Joseph, Matthew (EXP) wrote:
Hey Rob,

Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on the replica vs the existing master.

The error is related to SSL trust.
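Rob's certutil comparison, as an added example that is not code from this thread or from FreeIPA/389-ds: it parses `certutil -L` listings of the NSS database under /etc/dirsrv/slapd-REALM taken on the master and on the replica and checks whether the IPA CA entry exists with CA trust in the SSL column. The two listings are constructed sample output, and the nickname "EXAMPLE.COM IPA CA" and the directory name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Listings are constructed
# sample output of: certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM
# Nickname "EXAMPLE.COM IPA CA" is an assumption.
MASTER_LISTING='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                CT,C,C
Server-Cert                                       u,u,u'

# Constructed replica database: CA present but imported without CA trust,
# so a peer certificate chained to it is not accepted.
REPLICA_LISTING='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                ,,
Server-Cert                                       u,u,u'

# Print the trust field ("CT,C,C") for NICKNAME in a certutil -L listing;
# print nothing when the nickname is absent.
ca_trust_flags() {
  _nick="$1"; _listing="$2"
  printf '%s\n' "$_listing" | awk -v nick="$_nick" '
    # the trust field is the last field: SSL,S/MIME,JAR/XPI letters only
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      name = $0
      sub(/ +[A-Za-z]*,[A-Za-z]*,[A-Za-z]* *$/, "", name)
      if (name == nick) { print $NF; exit }
    }'
}

# Return 0 only when NICKNAME is present and its SSL column contains "C",
# i.e. the database trusts it as a CA for server certificates. Anything
# else is what the other side logs as "Peer does not recognize and trust
# the CA that issued your certificate".
ca_trusted_for_ssl() {
  _flags=$(ca_trust_flags "$1" "$2")
  [ -n "$_flags" ] || return 1
  case "${_flags%%,*}" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

ca_trusted_for_ssl 'EXAMPLE.COM IPA CA' "$MASTER_LISTING"  && echo "master: CA trusted"
ca_trusted_for_ssl 'EXAMPLE.COM IPA CA' "$REPLICA_LISTING" || echo "replica: CA missing or untrusted"
```

On real hosts, capture `certutil -L -d /etc/dirsrv/slapd-REALM` on each side and pass the two outputs to the functions; a differing fingerprint from `certutil -L -d <dir> -n '<nickname>'` on the two hosts would point to a replica file prepared against a different CA.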



-----Original Message-----
From: Rob Crittenden []
Sent: Wednesday, April 10, 2013 10:47 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:

I'm still trying to figure out this error but I am getting nothing.

Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different IPA 
installation? I'd probably go ahead and use ipa-replica-prepare to create a new 
file and try installing that.



[] *On Behalf Of* Joseph,
*Sent:* Monday, April 08, 2013 12:30 PM
*To:* Nathan Kinder
*Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install


Yup, the client side says the following;

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.


*From:* Nathan Kinder []
*Sent:* Monday, April 08, 2013 12:28 PM
*To:* Joseph, Matthew (EXP)
*Subject:* Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:


     So on the IPA server under the access logs I am getting the
     following error.

     Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

     Any ideas?

Does the access log on the receiving side show a connection attempt
from the master at the same time?  The access log will be located at



*From:* Nathan Kinder []
*Sent:* Thursday, April 04, 2013 6:00 PM
*To:* Joseph, Matthew (EXP)
*Cc:* <>
*Subject:* EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:


     I'm trying to setup a replica server with ipa-2.2.0-16 on both the
     Server and the Replica Server.

     Here are the steps I ran (From the Red Hat 6.3 IdM Administration



     ipa-replica-prepare --ip-address

     scp /var/lib/ipa/ root@


     ipa-replica-install --setup-ca --setup-dns


     Below is the error I am getting when running ipa-replica-install;

     Directory Manager (existing master) password:
     Run connection check to master
     Check connection from replica to remote master '':
         Directory Service: Unsecure port (389): OK
         Directory Service: Secure port (636): OK
         Kerberos KDC: TCP (88): OK
         Kerberos Kpasswd: TCP (464): OK
         HTTP Server: Unsecure port (80): OK
         HTTP Server: Secure port (443): OK
         PKI-CA: Directory Service port (7389): OK
     The following list of ports use UDP protocol and would need to be checked manually:
         Kerberos KDC: UDP (88): SKIPPED
         Kerberos Kpasswd: UDP (464): SKIPPED
     Connection from replica to master is OK.
     Start listening on required ports for remote master check
     Get credentials to log in to remote master <> password:
     Execute check on remote master
     Check connection from master to remote replica '':
         Directory Service: Unsecure port (389): OK
         Directory Service: Secure port (636): OK
         Kerberos KDC: TCP (88): OK
         Kerberos KDC: UDP (88): OK
         Kerberos Kpasswd: TCP (464): OK
         Kerberos Kpasswd: UDP (464): OK
         HTTP Server: Unsecure port (80): OK
         HTTP Server: Secure port (443): OK
         PKI-CA: Directory Service port (7389): OK
     Connection from master to replica is OK.
     Connection check OK
     Configuring ntpd
        [1/4]: stopping ntpd
        [2/4]: writing configuration
        [3/4]: configuring ntpd to start on boot
        [4/4]: starting ntpd
     done configuring ntpd.
     Configuring directory server for the CA: Estimated time 30 seconds
        [1/3]: creating directory server user
        [2/3]: creating directory server instance
        [3/3]: restarting directory server
     done configuring pkids.
     Configuring certificate server: Estimated time 3 minutes 30
        [1/13]: creating certificate server user
        [2/13]: creating pki-ca instance
        [3/13]: configuring certificate server instance
        [4/13]: disabling nonces
        [5/13]: creating RA agent certificate database
        [6/13]: importing CA chain to RA certificate database
        [7/13]: fixing RA database permissions
        [8/13]: setting up signing cert profile
        [9/13]: set up CRL publishing
        [10/13]: set certificate subject base
        [11/13]: enabling Subject Key Identifier
        [12/13]: configuring certificate server to start on boot
        [13/13]: Configure HTTP to proxy connections
     done configuring pki-cad.
     Restarting the directory and certificate servers
     Configuring directory server: Estimated time 1 minute
        [1/30]: creating directory server user
        [2/30]: creating directory server instance
        [3/30]: adding default schema
        [4/30]: enabling memberof plugin
        [5/30]: enabling referential integrity plugin
        [6/30]: enabling winsync plugin
        [7/30]: configuring replication version plugin
        [8/30]: enabling IPA enrollment plugin
        [9/30]: enabling ldapi
        [10/30]: configuring uniqueness plugin
        [11/30]: configuring uuid plugin
        [12/30]: configuring modrdn plugin
        [13/30]: enabling entryUSN plugin
        [14/30]: configuring lockout plugin
        [15/30]: creating indices
        [16/30]: configuring ssl for ds instance
        [17/30]: configuring certmap.conf
        [18/30]: configure autobind for root
        [19/30]: configure new location for managed entries
        [20/30]: restarting directory server
        [21/30]: setting up initial replication
     Starting replication, please wait until this has completed.
     [] reports: Update failed! Status: [-11  - System error]
     creation of replica failed: Failed to start replication

     Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error;

     NSMMReplicationPlugin - agmt="" (ipa_server:389): Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure.
If a replica is never initialized, it will get a generation ID
mismatch error when the master contacts it.

Any thoughts or ideas on this issue? Searching Google I don't see
anyone getting the Status:-11 - System Error.

There was a bug in 389-ds-base that was fixed a while back where
negative LDAP error codes were all printed as "System Error".  The -11
is a connection error.  Here is how it is defined in /usr/include/ldap.h:

      #define LDAP_CONNECT_ERROR                              (-11)

It sounds like this connection error is occurring when it tries to
initialize the replica.  It might help to enable replication level
logging on the master, then trying to run ipa-replica-install again.
The errors in the 389 DS errors log might point to the problem.  To
enable replication level logging, you can perform the following
operation with ldapmodify as "cn=Directory Manager":

dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

When you are finished debugging the issue, don't forget to change the
log level back to "0".





Freeipa-users mailing list  <>