From: Petr Vobornik <pvobo...@redhat.com>
 To: John Williams <john.1...@yahoo.com>; "Freeipa-users@redhat.com" 
<Freeipa-users@redhat.com> 
 Sent: Thursday, April 7, 2016 7:11 AM
 Subject: Re: [Freeipa-users] CentOS 7 replica installation failing
   
On 04/07/2016 06:12 AM, John Williams wrote:
> I've setup an initial FreeIPA instance on a CentOS 7 host.  The install went 
> without a hitch.  I can login to the GUI with no problems.  However, I am not 
> able to install the replica on another CentOS 7 host.  I get the following 
> errors:
> 
> [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders 
> /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck

It was run with '--skip-conncheck'. Is there a reason? If you remove it,
what does it complain about?

In general, using --skip-conncheck should be avoided because it may hide
errors.

You could also check master server
/var/log/dirsrv/slapd-your-instance/access and errors logs if there is
some connection attempt from the replica visible.

And maybe /var/log/ipareplica-install.log contains more info.

I ran it with the skip connection check because when I ran it initially without the skip connection check, I got the following messages:

The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.
Remote master check failed with following error message(s):
Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

There is nothing blocking the connections, and the initial IPA server seems to be working fine.
Here are some snippets from the log:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 525, in install_check
    options.setup_ca, config.ca_ds_port, options.admin_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 91, in replica_conn_check
    "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: SystemExit: Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
2016-04-07T11:30:06Z ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
Here are some more logs:

[root@ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
Could not chdir to home directory /home/admin: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
Bytes per second: sent 131062.5, received 111697.1
debug1: Exit status 0
2016-04-07T11:30:02Z DEBUG Starting external process
2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o UserKnownHostsFile=/tmp/tmpCbCb50' 'ad...@ipa1.nrln.us' '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
2016-04-07T11:30:05Z DEBUG Process finished, return code=1
2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica 'ipa2.nrln.us':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): FAILED
   HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.
2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)

These two hosts are on the same subnet, with no firewall or iptables running. That's why the error message is confusing.
Any suggestions?
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
> 
> Directory Manager (existing master) password:
> 
> Existing BIND configuration detected, overwrite? [no]: yes
> Using reverse zone(s) 1.168.192.in-addr.arpa.
> Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>    [1/38]: creating directory server user
>    [2/38]: creating directory server instance
>    [3/38]: adding default schema
>    [4/38]: enabling memberof plugin
>    [5/38]: enabling winsync plugin
>    [6/38]: configuring replication version plugin
>    [7/38]: enabling IPA enrollment plugin
>    [8/38]: enabling ldapi
>    [9/38]: configuring uniqueness plugin
>    [10/38]: configuring uuid plugin
>    [11/38]: configuring modrdn plugin
>    [12/38]: configuring DNS plugin
>    [13/38]: enabling entryUSN plugin
>    [14/38]: configuring lockout plugin
>    [15/38]: creating indices
>    [16/38]: enabling referential integrity plugin
>    [17/38]: configuring ssl for ds instance
>    [18/38]: configuring certmap.conf
>    [19/38]: configure autobind for root
>    [20/38]: configure new location for managed entries
>    [21/38]: configure dirsrv ccache
>    [22/38]: enable SASL mapping fallback
>    [23/38]: restarting directory server
>    [24/38]: setting up initial replication
> Starting replication, please wait until this has completed.
> 
> [ipa1.nrln.us] reports: Update failed! Status: [-1  - LDAP error: Can't 
> contact 
> LDAP server]
> 
>    [error] RuntimeError: Failed to start replication
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start 
> replication
> 
> 
> The error message is misleading. The two hosts sit on the same subnet.  All 
> firewalls are off.  Selinux is disabled.  Here is an nmap port scan from the 
> replica to the master:
> 
> 
> [root@ipa2 ~]# nmap ipa1
> 
> Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
> Nmap scan report for ipa1 (192.168.1.38)
> Host is up (0.000086s latency).
> rDNS record for 192.168.1.38: ipa1.nrln.us
> Not shown: 990 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 80/tcp  open  http
> 88/tcp  open  kerberos-sec
> 389/tcp  open  ldap
> 443/tcp  open  https
> 464/tcp  open  kpasswd5
> 636/tcp  open  ldapssl
> 749/tcp  open  kerberos-adm
> 8080/tcp open  http-proxy
> 8443/tcp open  https-alt
> MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
> 
> Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
> [root@ipa2 ~]#
> 
> 
> Why do I get this message?
> 
> TIA!!
> 
> 
> 


-- 
Petr Vobornik

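Petr's advice above is to rerun without --skip-conncheck and read what the check complains about. Note which direction the pasted output is testing: the stdout block is labelled "Check connection from master to remote replica", i.e. the master ssh'ing in and probing ipa2, which is the opposite direction from the nmap scan John ran from ipa2 against ipa1. The following is an added example (not FreeIPA's code, and not from anyone in the thread) that shows how such a two-sided check works and why a UDP port comes back WARNING rather than FAILED: the replica side binds a temporary TCP listener or UDP echo responder on each port, the master side probes them, and a UDP port the responder could not attach because another process already holds it is reported as "could not be verified as open". The labels, the PROBE payload, the loopback host and the ephemeral ports in demo() are constructed for the example; IPA_PORTS is the port list from the thread's output.

```python
"""Two-sided port check in the spirit of ipa-replica-conncheck (added example,
not FreeIPA's own code). Ports are parameters so the demo runs unprivileged
on loopback; IPA_PORTS lists the real ones from the thread."""
import socket
import threading

# Ports ipa-replica-conncheck reported in the thread: (label, port, proto).
IPA_PORTS = [
    ("Directory Service: Unsecure port", 389, "tcp"),
    ("Directory Service: Secure port", 636, "tcp"),
    ("Kerberos KDC: TCP", 88, "tcp"),
    ("Kerberos KDC: UDP", 88, "udp"),
    ("Kerberos Kpasswd: TCP", 464, "tcp"),
    ("Kerberos Kpasswd: UDP", 464, "udp"),
    ("HTTP Server: Unsecure port", 80, "tcp"),
    ("HTTP Server: Secure port", 443, "tcp"),
]
PROBE = b"conncheck-probe"  # constructed payload; the responder echoes it back


class Responders:
    """Replica side: temporary listeners. entries holds (label, port, proto,
    bound_port) with bound_port None when the port could not be attached."""

    def __init__(self, host="127.0.0.1"):
        self.host, self.entries, self._socks = host, [], []
        self._stop = threading.Event()

    def bind(self, ports):
        for label, port, proto in ports:
            kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
            s = socket.socket(socket.AF_INET, kind)
            try:
                s.bind((self.host, port))
            except OSError:                     # already bound by another process
                s.close()
                self.entries.append((label, port, proto, None))
                continue
            s.settimeout(0.2)                   # lets _serve notice _stop
            if proto == "tcp":
                s.listen(5)
            self._socks.append(s)
            self.entries.append((label, port, proto, s.getsockname()[1]))
            threading.Thread(target=self._serve, args=(s, proto), daemon=True).start()
        return self.entries

    def _serve(self, s, proto):
        while not self._stop.is_set():
            try:
                if proto == "tcp":
                    s.accept()[0].close()       # a completed handshake is enough
                else:
                    data, peer = s.recvfrom(64)
                    s.sendto(data, peer)        # echo so the prober sees it arrive
            except socket.timeout:
                continue
            except OSError:
                break

    def close(self):
        self._stop.set()
        for s in self._socks:
            s.close()


def probe_tcp(host, port, timeout=2.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_udp(host, port, timeout=2.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(PROBE, (host, port))
        return s.recvfrom(64)[0] == PROBE       # ICMP unreachable or silence -> False
    except OSError:
        return False
    finally:
        s.close()


def check_from_master(host, entries):
    """Master side: probe each replica responder; {label: OK|FAILED|WARNING}."""
    results = {}
    for label, port, proto, bound_port in entries:
        if bound_port is None:
            results[label] = "WARNING"          # could not be verified as open
        elif (probe_tcp if proto == "tcp" else probe_udp)(host, bound_port):
            results[label] = "OK"
        else:
            results[label] = "FAILED"
    return results


def demo(host="127.0.0.1"):
    """Loopback scenario: two reachable ports, one UDP port held by a stranger
    (WARNING), and one TCP port nobody listens on (FAILED)."""
    stranger = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    stranger.bind((host, 0))                    # stands in for a foreign process
    rep = Responders(host)
    entries = rep.bind([("ldap", 0, "tcp"), ("kdc-udp", 0, "udp"),
                        ("kpasswd-udp", stranger.getsockname()[1], "udp")])
    results = check_from_master(host, entries)
    rep.close()
    stranger.close()
    dead = socket.socket()
    dead.bind((host, 0))
    closed_port = dead.getsockname()[1]
    dead.close()                                # nothing listens here any more
    results["closed-tcp"] = "OK" if probe_tcp(host, closed_port, 1.0) else "FAILED"
    return results


if __name__ == "__main__":
    for label, status in demo().items():
        print("   %s: %s" % (label, status))
```

The point of separating the two sides is that a FAILED line means the master could not reach a responder the replica had actually bound, so the place to look is the path from master to replica (or whatever on the replica is not listening), whereas a WARNING line only says the check could not be performed for that UDP port. A scan from the replica towards the master, like the nmap run in the thread, does not exercise the direction that produced those FAILED lines.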
