On 02/09/2015 11:36 AM, Martin Kosek wrote:
On 02/09/2015 05:16 PM, Chris Mohler wrote:
On 02/09/2015 10:18 AM, Martin Kosek wrote:
On 02/07/2015 12:27 AM, Chris Mohler wrote:
I'm having some troubles. I have an older IPA install, version 3.0.0, on CentOS
6.6. It's currently the only master for my domain. I have about 4k user
accounts on here and it's a live system called "idm".

I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having
(clients can't auth unless service sssd is restarted multiple times: "10 (User
not known to the underlying authentication module)"). I think this is possibly
unrelated and the topic for another thread.

I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2; it's called
"ipa".
Good. Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.

On the master "idm" I ran "ipa-replica-prepare" and transferred the file to the
future replica "ipa". Then I ran the replica install script: ipa-replica-install
--setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
Things went well until it failed:

[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 133 seconds elapsed
Update in progress yet not in progress

Update in progress yet not in progress

Update in progress yet not in progress

[idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Please help; I'm getting nowhere by myself.
Can you please look on the master you are replicating from and look for errors
in /var/log/messages or the DS errors log?

Maybe you will see messages like "ns-slapd: encoded packet size too big (xxxxxx
65536)" that are known to pop up more with CentOS 6.6.
Hi Martin,
Thanks for the reply and help; I appreciate it.

Good. Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.
Good to know. I try to be distro-agnostic. I've used Red Hat 7.1, then went to
Solaris, then Ubuntu, and now I'm back for CentOS and Fedora. I guess I'm equally
uncomfortable with either version.

That said, is there any reason that I could or should not have a replica on a
Fedora 21 server and a second replica on CentOS 7.1 later? My understanding is the
more the merrier.
It should just work. Just note that in the case of Fedora Server, these are
upstream/Fedora bits which are only tested upstream. So if you, for example,
break something in Fedora 21 (not likely to happen though ;-) and then get the
change *replicated* to the RHEL production instance, I do not think Red Hat support
would be happy with that.

Also, if for example upstream releases FreeIPA 4.2, I would not just plug it into
your production RHEL instance, as it would upgrade all the data to the 4.2 level,
which should get more downstream testing before Red Hat can rubber-stamp it.

TL;DR: if you are happy with the upstream level of support (this list/IRC/Trac),
knock yourself out :-)

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or the DS errors log?
I tried to set up the replica again just now, so I have some fresh logs.

From the Dirserv error log:
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting 
up
[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up
under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port
389 for LDAP requests
[08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS
requests
[08/Feb/2015:22:14:50 -0500] - Listening on
/var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed:
Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to
replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total
update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of
replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"

To be fair and not duplicate efforts, I have had the following error:
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is
less than db size 12115968B; We recommend to increase the
entry cache size nsslapd-cachememsize.

To which I have asked another question, "how do I change the entry cache size":
https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
I now get additional errors, which I would guess are possibly related.
IMO, this should not be related (should not break replication). I do not
see anything useful in the error log though. Did you also check
/var/log/messages for the error I sent?
/var/log/messages on the CentOS master only has one entry from today.

Feb  9 05:50:00 idm rngd: failed fips test (An error about the rngd package)

Do I need to increase the verbosity over the default settings to get replication errors? Or is there a config file that needs a debug option in FreeIPA?

/var/log/messages on the client Fedora system isn't much more interesting:

Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
Feb  9 10:55:25 ipa ntpd[1011]: 0.0.0.0 c612 02 freq_set ntpd -5.531 PPM
Feb  9 10:55:25 ipa ntpd[1011]: 0.0.0.0 c615 05 clock_sync
Feb  9 11:01:02 ipa systemd: Starting Paths.
Feb  9 11:01:02 ipa systemd: Reached target Paths.
Feb  9 11:01:02 ipa systemd: Starting Timers.
Feb  9 11:01:02 ipa systemd: Reached target Timers.
Feb  9 11:01:02 ipa systemd: Starting Sockets.
Feb  9 11:01:02 ipa systemd: Reached target Sockets.
Feb  9 11:01:02 ipa systemd: Starting Basic System.
Feb  9 11:01:02 ipa systemd: Reached target Basic System.
Feb  9 11:01:02 ipa systemd: Starting Default.
Feb  9 11:01:02 ipa systemd: Reached target Default.
Feb  9 11:01:02 ipa systemd: Startup finished in 7ms.

I searched /var/log/messages and the archived message logs on the master CentOS server for "encoded packet size too big", "encoded packet", "slapd", and "encoded" and did not find any results.

Thanks,
-Chris
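The log hunting in this thread (the master's 389-ds error log, /var/log/messages on both hosts, and the "encoded packet size too big" message Martin asked about) can be done in one pass. The script below is an added example for this thread, not code from the list participants or the FreeIPA project. It parses both 389-ds error-log lines and syslog-wrapped ns-slapd lines, then sorts them into the buckets a replication triage cares about: replication failures (NSMMReplicationPlugin lines reporting a failure), the packet-size message, the cache-size warning Chris saw, and everything else. The sample input is constructed from the lines quoted above, with one extra constructed line carrying the packet-size message (which Chris did not actually find in his logs); the category names and the keyword list are this example's own choices.

```python
"""Triage 389-ds error-log and syslog lines for replication trouble.

Added example for this freeipa-users thread; not code from the list
participants or from FreeIPA/389-ds. Category names and failure keywords
are this example's own conventions.
"""
import re
from collections import defaultdict

# 389-ds error log prefix, e.g. "[09/Feb/2015:10:40:30 -0500] "
DS_TS = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s+(?P<rest>.*)$"
)
# syslog prefix, e.g. "Feb  9 10:40:25 ipa ns-slapd: " or "Feb  9 05:50:00 idm rngd: "
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s+(?P<rest>.*)$"
)
# replication agreement name inside an NSMMReplicationPlugin message
AGMT = re.compile(r'agmt="(?P<name>[^"]+)"')

# Words that mark an NSMMReplicationPlugin line as a failure (example's own list).
REPL_FAILURE_MARKERS = ("failed", "unable to", "unwilling", "aborted")


def split_ds_body(rest):
    """Split the text after the DS timestamp into (component, message).

    389-ds writes either "- message" (no component) or "Component - message".
    """
    if rest.startswith("- "):
        return "", rest[2:]
    component, sep, msg = rest.partition(" - ")
    return (component, msg) if sep else ("", rest)


def parse_line(line):
    """Return a dict with ts/host/component/msg for one log line, or None."""
    m = SYSLOG.match(line)
    if m:
        host, prog, rest, ts = m.group("host", "prog", "rest", "ts")
        d = DS_TS.match(rest)          # ns-slapd lines keep their own timestamp
        if d:
            ts = d.group("ts")
            component, msg = split_ds_body(d.group("rest"))
            component = component or prog
        else:
            component, msg = prog, rest
        return {"ts": ts, "host": host, "component": component, "msg": msg}
    d = DS_TS.match(line)
    if d:
        component, msg = split_ds_body(d.group("rest"))
        return {"ts": d.group("ts"), "host": "", "component": component or "ns-slapd", "msg": msg}
    return None


def classify(entry):
    """Map a parsed entry to one triage bucket."""
    msg = entry["msg"].lower()
    if "encoded packet size too big" in msg:
        return "packet_too_big"
    if "entry cache size" in msg:
        return "cache_size_warning"
    if entry["component"] == "NSMMReplicationPlugin":
        if any(marker in msg for marker in REPL_FAILURE_MARKERS):
            return "replication_failure"
        return "replication_info"
    return "info"


def triage(lines):
    """Group log lines by bucket; lines no regex understands land in 'unparsed'."""
    buckets = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            buckets["unparsed"].append(line)
        else:
            buckets[classify(entry)].append(entry)
    return buckets


def summarize(lines):
    """Counts per bucket, the at-a-glance view of a log dump."""
    return {bucket: len(items) for bucket, items in triage(lines).items()}


def failed_agreements(lines):
    """Replication agreements named on failure lines."""
    names = set()
    for entry in triage(lines).get("replication_failure", []):
        m = AGMT.search(entry["msg"])
        if m:
            names.add(m.group("name"))
    return names


# Constructed sample: lines quoted in the thread (wrapped lines rejoined) plus
# one constructed ns-slapd line carrying the message Martin said to look for.
SAMPLE_LINES = [
    "[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up",
    "[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu",
    "[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests",
    '[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform',
    "[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.",
    '[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"',
    "[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.",
    "Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled",
    "Feb 9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2",
    "Feb  9 05:50:00 idm rngd: failed fips test",
    # constructed, not from Chris's logs:
    "Feb  9 10:40:31 idm ns-slapd: [09/Feb/2015:10:40:31 -0500] - encoded packet size too big (xxxxxx 65536)",
]

if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_LINES).items()):
        print(f"{bucket}: {len(items)}")
    print("failed agreements:", sorted(failed_agreements(SAMPLE_LINES)))
```

Run against the real files by feeding `open('/var/log/dirsrv/slapd-INSTANCE/errors')` and `open('/var/log/messages')` to `triage()`; with Chris's logs as quoted, the only non-informational buckets are the two schema-replication failures against `cn=meToipa.cs.oberlin.edu` and the cache-size warning, and the packet-size bucket stays empty, which matches his grep result. The "Total update aborted ... LDAP error: Referral" text comes from ipa-replica-install's own output rather than a log file, so it is not parsed here.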

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project