Janelle wrote:
> I did find that as the work-around - just trying to understand why it
> comes up sometimes...
> Did you find any issues with the workings of a replica if you had to
> resort to this method?

The conncheck is a reaction to a slew of problems people had setting up replicas and because we don't have direct firewall integration. It provides a way to detect errors that will eventually cause an installation to fail. It isn't necessary to run, which is why we provided the skip option.

As for why the ssh fails, you'd need to check the system logs on the IPA master where it is failing.

The ssh is only used so we can test the reverse connection; it isn't used once the installation itself starts.

rob

>
> Thanks.
>
> ~J
>
> On 11/17/14 10:57 AM, Craig White wrote:
>>
>> Janelle, this may not be that useful but I found it worthwhile to
>> resort to
>>
>> skip-conncheck
>>
>> When setting up the replica pretty much for the same reason.
>>
>> Craig White
>> System Administrator
>> O623-201-8179 M602-377-9752
>>
>> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
>>
>> From: freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Janelle
>> Sent: Monday, November 17, 2014 7:43 AM
>> To: firstname.lastname@example.org
>> Subject: [Freeipa-users] strange replica creation problem
>>
>> Happy Monday everyone,
>>
>> I have a strange issue I am seeing with replica creations, but it does
>> not seem to be consistent. Sometimes, when trying to install the
>> replica I get errors trying to connect to the master via SSH:
>>
>> [root@ipa3 ~]# ipa-replica-install
>> /var/lib/ipa/replica-info-ipa3.xyzzy.com.gpg
>> Directory Manager (existing master) password:
>>
>> Run connection check to master
>> Check connection from replica to remote master 'ipa2.xyzzy.com':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>    Kerberos KDC: UDP (88): SKIPPED
>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> ad...@xyzzy.com password:
>>
>> Check SSH connection to remote master
>> ad...@ipa2.xyzzy.com's password:
>> ad...@ipa2.xyzzy.com's password:
>> Could not SSH into remote host. Error output:
>>     OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
>>     debug1: Reading configuration data /etc/ssh/ssh_config
>>     debug1: /etc/ssh/ssh_config line 51: Applying options for *
>>
>> ssh via root and all the hosts - using keys - works just fine. I don't
>> understand why this is happening on some hosts and not others.
>>
>> Any ideas?
>> ~J
>>
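Added example, not part of the original thread and not FreeIPA code: a small Python parser for the connection-check transcript quoted above. It reports which ports were actually probed, which UDP ports were skipped and still need a manual check, and whether the run failed in the forward port probe or only in the SSH step used for the reverse check. The function name `summarize` and the stage labels are hypothetical; the sample text is an excerpt of the output quoted in the thread.

```python
import re

# Excerpt of the ipa-replica-install output quoted in the thread above.
SAMPLE = """\
Check connection from replica to remote master 'ipa2.xyzzy.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Check SSH connection to remote master
Could not SSH into remote host. Error output:
"""

# Matches "<service>: <description> (<port>): <status>"
PORT_LINE = re.compile(
    r"^\s*(?P<service>.+?): (?P<kind>.+?) \((?P<port>\d+)\): (?P<status>\w+)\s*$")

def summarize(transcript):
    """Classify a conncheck transcript (hypothetical helper, not an IPA API)."""
    ports = []
    for line in transcript.splitlines():
        m = PORT_LINE.match(line)
        if m:
            proto = "udp" if m["kind"].upper() == "UDP" else "tcp"
            ports.append((m["service"], proto, int(m["port"]), m["status"]))
    failed = [p for p in ports if p[3] not in ("OK", "SKIPPED")]
    manual = [p for p in ports if p[3] == "SKIPPED"]  # never probed: verify by hand
    if failed:
        stage = "forward"  # replica -> master probe failed: firewall or service
    elif "Could not SSH into remote host" in transcript:
        stage = "ssh"      # forward path fine; only the reverse-check login failed
    else:
        stage = None
    return {"ports": ports, "failed": failed, "manual": manual, "stage": stage}

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print("failed stage:", result["stage"])
    for service, proto, port, status in result["manual"]:
        print(f"check manually: {service} {proto}/{port} ({status})")
```

A stage of `ssh` with no failed ports corresponds to the case described in the reply: the replica can reach the master, and the place to look is the system logs on the master rather than the firewall rules for the IPA ports.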