Hey,

I'm still trying to figure out this error but I am getting nothing. Anyone have any suggestions or ideas on why this is failing?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Monday, April 08, 2013 12:30 PM
To: Nathan Kinder
Cc: email@example.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Hey,

Yup, the client side says the following:

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Monday, April 08, 2013 12:28 PM
To: Joseph, Matthew (EXP)
Cc: firstname.lastname@example.org
Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> So on the IPA server under the access logs I am getting the following error.
>
> Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)
>
> Any ideas?

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-<DOMAIN>/access.

-NGK

> Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: email@example.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.
>
> Here are the steps I ran (from the Red Hat 6.3 IdM Administration Guide):
>
> ------------------------
> IPA_Server:
> ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
> scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>
> IPA_Replica:
> ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
> ------------------------------
>
> Below is the error I am getting when running ipa-replica-install:
>
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'IPA_Server.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@domain.ca password:
> Execute check on remote master
> Check connection from master to remote replica 'IPA_Replica.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/13]: creating certificate server user
>   [2/13]: creating pki-ca instance
>   [3/13]: configuring certificate server instance
>   [4/13]: disabling nonces
>   [5/13]: creating RA agent certificate database
>   [6/13]: importing CA chain to RA certificate database
>   [7/13]: fixing RA database permissions
>   [8/13]: setting up signing cert profile
>   [9/13]: set up CRL publishing
>   [10/13]: set certificate subject base
>   [11/13]: enabling Subject Key Identifier
>   [12/13]: configuring certificate server to start on boot
>   [13/13]: Configure HTTP to proxy connections
> done configuring pki-cad.
> Restarting the directory and certificate servers
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
>   [17/30]: configuring certmap.conf
>   [18/30]: configure autobind for root
>   [19/30]: configure new location for managed entries
>   [20/30]: restarting directory server
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
>
> creation of replica failed: Failed to start replication
>
> Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error:
>
> NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

> Any thoughts or ideas on this issue? Searching Google I don't see anyone getting the "Status: -11 - System Error".

There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:

#define LDAP_CONNECT_ERROR (-11)

It sounds like this connection error is occurring when it tries to initialize the replica. It might help to enable replication level logging on the master, then try running ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

> Thanks,
> Matt

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
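The thread's diagnostic chain (a "System error" that is really LDAP_CONNECT_ERROR, a generation ID mismatch that is only fallout, and an NSS trust failure as the actual cause) is the kind of thing worth scripting. The following is an added example, not code from the mailing list or from FreeIPA/389-ds: it decodes the negative client-side LDAP result codes by the names in OpenLDAP's ldap.h, extracts the replication agreement and peer from NSMMReplicationPlugin lines, and ranks the probable root cause. The sample log lines are constructed to mirror the ones quoted in the thread; their timestamps, conn numbers and ordering are assumptions.

```python
"""Triage FreeIPA / 389-ds replication failures from the dirsrv logs.

Added example, not code from the mailing-list thread or from 389-ds.
"""
import re
from typing import Optional

# Negative result codes come from the client library, never from the peer.
# Values are the #defines in OpenLDAP's ldap.h (the thread quotes
# "#define LDAP_CONNECT_ERROR (-11)").
LDAP_API_ERRORS = {
    -1: "LDAP_SERVER_DOWN",
    -2: "LDAP_LOCAL_ERROR",
    -3: "LDAP_ENCODING_ERROR",
    -4: "LDAP_DECODING_ERROR",
    -5: "LDAP_TIMEOUT",
    -6: "LDAP_AUTH_UNKNOWN",
    -7: "LDAP_FILTER_ERROR",
    -8: "LDAP_USER_CANCELLED",
    -9: "LDAP_PARAM_ERROR",
    -10: "LDAP_NO_MEMORY",
    -11: "LDAP_CONNECT_ERROR",
    -12: "LDAP_NOT_SUPPORTED",
    -13: "LDAP_CONTROL_NOT_FOUND",
    -14: "LDAP_NO_RESULTS_RETURNED",
    -15: "LDAP_MORE_RESULTS_TO_RETURN",
    -16: "LDAP_CLIENT_LOOP",
    -17: "LDAP_REFERRAL_LIMIT_EXCEEDED",
}

# Untrusted-issuer wording: the first is the access-log text quoted in the
# thread, the second is NSS's SEC_ERROR_UNKNOWN_ISSUER message.
TLS_TRUST_PHRASES = (
    "does not recognize and trust the CA",
    "Peer's Certificate issuer is not recognized",
)

# agmt="cn=..." (host:port): message
AGMT_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)'
)
# "Error -11 (connect error)" or "Status: [-11 - System error]"
CODE_RE = re.compile(r'(?:Error|Status: \[)\s*(?P<code>-?\d+)')

# Root-cause ranking: a trust failure explains the connect error, and a
# generation ID mismatch is usually fallout from the failed initialization.
CAUSE_PRIORITY = ("tls_trust", "starttls_connect", "connect", "generation_id_mismatch")


def decode_ldap_code(code: int) -> str:
    """Name a numeric LDAP result; only negative codes are client-side."""
    if code >= 0:
        return f"server result code {code}"
    return LDAP_API_ERRORS.get(code, f"unknown client-side code {code}")


def classify_line(line: str) -> Optional[dict]:
    """Return a triage record for a replication-relevant log line, else None."""
    agmt = AGMT_RE.search(line)
    code = CODE_RE.search(line)
    trust = any(p in line for p in TLS_TRUST_PHRASES)
    if not (agmt or code or trust):
        return None
    rec = {"line": line.strip()}
    if agmt:
        rec["agmt"] = agmt["agmt"]
        rec["peer"] = f"{agmt['host']}:{agmt['port']}"
    n = int(code["code"]) if code else None
    if n is not None:
        rec["code"] = n
        rec["code_name"] = decode_ldap_code(n)
    if trust:
        rec["cause"] = "tls_trust"
    elif n == -11:
        rec["cause"] = "starttls_connect" if "startTLS" in line else "connect"
    elif "generation ID" in line:
        rec["cause"] = "generation_id_mismatch"
    return rec


def triage(lines):
    """Classify every line and pick the highest-ranked cause seen."""
    records = [r for r in (classify_line(l) for l in lines) if r]
    causes = {r["cause"] for r in records if "cause" in r}
    root = next((c for c in CAUSE_PRIORITY if c in causes), None)
    return records, root


# Constructed sample lines mirroring those quoted in the thread; timestamps,
# conn numbers and the ordering are assumptions.
SAMPLE_LOG_LINES = [
    '[08/Apr/2013:07:16:01 -0400] NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.',
    '[08/Apr/2013:07:16:01 -0400] Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)',
    '[08/Apr/2013:07:16:01 -0400] NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Update failed! Status: [-11 - System error]',
    '[08/Apr/2013:07:16:01 -0400] conn=23 op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.',
]

if __name__ == "__main__":
    recs, root = triage(SAMPLE_LOG_LINES)
    for r in recs:
        print(r.get("cause", "-"), r.get("code_name", ""), r.get("peer", ""), sep="\t")
    print("probable root cause:", root)
```

Run against a real deployment, feed it the concatenation of /var/log/dirsrv/slapd-<DOMAIN>/errors and /access from both sides; a "tls_trust" hit on the receiving side is the thing to chase before touching the replication agreement.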