 ipa2 named[19873]: listening on IPv4 interface lo, 127.0.0.1#53
Feb  5 09:40:19 ipa2 named[19873]: listening on IPv4 interface eth0,
172.31.254.205#53
Feb  5 09:40:19 ipa2 named[19873]: generating session key for dynamic DNS
Feb  5 09:40:19 ipa2 named[19873]: sizing zone task pool based on 6 zones
Feb  5 09:40:19 ipa2 named[19873]: set up managed keys zone for view
_default, file 'dynamic/managed-keys.bind'
Feb  5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Mutual
authentication failed)
Feb  5 09:40:19 ipa2 named[19873]: bind to LDAP server failed: Local error
Feb  5 09:40:19 ipa2 named[19873]: loading configuration: failure
Feb  5 09:40:19 ipa2 named[19873]: exiting (due to fatal error)
Feb  5 09:40:28 ipa2 kernel: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:22:6b:12:99:bc:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP
SPT=68 DPT=67 LEN=308
[root@ipa2 log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@xyz.dmz
Valid starting     Expires            Service principal
02/05/13 14:32:56  02/06/13 14:32:24  krbtgt/xyz....@xyz.dmz
02/05/13 14:33:16  02/06/13 14:31:34  ldap/ipa2.xyz....@xyz.dmz



On Tue, Feb 5, 2013 at 7:45 PM, Rajnesh Kumar Siwal
<rajnesh.si...@gmail.com> wrote:
> Hi Rob,
>
> Thanks for the quick reply.
> I tried logging iptables on the replica also, but there is no log for a dropped packet :-
> I would appreciate it if you could please let me know what these logins actually
> do.
> 1. Looks to me as getting a TGT for admin
> 2. Is it trying to log in through ssh to the ipa1 server?
> ----------------------------------------------------------------------
> Get credentials to log in to remote master
>  ad...@xyz.dmz password:
>
>  Execute check on remote master
>  ad...@ipa1.xyz.dmz's password:
> ----------------------------------------------------------------------
>
> SELINUX is disabled at both the ends.
>
> Is there any other log file that may suggest something?
> It would be great if we could figure out what's the cause of the error.
> -----------------------------------------------------------------------------------------------------------------------
>
> On Tue, Feb 5, 2013 at 7:35 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Rajnesh Kumar Siwal wrote:
>>>
>>> We are trying to setup the IPA replication but it says "Connection
>>> check failed!".
>>> We disabled the firewall and found the same result.
>>>
>>>
>>> -----------------------------------------------------------------------------------------------------------------------
>>> [root@ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns
>>> --forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>>> ipa         : DEBUG    /usr/sbin/ipa-replica-install was invoked with
>>> argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options:
>>> {'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False,
>>> 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
>>> 'unattended': False, 'no_host_dns': False, 'ip_address': None,
>>> 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
>>> 'setup_ca': True, 'forwarders': [CheckedIPAddress('64.71.0.60')],
>>> 'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
>>> ipa         : DEBUG    Loading Index file from
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> ipa         : DEBUG    Loading StateFile from
>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>> ipa         : DEBUG    Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> Directory Manager (existing master) password:
>>>
>>> ipa         : DEBUG    args=/usr/bin/gpg --batch --homedir
>>> /tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty
>>> -o /tmp/tmpRGaqDpipa/files.tar -d
>>> /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>>> ipa         : DEBUG    stdout=
>>> ipa         : DEBUG    stderr=gpg: WARNING: unsafe permissions on
>>> homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
>>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
>>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
>>> gpg: 3DES encrypted data
>>> gpg: encrypted with 1 passphrase
>>> gpg: WARNING: message was not integrity protected
>>>
>>> ipa         : DEBUG    args=tar xf /tmp/tmpRGaqDpipa/files.tar -C
>>> /tmp/tmpRGaqDpipa
>>> ipa         : DEBUG    stdout=
>>> ipa         : DEBUG    stderr=
>>> Run connection check to master
>>> Check connection from replica to remote master 'ipa1.xyz.dmz':
>>>     Directory Service: Unsecure port (389): OK
>>>     Directory Service: Secure port (636): OK
>>>     Kerberos KDC: TCP (88): OK
>>>     Kerberos Kpasswd: TCP (464): OK
>>>     HTTP Server: Unsecure port (80): OK
>>>     HTTP Server: Secure port (443): OK
>>>     PKI-CA: Directory Service port (7389): OK
>>>
>>> The following list of ports use UDP protocol and would need to be
>>> checked manually:
>>>     Kerberos KDC: UDP (88): SKIPPED
>>>     Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>> Connection from replica to master is OK.
>>> Start listening on required ports for remote master check
>>> Get credentials to log in to remote master
>>> ad...@xyz.dmz password:
>>>
>>> Execute check on remote master
>>> ad...@ipa1.xyz.dmz's password:
>>>
>>> Remote master check failed with following error message(s):
>>>
>>> ipa         : DEBUG    args=/usr/sbin/ipa-replica-conncheck --master
>>> ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin
>>> --hostname ipa2.xyz.dmz --check-ca
>>> Connection check failed!
>>> Please fix your network settings according to error messages above.
>>> If the check results are not valid it can be skipped with
>>> --skip-conncheck parameter.
>>>
>>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>>> Please suggest
>>
>>
>> Each server has its own iptables configuration.
>>
>> The test from the replica to the master succeeded. What failed is the
>> connection test from the master to the replica, so I'd look at the iptables
>> configuration on the replica machine.
>>
>> If that turns out ok it could be a false positive. You can add the
>> --skip-conncheck to the ipa-replica-install command to skip this test.
>>
>> rob
>
>
>
> --
> Regards,
> Rajnesh Kumar Siwal



-- 
Regards,
Rajnesh Kumar Siwal
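Rob's point is that the conncheck has two directions: the replica-to-master test above passed, while the master-to-replica test (the one that needs the replica's own iptables to admit the connections) failed. The following is an added example for this thread, not FreeIPA's own ipa-replica-conncheck code: a minimal TCP reachability checker built from the port table printed in the conncheck output above, meant to be run from the master against the replica host to confirm which of those ports are actually reachable. The function names, the CLI and the output wording are assumptions for illustration; UDP 88/464 are left unchecked, as in the original tool's output.

```python
#!/usr/bin/env python3
"""Stand-alone TCP port reachability check modelled on the port list that
ipa-replica-conncheck prints (added example, not FreeIPA's own code)."""
import socket
import sys
from typing import Dict, List, Tuple

# TCP ports listed in the conncheck output in this thread. UDP 88/464 are
# skipped here too, since a plain connect() cannot confirm a UDP listener.
IPA_TCP_PORTS: List[Tuple[str, int]] = [
    ("Directory Service: Unsecure port", 389),
    ("Directory Service: Secure port", 636),
    ("Kerberos KDC: TCP", 88),
    ("Kerberos Kpasswd: TCP", 464),
    ("HTTP Server: Unsecure port", 80),
    ("HTTP Server: Secure port", 443),
    ("PKI-CA: Directory Service port", 7389),
]


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout.

    A refused connection (RST) and a timeout (packet silently dropped, e.g.
    by an iptables DROP rule) both count as closed; the caller only needs
    to know that the master could not reach the replica on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str,
                ports: List[Tuple[str, int]] = IPA_TCP_PORTS,
                timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every (label, port) pair and map 'label (port)' -> reachable."""
    return {f"{label} ({port})": tcp_port_open(host, port, timeout)
            for label, port in ports}


def report(host: str, results: Dict[str, bool]) -> str:
    """Render results in the same shape as the conncheck output above."""
    lines = [f"Check connection to '{host}':"]
    for label, ok in results.items():
        lines.append(f"    {label}: {'OK' if ok else 'FAILED'}")
    failed = [label for label, ok in results.items() if not ok]
    if failed:
        lines.append(f"Connection check failed: {len(failed)} port(s) unreachable.")
    else:
        lines.append("Connection check OK.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage (run on the master): ./conncheck_tcp.py ipa2.xyz.dmz
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_ports(target)
    print(report(target, results))
    sys.exit(0 if all(results.values()) else 1)
```

A port that shows FAILED here while the service is RUNNING on the replica points at a filter between the two hosts (the replica's iptables, in Rob's reading) rather than at the service itself; a port that is FAILED and whose service is STOPPED, like DNS in the status output above, has to be fixed on the replica first.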

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
