Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

[Ludwig Krispenz]

On 04/15/2016 10:14 AM, Kilian Ries wrote:
Hi,
on auht01 i see the following error just before installation fails:


[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, 
err=9999 Unknown error 9999
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, 
string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn 
"krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu"
 was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN 
(dn: 
krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu)
 is already in the entryrdn file with different ID 252.  Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, 
err=9999 Unknown error 9999
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, 
string=""
[14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn
this looks like a database/index corruption. There are traces for the 
ldapprincipal for auth02in the database, but teh index and the database 
are inconsistent. you can try to reindex teh database and see if this helps:
db2index.pl -D ... -w .. -Z <instance> -t entryrdn  #only this index
or
db2index.pl -D ... -w .. -Z <instance> # full reindex


[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://auth02.intern.eu:389/o%3Dipaca) failed.


Greets
Kilian


________________________________________
Von: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> im Auftrag 
von Ludwig Krispenz <lkris...@redhat.com>
Gesendet: Donnerstag, 14. April 2016 16:46
An: freeipa-users@redhat.com
Betreff: Re: [Freeipa-users] Error setting up Replication: ldap service 
principals is missing. Replication agreement cannot be converted

On 04/14/2016 04:19 PM, Kilian Ries wrote:
Hello Rob,

thanks for your explanations. I followed your hints and did a complete 
uninstall and started over with a fresh installation. I ended up with exactly 
the same error as the first time...

I did the following steps:


auth01$ ipa-replica-manage del auth02

auth02$ ipa-server-install --uninstall

auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu

auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 
/root/replica-info-auth02.intern.eu.gpg


Are there other logfiles i can check for more specific errors?
you should have a look to the DS error logs in /var/log/dirsrv on both
instances
Greets
Kilian

________________________________________
Von: Rob Crittenden <rcrit...@redhat.com>
Gesendet: Mittwoch, 13. April 2016 16:18
An: Kilian Ries; freeipa-users@redhat.com
Betreff: Re: [Freeipa-users] Error setting up Replication: ldap service 
principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:
Does nobody have an idea whats the problem here?
TL;DR you are best off deleting this failed replica install and trying
again.

Initial replication is done over TLS. When replication is completed both
sides of the agreement are converted to using GSSAPI and both ldap
principals are needed to do this. Given that replication just completed
both principals should be available but rarely one is not (hence the
vague-ish error message).

In this case the new ldap principal for the new replica wasn't found on
the remote master so things blew up.

There is no continuing the installation after this type of failure so
you'll need to remove the failed install as a master on auth01
(ipa-replica-manage del auth02...) and then run ipa-server-install
--uninstall on autho02 and try again.

rob

Thanks

Kilian



------------------------------------------------------------------------
*Von:* freeipa-users-boun...@redhat.com
<freeipa-users-boun...@redhat.com> im Auftrag von Kilian Ries
<m...@kilian-ries.de>
*Gesendet:* Mittwoch, 6. April 2016 10:41
*An:* freeipa-users@redhat.com
*Betreff:* [Freeipa-users] Error setting up Replication: ldap service
principals is missing. Replication agreement cannot be converted

Hello,


i have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and i'm
trying to add an replication partner.


During the installation i got the following error:


###

Restarting the directory and certificate servers

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds

     [1/8]: adding sasl mappings to the directory

     [2/8]: configuring KDC

     [3/8]: creating a keytab for the directory

     [4/8]: creating a keytab for the machine

     [5/8]: adding the password extension to the directory

     [6/8]: enable GSSAPI for replication

     [error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.

Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.


ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the
ldap service principals is missing. Replication agreement cannot be
converted.

###



The installation Log shows the following:



###

2016-04-06T08:22:34Z INFO Getting ldap service principals for
conversion: (krbprincipalname=ldap/auth02.intern...@intern.eu) and
(krbprincipalname=ldap/auth01.intern...@intern.eu)

2016-04-06T08:22:34Z DEBUG Unable to find entry for
(krbprincipalname=ldap/auth02.intern...@intern.eu) on auth01.intern.eu:636

2016-04-06T08:22:34Z INFO Setting agreement
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
tree,cn=config schedule to 2358-2359 0 to force synch

2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
tree,cn=config

2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
0 Replica acquired successfully: Incremental update succeeded: start: 0:
end: 0

2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):

     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation

       run_step(full_msg, method)

     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step

       method()

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
line 438, in __convert_to_gssapi_replication

       r_bindpw=self.dm_password)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1104, in convert_to_gssapi_replication

       self.gssapi_update_agreements(self.conn, r_conn)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 797, in gssapi_update_agreements

       self.setup_krb_princs_as_replica_binddns(a, b)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 767, in setup_krb_princs_as_replica_binddns

       (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 751, in get_replica_principal_dns

       raise RuntimeError(error)

RuntimeError: One of the ldap service principals is missing. Replication
agreement cannot be converted.


2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap
service principals is missing. Replication agreement cannot be converted.

2016-04-06T08:22:36Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

       return_value = self.run()

     File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run

       cfgr.run()

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 281, in run

       self.execute()

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 303, in execute

       for nothing in self._executor():

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner

       self._handle_exception(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

       util.raise_exc_info(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner

       step()

     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from

       raise_exc_info(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from

       value = gen.send(prev_value)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 524, in _configure

       executor.next()

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner

       self._handle_exception(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 421, in _handle_exception

       self.__parent._handle_exception(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

       util.raise_exc_info(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 418, in _handle_exception

       super(ComponentBase, self)._handle_exception(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

       util.raise_exc_info(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner

       step()

     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from

       raise_exc_info(exc_info)

     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from

       value = gen.send(prev_value)

     File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install

       for nothing in self._installer(self.parent):

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 879, in main

       install(self)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 295, in decorated

       func(installer)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 586, in install

       krb = install_krb(config, setup_pkinit=not options.no_pkinit)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 93, in install_krb

       setup_pkinit, pkcs12_info)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
line 214, in create_replica

       self.start_creation(runtime=30)

     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation

       run_step(full_msg, method)

     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step

       method()

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
line 438, in __convert_to_gssapi_replication

       r_bindpw=self.dm_password)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1104, in convert_to_gssapi_replication

       self.gssapi_update_agreements(self.conn, r_conn)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 797, in gssapi_update_agreements

       self.setup_krb_princs_as_replica_binddns(a, b)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 767, in setup_krb_princs_as_replica_binddns

       (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)

     File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 751, in get_replica_principal_dns

       raise RuntimeError(error)


2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.

2016-04-06T08:22:36Z ERROR One of the ldap service principals is
missing. Replication agreement cannot be converted.

###



Can anybody help me?


Thanks

Greets

Kilian



--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project