On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:


Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-<DOMAIN>/access.

-NGK

Matt

*From:*Nathan Kinder [mailto:nkin...@redhat.com]
*Sent:* Thursday, April 04, 2013 6:00 PM
*To:* Joseph, Matthew (EXP)
*Cc:* freeipa-users@redhat.com
*Subject:* EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:

    Hello,

    I'm trying to setup a replica server with ipa-2.2.0-16 on both the
    Server and the Replica Server.

    Here are the steps I ran (From the Red Hat 6.3 IdM Administration
    Guide);

    ------------------------

    *IPA_Server:*

    ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2

    scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@
    ipareplica:/var/lib/ipa/

    *IPA_Replica:*

    ipa-replica-install --setup-ca --setup-dns
    /var/lib/ipa/replica-info-ipareplica.exam ple.com.gpg

    ------------------------------

    Below is the error I am getting when running ipa-replica-install;

    Directory Manager (existing master) password:

    Run connection check to master

    Check connection from replica to remote master 'IPA_Server.domain.ca':

       Directory Service: Unsecure port (389): OK

       Directory Service: Secure port (636): OK

       Kerberos KDC: TCP (88): OK

       Kerberos Kpasswd: TCP (464): OK

       HTTP Server: Unsecure port (80): OK

       HTTP Server: Secure port (443): OK

       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be

    checked manually:

       Kerberos KDC: UDP (88): SKIPPED

       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.

    Start listening on required ports for remote master check

    Get credentials to log in to remote master

    ad...@domain.ca <mailto:ad...@domain.ca> password:

    Execute check on remote master

    Check connection from master to remote replica
    'IPA_Replica.domain.ca':

       Directory Service: Unsecure port (389): OK

       Directory Service: Secure port (636): OK

       Kerberos KDC: TCP (88): OK

       Kerberos KDC: UDP (88): OK

       Kerberos Kpasswd: TCP (464): OK

       Kerberos Kpasswd: UDP (464): OK

       HTTP Server: Unsecure port (80): OK

       HTTP Server: Secure port (443): OK

       PKI-CA: Directory Service port (7389): OK

    Connection from master to replica is OK.

    Connection check OK

    Configuring ntpd

      [1/4]: stopping ntpd

      [2/4]: writing configuration

      [3/4]: configuring ntpd to start on boot

      [4/4]: starting ntpd

    done configuring ntpd.

    Configuring directory server for the CA: Estimated time 30 seconds

      [1/3]: creating directory server user

      [2/3]: creating directory server instance

      [3/3]: restarting directory server

    done configuring pkids.

    Configuring certificate server: Estimated time 3 minutes 30 seconds

      [1/13]: creating certificate server user

      [2/13]: creating pki-ca instance

      [3/13]: configuring certificate server instance

      [4/13]: disabling nonces

      [5/13]: creating RA agent certificate database

      [6/13]: importing CA chain to RA certificate database

      [7/13]: fixing RA database permissions

      [8/13]: setting up signing cert profile

      [9/13]: set up CRL publishing

      [10/13]: set certificate subject base

      [11/13]: enabling Subject Key Identifier

      [12/13]: configuring certificate server to start on boot

      [13/13]: Configure HTTP to proxy connections

    done configuring pki-cad.

    Restarting the directory and certificate servers

    Configuring directory server: Estimated time 1 minute

      [1/30]: creating directory server user

      [2/30]: creating directory server instance

      [3/30]: adding default schema

      [4/30]: enabling memberof plugin

      [5/30]: enabling referential integrity plugin

      [6/30]: enabling winsync plugin

      [7/30]: configuring replication version plugin

      [8/30]: enabling IPA enrollment plugin

      [9/30]: enabling ldapi

      [10/30]: configuring uniqueness plugin

      [11/30]: configuring uuid plugin

      [12/30]: configuring modrdn plugin

      [13/30]: enabling entryUSN plugin

      [14/30]: configuring lockout plugin

      [15/30]: creating indices

      [16/30]: configuring ssl for ds instance

      [17/30]: configuring certmap.conf

      [18/30]: configure autobind for root

      [19/30]: configure new location for managed entries

      [20/30]: restarting directory server

      [21/30]: setting up initial replication

    Starting replication, please wait until this has completed.

    [IPA_Server.domain.ca] reports: Update failed! Status: [-11  -
    System error]

    creation of replica failed: Failed to start replication

    Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is
    the following error;

    NSMMReplicationPlugin -- agmt="cn=metoIPA_Server.domain.ca"
    (ipa_server:389): Replica has a different generation ID than the
    local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 -- System Error.

There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:

    #define LDAP_CONNECT_ERROR (-11)

It sounds like this connection error is occurring when it tries to initialize the replica. It might help to enable replication level logging on the master, then trying to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

Thanks,

Matt




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com  <mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to