Dmitri Pal wrote:
On 02/11/2014 05:02 PM, Todd Maugh wrote:
Hey Guys,

So I have my master and replica up in my datacenter.

I have a client, I have a winsync agreement, I have a password sync.

It's working lovely.

So now I have spun up an AWS instance of Red Hat 6.5 (same as my
master and first replica)

I run the ipa replica and it fails


ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@boingo.com password:

Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
returned non-zero exit status 1
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the
installation log for details.
Done configuring directory server for the CA (pkids).

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server
I check the log file and this is what I get

2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory
server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
'.  Error: Unknown error 256
Could not start the directory server using command
'/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
'.  Error: Unknown error 256
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
server instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'

Please help

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Bind failed. This usually happens when the system has an identity crisis
and tries to bind to the interface that is not there.

Access Denied is a bit unexpected though it may have to do with the AWS network config. Any SELinux errors or anything in /var/log/messages?

Running IPA in AWS is a bit strange because of the dynamic nature of AWS. Have you seen http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html

rob
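As an added triage script (not from the thread or from the FreeIPA project), the checks Dmitri's and Rob's replies point at, driven from the PR_Bind() failure in the 389-ds error log; it assumes the instance's error log sits at /var/log/dirsrv/slapd-PKI-IPA/errors and that ss, semanage, ausearch, getent and ip are present where each check runs.

```shell
#!/bin/sh
# Added triage helper, not part of the thread. Pulls the port that PR_Bind()
# could not bind out of the 389-ds error log and runs the checks the replies
# suggest: an existing listener on the port, the SELinux port label, AVC
# denials, and whether the replica's hostname resolves to an address that is
# really configured on this instance (the "identity crisis" case).

# Constructed sample: the error-log line quoted in the thread.
SAMPLE_LOG='[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)'

# bind_failure_port LOGTEXT: print the port of the first PR_Bind() failure.
bind_failure_port() {
    printf '%s\n' "$1" | sed -n 's/.*PR_Bind() on .* port \([0-9][0-9]*\) failed.*/\1/p' | head -n 1
}

# nspr_error_code LOGTEXT: print the NSPR error number (-5966 in the thread).
nspr_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*Portable Runtime error \(-[0-9][0-9]*\).*/\1/p' | head -n 1
}

# host_has_addr HOSTNAME: returns 0 if every IPv4 address HOSTNAME resolves to
# is configured on a local interface, 1 otherwise.
host_has_addr() {
    for a in $(getent ahostsv4 "$1" | awk '{print $1}' | sort -u); do
        ip -4 -o addr show | grep -qwF "$a" || return 1
    done
    return 0
}

# triage_port PORT: run each check only when its tool is installed.
triage_port() {
    port=$1
    echo "== listeners already on tcp/$port"
    command -v ss >/dev/null && ss -ltnp "sport = :$port"
    echo "== SELinux label for tcp/$port (389-ds expects ldap_port_t)"
    command -v semanage >/dev/null && semanage port -l | grep -w "$port"
    echo "== AVC denials against ns-slapd today"
    command -v ausearch >/dev/null && ausearch -m AVC -c ns-slapd --start today 2>/dev/null | tail -n 20
    echo "== does $(hostname -f) resolve to an address on this host?"
    host_has_addr "$(hostname -f)" && echo yes || echo "no: check /etc/hosts and nsslapd-listenhost"
}

# Usage on a failed replica (assumed log path):
#   triage_port "$(bind_failure_port "$(cat /var/log/dirsrv/slapd-PKI-IPA/errors)")"
```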
