I am giving it a fresh start and I notice similar issues.

1) I wasn't able to use the "--setup-ca" while running the ipa-replica-install 
on the replica. It stopped the install after the ntpd step; see below.

Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

2) So I tried my install command again without the --setup-ca option. It went 
further; although it completed, it showed one error, see below.

 MY COMMAND: --> ipa-replica-install /var/tmp/ --skip-conncheck
The skip-conncheck was needed to complete the install. Connection checks were 
manually done.

  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
ipa         : ERROR    certmonger failed starting to track certificate: Command 
'/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-MYDOMAIN.COM -n 
Server-Cert -p /etc/dirsrv/slapd-MYDOMAIN.COM/pwdfile.txt -C 
/usr/lib64/ipa/certmonger/restart_dirsrv MYDOMAIN.COM' returned non-zero exit 
status 1
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root

3) The replica installed fine I can access the same database from the replica's 

4) I cannot add new clients.
MY COMMAND: --> ipa-client-install -d = master = replica


Change is the only Constant !

On Friday, February 14, 2014 11:40 AM, Rob Crittenden <> 
Shree wrote:
> 1) 7839 TCP is open between the master and replica, do I need 7389 udp
> also?  What about clients and replica?
> I have the following ports opened and tested between master and replica.
> --> 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP), 7389
> (TCP)
> and  88 (UDP)  464 (UDP)
> Do I need any more ports opened, I have to work with another team to get
> this done, so it will help having all the information.

No, this list is enough. Still, it can't connect to it. Seeing the 
failure output from the connection check might be useful, or at least 
confirm the same.

> 2) I see you skip the connection check, what was failing? :-- Yes my
> replica install fails unless I use --skip connection check. I have
> tested the connection with the ports mentioned during the install.

I don't know what to say, the logs pretty clearly indicate that it can't 
connect on port 7389.

> 3) In the ipareplica-install log this is reported:
> Failed to setup the replication for cloning. :--- Yes but what is the
> solution?

Fix the firewall.

> 4) And in the debug log:
> :- Also what is the solution for the error?

Same thing. One failure cascades to another.
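
A connectivity check for the TCP ports listed in the thread, as an added example that is not part of the original messages or of FreeIPA's own code. It separates a refused connection from one that times out, which is the usual sign of a firewall dropping packets. The function names are hypothetical and the host to test is passed on the command line.

```python
import errno
import socket
import sys

# TCP ports from the list in the thread (master <-> replica).
# 88/UDP and 464/UDP are also required but cannot be verified with a
# TCP connect, so they are not probed here.
IPA_TCP_PORTS = [80, 88, 389, 443, 464, 636, 7389]


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Host answered with a reset: no listener, or a firewall REJECT rule.
        return "refused"
    except socket.timeout:
        # No answer at all: typically a firewall silently dropping packets.
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        return "error: %s" % exc


def check_replica_ports(host, ports=IPA_TCP_PORTS, timeout=3.0):
    """Probe every port and return a {port: status} mapping."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Return the sorted list of ports that did not accept a connection."""
    return sorted(port for port, status in results.items() if status != "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <master-or-replica-hostname>" % sys.argv[0])
    results = check_replica_ports(sys.argv[1])
    for port in sorted(results):
        print("%5d/tcp  %s" % (port, results[port]))
    # A non-zero exit status means at least one required port is unreachable.
    sys.exit(1 if blocked_ports(results) else 0)
```

Run it from the replica against the master and from the master against the replica, since the ports must be reachable in both directions.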
