On 01/09/2017 01:27 PM, Ben .T.George wrote:
Hi List,
is there anyone who has faced/fixed this issue?
Regards,
Ben
Hi Ben,
the directory server fails to restart on the replica. Are there any
specific error messages in /var/log/dirsrv/slapd-$DOMAIN/errors and
access log files? If you are hitting ticket 6575 [1], there should be an
error about a missing Server-Cert certificate (similar to: "Can't find
certificate Server-Cert"), and no Server-Cert in /etc/dirsrv/slap-$DOMAIN.
Otherwise we need to figure out what causes the dirsrv startup error.
Flo
[1] https://fedorahosted.org/freeipa/ticket/6575
On Sun, Jan 8, 2017 at 7:03 AM, Ben .T.George <[email protected]> wrote:
HI List,
how can i solve this? is this a bug, normal behavior or any missing
configuration from my end,
Till now i didn't get any clue on this.
Regards
Ben
On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale <[email protected]> wrote:
On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
> HI
>
> there is no firewall running on both servers,
>
> [root@zkwipamstr01 ~]# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
> Active: inactive (dead)
> Docs: man:firewalld(1)
>
> [root@zkwipamstr01 ~]# sestatus
> SELinux status: disabled
>
OK, very well. And actually, forget about my idea about connecting
to port 8009 from client - that is not what happens at all. It is
the end of day for me and my brain checked out :/
I shall continue analysis of your problem tomorrow.
Thanks,
Fraser
>
> On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <[email protected]> wrote:
>
> > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > > HI,
> > >
> > > on master server and replica server, i have enabled ipv6
> > >
> > > below on master server
> > >
> > > [root@zkwipamstr01 ~]# ip addr | grep inet6
> > >
> > > inet6 fe80::250:56ff:fea0:3857/64 scope link
> > >
> > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > tcp6 0 0 ::1:8009 :::* LISTEN 12692/java
> > >
> > >
> > > after that 8009 is listening on master server.
> > >
> > > on replica side uninstalled ipa and tried to enrolled again. Do i need to
> > > enable any service replica side?
> > >
> > > [28/44]: restarting directory server
> > > ipa : CRITICAL Failed to restart the directory server (Command
> > > '/bin/systemctl restart [email protected]' returned non-zero
> > > exit status 1). See the installation log for details.
> > > [29/44]: setting up initial replication
> > > [error] error: [Errno 111] Connection refused
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111]
> > > Connection refused
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> > > more information
> > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > Job for [email protected] failed because the control process
> > > exited with error code. See "systemctl status [email protected]"
> > > and "journalctl -xe" for details.
> > >
> > > Still same error.
> > >
> > > is this service restart pki-tomcatd@pki-tomcat only applicable on master
> > > server?
> > >
> > Yes, because no CA has been created on replica (yet).
> >
> > Can you confirm that your firewall (if any/enabled) on master is
> > letting the traffic from client/replica through to :8009?
> > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> > suffices to check.
> >
> > Thanks,
> > Fraser
> >
> > > Regards,
> > > Ben
> > >
> > >
> > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <[email protected]> wrote:
> > >
> > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > yes i did the same and still port is not listening.
> > > > >
> > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > > 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> > > > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > > >
> > > > >
> > > > > Regards
> > > > > Ben
> > > >
> > > > Also IPv6 stack needs to be enabled.
> > > >
> > > > >
> > > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <[email protected]> wrote:
> > > > >
> > > > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > port 8009 is not listening in master server
> > > > > >
> > > > > > and i added ::1 localhost localhost.localdomain localhost6
> > > > > > localhost6.localdomain6 in hosts file.
> > > > > >
> > > > >
> > > > > Did you add this to the host file on the master (then `systemctl
> > > > > restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> > > > > 8009)? Or just the client you are trying to promote?
> > > > >
> > > > > It is needed on the master. Won't hurt to make this change to
> > > > > /etc/hosts on both machines, though.
> > > > >
> > > > > HTH,
> > > > > Fraser
> > > > >
> > > > > > still getting same error
> > > > > >
> > > > > > [28/44]: restarting directory server
> > > > > > ipa : CRITICAL Failed to restart the directory server (Command
> > > > > > '/bin/systemctl restart [email protected]' returned non-zero
> > > > > > exit status 1). See the installation log for details.
> > > > > > [29/44]: setting up initial replication
> > > > > > [error] error: [Errno 111] Connection refused
> > > > > > Your system may be partly configured.
> > > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > > > >
> > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111]
> > > > > > Connection refused
> > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> > > > > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> > > > > > more information
> > > > > >
> > > > > >
> > > > > > Also ipv6 is disabled on both nodes
> > > > > >
> > > > > > Regards,
> > > > > > Ben
> > > > > >
> > > > > > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <[email protected]> wrote:
> > > > > >
> > > > > > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > > > > > > > HI
> > > > > > > >
> > > > > > > > i tried the method mentioned on that document and it end up with below error. My
> > > > > > > > DNS is managed by external box and i don't want to create any DNS record on these
> > > > > > > > servers.
> > > > > > > >
> > > > > > > > and the command which i tried is(non client server)
> > > > > > > >
> > > > > > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> > > > > > > > kw.example.com --server zkwipamstr01.kw.example.com
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ipa : CRITICAL Failed to restart the directory server (Command
> > > > > > > > '/bin/systemctl restart [email protected]' returned non-zero exit
> > > > > > > > status 1). See the installation log for details.
> > > > > > > > [29/44]: setting up initial replication
> > > > > > > > [error] error: [Errno 111] Connection refused
> > > > > > > > Your system may be partly configured.
> > > > > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > > > > > >
> > > > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111] Connection
> > > > > > > > refused
> > > > > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> > > > > > > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
> > > > > > > > information
> > > > > > >
> > > > > > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
> > > > > > >
> > > > > > > To verify that, could you check if master server internally listens on
> > > > > > > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> > > > > > > near step 27.
> > > > > > >
> > > > > > > Usual fix is to add following line to /etc/hosts
> > > > > > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > > > > > >
> > > > > > >
> > > > > > > > [root@zkwiparepa01 ~]# /bin/systemctl restart [email protected]
> > > > > > > > Job for [email protected] failed because the control process exited
> > > > > > > > with error code. See "systemctl status [email protected]" and
> > > > > > > > "journalctl -xe" for details.
> > > > > > > >
> > > > > > > > [root@zkwiparepa01 ~]# systemctl status [email protected]
> > > > > > > > ● [email protected] - 389 Directory Server KW-EXAMPLE-COM.
> > > > > > > > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
> > > > > > > > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46 AST; 13s ago
> > > > > > > > Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
> > > > > > > > Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
> > > > > > > > Main PID: 14893 (code=exited, status=1/FAILURE)
> > > > > > > >
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error: betxnpostoperation plu...arted
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object plugin Roles Pl...arted
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error: preoperation plugin su...arted
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object plugin USN is n...arted
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object plugin Views is...arted
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981 +0300] Error: extendedop plugin whoa...arted
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: [email protected]: main process exited, code=exited, status=1/FAILURE
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Failed to start 389 Directory Server KW-EXAMPLE-COM..
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Unit [email protected] entered failed state.
> > > > > > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: [email protected] failed.
> > > > > > > > Hint: Some lines were ellipsized, use -l to show in full.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Ben
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Jan 4, 2017 at 11:19 AM, Martin Babinsky <[email protected]> wrote:
> > > > > > > >
> > > > > > > > On 01/04/2017 07:21 AM, Ben .T.George wrote:
> > > > > > > >
> > > > > > > > HI
> > > > > > > >
> > > > > > > > while trying to create ipa replica, i am getting below error,
> > > > > > > >
> > > > > > > > Replica creation using 'ipa-replica-prepare' to generate replica file
> > > > > > > > is supported only in 0-level IPA domain.
> > > > > > > >
> > > > > > > > The current IPA domain level is 1 and thus the replica must
> > > > > > > > be created by promoting an existing IPA client.
> > > > > > > >
> > > > > > > > To set up a replica use the following procedure:
> > > > > > > > 1.) set up a client on the host using 'ipa-client-install'
> > > > > > > > 2.) promote the client to replica running 'ipa-replica-install'
> > > > > > > > *without* replica file specified
> > > > > > > >
> > > > > > > > 'ipa-replica-prepare' is allowed only in domain level 0
> > > > > > > > The ipa-replica-prepare command failed.
> > > > > > > >
> > > > > > > >
> > > > > > > > i have IPA master server without AD integration and DNS is managed by
> > > > > > > > 3rd party appliances.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Ben
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Hi Ben,
> > > > > > > >
> > > > > > > > If you installed IPA 4.4 server then domain level 1 is the default. This
> > > > > > > > domain level uses different mechanism to stand up replicas. See the latest
> > > > > > > > IdM documentation[1] for more details.
> > > > > > > >
> > > > > > > > [1]
> > > > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
> > > > > > > >
> > > > > > > > --
> > > > > > > > Martin^3 Babinsky
> > > > > > > >
> > > > > > > > --
> > > > > > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > > > > Go to http://freeipa.org for more info on the project
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Petr Vobornik
> > > > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Petr Vobornik
> > > >
> >
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
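
An added example, not part of the thread and not FreeIPA code: a shell triage that runs the checks suggested in the replies above against saved copies of the relevant files (the `::1 localhost` entry in the master's /etc/hosts, a listener on port 8009 in the master's `netstat -tunap` output, `CA_UNREACHABLE` in ipareplica-install.log, and "Can't find certificate Server-Cert" in the dirsrv errors log). The function names, finding labels and sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline triage for the symptoms named in this thread.
# Function names and finding labels are hypothetical; sample data is constructed.

# Succeeds if the hosts file maps ::1 to "localhost" (the usual fix in the thread).
hosts_has_ipv6_localhost() {
    awk '{ sub(/#.*/, "") }
         $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") ok = 1 }
         END { exit(ok ? 0 : 1) }' "$1"
}

# Succeeds if saved `netstat -tunap` output shows a TCP listener on port 8009.
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
ajp_listening() {
    awk '$6 == "LISTEN" && $4 ~ /:8009$/ { ok = 1 } END { exit(ok ? 0 : 1) }' "$1"
}

# triage HOSTS NETSTAT INSTALL_LOG DIRSRV_ERRORS
# Prints the matching findings, space separated; an empty line means none matched.
triage() {
    findings=""
    hosts_has_ipv6_localhost "$1" || findings="$findings no-ipv6-localhost"
    ajp_listening "$2" || findings="$findings port-8009-not-listening"
    if grep -Fq 'CA_UNREACHABLE' "$3"; then
        findings="$findings ca-unreachable"
    fi
    if grep -Fq "Can't find certificate Server-Cert" "$4"; then
        findings="$findings missing-server-cert"
    fi
    echo "${findings# }"
}

# Constructed sample inputs (not taken from any real system).
demo_dir=$(mktemp -d)
printf '127.0.0.1 localhost localhost.localdomain\n' > "$demo_dir/hosts.bad"
printf '127.0.0.1 localhost\n::1 localhost localhost6\n' > "$demo_dir/hosts.ok"
: > "$demo_dir/netstat.bad"
printf 'tcp6 0 0 ::1:8009 :::* LISTEN 12692/java\n' > "$demo_dir/netstat.ok"
printf 'DEBUG constructed line: CA_UNREACHABLE\n' > "$demo_dir/install.log"
printf "constructed line: Can't find certificate Server-Cert\n" > "$demo_dir/errors"
: > "$demo_dir/empty"

# Failing setup: every symptom from the thread is reported.
triage "$demo_dir/hosts.bad" "$demo_dir/netstat.bad" \
       "$demo_dir/install.log" "$demo_dir/errors"
# Healthy setup: nothing is reported.
triage "$demo_dir/hosts.ok" "$demo_dir/netstat.ok" \
       "$demo_dir/empty" "$demo_dir/empty"
```

The hosts and netstat inputs come from the master, while the install log and dirsrv errors log come from the replica being promoted.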