Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS instance, so I built in 6.5
and was able to get past it, but now I'm failing with this:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-install.log for details:
ObjectclassViolation: missing attribute "idnsSOAserial" required by object class "idnsZone"

I tried attaching the log file but unfortunately it's 30 MB; trying to compress.

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, February 12, 2014 10:36 AM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trouble creating a replica in the cloud

Dmitri Pal wrote:
> On 02/11/2014 05:02 PM, Todd Maugh wrote:
>> Hey Guys,
>>
>> So I have my master and replica up in my datacenter.
>>
>> I have a client, I have a winsync agreement, I have a password sync.
>>
>> It's working lovely.
>>
>> So now I have spun up an AWS instance of Red Hat 6.5 (same as my
>> master and first replica)
>>
>> I run the ipa replica and it fails
>>
>>
>> ipa-replica-install --setup-ca --setup-dns --no-forwarders
>> /var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
>> Directory Manager (existing master) password:
>>
>> Run connection check to master
>> Check connection from replica to remote master 'se-idm-01.boingo.com':
>> Directory Service: Unsecure port (389): OK
>> Directory Service: Secure port (636): OK
>> Kerberos KDC: TCP (88): OK
>> Kerberos Kpasswd: TCP (464): OK
>> HTTP Server: Unsecure port (80): OK
>> HTTP Server: Secure port (443): OK
>> PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>> Kerberos KDC: UDP (88): SKIPPED
>> Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> ad...@boingo.com password:
>>
>> Execute check on remote master
>> Check connection from master to remote replica 'se-idm-03.boingo.com':
>> Directory Service: Unsecure port (389): OK
>> Directory Service: Secure port (636): OK
>> Kerberos KDC: TCP (88): OK
>> Kerberos KDC: UDP (88): OK
>> Kerberos Kpasswd: TCP (464): OK
>> Kerberos Kpasswd: UDP (464): OK
>> HTTP Server: Unsecure port (80): OK
>> HTTP Server: Secure port (443): OK
>> PKI-CA: Directory Service port (7389): OK
>>
>> Connection from master to replica is OK.
>>
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>> [1/3]: creating directory server user
>> [2/3]: creating directory server instance
>> ipa : CRITICAL failed to create ds instance Command
>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
>> returned non-zero exit status 1
>> [3/3]: restarting directory server
>> ipa : CRITICAL Failed to restart the directory server. See the
>> installation log for details.
>> Done configuring directory server for the CA (pkids).
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> Can't contact LDAP server
>>
>>
>> I check the log file and this is what I get
>>
>> 2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
>> 2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
>> --logfile - -f /tmp/tmpo9ROF3
>> 2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
>> createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
>> Netscape Portable Runtime error -5966 (Access Denied.)
>> [11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
>> Interfaces port 7389 failed: Netscape Portable Runtime error -5966
>> (Access Denied.)
>> [14/02/11:14:57:53] - [Setup] Info Could not start the directory
>> server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
>> The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
>> prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
>> Netscape Portable Runtime error -5966 (Access Denied.)
>> '. Error: Unknown error 256
>> Could not start the directory server using command
>> '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the
>> error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
>> PR_Bind() on All
>> Interfaces port 7389 failed: Netscape Portable Runtime error -5966
>> (Access Denied.)
>> '. Error: Unknown error 256
>> [14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
>> server instance 'PKI-IPA'.
>> Error: Could not create directory server instance 'PKI-IPA'.
>> [14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
>> Log file is '-'
>>
>> Exiting . . .
>> Log file is '-'
>>
>>
>> Please help
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Bind failed. This usually happens when the system has an identity crisis
> and tries to bind to the interface that is not there.

Access Denied is a bit unexpected though it may have to do with the AWS
network config. Any SELinux errors or anything in /var/log/messages?
Running IPA in AWS is a bit strange because of the dynamic nature of AWS.

Have you seen http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html

rob
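A pre-flight check for the kind of bind failure this thread chases, added here as an example and not code from FreeIPA or any of the posters: it parses the 389-ds PR_Bind error line quoted above, compares what the host's FQDN resolves to against the addresses actually present on local interfaces (the "interface that is not there" case Dmitri describes, which on EC2 typically means the name resolves to the public address while the instance only carries the private one), and tries binding the directory ports itself so a port conflict, a missing privilege or an SELinux denial shows up before ipa-replica-install runs. It assumes iproute2's `ip -o addr` is available; the hostnames and addresses in the test are constructed.

```python
"""Pre-flight checks for the PR_Bind failure in this thread (added example, not
FreeIPA code). Assumes iproute2's `ip -o addr` is available for local addresses."""
import re
import socket
import subprocess

# Matches the 389-ds line quoted in the thread, e.g. "... PR_Bind() on All
# Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)"
BIND_ERR = re.compile(r"PR_Bind\(\) on (?P<iface>.+?) port (?P<port>\d+) failed:"
                      r".*?error (?P<code>-?\d+) \((?P<msg>[^)]*)\)")

def parse_bind_error(line):
    """(interface, port, NSPR code, message) for a PR_Bind failure line, else None."""
    m = BIND_ERR.search(line)
    return (m["iface"], int(m["port"]), int(m["code"]), m["msg"]) if m else None

def can_bind(port, host=""):
    """True if TCP host:port is bindable now (in use, no privilege or SELinux denial: False)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

def identity_findings(fqdn, resolved, local):
    """Problems found comparing what the FQDN resolves to with local interface addresses."""
    if not resolved:
        return [f"{fqdn} does not resolve"]
    missing = sorted(set(resolved) - set(local))
    return [f"{fqdn} resolves to {missing}, which is on no local interface "
            "(typical on EC2 when the public IP is used)"] if missing else []

def local_addresses():
    """Addresses on local interfaces, parsed from `ip -o addr` (assumed present)."""
    out = subprocess.run(["ip", "-o", "addr"], capture_output=True, text=True,
                         check=True).stdout
    return [line.split()[3].split("/")[0] for line in out.splitlines()]

if __name__ == "__main__":
    fqdn = socket.getfqdn()
    try:
        resolved = sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        resolved = []
    for finding in identity_findings(fqdn, resolved, local_addresses()):
        print("WARN:", finding)
    for port in (389, 636, 7389):  # LDAP, LDAPS and the PKI-CA directory port
        print(f"port {port}:", "bindable" if can_bind(port) else "NOT bindable")
```

Run it as root on the replica before ipa-replica-install; a "NOT bindable" on 7389 with nothing listening there points at SELinux or a privilege problem rather than a port clash.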