Hi LIst,

is there anyone faces/fixed this issue?

Regards,
BEn

On Sun, Jan 8, 2017 at 7:03 AM, Ben .T.George <bentech4...@gmail.com> wrote:

> HI List,
>
> how can i solve this? is this a bug ,normal behavior or any missing
> configuration from my end,
>
> Till now i didn't get ant clue on this.
>
> Regards
> Ben
>
> On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale <ftwee...@redhat.com>
> wrote:
>
>> On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
>> > HI
>> >
>> > there is no filrewall running on both servers,
>> >
>> > [root@zkwipamstr01 ~]# systemctl status firewalld
>> > ● firewalld.service - firewalld - dynamic firewall daemon
>> >    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
>> > vendor preset: enabled)
>> >    Active: inactive (dead)
>> >      Docs: man:firewalld(1)
>> >
>> > [root@zkwipamstr01 ~]# sestatus
>> > SELinux status:                 disabled
>> >
>> OK, very well.  And actually, forget about my idea about connecting
>> to port 8009 from client - that is not what happens at all.  It is
>> the end of day for me and my brain checked out :/
>>
>> I shall continue analysis of your problem tomorrow.
>>
>> Thanks,
>> Fraser
>>
>> >
>> > On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <ftwee...@redhat.com>
>> wrote:
>> >
>> > > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
>> > > > HI,
>> > > >
>> > > > on master server and replica server, i have enabled ipv6
>> > > >
>> > > > below on master server
>> > > >
>> > > > [root@zkwipamstr01 ~]# ip addr | grep inet6
>> > > >
>> > > >     inet6 fe80::250:56ff:fea0:3857/64 scope link
>> > > >
>> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
>> > > > tcp6       0      0 ::1:8009                :::*
>> > > LISTEN
>> > > >      12692/java
>> > > >
>> > > >
>> > > > after that 8009 is listening on master server.
>> > > >
>> > > > on replica side uninstalled ipa and tried to enrolled again. Do i
>> need to
>> > > > enable any service replica side?
>> > > >
>> > > > [28/44]: restarting directory server
>> > > > ipa         : CRITICAL Failed to restart the directory server
>> (Command
>> > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
>> non-zero
>> > > > exit status 1). See the installation log for details.
>> > > >   [29/44]: setting up initial replication
>> > > >   [error] error: [Errno 111] Connection refused
>> > > > Your system may be partly configured.
>> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > >
>> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno
>> 111]
>> > > > Connection refused
>> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>> > > > ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log
>> > > for
>> > > > more information
>> > > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > Job for pki-tomcatd@pki-tomcat.service failed because the control
>> > > process
>> > > > exited with error code. See "systemctl status
>> > > pki-tomcatd@pki-tomcat.service"
>> > > > and "journalctl -xe" for details.
>> > > >
>> > > > Still same error.
>> > > >
>> > > > is this service restart pki-tomcatd@pki-tomcat only applicable on
>> master
>> > > > server?
>> > > >
>> > > Yes, because no CA has been created on replica (yet).
>> > >
>> > > Can you confirm that your firewall (if any/enabled) on master is
>> > > letting the traffic from client/replica through to :8009?
>> > > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
>> > > suffices to check.
>> > >
>> > > Thanks,
>> > > Fraser
>> > >
>> > > > Regards,
>> > > > Ben
>> > > >
>> > > >
>> > > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvobo...@redhat.com
>> >
>> > > wrote:
>> > > >
>> > > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
>> > > > > > HI
>> > > > > >
>> > > > > > yes i did the same and still port is not listening.
>> > > > > >
>> > > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
>> > > > > > 127.0.0.1   localhost localhost.localdomain localhost4
>> > > > > localhost4.localdomain4
>> > > > > > ::1         localhost localhost.localdomain localhost6
>> > > > > localhost6.localdomain6
>> > > > > > 10.151.4.64 zkwipamstr01.kw.example.com <http://zkwipamstr01.kw
>> .
>> > > > > example.com>
>> > > > > >     zkwipamstr01
>> > > > > > 10.151.4.65 zkwiparepa01.kw.example.com <http://zkwiparepa01.kw
>> .
>> > > > > example.com>
>> > > > > >     zkwiparepa01
>> > > > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
>> > > > > >
>> > > > > >
>> > > > > > Regards
>> > > > > > Ben
>> > > > >
>> > > > > Also IPv6 stack needs to be enabled.
>> > > > >
>> > > > > >
>> > > > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <
>> ftwee...@redhat.com
>> > > > > > <mailto:ftwee...@redhat.com>> wrote:
>> > > > > >
>> > > > > >     On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George
>> wrote:
>> > > > > >     > HI
>> > > > > >     >
>> > > > > >     > port 8009 is not listening in master server
>> > > > > >     >
>> > > > > >     > and i added ::1         localhost localhost.localdomain
>> > > localhost6
>> > > > > >     > localhost6.localdomain6 in hosts file.
>> > > > > >     >
>> > > > > >
>> > > > > >     Did you add this to the host file on the master (then
>> `systemctl
>> > > > > >     restart pki-tomcatd@pki-tomcat` and confirm it is
>> listening on
>> > > port
>> > > > > >     8009)?  Or just the client you are trying to promote?
>> > > > > >
>> > > > > >     It is needed on the master.  Won't hurt to make this change
>> to
>> > > > > >     /etc/hosts on both machines, though.
>> > > > > >
>> > > > > >     HTH,
>> > > > > >     Fraser
>> > > > > >
>> > > > > >      > still getting same error
>> > > > > >      >
>> > > > > >      >  [28/44]: restarting directory server
>> > > > > >      > ipa         : CRITICAL Failed to restart the directory
>> server
>> > > > > (Command
>> > > > > >      > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service'
>> > > returned
>> > > > > non-zero
>> > > > > >      > exit status 1). See the installation log for details.
>> > > > > >      >   [29/44]: setting up initial replication
>> > > > > >      >   [error] error: [Errno 111] Connection refused
>> > > > > >      > Your system may be partly configured.
>> > > > > >      > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > > > >      >
>> > > > > >      > ipa.ipapython.install.cli.install_tool(Replica): ERROR
>> > > [Errno
>> > > > > 111]
>> > > > > >      > Connection refused
>> > > > > >      > ipa.ipapython.install.cli.install_tool(Replica): ERROR
>>   The
>> > > > > >      > ipa-replica-install command failed. See
>> > > > > /var/log/ipareplica-install.log for
>> > > > > >      > more information
>> > > > > >      >
>> > > > > >      >
>> > > > > >      > Also  ipv6 is disabled on both nodes
>> > > > > >      >
>> > > > > >      > Regards,
>> > > > > >      > Ben
>> > > > > >      >
>> > > > > >      > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <
>> > > > > pvobo...@redhat.com
>> > > > > >     <mailto:pvobo...@redhat.com>> wrote:
>> > > > > >      >
>> > > > > >      > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
>> > > > > >      > > > HI
>> > > > > >      > > >
>> > > > > >      > > > i tried the method mentioned on that document and it
>> end
>> > > up
>> > > > > with below
>> > > > > >      > > error. My
>> > > > > >      > > > DNS is managed by external box and i dont want to
>> create
>> > > any
>> > > > > DNS record
>> > > > > >      > > on these
>> > > > > >      > > > servers.
>> > > > > >      > > >
>> > > > > >      > > > and the command which i tried is(non client server)
>> > > > > >      > > >
>> > > > > >      > > > ipa-replica-install --principal admin
>> --admin-password
>> > > > > P@ssw0rd --domain
>> > > > > >      > > > kw.example.com <http://kw.example.com> <
>> > > http://kw.example.com>
>> > > > > --server
>> > > > > >      > > zkwipamstr01.kw.example.com <http://zkwipamstr01.kw.
>> > > example.com
>> > > > > >
>> > > > > >      > > > <http://zkwipamstr01.kw.example.com <
>> > > http://zkwipamstr01.kw.
>> > > > > example.com>>
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > > ipa         : CRITICAL Failed to restart the
>> directory
>> > > server
>> > > > > (Command
>> > > > > >      > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service
>> '
>> > > > > returned
>> > > > > >      > > non-zero exit
>> > > > > >      > > > status 1). See the installation log for details.
>> > > > > >      > > >    [29/44]: setting up initial replication
>> > > > > >      > > >    [error] error: [Errno 111] Connection refused
>> > > > > >      > > > Your system may be partly configured.
>> > > > > >      > > > Run /usr/sbin/ipa-server-install --uninstall to
>> clean up.
>> > > > > >      > > >
>> > > > > >      > > > ipa.ipapython.install.cli.install_tool(Replica):
>> ERROR
>> > > > > [Errno 111]
>> > > > > >      > > Connection
>> > > > > >      > > > refused
>> > > > > >      > > > ipa.ipapython.install.cli.install_tool(Replica):
>> ERROR
>> > >   The
>> > > > > >      > > > ipa-replica-install command failed. See
>> > > > > /var/log/ipareplica-install.log
>> > > > > >      > > for more
>> > > > > >      > > > information
>> > > > > >      > >
>> > > > > >      > > This looks like bug https://fedorahosted.org/
>> > > > > freeipa/ticket/6575
>> > > > > >     <https://fedorahosted.org/freeipa/ticket/6575>
>> > > > > >      > >
>> > > > > >      > > To verify that, could you check if master server
>> internally
>> > > > > listens on
>> > > > > >      > > port 8009 or if ipareplica-install.log contains
>> > > CA_UNREACHABLE
>> > > > > string
>> > > > > >      > > near  step 27.
>> > > > > >      > >
>> > > > > >      > > Usual fix is to add following line to /etc/hosts
>> > > > > >      > >   ::1         localhost localhost.localdomain
>> localhost6
>> > > > > >      > > localhost6.localdomain6
>> > > > > >      > >
>> > > > > >      > >
>> > > > > >      > > > [root@zkwiparepa01 ~]# /bin/systemctl restart
>> > > > > >      > > dirsrv@KW-EXAMPLE-COM.service
>> > > > > >      > > > Job for dirsrv@KW-EXAMPLE-COM.service failed
>> because the
>> > > > > control
>> > > > > >      > > process exited
>> > > > > >      > > > with error code. See "systemctl status
>> > > > > dirsrv@KW-EXAMPLE-COM.service"
>> > > > > >      > > and
>> > > > > >      > > > "journalctl -xe" for details.
>> > > > > >      > > >
>> > > > > >      > > > [root@zkwiparepa01 ~]# systemctl status
>> > > > > dirsrv@KW-EXAMPLE-COM.service
>> > > > > >      > > > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory
>> Server
>> > > > > KW-EXAMPLE-COM.
>> > > > > >      > > >     Loaded: loaded (/usr/lib/systemd/system/dirsrv@
>> > > .service;
>> > > > > enabled;
>> > > > > >      > > vendor
>> > > > > >      > > > preset: disabled)
>> > > > > >      > > >     Active: failed (Result: exit-code) since Wed
>> > > 2017-01-04
>> > > > > 12:54:46
>> > > > > >      > > AST; 13s ago
>> > > > > >      > > >    Process: 14893 ExecStart=/usr/sbin/ns-slapd -D
>> > > > > /etc/dirsrv/slapd-%i -i
>> > > > > >      > > > /var/run/dirsrv/slapd-%i.pid (code=exited,
>> > > status=1/FAILURE)
>> > > > > >      > > >    Process: 14887 ExecStartPre=/usr/sbin/ds_
>> > > > > systemd_ask_password_acl
>> > > > > >      > > > /etc/dirsrv/slapd-%i/dse.ldif (code=exited,
>> > > status=0/SUCCESS)
>> > > > > >      > > >   Main PID: 14893 (code=exited, status=1/FAILURE)
>> > > > > >      > > >
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891
>> +0300]
>> > > > > Error:
>> > > > > >      > > > betxnpostoperation plu...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752
>> +0300]
>> > > > > Error: object
>> > > > > >      > > plugin
>> > > > > >      > > > Roles Pl...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340
>> +0300]
>> > > > > Error:
>> > > > > >      > > preoperation
>> > > > > >      > > > plugin su...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432
>> +0300]
>> > > > > Error: object
>> > > > > >      > > plugin USN
>> > > > > >      > > > is n...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209
>> +0300]
>> > > > > Error: object
>> > > > > >      > > plugin
>> > > > > >      > > > Views is...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981
>> +0300]
>> > > > > Error:
>> > > > > >      > > extendedop plugin
>> > > > > >      > > > whoa...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > systemd[1]: dirsrv@KW-EXAMPLE-COM.service: main
>> process
>> > > > > exited,
>> > > > > >      > > code=exited,
>> > > > > >      > > > status=1/FAILURE
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > systemd[1]: Failed to start 389 Directory Server
>> > > > > KW-EXAMPLE-COM..
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > systemd[1]: Unit dirsrv@KW-EXAMPLE-COM.service
>> entered
>> > > > > failed state.
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com
>> > > > > >     <http://zkwiparepa01.kw.example.com> <
>> http://zkwiparepa01.kw.
>> > > > > >      > > example.com <http://example.com>>
>> > > > > >      > > > systemd[1]: dirsrv@KW-EXAMPLE-COM.service failed.
>> > > > > >      > > > Hint: Some lines were ellipsized, use -l to show in
>> full.
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > > Regards,
>> > > > > >      > > > Ben
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > > On Wed, Jan 4, 2017 at 11:19 AM, Martin Babinsky <
>> > > > > mbabi...@redhat.com
>> > > > > >     <mailto:mbabi...@redhat.com>
>> > > > > >      > > > <mailto:mbabi...@redhat.com <mailto:
>> mbabi...@redhat.com
>> > > >>>
>> > > > > wrote:
>> > > > > >      > > >
>> > > > > >      > > >     On 01/04/2017 07:21 AM, Ben .T.George wrote:
>> > > > > >      > > >
>> > > > > >      > > >         HI
>> > > > > >      > > >
>> > > > > >      > > >         while trying to create ipa replica, i am
>> getting
>> > > > > below error,
>> > > > > >      > > >
>> > > > > >      > > >         Replica creation using 'ipa-replica-prepare'
>> to
>> > > > > generate replica
>> > > > > >      > > file
>> > > > > >      > > >         is supported only in 0-level IPA domain.
>> > > > > >      > > >
>> > > > > >      > > >         The current IPA domain level is 1 and thus
>> the
>> > > > > replica must
>> > > > > >      > > >         be created by promoting an existing IPA
>> client.
>> > > > > >      > > >
>> > > > > >      > > >         To set up a replica use the following
>> procedure:
>> > > > > >      > > >              1.) set up a client on the host using
>> > > > > 'ipa-client-install'
>> > > > > >      > > >              2.) promote the client to replica
>> running
>> > > > > >      > > 'ipa-replica-install'
>> > > > > >      > > >                  *without* replica file specified
>> > > > > >      > > >
>> > > > > >      > > >         'ipa-replica-prepare' is allowed only in
>> domain
>> > > level
>> > > > > 0
>> > > > > >      > > >         The ipa-replica-prepare command failed.
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >         i have IPA master server without AD
>> integration
>> > > and
>> > > > > DNS is
>> > > > > >      > > managed by
>> > > > > >      > > >         3rd party appliances.
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >         Regards,
>> > > > > >      > > >         Ben
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >     Hi Ben,
>> > > > > >      > > >
>> > > > > >      > > >     If you installed IPA 4.4 server then domain
>> level 1 is
>> > > > > the default.
>> > > > > >      > > This
>> > > > > >      > > >     domain level uses different mechanism to stand up
>> > > > > replicas. See the
>> > > > > >      > > latest
>> > > > > >      > > >     IdM documentation[1] for more details.
>> > > > > >      > > >
>> > > > > >      > > >     [1]
>> > > > > >      > > > https://access.redhat.com/docu
>> mentation/en-US/Red_Hat_
>> > > > > >     <https://access.redhat.com/documentation/en-US/Red_Hat_>
>> > > > > >      > > Enterprise_Linux/7/html/Linux_Domain_Identity_
>> > > > > Authentication_and_Policy_
>> > > > > >      > > Guide/creating-the-replica.html
>> > > > > >      > > >     <https://access.redhat.com/
>> > > documentation/en-US/Red_Hat_
>> > > > > >     <https://access.redhat.com/documentation/en-US/Red_Hat_>
>> > > > > >      > > Enterprise_Linux/7/html/Linux_Domain_Identity_
>> > > > > Authentication_and_Policy_
>> > > > > >      > > Guide/creating-the-replica.html>
>> > > > > >      > > >
>> > > > > >      > > >     --
>> > > > > >      > > >     Martin^3 Babinsky
>> > > > > >      > > >
>> > > > > >      > > >     --
>> > > > > >      > > >     Manage your subscription for the Freeipa-users
>> mailing
>> > > > > list:
>> > > > > >      > > > https://www.redhat.com/mailman
>> /listinfo/freeipa-users
>> > > > > >     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>> > > > > >      > > >     <https://www.redhat.com/
>> > > mailman/listinfo/freeipa-users
>> > > > > >     <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>> > > > > >      > > >     Go to http://freeipa.org for more info on the
>> project
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > >
>> > > > > >      > >
>> > > > > >      > > --
>> > > > > >      > > Petr Vobornik
>> > > > > >      > >
>> > > > > >
>> > > > > >      > --
>> > > > > >      > Manage your subscription for the Freeipa-users mailing
>> list:
>> > > > > >      > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > > > >     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>> > > > > >      > Go to http://freeipa.org for more info on the project
>> > > > > >
>> > > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > > Petr Vobornik
>> > > > >
>> > >
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to