On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:

Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-<DOMAIN>/access.

-NGK

Matt

*From:*Nathan Kinder [mailto:nkin...@redhat.com]
*Sent:* Thursday, April 04, 2013 6:00 PM
*To:* Joseph, Matthew (EXP)
*Cc:* freeipa-users@redhat.com
*Subject:* EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:

    Hello,

    I'm trying to setup a replica server with ipa-2.2.0-16 on both the
    Server and the Replica Server.

    Here are the steps I ran (From the Red Hat 6.3 IdM Administration
    Guide);

    ------------------------

    *IPA_Server:*

    ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2

    scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

    *IPA_Replica:*

    ipa-replica-install --setup-ca --setup-dns
    /var/lib/ipa/replica-info-ipareplica.example.com.gpg

    ------------------------------

    Below is the error I am getting when running ipa-replica-install;

    Directory Manager (existing master) password:

    Run connection check to master

    Check connection from replica to remote master 'IPA_Server.domain.ca':

       Directory Service: Unsecure port (389): OK

       Directory Service: Secure port (636): OK

       Kerberos KDC: TCP (88): OK

       Kerberos Kpasswd: TCP (464): OK

       HTTP Server: Unsecure port (80): OK

       HTTP Server: Secure port (443): OK

       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be

    checked manually:

       Kerberos KDC: UDP (88): SKIPPED

       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.

    Start listening on required ports for remote master check

    Get credentials to log in to remote master

    ad...@domain.ca password:

    Execute check on remote master

    Check connection from master to remote replica
    'IPA_Replica.domain.ca':

       Directory Service: Unsecure port (389): OK

       Directory Service: Secure port (636): OK

       Kerberos KDC: TCP (88): OK

       Kerberos KDC: UDP (88): OK

       Kerberos Kpasswd: TCP (464): OK

       Kerberos Kpasswd: UDP (464): OK

       HTTP Server: Unsecure port (80): OK

       HTTP Server: Secure port (443): OK

       PKI-CA: Directory Service port (7389): OK

    Connection from master to replica is OK.

    Connection check OK

    Configuring ntpd

      [1/4]: stopping ntpd

      [2/4]: writing configuration

      [3/4]: configuring ntpd to start on boot

      [4/4]: starting ntpd

    done configuring ntpd.

    Configuring directory server for the CA: Estimated time 30 seconds

      [1/3]: creating directory server user

      [2/3]: creating directory server instance

      [3/3]: restarting directory server

    done configuring pkids.

    Configuring certificate server: Estimated time 3 minutes 30 seconds

      [1/13]: creating certificate server user

      [2/13]: creating pki-ca instance

      [3/13]: configuring certificate server instance

      [4/13]: disabling nonces

      [5/13]: creating RA agent certificate database

      [6/13]: importing CA chain to RA certificate database

      [7/13]: fixing RA database permissions

      [8/13]: setting up signing cert profile

      [9/13]: set up CRL publishing

      [10/13]: set certificate subject base

      [11/13]: enabling Subject Key Identifier

      [12/13]: configuring certificate server to start on boot

      [13/13]: Configure HTTP to proxy connections

    done configuring pki-cad.

    Restarting the directory and certificate servers

    Configuring directory server: Estimated time 1 minute

      [1/30]: creating directory server user

      [2/30]: creating directory server instance

      [3/30]: adding default schema

      [4/30]: enabling memberof plugin

      [5/30]: enabling referential integrity plugin

      [6/30]: enabling winsync plugin

      [7/30]: configuring replication version plugin

      [8/30]: enabling IPA enrollment plugin

      [9/30]: enabling ldapi

      [10/30]: configuring uniqueness plugin

      [11/30]: configuring uuid plugin

      [12/30]: configuring modrdn plugin

      [13/30]: enabling entryUSN plugin

      [14/30]: configuring lockout plugin

      [15/30]: creating indices

      [16/30]: configuring ssl for ds instance

      [17/30]: configuring certmap.conf

      [18/30]: configure autobind for root

      [19/30]: configure new location for managed entries

      [20/30]: restarting directory server

      [21/30]: setting up initial replication

    Starting replication, please wait until this has completed.

    [IPA_Server.domain.ca] reports: Update failed! Status: [-11  -
    System error]

    creation of replica failed: Failed to start replication

    Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is
    the following error;

    NSMMReplicationPlugin -- agmt="cn=metoIPA_Server.domain.ca"
    (ipa_server:389): Replica has a different generation ID than the
    local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

Any thoughts or ideas on this issue? Searching Google I don't see anyone getting the Status: -11 -- System Error.

There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:

    #define LDAP_CONNECT_ERROR (-11)

It sounds like this connection error is occurring when it tries to initialize the replica. It might help to enable replication level logging on the master, then trying to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

Thanks,

Matt




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
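Nathan's suggestion above is to check the receiving side's 389 DS access log for a connection from the master at the time of the startTLS failure. The following Python helper is an added example, not code from the thread or from FreeIPA/389 DS: it correlates connections from a given peer IP with a timestamp window and reports whether a startTLS extended operation was requested on each and what LDAP result it got. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a 389 DS access log (not from the original thread).
SAMPLE_ACCESS_LOG = """\
[08/Apr/2013:07:15:58 -0400] conn=41 fd=64 slot=64 connection from 192.168.1.1 to 192.168.1.2
[08/Apr/2013:07:15:58 -0400] conn=41 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Apr/2013:07:15:58 -0400] conn=41 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Apr/2013:07:15:59 -0400] conn=41 op=-1 fd=64 closed - B1
[08/Apr/2013:07:16:30 -0400] conn=42 fd=65 slot=65 connection from 10.0.0.9 to 192.168.1.2
[08/Apr/2013:07:16:30 -0400] conn=42 op=0 BIND dn="cn=Directory Manager" method=128 version=3
"""

LINE_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] conn=(-?\d+) (.*)$")
CONN_RE = re.compile(r"connection from (\S+) to (\S+)")
RESULT_RE = re.compile(r"RESULT err=(\d+)")

def parse_ts(stamp):
    """Parse the log's local-time stamp; the UTC offset is dropped here."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")

def parse_access_log(text):
    """Yield (timestamp, conn_id, message) for every line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield parse_ts(m.group(1)), int(m.group(2)), m.group(3)

def connections_from(text, peer_ip, around, window_seconds=60):
    """Connections opened by peer_ip within +/- window of 'around'
    (a stamp in log format), keyed by conn id, with whether startTLS
    was requested and the LDAP result code of that request."""
    centre = parse_ts(around)
    window = timedelta(seconds=window_seconds)
    conns = {}
    for ts, conn, msg in parse_access_log(text):
        cm = CONN_RE.search(msg)
        if cm and cm.group(1) == peer_ip and abs(ts - centre) <= window:
            conns[conn] = {"opened": ts, "starttls": False, "err": None}
        elif conn in conns:
            if 'name="startTLS"' in msg:
                conns[conn]["starttls"] = True
            rm = RESULT_RE.search(msg)
            # First RESULT after the startTLS EXT is the startTLS outcome.
            if rm and conns[conn]["starttls"] and conns[conn]["err"] is None:
                conns[conn]["err"] = int(rm.group(1))
    return conns
```

If the master's IP never appears in the window at all, the connection is failing before it reaches the directory server (firewall, wrong address, or the service not listening), which matches a client-side "connect error" rather than a TLS negotiation problem.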
