From: Petr Vobornik <pvobo...@redhat.com>
To: John Williams <john.1...@yahoo.com>; "Freeipa-users@redhat.com" <Freeipa-users@redhat.com>
Sent: Thursday, April 7, 2016 8:01 AM
Subject: Re: [Freeipa-users] CentOS 7 replica installation failing

On 04/07/2016 01:34 PM, John Williams wrote:
>
> --------------------------------------------------------------------------------
> *From:* Petr Vobornik <pvobo...@redhat.com>
> *To:* John Williams <john.1...@yahoo.com>; "Freeipa-users@redhat.com" <Freeipa-users@redhat.com>
> *Sent:* Thursday, April 7, 2016 7:11 AM
> *Subject:* Re: [Freeipa-users] CentOS 7 replica installation failing
>
> On 04/07/2016 06:12 AM, John Williams wrote:
> > I've set up an initial FreeIPA instance on a CentOS 7 host. The install went
> > without a hitch. I can log in to the GUI with no problems. However, I am not
> > able to install the replica on another CentOS 7 host. I get the following
> > errors:
> >
> > [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
> > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
>
> It was run with '--skip-conncheck'. Is there a reason? If you remove it,
> what does it complain about?
>
> In general, using --skip-conncheck should be avoided because it may hide
> errors.
>
> You could also check master server
> /var/log/dirsrv/slapd-your-instance/access and errors logs if there is
> some connection attempt from the replica visible.
>
> And maybe /var/log/ipareplica-install.log contains more info.
>
> I ran the skip connections, because when I ran it initially without the skip
> connections, I got the following messages:
>
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Remote master check failed with following error message(s):
> Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of
> known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
> (TCP), 80 (TCP), 443 (TCP)
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check
> failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
>
> There is nothing blocking the connections, and the initial IPA server seems
> to be working fine.
>
> Here are some snippets from the log:
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 525, in install_check
>     options.setup_ca, config.ca_ds_port, options.admin_password)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 91, in replica_conn_check
>     "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
>
> 2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: SystemExit: Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck parameter.
> 2016-04-07T11:30:06Z ERROR Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck parameter.
>
> Here are some more logs:
>
> [root@ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
> Could not chdir to home directory /home/admin: No such file or directory
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0
> debug1: channel 0: free: client-session, nchannels 1
> debug1: fd 1 clearing O_NONBLOCK
> debug1: fd 2 clearing O_NONBLOCK
> Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
> Bytes per second: sent 131062.5, received 111697.1
> debug1: Exit status 0
>
> 2016-04-07T11:30:02Z DEBUG Starting external process
> 2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o UserKnownHostsFile=/tmp/tmpCbCb50' 'ad...@ipa1.nrln.us' '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
> 2016-04-07T11:30:05Z DEBUG Process finished, return code=1
> 2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica 'ipa2.nrln.us':
>    Directory Service: Unsecure port (389): FAILED
>    Directory Service: Secure port (636): FAILED
>    Kerberos KDC: TCP (88): FAILED
>    Kerberos KDC: UDP (88): WARNING
>    Kerberos Kpasswd: TCP (464): FAILED
>    Kerberos Kpasswd: UDP (464): WARNING
>    HTTP Server: Unsecure port (80): FAILED
>    HTTP Server: Secure port (443): FAILED
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> 2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)
>
> These two hosts are on the same subnet, with no firewall or IPTables running.
> That's why the error message is confusing.
>
> Any suggestions?

The error suggests that the master is not able to contact the replica on any port. Is DNS ok? What does `nmap ipa2.nrln.us` return?

OMG. The firewall was on the replica. Thanks so much!!

> > WARNING: conflicting time&date synchronization service 'chronyd' will
> > be disabled in favor of ntpd
> >
> > Directory Manager (existing master) password:
> >
> > Existing BIND configuration detected, overwrite? [no]: yes
> > Using reverse zone(s) 1.168.192.in-addr.arpa.
> > Configuring NTP daemon (ntpd)
> >   [1/4]: stopping ntpd
> >   [2/4]: writing configuration
> >   [3/4]: configuring ntpd to start on boot
> >   [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server (dirsrv). Estimated time: 1 minute
> >   [1/38]: creating directory server user
> >   [2/38]: creating directory server instance
> >   [3/38]: adding default schema
> >   [4/38]: enabling memberof plugin
> >   [5/38]: enabling winsync plugin
> >   [6/38]: configuring replication version plugin
> >   [7/38]: enabling IPA enrollment plugin
> >   [8/38]: enabling ldapi
> >   [9/38]: configuring uniqueness plugin
> >   [10/38]: configuring uuid plugin
> >   [11/38]: configuring modrdn plugin
> >   [12/38]: configuring DNS plugin
> >   [13/38]: enabling entryUSN plugin
> >   [14/38]: configuring lockout plugin
> >   [15/38]: creating indices
> >   [16/38]: enabling referential integrity plugin
> >   [17/38]: configuring ssl for ds instance
> >   [18/38]: configuring certmap.conf
> >   [19/38]: configure autobind for root
> >   [20/38]: configure new location for managed entries
> >   [21/38]: configure dirsrv ccache
> >   [22/38]: enable SASL mapping fallback
> >   [23/38]: restarting directory server
> >   [24/38]: setting up initial replication
> > Starting replication, please wait until this has completed.
> >
> > [ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact
> > LDAP server]
> >
> > [error] RuntimeError: Failed to start replication
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start
> > replication
> >
> >
> > The error message is misleading. The two hosts sit on the same subnet. All
> > firewalls are off. Selinux is disabled. Here is an nmap port scan from the
> > replica to the master:
> >
> >
> > [root@ipa2 ~]# nmap ipa1
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
> > Nmap scan report for ipa1 (192.168.1.38)
> > Host is up (0.000086s latency).
> > rDNS record for 192.168.1.38: ipa1.nrln.us
> > Not shown: 990 closed ports
> > PORT     STATE SERVICE
> > 22/tcp   open  ssh
> > 80/tcp   open  http
> > 88/tcp   open  kerberos-sec
> > 389/tcp  open  ldap
> > 443/tcp  open  https
> > 464/tcp  open  kpasswd5
> > 636/tcp  open  ldapssl
> > 749/tcp  open  kerberos-adm
> > 8080/tcp open  http-proxy
> > 8443/tcp open  https-alt
> > MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
> > [root@ipa2 ~]#
> >
> >
> > Why do I get this message?

--
Petr Vobornik
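The thread's lesson is that ipa-replica-conncheck tests the master-to-replica direction, which is exactly where a host firewall on the replica bites, while an nmap run from the replica toward the master says nothing about it. As an added example (not part of this thread and not FreeIPA's own tooling), the script below reproduces that TCP half of the check: run it on the master with the replica's hostname and it reports each of the six TCP ports that failed above, and it also prints whether firewalld is active on the host it runs on, so running it once more on the replica would have surfaced the cause here before anyone reached for --skip-conncheck. The port list and labels are taken from the conncheck output in the thread; the hostnames, the systemctl-based firewalld check and the local-listener helper are my assumptions.

```python
"""Pre-flight TCP reachability check for a FreeIPA replica (added example)."""
import shutil
import socket
import subprocess
import sys
from contextlib import closing

# The TCP services that ipa-replica-conncheck reported as FAILED in the thread;
# labels mirror its output so the report reads the same way.
IPA_TCP_PORTS = {
    389: "Directory Service: Unsecure port",
    636: "Directory Service: Secure port",
    88: "Kerberos KDC: TCP",
    464: "Kerberos Kpasswd: TCP",
    80: "HTTP Server: Unsecure port",
    443: "HTTP Server: Secure port",
}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        # Refused (nothing listening), timed out (dropped by a firewall) and
        # unresolvable hostnames all land here; the caller only needs pass/fail.
        return False


def check_ports(host, ports=IPA_TCP_PORTS, timeout=3.0):
    """Map each port to True (reachable) or False for the given host."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def summarize(results, ports=IPA_TCP_PORTS):
    """Render results in the style of ipa-replica-conncheck.
    Returns (report_lines, list_of_inaccessible_ports)."""
    lines = [f"   {ports.get(p, 'port')} ({p}): {'OK' if ok else 'FAILED'}"
             for p, ok in results.items()]
    failed = [p for p, ok in results.items() if not ok]
    if failed:
        lines.append("Port check failed! Inaccessible port(s): "
                     + ", ".join(f"{p} (TCP)" for p in failed))
    return lines, failed


def local_firewall_state():
    """firewalld state on this host per 'systemctl is-active firewalld'
    (e.g. 'active' / 'inactive'), or None when systemctl is unavailable."""
    if shutil.which("systemctl") is None:
        return None
    proc = subprocess.run(["systemctl", "is-active", "firewalld"],
                          capture_output=True, text=True)
    return proc.stdout.strip() or "unknown"


def with_local_listener(fn):
    """Open an ephemeral listener on 127.0.0.1 and call fn(port) while it is
    up. Only used to demonstrate the OK path without any real network."""
    with closing(socket.socket()) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return fn(srv.getsockname()[1])


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <replica-host>   (run on the master)", file=sys.stderr)
        return 2
    host = argv[1]  # hypothetical target, e.g. the replica's FQDN
    print(f"Check connection from master to remote replica '{host}':")
    lines, failed = summarize(check_ports(host))
    print("\n".join(lines))
    state = local_firewall_state()
    if state is not None:
        # This describes the host the script runs on; rerun on the replica
        # to see its own firewalld state.
        print(f"firewalld on this host: {state}")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one port is unreachable from this side, which is the condition that made conncheck refuse to continue; only a filtered port (connection timed out rather than refused) points at a firewall, so comparing the time the check takes per port is a quick hint about which case you are in.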
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project