On 11/18/2016 09:16 AM, Martin Babinsky wrote:
On 11/17/2016 03:51 PM, Baird, Josh wrote:
Hi all,
In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new
replica, and I seem to be hitting something similar to #5412 [1].
The 'ipa-replica-install' is getting stuck on:
[4/26]: creating installation admin user
Dirsrv error logs on the new replica:
[17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin -
agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389):
Unable to acquire replica: permission denied. The bind dn "" does not
have permission to supply replication updates to the replica. Will
retry later.
Dirsrv access logs on existing master:
[17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca"
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca"
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca"
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca"
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0
tag=101 nentries=0 etime=0
Dirsrv logs on the existing master:
[17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin -
conn=120 op=13 replica="o=ipaca": Unable to acquire replica: error:
permission denied
[17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin -
conn=123 op=5 replica="o=ipaca": Unable to acquire replica: error:
permission denied
[17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin -
conn=130 op=5 replica="o=ipaca": Unable to acquire replica: error:
permission denied
Has anyone else experienced this issue?
Thanks,
Josh
[1] https://fedorahosted.org/freeipa/ticket/5412
Hi Josh,
in the original ticket the issue was occurring when creating CA replica
against 7.2 master upgraded to 7.3 with domain level raised to 1. Do
you have the same scenario?
Also, during the stuck installation can you check for the presence of
replica's LDAP principal in 'nsds5replicabinddn' attribute on master's
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?
I would also check for the reverse, i.e. if the master's LDAP
principal is in the 'nsds5replicabinddn' attribute on replica's
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.
Hi Josh,
Replica Agreements in both directions should use GSSAPI authentication with
accounts in 'cn=replication managers,cn=sysaccounts,cn=etc,<suffix>'.
Would you check the members (on master and replica) of this entry and
see if it contains the expected principals?
regards
thierry
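
Added example, not part of the thread and not FreeIPA's own code: a small checker for the two lookups suggested above, run over saved `ldapsearch` LDIF output for the `o=ipaca` replica entry and the replication managers group. It rejoins folded LDIF lines first, because the long principal DNs wrap and a plain grep misses them. Assumptions: the `example.test` hosts and LDIF are constructed, the `krbprincipalname=ldap/...,cn=services,cn=accounts,<suffix>` DN form is assumed for the LDAP principals, and the group is assumed to be referenced through `nsds5replicabinddngroup`.

```python
def norm(dn):  # case-insensitive compare; simplified, no escaped commas here
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """{normalized dn: {attr: [values]}}; base64 ('::') values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folded line: rejoin it
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                # a blank line ends the entry
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                current = entries.setdefault(norm(value), {})
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def supplier_authorization(ldif_text, peer_dn):
    """'direct', 'group' or None: how peer_dn may supply updates, if at all."""
    entries, peer = parse_ldif(ldif_text), norm(peer_dn)
    for attrs in entries.values():
        if peer in map(norm, attrs.get("nsds5replicabinddn", [])):
            return "direct"
        for group in attrs.get("nsds5replicabinddngroup", []):
            members = entries.get(norm(group), {}).get("member", [])
            if peer in map(norm, members):
                return "group"
    return None

# Constructed sample (hypothetical hosts), folded the way ldapsearch folds it.
SAMPLE_LDIF = """\
dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddn: cn=Replication Manager,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=exa
 mple,dc=test

dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=test
member: krbprincipalname=ldap/master.example.test@EXAMPLE.TEST,cn=services,cn
 =accounts,dc=example,dc=test
"""
SERVICES = ",cn=services,cn=accounts,dc=example,dc=test"
MASTER = "krbprincipalname=ldap/master.example.test@EXAMPLE.TEST" + SERVICES
REPLICA = "krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST" + SERVICES
```

In the constructed sample the replica's principal is absent from both places, so `supplier_authorization(SAMPLE_LDIF, REPLICA)` returns `None`, the state in which a supplier would be refused. Run it against LDIF collected on both the master and the replica.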