On 13.2.2014 01:13, Todd Maugh wrote:
thanks Guys, turns out this was a redhat bug in the 6.4 image of the aws 
instance, so I built in 6.5

and was able to get past it, but now I'm failing with this:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
ObjectclassViolation: missing attribute "idnsSOAserial" required by object class 
"idnsZone"

I tried attaching the log file but unfortunately it's 30 MB; trying to compress.

That is interesting. Which version of ipa-server package you are trying to install? Is it RHEL or CentOS 6.5?

My guess is that you have DNS installed on one IPA server and now you are installing another replica without DNS (without the --setup-dns option), right?

Maybe you are hitting
https://bugzilla.redhat.com/show_bug.cgi?id=894131
but it was fixed in ipa-3.0.0-22.el6.

Petr^2 Spacek

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, February 12, 2014 10:36 AM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trouble creating a replica in the cloud

Dmitri Pal wrote:
On 02/11/2014 05:02 PM, Todd Maugh wrote:
Hey Guys,

So I have my master and replica up in my datacenter.

I have a client, I have a winsync agreement, I have a password sync.

It's working lovely.

So now I have spun up an AWS instance of Red Hat 6.5 (same as my
master and first replica)

I run the ipa replica and it fails


ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
    PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
    Kerberos KDC: UDP (88): SKIPPED
    Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@boingo.com password:

Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
    PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
returned non-zero exit status 1
   [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the
installation log for details.
Done configuring directory server for the CA (pkids).

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server


I check the log file and this is what I get

2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory
server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
'.  Error: Unknown error 256
Could not start the directory server using command
'/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
'.  Error: Unknown error 256
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
server instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'

Please help

Bind failed. This usually happens when the system has an identity crisis
and tries to bind to the interface that is not there.

Access Denied is a bit unexpected though it may have to do with the AWS
network config. Any SELinux errors or anything in /var/log/messages?

Running IPA in AWS is a bit strange because of the dynamic nature of
AWS. Have you seen
http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html

rob
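An added triage helper for the two failures seen in this thread (the PR_Bind() failure on port 7389 from setup-ds.pl and the idnsZone objectclass violation); it is not code from the thread or from the FreeIPA project. It assumes the log text is the plain output quoted above (possibly line-wrapped by a mail client), the sample log is constructed from those quoted lines, and the hint wording is my own.

```python
import re

# Added example, not FreeIPA code: pull the two failures quoted in this thread out of
# an ipareplica-install.log; \s+ in the patterns tolerates mail-client line wrapping.
# NSPR codes: -5966 is PR_NO_ACCESS_RIGHTS_ERROR ("Access Denied.", EACCES on Linux),
# -5982 is PR_ADDRESS_IN_USE_ERROR.
NSPR_BIND_HINTS = {
    -5966: "bind() got EACCES on an unprivileged port: look for an SELinux AVC denial "
           "(ausearch -m avc) and the port label before retrying the install",
    -5982: "port already bound: another slapd or a leftover instance is listening",
}
BIND_RE = re.compile(
    r"PR_Bind\(\)\s+on\s+(?P<iface>[\w\s]+?)\s+port\s+(?P<port>\d+)\s+failed:\s+"
    r"Netscape\s+Portable\s+Runtime\s+error\s+(?P<code>-\d+)\s+\((?P<msg>[^)]*)\)")
OCV_RE = re.compile(
    r'ObjectclassViolation:\s+missing\s+attribute\s+"(?P<attr>\w+)"\s+'
    r'required\s+by\s+object\s+class\s+"(?P<oc>\w+)"')


def triage(log_text):
    """Return de-duplicated findings; each dict carries a kind and a hint."""
    findings, seen = [], set()
    for m in BIND_RE.finditer(log_text):
        code, port = int(m["code"]), int(m["port"])
        if ("bind", port, code) in seen:
            continue  # setup-ds.pl repeats the same failure line several times
        seen.add(("bind", port, code))
        findings.append({"kind": "bind_failure", "port": port, "nspr_error": code,
                         "message": m["msg"],
                         "hint": NSPR_BIND_HINTS.get(code, "unclassified NSPR error")})
    for m in OCV_RE.finditer(log_text):
        attr, oc = m["attr"], m["oc"]
        if ("ocv", attr, oc) in seen:
            continue
        seen.add(("ocv", attr, oc))
        hint = "installer wrote an entry lacking an attribute its objectclass requires"
        if oc == "idnsZone":  # the DNS case from this thread
            hint += ("; confirm master and replica were both installed with --setup-dns "
                     "and compare ipa-server versions (bz#894131, fixed in ipa-3.0.0-22.el6)")
        findings.append({"kind": "schema_violation", "attribute": attr,
                         "objectclass": oc, "hint": hint})
    return findings


# Constructed sample modelled on the log lines quoted in the thread (note the wrapping).
SAMPLE_LOG = """\
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
ObjectclassViolation: missing attribute "idnsSOAserial" required by object class
"idnsZone"
"""
```

Run `triage(open("/var/log/ipareplica-install.log").read())` on a real log to get the same structured findings for a failed replica install.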

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users