Hi List, has anyone faced/fixed this issue?

Regards,
Ben

On Sun, Jan 8, 2017 at 7:03 AM, Ben .T.George <[email protected]> wrote:

> Hi List,
>
> How can I solve this? Is this a bug, normal behavior or any missing
> configuration from my end,
>
> Till now I didn't get any clue on this.
>
> Regards
> Ben
>
> On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale <[email protected]> wrote:
>
>> On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
>> > Hi
>> >
>> > There is no firewall running on both servers,
>> >
>> > [root@zkwipamstr01 ~]# systemctl status firewalld
>> > ● firewalld.service - firewalld - dynamic firewall daemon
>> > Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>> > Active: inactive (dead)
>> > Docs: man:firewalld(1)
>> >
>> > [root@zkwipamstr01 ~]# sestatus
>> > SELinux status: disabled
>> >
>> OK, very well. And actually, forget about my idea about connecting
>> to port 8009 from client - that is not what happens at all. It is
>> the end of day for me and my brain checked out :/
>>
>> I shall continue analysis of your problem tomorrow.
>>
>> Thanks,
>> Fraser
>>
>> >
>> > On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <[email protected]> wrote:
>> >
>> > > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
>> > > > Hi,
>> > > >
>> > > > On master server and replica server, I have enabled ipv6
>> > > >
>> > > > below on master server
>> > > >
>> > > > [root@zkwipamstr01 ~]# ip addr | grep inet6
>> > > >
>> > > > inet6 fe80::250:56ff:fea0:3857/64 scope link
>> > > >
>> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
>> > > > tcp6 0 0 ::1:8009 :::* LISTEN 12692/java
>> > > >
>> > > >
>> > > > After that 8009 is listening on master server.
>> > > >
>> > > > On replica side uninstalled ipa and tried to enroll again. Do I need to
>> > > > enable any service replica side?
>> > > >
>> > > > [28/44]: restarting directory server
>> > > > ipa : CRITICAL Failed to restart the directory server (Command
>> > > > '/bin/systemctl restart [email protected]' returned non-zero
>> > > > exit status 1). See the installation log for details.
>> > > > [29/44]: setting up initial replication
>> > > > [error] error: [Errno 111] Connection refused
>> > > > Your system may be partly configured.
>> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > >
>> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111]
>> > > > Connection refused
>> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> > > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for
>> > > > more information
>> > > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > Job for [email protected] failed because the control process
>> > > > exited with error code. See "systemctl status [email protected]"
>> > > > and "journalctl -xe" for details.
>> > > >
>> > > > Still same error.
>> > > >
>> > > > Is this service restart pki-tomcatd@pki-tomcat only applicable on master
>> > > > server?
>> > > >
>> > > Yes, because no CA has been created on replica (yet).
>> > >
>> > > Can you confirm that your firewall (if any/enabled) on master is
>> > > letting the traffic from client/replica through to :8009?
>> > > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
>> > > suffices to check.
>> > >
>> > > Thanks,
>> > > Fraser
>> > >
>> > > > Regards,
>> > > > Ben
>> > > >
>> > > >
>> > > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <[email protected]> wrote:
>> > > >
>> > > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
>> > > > > > Hi
>> > > > > >
>> > > > > > Yes, I did the same and still port is not listening.
>> > > > > >
>> > > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
>> > > > > > 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>> > > > > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>> > > > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
>> > > > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
>> > > > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
>> > > > > >
>> > > > > >
>> > > > > > Regards
>> > > > > > Ben
>> > > > >
>> > > > > Also IPv6 stack needs to be enabled.
>> > > > >
>> > > > > >
>> > > > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <[email protected]> wrote:
>> > > > > >
>> > > > > >     On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
>> > > > > > > Hi
>> > > > > > >
>> > > > > > > port 8009 is not listening in master server
>> > > > > > >
>> > > > > > > and I added ::1 localhost localhost.localdomain localhost6
>> > > > > > > localhost6.localdomain6 in hosts file.
>> > > > > > >
>> > > > > >
>> > > > > >     Did you add this to the host file on the master (then `systemctl
>> > > > > >     restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
>> > > > > >     8009)? Or just the client you are trying to promote?
>> > > > > >
>> > > > > >     It is needed on the master. Won't hurt to make this change to
>> > > > > >     /etc/hosts on both machines, though.
>> > > > > >
>> > > > > >     HTH,
>> > > > > >     Fraser
>> > > > > >
>> > > > > > > still getting same error
>> > > > > > >
>> > > > > > > [28/44]: restarting directory server
>> > > > > > > ipa : CRITICAL Failed to restart the directory server (Command
>> > > > > > > '/bin/systemctl restart [email protected]' returned non-zero
>> > > > > > > exit status 1). See the installation log for details.
>> > > > > > > [29/44]: setting up initial replication
>> > > > > > > [error] error: [Errno 111] Connection refused
>> > > > > > > Your system may be partly configured.
>> > > > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > > > > >
>> > > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111]
>> > > > > > > Connection refused
>> > > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> > > > > > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for
>> > > > > > > more information
>> > > > > > >
>> > > > > > >
>> > > > > > > Also ipv6 is disabled on both nodes
>> > > > > > >
>> > > > > > > Regards,
>> > > > > > > Ben
>> > > > > > >
>> > > > > > > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <[email protected]> wrote:
>> > > > > > >
>> > > > > > > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
>> > > > > > > > > Hi
>> > > > > > > > >
>> > > > > > > > > I tried the method mentioned on that document and it ended up with below
>> > > > > > > > > error. My DNS is managed by external box and I don't want to create any
>> > > > > > > > > DNS record on these servers.
>> > > > > > > > >
>> > > > > > > > > and the command which I tried is (non client server)
>> > > > > > > > >
>> > > > > > > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain kw.example.com --server zkwipamstr01.kw.example.com
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > > ipa : CRITICAL Failed to restart the directory server (Command
>> > > > > > > > > '/bin/systemctl restart [email protected]' returned non-zero exit
>> > > > > > > > > status 1). See the installation log for details.
>> > > > > > > > > [29/44]: setting up initial replication
>> > > > > > > > > [error] error: [Errno 111] Connection refused
>> > > > > > > > > Your system may be partly configured.
>> > > > > > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > > > > > > >
>> > > > > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111] Connection
>> > > > > > > > > refused
>> > > > > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> > > > > > > > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
>> > > > > > > > > information
>> > > > > > > >
>> > > > > > > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>> > > > > > > >
>> > > > > > > > To verify that, could you check if master server internally listens on
>> > > > > > > > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
>> > > > > > > > near step 27.
>> > > > > > > >
>> > > > > > > > Usual fix is to add following line to /etc/hosts
>> > > > > > > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > > [root@zkwiparepa01 ~]# /bin/systemctl restart [email protected]
>> > > > > > > > > Job for [email protected] failed because the control process exited
>> > > > > > > > > with error code. See "systemctl status [email protected]" and
>> > > > > > > > > "journalctl -xe" for details.
>> > > > > > > > >
>> > > > > > > > > [root@zkwiparepa01 ~]# systemctl status [email protected]
>> > > > > > > > > ● [email protected] - 389 Directory Server KW-EXAMPLE-COM.
>> > > > > > > > > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>> > > > > > > > > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46 AST; 13s ago
>> > > > > > > > > Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
>> > > > > > > > > Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>> > > > > > > > > Main PID: 14893 (code=exited, status=1/FAILURE)
>> > > > > > > > >
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error: betxnpostoperation plu...arted
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object plugin Roles Pl...arted
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error: preoperation plugin su...arted
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object plugin USN is n...arted
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object plugin Views is...arted
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981 +0300] Error: extendedop plugin whoa...arted
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: [email protected]: main process exited, code=exited, status=1/FAILURE
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Failed to start 389 Directory Server KW-EXAMPLE-COM..
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Unit [email protected] entered failed state.
>> > > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: [email protected] failed.
>> > > > > > > > > Hint: Some lines were ellipsized, use -l to show in full.
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > > Regards,
>> > > > > > > > > Ben
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > > On Wed, Jan 4, 2017 at 11:19 AM, Martin Babinsky <[email protected]> wrote:
>> > > > > > > > >
>> > > > > > > > >     On 01/04/2017 07:21 AM, Ben .T.George wrote:
>> > > > > > > > >
>> > > > > > > > >         Hi
>> > > > > > > > >
>> > > > > > > > >         While trying to create ipa replica, I am getting below error,
>> > > > > > > > >
>> > > > > > > > >         Replica creation using 'ipa-replica-prepare' to generate replica file
>> > > > > > > > >         is supported only in 0-level IPA domain.
>> > > > > > > > >
>> > > > > > > > >         The current IPA domain level is 1 and thus the replica must
>> > > > > > > > >         be created by promoting an existing IPA client.
>> > > > > > > > >
>> > > > > > > > >         To set up a replica use the following procedure:
>> > > > > > > > >             1.) set up a client on the host using 'ipa-client-install'
>> > > > > > > > >             2.) promote the client to replica running 'ipa-replica-install'
>> > > > > > > > >                 *without* replica file specified
>> > > > > > > > >
>> > > > > > > > >         'ipa-replica-prepare' is allowed only in domain level 0
>> > > > > > > > >         The ipa-replica-prepare command failed.
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >         I have IPA master server without AD integration and DNS is managed by
>> > > > > > > > >         3rd party appliances.
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >         Regards,
>> > > > > > > > >         Ben
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >     Hi Ben,
>> > > > > > > > >
>> > > > > > > > >     If you installed IPA 4.4 server then domain level 1 is the default. This
>> > > > > > > > >     domain level uses different mechanism to stand up replicas. See the latest
>> > > > > > > > >     IdM documentation[1] for more details.
>> > > > > > > > >
>> > > > > > > > >     [1]
>> > > > > > > > >     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
>> > > > > > > > >
>> > > > > > > > >     --
>> > > > > > > > >     Martin^3 Babinsky
>> > > > > > > > >
>> > > > > > > > >     --
>> > > > > > > > >     Manage your subscription for the Freeipa-users mailing list:
>> > > > > > > > >     https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > > > > > > >     Go to http://freeipa.org for more info on the project
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > --
>> > > > > > > > Petr Vobornik
>> > > > > > > >
>> > > > > >
>> > > > > > > --
>> > > > > > > Manage your subscription for the Freeipa-users mailing list:
>> > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > > > > > Go to http://freeipa.org for more info on the project
>> > > > > >
>> > > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > > Petr Vobornik
>> > > > >
>> > >
>> >

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
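
An added example, not part of the thread and not FreeIPA code: an offline triage of the three checks suggested in the replies above (the `::1 localhost` entry in the master's /etc/hosts, a listener on port 8009 on the master, and the CA_UNREACHABLE string in the replica's ipareplica-install.log). The function names are hypothetical and the sample inputs are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Function names are hypothetical and the
# sample inputs are constructed from the output quoted in this thread.

# Succeeds if an uncommented "::1" line in hosts file $1 names "localhost".
hosts_has_ipv6_localhost() {
    awk '{ sub(/#.*/, "") }
         $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Prints the local address of every TCP listener on port 8009 found in saved
# `netstat -tunap` output $1; prints nothing if the port is not listening.
ajp_listen_addrs() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /:8009$/ {
             sub(/:8009$/, "", $4); print $4 }' "$1"
}

# One summary line from: master /etc/hosts, master netstat capture, and the
# replica's ipareplica-install.log.
triage() {
    if hosts_has_ipv6_localhost "$1"; then h=ok; else h=missing; fi
    a=$(ajp_listen_addrs "$2" | paste -sd, -)
    if grep -q 'CA_UNREACHABLE' "$3"; then c=yes; else c=no; fi
    if [ -n "$a" ]; then next='none, port 8009 is listening'
    elif [ "$h" = missing ]; then next='add the ::1 localhost line to /etc/hosts on the master'
    else next='enable the IPv6 stack, then restart pki-tomcatd@pki-tomcat'
    fi
    echo "hosts_ipv6_localhost=$h ajp_8009=${a:-none} ca_unreachable=$c next=$next"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed "before": no ::1 entry, nothing on 8009, log shows the marker.
printf '%s\n' '127.0.0.1 localhost localhost.localdomain' \
    '10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01' > "$tmp/hosts.before"
: > "$tmp/netstat.before"
echo 'constructed log line containing CA_UNREACHABLE' > "$tmp/log.before"
# Constructed "after": ::1 entry present and the listener seen in the thread.
printf '%s\n' '127.0.0.1 localhost localhost.localdomain' \
    '::1 localhost localhost.localdomain localhost6 localhost6.localdomain6' \
    > "$tmp/hosts.after"
echo 'tcp6 0 0 ::1:8009 :::* LISTEN 12692/java' > "$tmp/netstat.after"
echo 'constructed log line without the marker' > "$tmp/log.after"

triage "$tmp/hosts.before" "$tmp/netstat.before" "$tmp/log.before"
triage "$tmp/hosts.after" "$tmp/netstat.before" "$tmp/log.before"  # IPv6 stack off
triage "$tmp/hosts.after" "$tmp/netstat.after" "$tmp/log.after"
```

The middle case reproduces the state reported on Jan 5, where the hosts entry was in place but nothing listened on 8009 until the IPv6 stack was enabled.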
