Please disregard this email, as it was duplicated. Sorry for the inconvenience.
On Tue, Feb 9, 2016 at 4:26 PM, <[email protected]> wrote:
> Hi, I desperately need your help/advice with our ipa update process.
> Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7 to a newer version, and I read that the way of doing it is to create a new replica with a newer version of IPA server.
> Before writing this post, I browsed for similar issues (there are many of them with similar outcome) and tried to apply the suggested solutions but no luck. I also tried previous versions of Fedora (18 and 19) but again no luck.
> It seems I'm stuck and I don't know how to proceed :(
>
> Thank you in advance to anyone who will take the time to read my message :) Let's start!
>
> Right now we have a single running on Centos 6.7, and we are planning to create a replica with Fedora 20 which has IPA 3.3
>
> Here are the details of the master (ipaserver)
> [root@ipaserver ~]# uname -a
> Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-ca-9.0.3-43.el6.noarch
>
> And here are the details of the replica (ipaserver-ha2)
> Replica server on Fedora 20:
> [root@ipaserver-ha2 ~]# uname -a
> Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> pki-ca-10.1.2-7.fc20.noarch
> freeipa-server-3.3.5-1.fc20.x86_64
>
> Here are the steps I made:
>
> - Before starting the replica I updated the schema of the master with the copy-schema-to-ca.py script
> - I prepared the replica certificates on the server ("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and transferred to the replica server on the same folder
> - Then I ran the replica install and here's the output:
>
> [root@ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipaserver.it.fx.lan':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
> PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> [email protected] password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server (dirsrv): Estimated time 1 minute
> [1/34]: creating directory server user
> [2/34]: creating directory server instance
> [3/34]: adding default schema
> [4/34]: enabling memberof plugin
> [5/34]: enabling winsync plugin
> [6/34]: configuring replication version plugin
> [7/34]: enabling IPA enrollment plugin
> [8/34]: enabling ldapi
> [9/34]: configuring uniqueness plugin
> [10/34]: configuring uuid plugin
> [11/34]: configuring modrdn plugin
> [12/34]: configuring DNS plugin
> [13/34]: enabling entryUSN plugin
> [14/34]: configuring lockout plugin
> [15/34]: creating indices
> [16/34]: enabling referential integrity plugin
> [17/34]: configuring ssl for ds instance
> [18/34]: configuring certmap.conf
> [19/34]: configure autobind for root
> [20/34]: configure new location for managed entries
> [21/34]: configure dirsrv ccache
> [22/34]: enable SASL mapping fallback
> [23/34]: restarting directory server
> [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 3 seconds elapsed
> Update succeeded
>
> [25/34]: updating schema
> [26/34]: setting Auto Member configuration
> [27/34]: enabling S4U2Proxy delegation
> [28/34]: initializing group membership
> [29/34]: adding master entry
> [30/34]: configuring Posix uid/gid generation
> [31/34]: adding replication acis
> [32/34]: enabling compatibility plugin
> [33/34]: tuning directory server
> [34/34]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
> [1/19]: creating certificate server user
> [2/19]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpoqFGBW' returned non-zero exit status 1
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
>
> Here are the log files on the replica server:
>
>
>
> On the master I extracted the access log of the http server:
> 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
> 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
> 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
> 10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
> 10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
> 10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4092
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
> 10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
> 10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
> 10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
> 10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 157
> 10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746
> 10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/profileSubmit HTTP/1.0" 200 1459
> 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
> 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
> 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
>
>
> Best regards,
>
> *Giuseppe Calignano*
> IT Manager
>
> Mobile: +39 335 7864 963 | Office: + 39 041 258 7618 | Email: [email protected] | skype: quasaro
> Via della Pila, 13 | I-30175 Marghera | Venezia | Italy
>
> CONFIDENTIALITY NOTICE - This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message, you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you have received this message in error, please notify Finantix immediately via email to the sender.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Giuseppe Calignano
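The access log quoted in the message above is the most useful artifact in the thread: it records which CA endpoints the new replica asked the old master for and how each one answered. The script below is an added example, not code from the poster or from the FreeIPA/Dogtag projects. It parses Apache common-log-format lines (a constructed subset of the quoted lines is embedded, plus one deliberately malformed line to show it is skipped), tabulates status codes per CA path, pairs each operation that got a 404 on one path with the path where the same operation was later served with 2xx, and lists the 404s that were never served by any path. Which of those failures actually broke `pkispawn` is not something the log alone proves; the script only narrows the list a practitioner would then compare against the CA version on the master.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the Apache access-log lines quoted in the post,
# plus one malformed line that the parser must drop.
SAMPLE_LOG = """\
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
this line is deliberately malformed and must be skipped
"""

# Apache common log format: client ident user [timestamp] "METHOD path HTTP/x.y" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_access_log(text):
    """Parse common-log-format lines into dicts; lines that do not match are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries


def ca_requests(entries):
    """Keep only requests to the CA web application (paths under /ca/)."""
    return [e for e in entries if e["path"].startswith("/ca/")]


def status_by_path(entries):
    """Count HTTP status codes per CA path, e.g. {'/ca/rest/account/login': Counter({404: 1})}."""
    table = defaultdict(Counter)
    for e in ca_requests(entries):
        table[e["path"]][e["status"]] += 1
    return dict(table)


def fallback_pairs(entries):
    """Operations (last path segment) that returned 404 on one CA path but 2xx on
    another, mapped to (sorted failed paths, sorted served paths). In the quoted log
    this surfaces updateNumberRange and updateDomainXML, which were answered 404
    under /ca/admin/ and then served under /ca/ee/ and /ca/agent/."""
    by_op = defaultdict(lambda: {"failed": set(), "served": set()})
    for e in ca_requests(entries):
        op = e["path"].rsplit("/", 1)[-1]
        if e["status"] == 404:
            by_op[op]["failed"].add(e["path"])
        elif 200 <= e["status"] < 300:
            by_op[op]["served"].add(e["path"])
    return {op: (sorted(v["failed"]), sorted(v["served"]))
            for op, v in by_op.items() if v["failed"] and v["served"]}


def unrecovered_404s(entries):
    """CA paths that returned 404 and whose operation was never served by any path;
    these are the calls worth comparing against the CA version on the master."""
    recovered = set()
    for failed, _served in fallback_pairs(entries).values():
        recovered.update(failed)
    missing = {e["path"] for e in ca_requests(entries) if e["status"] == 404}
    return sorted(missing - recovered)


def report(text):
    """Triage summary of one access log, returned as a list of lines."""
    entries = parse_access_log(text)
    lines = [f"{len(entries)} parsed requests, {len(ca_requests(entries))} to /ca/"]
    for path, counts in sorted(status_by_path(entries).items()):
        lines.append(f"  {path}: " + ", ".join(f"{s}x{n}" for s, n in sorted(counts.items())))
    for op, (failed, served) in sorted(fallback_pairs(entries).items()):
        lines.append(f"  {op}: 404 on {failed} but served at {served}")
    for path in unrecovered_404s(entries):
        lines.append(f"  never served: {path}")
    return lines


if __name__ == "__main__":
    # Run against the embedded sample; replace SAMPLE_LOG with the contents of the
    # master's httpd access log to triage a real replica-install attempt.
    print("\n".join(report(SAMPLE_LOG)))
```

Filtering to `/ca/` first matters on a real IPA master, where the same access log also carries the `/ipa/` API and Kerberos-related traffic; pairing operations by their last path segment is a heuristic that works for the Dogtag servlet layout seen here (`/ca/admin/ca/...`, `/ca/ee/ca/...`, `/ca/agent/ca/...`) and should be checked by eye before drawing conclusions from it.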
