Kilian Ries wrote:
Does nobody have an idea what's the problem here?


TL;DR you are best off deleting this failed replica install and trying again.

Initial replication is done over TLS. When replication is completed, both sides of the agreement are converted to using GSSAPI, and both ldap principals are needed to do this. Given that replication just completed, both principals should be available, but rarely one is not (hence the vague-ish error message).

In this case the new ldap principal for the new replica wasn't found on the remote master so things blew up.

There is no continuing the installation after this type of failure, so you'll need to remove the failed install as a master on auth01 (ipa-replica-manage del auth02...) and then run ipa-server-install --uninstall on auth02 and try again.

rob



Thanks

Kilian



------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com
<freeipa-users-boun...@redhat.com> on behalf of Kilian Ries
<m...@kilian-ries.de>
*Sent:* Wednesday, 6 April 2016 10:41
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Error setting up Replication: ldap service
principals is missing. Replication agreement cannot be converted

Hello,


I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
trying to add a replication partner.


During the installation I got the following error:


###

Restarting the directory and certificate servers

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds

   [1/8]: adding sasl mappings to the directory

   [2/8]: configuring KDC

   [3/8]: creating a keytab for the directory

   [4/8]: creating a keytab for the machine

   [5/8]: adding the password extension to the directory

   [6/8]: enable GSSAPI for replication

   [error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.

Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.


ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the
ldap service principals is missing. Replication agreement cannot be
converted.

###



The installation log shows the following:



###

2016-04-06T08:22:34Z INFO Getting ldap service principals for
conversion: (krbprincipalname=ldap/auth02.intern...@intern.eu) and
(krbprincipalname=ldap/auth01.intern...@intern.eu)

2016-04-06T08:22:34Z DEBUG Unable to find entry for
(krbprincipalname=ldap/auth02.intern...@intern.eu) on auth01.intern.eu:636

2016-04-06T08:22:34Z INFO Setting agreement
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
tree,cn=config schedule to 2358-2359 0 to force synch

2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
tree,cn=config

2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
0 Replica acquired successfully: Incremental update succeeded: start: 0:
end: 0

2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation

     run_step(full_msg, method)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step

     method()

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
line 438, in __convert_to_gssapi_replication

     r_bindpw=self.dm_password)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1104, in convert_to_gssapi_replication

     self.gssapi_update_agreements(self.conn, r_conn)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 797, in gssapi_update_agreements

     self.setup_krb_princs_as_replica_binddns(a, b)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 767, in setup_krb_princs_as_replica_binddns

     (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 751, in get_replica_principal_dns

     raise RuntimeError(error)

RuntimeError: One of the ldap service principals is missing. Replication
agreement cannot be converted.


2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap
service principals is missing. Replication agreement cannot be converted.

2016-04-06T08:22:36Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

     return_value = self.run()

   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run

     cfgr.run()

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 281, in run

     self.execute()

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 303, in execute

     for nothing in self._executor():

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner

     self._handle_exception(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

     util.raise_exc_info(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner

     step()

   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from

     raise_exc_info(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from

     value = gen.send(prev_value)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 524, in _configure

     executor.next()

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner

     self._handle_exception(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 421, in _handle_exception

     self.__parent._handle_exception(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

     util.raise_exc_info(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 418, in _handle_exception

     super(ComponentBase, self)._handle_exception(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

     util.raise_exc_info(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner

     step()

   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from

     raise_exc_info(exc_info)

   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from

     value = gen.send(prev_value)

   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install

     for nothing in self._installer(self.parent):

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 879, in main

     install(self)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 295, in decorated

     func(installer)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 586, in install

     krb = install_krb(config, setup_pkinit=not options.no_pkinit)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 93, in install_krb

     setup_pkinit, pkcs12_info)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
line 214, in create_replica

     self.start_creation(runtime=30)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation

     run_step(full_msg, method)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step

     method()

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
line 438, in __convert_to_gssapi_replication

     r_bindpw=self.dm_password)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1104, in convert_to_gssapi_replication

     self.gssapi_update_agreements(self.conn, r_conn)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 797, in gssapi_update_agreements

     self.setup_krb_princs_as_replica_binddns(a, b)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 767, in setup_krb_princs_as_replica_binddns

     (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 751, in get_replica_principal_dns

     raise RuntimeError(error)


2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.

2016-04-06T08:22:36Z ERROR One of the ldap service principals is
missing. Replication agreement cannot be converted.

###



Can anybody help me?


Thanks

Greets

Kilian
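
The following is an added example, not part of the original thread or of FreeIPA's code: it scans a replica install log in the format quoted above and reports which ldap principal lookup failed on which server before the GSSAPI conversion aborted. The sample log is constructed, with placeholder host names and realm, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the log quoted in the thread.
# Host names and realm are placeholders, not values from the post.
SAMPLE_LOG = """\
2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST) and (krbprincipalname=ldap/master.example.test@EXAMPLE.TEST)
2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST) on master.example.test:636
2016-04-06T08:22:36Z ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
"""

STAMP = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ ")
WANTED = re.compile(r"Getting ldap service principals for conversion: "
                    r"\(krbprincipalname=([^)]+)\) and \(krbprincipalname=([^)]+)\)")
MISSING = re.compile(r"Unable to find entry for \(krbprincipalname=([^)]+)\) on ([^\s:]+):\d+")
ABORTED = "Replication agreement cannot be converted"


def unwrap(text):
    """Re-join records that a mail client wrapped; each record starts with a timestamp."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def diagnose(text):
    """Collect the expected principals, failed lookups per server, and the abort flag."""
    expected, misses, aborted = [], Counter(), False
    for rec in unwrap(text):
        if m := WANTED.search(rec):
            expected = list(m.groups())
        for principal, server in MISSING.findall(rec):
            misses[(principal, server)] += 1
        aborted = aborted or ABORTED in rec
    return {"expected": expected, "misses": dict(misses), "aborted": aborted}


def missing_host(report):
    """Host part of the ldap principal that was not found, if the install aborted."""
    if not report["aborted"] or not report["misses"]:
        return None
    principal, _server = max(report["misses"], key=report["misses"].get)
    return principal.split("/", 1)[1].split("@", 1)[0]


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report, "-> principal missing for host:", missing_host(report))
```
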



