We are seeing this. I'm not at work, but I think it's bug report 6766. Patch has already been committed (not by us), we're waiting for IPA 4.5.
cheers
L.

------
"Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams."
 - Patrice Cullors, *Black Lives Matter founder*

On 18 May 2017 at 18:57, Callum Guy <callum....@x-on.co.uk> wrote:

> Hi All,
>
> I am currently stuck trying to set up the first replica of our master IPA
> server. I have tried a number of different approaches including escalating
> from a client and nothing is working for me. I perform a full OS reset each
> time I get stuck.
>
> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this version
> however having performed ipa-server-upgrade - does this mean I'm on 4.4.4?).
>
> The command is shown below - note that I am skipping the conn check as my
> platform's security settings do not allow the SSH session to be established
> back on the master, all ports should be available to the application
> however.
>
> [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>
> Directory Manager (existing master) password:
>
> ipa : ERROR Could not resolve hostname ipa2.SITE.net usis
> check queries IPA DNS directly and ignores /etc/hosts.)
> Continue? [no]: yes
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/42]: creating directory server user
>   [2/42]: creating directory server instance
>   [3/42]: updating configuration in dse.ldif
>   [4/42]: restarting directory server
>   [5/42]: adding default schema
>   [6/42]: enabling memberof plugin
>   [7/42]: enabling winsync plugin
>   [8/42]: configuring replication version plugin
>   [9/42]: enabling IPA enrollment plugin
>   [10/42]: enabling ldapi
>   [11/42]: configuring uniqueness plugin
>   [12/42]: configuring uuid plugin
>   [13/42]: configuring modrdn plugin
>   [14/42]: configuring DNS plugin
>   [15/42]: enabling entryUSN plugin
>   [16/42]: configuring lockout plugin
>   [17/42]: configuring topology plugin
>   [18/42]: creating indices
>   [19/42]: enabling referential integrity plugin
>   [20/42]: configuring ssl for ds instance
>   [21/42]: configuring certmap.conf
>   [22/42]: configure autobind for root
>   [23/42]: configure new location for managed entries
>   [24/42]: configure dirsrv ccache
>   [25/42]: enabling SASL mapping fallback
>   [26/42]: restarting directory server
>   [27/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 4 seconds elapsed
> Update succeeded
>
>   [28/42]: adding sasl mappings to the directory
>   [29/42]: updating schema
>   [30/42]: setting Auto Member configuration
>   [31/42]: enabling S4U2Proxy delegation
>   [32/42]: importing CA certificates from LDAP
>   [33/42]: initializing group membership
>   [34/42]: adding master entry
>   [35/42]: initializing domain level
>   [36/42]: configuring Posix uid/gid generation
>   [37/42]: adding replication acis
>   [38/42]: enabling compatibility plugin
>   [39/42]: activating sidgen plugin
>   [40/42]: activating extdom plugin
>   [41/42]: tuning directory server
>   [42/42]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
>
> And here it stays and refuses to move on. The ipareplica-install.log log
> reports:
> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
> 2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
> 2017-05-18T08:40:09Z DEBUG request body ''
>
> I have tried and that port is indeed inaccessible but I can't establish a
> way to progress this issue from any of the other log files. Also I have
> seen in the 4.4.4 release notes that IPv6 being disabled on the master can
> cause issues, re-enabling (at least in /etc/hosts) did not seem to help.
>
> If anyone is able to offer ideas that would be very much appreciated. I am
> tempted to remove the --setup-ca option to see if this helps.
>
> Thanks,
>
> Callum
>
> 0333 332 0000 | www.x-on.co.uk
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 and delete the
> message from your computer.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project