Re: [Freeipa-users] DNS portion of IPA Server randomly crashing
Hello,

please provide your version of the bind-dyndb-ldap package. It is the interface between BIND and the LDAP database. Latest version is 0.2.0-7.el6.

# rpm -q bind-dyndb-ldap

If you reload BIND manually, does it crash also? Every time?

# rndc reload

How long is the log rotation period? What is the Kerberos ticket lifetime?

# ipa krbtpolicy-show

If you can reproduce it (in the worst case wait a day ...), please install debug information:

# debuginfo-install bind bind-dyndb-ldap

and then send logs again.

Thanks for your time.

Petr^2 Spacek

On 05/20/2012 11:46 AM, Charlie Derwent wrote:
> Hi
>
> I'm running IPA server 2.1.3 on RHEL 6.2 and have been experiencing random DNS failures on my Master and Replica servers. I thought it may have been down to the version of bind I was running and updated it to bind-9.7.3-8.P3.el6_2.2.x86_64, yet the error still occurs. It looks like there is an automated process to reload zones, as the log files show it working the day before at the exact same time. I've included the log files below. If anyone can help me get to the bottom of the problem it would be greatly appreciated.
>
> Thanks,
> Charlie.
>
> ***Working zone reload***
> --
> May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
> May 17 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
> May 17 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024, 65535]
> May 17 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024, 65535]
> May 17 03:46:01 ipa named[6938]: no IPv6 interfaces found
> May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen; disabling forwarding
> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen; disabling forwarding
> May 17 03:46:01 ipa named[6938]: none:0: open: /etc/rndc.key: file not found
> May 17 03:46:01 ipa named[6938]: couldn't add command channel 127.0.0.1#953: file not found
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: (master) removed
> May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
> May 17 03:46:01 ipa named[6938]: reloading zones succeeded
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
> --
>
> ***Failed zone reload***
> --
> May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
> May 18 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
> May 18 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024, 65535]
> May 18 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024, 65535]
> May 18 03:46:01 ipa named[6938]: no IPv6 interfaces found
> May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
> May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has expired (Unknown error)
> May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
> May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
> May 18 03:46:01 ipa named[6938]: rbt.c:694: REQUIRE(((rbt) != ((void *)0)) && (((const isc__magic_t *)(rbt))->magic == ((('R') << 24 | ('B') << 16 | ('T') << 8 | ('+'))))) failed, back trace
> May 18 03:46:01 ipa named[6938]: #0 0x7f18f791632f in ??
> May 18 03:46:01 ipa named[6938]: #1 0x7f18f62e373a in ??
> May 18 03:46:01 ipa named[6938]: #2 0x7f18f71af880 in ??
> May 18 03:46:01 ipa named[6938]: #3 0x7f18f71afbf3 in ??
> May 18 03:46:01 ipa named[6938]: #4 0x7f18f11621fc in ??
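The failed reload in the log above shows the sequence Petr is asking about: the SIGHUP arrives in the same second as the logrotate alert, bind-dyndb-ldap's GSSAPI context has expired, the LDAP bind fails, the configuration reload fails, and named then dies on an assertion. The script below is an added example for this thread, not code from the post, from BIND or from bind-dyndb-ldap. It groups classic syslog lines by "received SIGHUP", records what happened inside each reload, and reports the gap since the previous reload, which is the kind of evidence one would collect before comparing against the ticket lifetime from ipa krbtpolicy-show. The sample lines are constructed from the messages quoted in the thread, with the long REQUIRE(...) assertion shortened.

```python
"""Correlate named syslog lines around each SIGHUP-triggered zone reload.

Added example written for this thread; not code from the original post or
from the bind-dyndb-ldap project. The sample lines are constructed from the
messages quoted in the thread.
"""
import re
from datetime import datetime

# Constructed sample: the May 17 reload succeeded, the May 18 one failed after
# the GSSAPI context used for the LDAP bind had expired.
SAMPLE_LOG = """\
May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 17 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
May 17 03:46:01 ipa named[6938]: reloading zones succeeded
May 18 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
May 18 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
May 18 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
May 18 03:46:01 ipa named[6938]: GSSAPI Error: The referenced context has expired (Unknown error)
May 18 03:46:01 ipa named[6938]: bind to LDAP server failed: Local error
May 18 03:46:01 ipa named[6938]: reloading configuration failed: failure
May 18 03:46:01 ipa named[6938]: rbt.c:694: REQUIRE(...) failed, back trace
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            # syslog carries no year; strptime defaults to 1900, which is fine
            # for computing gaps between events within one calendar year.
            rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            yield rec


def find_reload_events(records):
    """Group records into reload events, one per 'received SIGHUP' line."""
    events = []
    current = None
    for rec in records:
        msg = rec["msg"]
        if rec["prog"] == "named" and "received SIGHUP" in msg:
            current = {
                "started": rec["when"],
                "outcome": "unknown",
                "gssapi_expired": False,
                "ldap_bind_failed": False,
                "assertion": False,
                "logrotate_same_second": False,
                "since_previous_s": None,
            }
            if events:
                delta = rec["when"] - events[-1]["started"]
                current["since_previous_s"] = int(delta.total_seconds())
            events.append(current)
            continue
        if current is None:
            continue
        if rec["prog"] == "logrotate" and rec["when"] == current["started"]:
            current["logrotate_same_second"] = True
        elif rec["prog"] == "named":
            if "GSSAPI Error" in msg and "expired" in msg:
                current["gssapi_expired"] = True
            elif msg.startswith("bind to LDAP server failed"):
                current["ldap_bind_failed"] = True
            elif msg.startswith("reloading configuration succeeded"):
                current["outcome"] = "succeeded"
            elif msg.startswith("reloading configuration failed"):
                current["outcome"] = "failed"
            elif "REQUIRE(" in msg or "back trace" in msg:
                current["assertion"] = True
    return events


def describe(event):
    """One-line verdict for a reload event, suitable for a ticket or alert."""
    stamp = event["started"].strftime("%b %d %H:%M:%S")
    if event["outcome"] != "failed":
        return "%s reload %s" % (stamp, event["outcome"])
    causes = []
    if event["gssapi_expired"]:
        causes.append("Kerberos context expired before the LDAP bind")
    if event["ldap_bind_failed"]:
        causes.append("bind-dyndb-ldap could not bind to LDAP")
    if event["assertion"]:
        causes.append("named hit an assertion afterwards (crash)")
    trigger = "logrotate SIGHUP" if event["logrotate_same_second"] else "SIGHUP"
    return "%s reload failed (trigger: %s): %s" % (
        stamp, trigger, "; ".join(causes) or "no cause found")


if __name__ == "__main__":
    for ev in find_reload_events(parse_syslog(SAMPLE_LOG)):
        print(describe(ev))
```

Run it as a script to get one verdict per reload; to use it on a real host, feed the named lines from /var/log/messages to parse_syslog instead of SAMPLE_LOG. The since_previous_s field is there so that the spacing of failed reloads can be compared with the ticket lifetime and the logrotate schedule.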
Re: [Freeipa-users] sudo rules in IPA infrastructure
On Sat, May 19, 2012 at 03:11:44PM -0700, David Copperfield wrote:
> Hi Jakub and Rich,
>
> Got it. Thanks a lot on the HBAC and sudoers maps access. I think I got confused with the graph in the PowerPoint presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf. The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go through sssd, while other maps (sudo, autofs?) would go through nss_ldap.

There's no hard rule; we've historically developed support for the most important name-service-switch libc maps such as groups and passwd, then gradually added support for other maps like netgroups depending on demand for them. In some special cases, we even add application-specific responders such as the ones for sudo and autofs in 1.8. These communicate with the app using their own protocol via a unix pipe, not through the name service switch maps (even though both sudo and autofs are configured in the nsswitch.conf file).

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Replication status
On Mon, May 21, 2012 at 3:21 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 05/21/2012 07:13 AM, Dan Scott wrote:
>> https://fedorahosted.org/freeipa/ticket/2770
>>
>> I've modified the nagios perl script that I got from http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring to do anonymous binds and to allow an additional parameter with the port number. Should I send it to someone?
>
> I don't know who maintains that nagios script.

you can always post it to the nagios exchange site (http://exchange.nagios.org/) so others can benefit from it.

--
natxo
[Freeipa-users] Doc. mixup
Hi,

Not sure if this is the right place or not, but I noticed that the freeipa.org documentation link for 2.0 goes to https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html which is for version 2.1.3.

FreeIPA 2.1.x is also what you get with Fedora 16; however, the Fedora 16 docs at https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/index.html show the version as 2.2, and as I've learned (the hard way) there are new features not supported in 2.1 :D

Are there plans to rebase FreeIPA to 2.2 in Fedora 16? If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to point at the version which actually ships with it?

Thanks
Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
Gelen James wrote:
> Hi Dmitri, Rob and all.
>
> Thanks for your instructions. I've performed your steps on case#1: replacing a failed IPA master. The results, and my confusion and questions, are all detailed below.
>
> In general, please set up your own real test environment, and write down the detailed steps one by one clearly. It took me more than one week and still no clues. Frankly, your steps in the formal email are kind of over-simplified for normal IPA users, and do not cover how the CA LDAP backend will be handled.
>
> The problem is the CA backend. All the replicas are still trying to sync to the old failed IPA master, even after reboot. Could it be that 'ipa-replica-manage' only manages the user data replication, and 'ipa-csreplica-manage' only handles CA-end replication? In other words, when building, or tearing down, IPA replication between two servers, do we need to deal with both replication types with 'ipa-replica-manage' AND 'ipa-csreplica-manage'? If so, then which should run first?

Yes, the replication agreements are managed separately, which is why there are separate tools. This allows you to have a different replication topology for the CA than for IPA user data. The order the commands are executed in doesn't matter.

> The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached, the same from the B, C, D replicas.
>
> [19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
> [19/May/2012:19:40:48 -0700] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
> [19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for LDAPS requests
> [19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt=cn=cloneAgreement1-B.example.com-pki-ca (A:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
> [19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [root@B ~]#
>
> After seeing the above messages, I tried to run similar commands for CA replication; it shows that the replication agreement (which replication agreement? User data, or CA data ??) exists already.
>
> on B,
> ipa-csreplica-manage connect C
> ipa-csreplica-manage connect D
> ipa-csreplica-manage del A --force
> ipactl restart
>
> on C,
> ipa-csreplica-manage del A --force
> ipactl restart
>
> on D,
> ipa-csreplica-manage del A --force
> ipactl restart
>
> [root@B ~]# ipa-csreplica-manage --password=xxx connect C.example.com
> This replication agreement already exists.
> [root@B ~]#
> [root@B ~]# ipa-csreplica-manage --password=xxx connect D.example.com
> This replication agreement already exists.
> [root@B ~]#
> [root@B ~]# ipa-csreplica-manage --password=xxx del C.example.com --force
> Unable to connect to replica A.example.com, forcing removal
> Failed to get data from 'A.example.com': Can't contact LDAP server
> Forcing removal on 'B.example.com'
> [root@B ~]#
>
> After restarting IPA services on B, C, D, the error messages finally went away from the CA errors log file. But we still can not find the CA replication setups. Please see the difference in output from 'ipa-replica-manage' and 'ipa-csreplica-manage':
>
> [root@B ~] ipa-replica-manage list
> B.example.com
> C.example.com
> D.example.com
> [root@B ~] ipa-csreplica-manage list
> B.example.com
> C.example.com
> D.example.com
> [root@B ~] ipa-replica-manage list
> B.example.com
> C.example.com
> D.example.com
> [root@B ~] ipa-csreplica-manage list
> B.example.com    ## Nothing at all!
>
> Please have a check and give the correct commands and sequences for us IPA users. It is such a pain to spend so much time and still not get restoration to work as expected. Even worse, I have no idea how 'ipa-replica-manage' and 'ipa-csreplica-manage' work together behind the scenes.
>
> Thanks a lot.
>
> --Gelen
>
> *From:* Rob Crittenden rcrit...@redhat.com
> *To:* Robinson Tiemuqinke hahaha_...@yahoo.com
> *Cc:* Freeipa-users@redhat.com Freeipa-users@redhat.com; Rich Megginson rmegg...@redhat.com; Dmitri Pal d...@redhat.com
> *Sent:* Tuesday, May 15, 2012 9:57 AM
> *Subject:* Re: [Freeipa-users] Please
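Rob's answer above, that the user-data and CA agreements are managed separately, is exactly what the slapd-PKI-IPA errors log quoted in the message reflects: the CA instance on port 7389 still carries a cloneAgreement whose target is the removed master A, and that is the agreement ipa-csreplica-manage (not ipa-replica-manage) has to delete on each surviving replica. The following Python is an added example for this thread, not code from the post, from FreeIPA or from 389-ds. It parses errors-log lines of the form quoted above, summarises failures per agreement, classifies each agreement as CA or user-data (the classification is an assumption based on the names in this thread: the '-pki-ca' suffix and port 7389 for the CA clone agreements), and lists the agreements whose target is no longer a live replica. The sample lines are constructed from the thread, plus one 'meTo' user-data agreement line of the kind quoted elsewhere on this list.

```python
"""Summarise 389-ds replication agreement failures from an errors log.

Added example for this thread; not code from the post or from FreeIPA/389-ds.
The sample lines are constructed from messages quoted on the list.
"""
import re
from datetime import datetime

SAMPLE_ERRORS = """\
[19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt=cn=cloneAgreement1-B.example.com-pki-ca (A:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:47:15 -0700] NSMMReplicationPlugin - agmt=cn=cloneAgreement1-B.example.com-pki-ca (A:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:47:20 -0700] NSMMReplicationPlugin - agmt=cn=meToC.example.com (C.example.com:389): Schema replication update failed: Type or value exists
"""

# "[dd/Mon/yyyy:HH:MM:SS zone] rest of line"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<body>.*)$")
# "NSMMReplicationPlugin - agmt=cn=NAME (HOST:PORT): message"
AGMT_RE = re.compile(
    r"^NSMMReplicationPlugin - agmt=cn=(?P<cn>\S+) "
    r"\((?P<target>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$"
)


def agreement_kind(cn, port):
    """Heuristic (assumption drawn from the names in this thread): CA clone
    agreements end in '-pki-ca' and talk to the PKI-IPA instance on 7389;
    anything else is treated as user-data replication."""
    if cn.endswith("-pki-ca") or port == 7389:
        return "ca"
    return "userdata"


def parse_agreement_errors(text):
    """Return {agreement cn: summary} for every agreement reporting a failure."""
    report = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AGMT_RE.match(m.group("body"))
        if not a or "failed" not in a.group("msg"):
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        port = int(a.group("port"))
        entry = report.setdefault(a.group("cn"), {
            "target": a.group("target"),
            "port": port,
            "kind": agreement_kind(a.group("cn"), port),
            "failures": 0,
            "first": when,
            "last": when,
            "errors": set(),
        })
        entry["failures"] += 1
        entry["last"] = max(entry["last"], when)
        entry["errors"].add(a.group("msg"))
    return report


def stale_agreements(report, live_replicas):
    """Agreements whose target host (short name) is not among the replicas that
    should still exist, e.g. the removed master A. These are the ones that
    still need a 'del' with the matching management tool on each side."""
    return sorted(cn for cn, e in report.items()
                  if e["target"].split(".")[0] not in live_replicas)


if __name__ == "__main__":
    rep = parse_agreement_errors(SAMPLE_ERRORS)
    for cn, e in sorted(rep.items()):
        print("%-8s %-40s -> %s:%d  failures=%d  last=%s" % (
            e["kind"], cn, e["target"], e["port"], e["failures"], e["last"]))
    print("stale:", stale_agreements(rep, {"B", "C", "D"}))
```

Running the script prints one summary line per failing agreement and then the stale list; on a real replica, read /var/log/dirsrv/slapd-PKI-IPA/errors for the CA instance and the slapd-<REALM> errors file for user data, and pass the set of hostnames that ipa-replica-manage list and ipa-csreplica-manage list are expected to show.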
Re: [Freeipa-users] Doc. mixup
Chris Evich wrote:
> Hi,
>
> Not sure if this is the right place or not, but I noticed that the freeipa.org documentation link for 2.0 goes to https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html which is for version 2.1.3.

Ok, I'll take a look. We should probably change the name of the link; at one time it pointed to the 2.0 docs.

> FreeIPA 2.1.x is also what you get with Fedora 16; however, the Fedora 16 docs at https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/index.html show the version as 2.2, and as I've learned (the hard way) there are new features not supported in 2.1 :D
>
> Are there plans to rebase FreeIPA to 2.2 in Fedora 16?

No. It can be possible to run a 2.2 server on F-16 but there are some things missing.

> If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to point at the version which actually ships with it?

That would be great, thanks.

rob
Re: [Freeipa-users] DNS portion of IPA Server randomly crashing
On 05/21/2012 07:17 PM, Charlie Derwent wrote:
> Hi Petr
>
> I'm running bind-dyndb-ldap-0.2.0-7el6.x86_64
>
> rndc reload doesn't work as neither /etc/rndc.conf nor /etc/rndc.key was found

You can fix it with
# rndc-confgen -a
(It probably doesn't help to reproduce it, unfortunately.)

> Logrotate is weekly
>
> Kerberos ticket lifetime is
> Max life: 86400
> Max renew: 604800
>
> Looking at the time between errors it's very infrequent but of course it's quite serious
>
> ipa1 - Apr 1st then Apr 5th

How is it possible if logrotate is weekly? Was it reloaded manually? Can you explore the logs? Are there other symptoms?

> ipa2 - Apr 13th then Apr 26th
> ipa3 - Mar 26th then May 18th
>
> Worst of all I can't reproduce it. It just works, until it doesn't

In that case, please install debug info on all machines. If it's possible, please install ABRT also - it can catch some useful information after a crash.

I will look into it ... Good night from Europe.

Petr^2 Spacek

> Regards
> Charlie
>
> On Mon, May 21, 2012 at 9:44 AM, Petr Spacek pspa...@redhat.com wrote:
>> Hello,
>>
>> please provide your version of the bind-dyndb-ldap package. It is the interface between BIND and the LDAP database. Latest version is 0.2.0-7.el6.
>>
>> # rpm -q bind-dyndb-ldap
>>
>> If you reload BIND manually, does it crash also? Every time?
>>
>> # rndc reload
>>
>> How long is the log rotation period? What is the Kerberos ticket lifetime?
>>
>> # ipa krbtpolicy-show
>>
>> If you can reproduce it (in the worst case wait a day ...), please install debug information:
>>
>> # debuginfo-install bind bind-dyndb-ldap
>>
>> and then send logs again.
>>
>> Thanks for your time.
>>
>> Petr^2 Spacek
>>
>> On 05/20/2012 11:46 AM, Charlie Derwent wrote:
>>> Hi
>>>
>>> I'm running IPA server 2.1.3 on RHEL 6.2 and have been experiencing random DNS failures on my Master and Replica servers. I thought it may have been down to the version of bind I was running and updated it to bind-9.7.3-8.P3.el6_2.2.x86_64, yet the error still occurs. It looks like there is an automated process to reload zones, as the log files show it working the day before at the exact same time. I've included the log files below. If anyone can help me get to the bottom of the problem it would be greatly appreciated.
>>>
>>> Thanks,
>>> Charlie.
>>>
>>> ***Working zone reload***
>>> --
>>> May 17 03:46:01 ipa named[6938]: received SIGHUP signal to reload zones
>>> May 17 03:46:01 ipa named[6938]: loading configuration from '/etc/named.conf'
>>> May 17 03:46:01 ipa named[6938]: using default UDP/IPv4 port range: [1024, 65535]
>>> May 17 03:46:01 ipa named[6938]: using default UDP/IPv6 port range: [1024, 65535]
>>> May 17 03:46:01 ipa named[6938]: no IPv6 interfaces found
>>> May 17 03:46:01 ipa logrotate: ALERT exited abnormally with [1]
>>> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen; disabling forwarding
>>> May 17 03:46:01 ipa named[6938]: /etc/named.conf:12: no forwarders seen; disabling forwarding
>>> May 17 03:46:01 ipa named[6938]: none:0: open: /etc/rndc.key: file not found
>>> May 17 03:46:01 ipa named[6938]: couldn't add command channel 127.0.0.1#953: file not found
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED]/IN: (master) removed
>>> May 17 03:46:01 ipa named[6938]: reloading configuration succeeded
>>> May 17 03:46:01 ipa named[6938]: reloading zones succeeded
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
>>> May 17 03:46:01 ipa named[6938]: zone [REMOVED].in-addr.arpa/IN: sending notifies (serial [REMOVED])
Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
Hi Rob,

Just wondering whether you guys have abandoned IPA 2.1.3 users on Red Hat 6.2 or not. :(

The IPA replication/restoration procedure/document request has been submitted for more than a week, but I can not see any meaningful work having been done for customers, although IPA replication and restoration is so vital to users' production IPA reliability! Even after I've done a lot of investigation work and asked for help/suggestions, there is still not much attention paid by you guys. Am I, or any other users here, just non-paid QA IPA team staff who can be ignored for no reason :)

I've mentioned this again and again, and urged the IPA team to set up a typical user setup, because only this way can you see what problems IPA administrators/users are facing and scared of. But unfortunately, we don't have the feeling that you have done so.

Thanks.

--Gelen

From: Gelen James hahaha_...@yahoo.com
To: Rob Crittenden rcrit...@redhat.com; Dmitri Pal d...@redhat.com
Cc: Freeipa-users@redhat.com Freeipa-users@redhat.com
Sent: Sunday, May 20, 2012 12:08 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

> Hi Dmitri, Rob and all.
>
> Thanks for your instructions. I've performed your steps on case#1: replacing a failed IPA master. The results, and my confusion and questions, are all detailed below.
>
> In general, please set up your own real test environment, and write down the detailed steps one by one clearly. It took me more than one week and still no clues. Frankly, your steps in the formal email are kind of over-simplified for normal IPA users, and do not cover how the CA LDAP backend will be handled.
>
> The problem is the CA backend. All the replicas are still trying to sync to the old failed IPA master, even after reboot. Could it be that 'ipa-replica-manage' only manages the user data replication, and 'ipa-csreplica-manage' only handles CA-end replication? In other words, when building, or tearing down, IPA replication between two servers, do we need to deal with both replication types with 'ipa-replica-manage' AND 'ipa-csreplica-manage'? If so, then which should run first?
>
> The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached, the same from the B, C, D replicas.
>
> [19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
> [19/May/2012:19:40:48 -0700] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
> [19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for LDAPS requests
> [19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt=cn=cloneAgreement1-B.example.com-pki-ca (A:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
> [19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
> [root@B ~]#
>
> After seeing the above messages, I tried to run similar commands for CA replication; it shows that the replication agreement (which replication agreement? User data, or CA data ??) exists already.
>
> on B,
> ipa-csreplica-manage connect C
> ipa-csreplica-manage connect D
> ipa-csreplica-manage del A --force
> ipactl restart
>
> on C,
> ipa-csreplica-manage del A --force
> ipactl restart
>
> on D,
> ipa-csreplica-manage del A --force
> ipactl restart
>
> [root@B ~]# ipa-csreplica-manage --password=xxx connect C.example.com
> This replication agreement already exists.
> [root@B ~]#
> [root@B ~]# ipa-csreplica-manage --password=xxx connect D.example.com
> This replication agreement already exists.
> [root@B ~]#
> [root@B ~]# ipa-csreplica-manage --password=xxx del C.example.com --force
> Unable to connect to replica A.example.com, forcing removal
> Failed to get data from 'A.example.com': Can't contact LDAP server
> Forcing removal on 'B.example.com'
> [root@B ~]#
>
> After restarting IPA services on B, C, D, the error messages finally went away from the CA errors log file. But we still can not find the CA replication setups. Please see the difference in output from
Re: [Freeipa-users] Doc. mixup
On 05/21/2012 10:12 AM, Rob Crittenden wrote:
> Chris Evich wrote:
>> Are there plans to rebase FreeIPA to 2.2 in Fedora 16?
>
> No. It can be possible to run a 2.2 server on F-16 but there are some things missing.
>
>> If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to point at the version which actually ships with it?
>
> That would be great, thanks.
>
> rob

Thanks for the info. I opened a Fedora docs bug here: https://bugzilla.redhat.com/show_bug.cgi?id=823654 w/ keywords Documentation EasyFix.

--
Chris Evich, RHCA, RHCE, RHCDS, RHCSS
Quality Assurance Engineer
e-mail: cevich + `@' + redhat.com
o: 1-888-RED-HAT1 x44214
[Freeipa-users] freeipa 2.1.3-9 install with external CA failed
Hi,

I am trying to install freeipa 2.1.3-9 with an external CA and it failed. Any help is appreciated and thanks in advance!

[r...@ipa.dev.example.com ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

Excluded by options:
  * Configure the Network Time Daemon (ntpd)

To accept the default shown in brackets, press the Enter key.

The IPA Master Server will be configured with
Hostname:    ipa.dev.example.com
IP address:  x.x.x.x
Domain name: example.com

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
  [3/16]: disabling nonces
  [4/16]: creating CA agent PKCS#12 file in /root
  [5/16]: creating RA agent certificate database
  [6/16]: importing CA chain to RA certificate database
  [7/16]: fixing RA database permissions
  [8/16]: setting up signing cert profile
  [9/16]: set up CRL publishing
  [10/16]: set certificate subject base
  [11/16]: configuring certificate server to start on boot
  [12/16]: restarting certificate server
  [13/16]: requesting RA certificate from CA
  [14/16]: issuing RA agent certificate
Unexpected error - see ipaserver-install.log for details:
Command '/usr/bin/sslget -n ipa-ca-agent -p -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.example.com:9443' returned non-zero exit status 4

[r...@ipa.dev.example.com ~]# /usr/bin/sslget -n ipa-ca-agent -p -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.example.com:9443 -v
GET /ca/agent/ca/profileReview?requestId=6 HTTP/1.0

port: 9443
addr='ipa.dev.example.com' family='2'
Subject: CN=ipa.dev.example.com,O=example.com
Issuer : CN=Certificate Authority,O=example.com
Called mygetclientauthdata - nickname = ipa-ca-agent
mygetclientauthdata - cert = 9716d0
mygetclientauthdata - privkey = 9b6f10
exit after PR_Write bigBuf with error -12271:

/var/log/ipaserver-install.log information:

2012-05-21 16:54:58,852 DEBUG duration: 1 seconds
2012-05-21 16:54:58,852 DEBUG   [14/16]: issuing RA agent certificate
2012-05-21 16:54:58,866 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f -M -t CT,C,C -n System Engineering - Currenex, Inc.
2012-05-21 16:54:58,867 DEBUG stdout=
2012-05-21 16:54:58,867 DEBUG stderr=
2012-05-21 16:54:58,873 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f -M -t CT,C,C -n Certificate Authority - Currenex, Inc.
2012-05-21 16:54:58,874 DEBUG stdout=
2012-05-21 16:54:58,874 DEBUG stderr=
2012-05-21 16:54:58,909 DEBUG args=/usr/bin/sslget -n ipa-ca-agent -p -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443
2012-05-21 16:54:58,909 DEBUG stdout=
2012-05-21 16:54:58,909 DEBUG stderr=
2012-05-21 16:54:59,067 DEBUG Command '/usr/bin/sslget -n ipa-ca-agent -p -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443' returned non-zero exit status 4
  File "/usr/sbin/ipa-server-install", line 1151, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 975, in main
    subject_base=options.subject)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 755, in __issue_ra_cert
    (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 273, in run
    raise CalledProcessError(p.returncode, args)
Re: [Freeipa-users] Help with ipa-replica-manage
Sorry for the late reply Steven - No, there is no firewall.

-Ben

> From: steven.jo...@vuw.ac.nz
> CC: freeipa-users@redhat.com
> Date: Tue, 15 May 2012 21:04:04 +
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> firewall?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Ben Ho [ben1...@hotmail.com]
> Sent: Wednesday, 16 May 2012 8:49 a.m.
> To: rmegg...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
>> This is the information I retrieved about my server.
>>
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> Thanks again.
>>
>> -Ben
>>
>>> Date: Tue, 15 May 2012 13:15:46 -0600
>>> From: rmegg...@redhat.com
>>> To: ben1...@hotmail.com
>>> CC: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>>>
>>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>>>> Hello,
>>>>
>>>> I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>>>
>>>> ipa-replica-manage re-initialize --from example2.edu
>>>>
>>>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>>>
>>>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Schema replication update failed: Type or value exists
>>>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate schema: rc=1
>>>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Schema replication update failed: Type or value exists
>>>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate schema: rc=1
>>>>
>>>> Again, I am pretty new to this, so any help or tips would be appreciated.
>>>
>>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>>>
>>>> Thanks!
>>>>
>>>> -Ben
[Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?
Hi all,

Has anyone successfully done an IPA replica promotion when the IPA master (Hub) failed, by following the IPA replica document for 2.1.3 and 2.2.0? I've tried at my side and see that all the steps involved are very confusing and may be out-of-date.

My IPA master is installed with Dogtag, and all replicas are installed with Dogtag too through '--setup-ca'. In case ipamaster is not reachable, how can I promote ipareplica01? The master.ca.agent.host/port are not set up on either ipareplica01 or ipareplica02 to forward to the IPA master at the beginning. Does that mean all three IPA servers' Dogtag instances run independently? And what is the value of 'IssuingPointId' in step 3.e and 3.f?

Is it possible for the document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, or wiki/email, to give a SOLID use case instead of a depicting statement, which is ambiguous and not easy to follow?

[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} cat /var/lib/pki-ca/conf/CS.cfg | egrep 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'; done
ipamaster
ipareplica01
ipareplica02
[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL; done
ipamaster
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
[root@ipamaster ~]#

Thanks.

--David
[Freeipa-users] IPA dogtag as CA for puppet ?
If joining a machine to IPA automatically gives it an SSL keyset, it seems silly to also join the puppetca for config management. Has anybody looked into using IPA-dogtag as CA for puppet and func?

-jf
Re: [Freeipa-users] Slight confusion about groups, netgroups, sudo rules etc.
On 03/13/2012 11:27 AM, Eivind Olsen wrote:
Hello. I'm currently looking at implementing IPA in a mixed environment, consisting of RHEL6, RHEL5 and Solaris 10 systems. The IPA server(s) is the most recent one bundled with RHEL 6.2.

I have some general rules I'll need to follow as best as I can, but I'm not really sure how to do this in IPA without it seeming like a huge work-around. This seems easy enough had it been for a pure RHEL6 environment, but with Solaris there's no SSSD, I apparently might need to downgrade the encryption types for older Solaris 10, etc. All of this is making my head dizzy, and I'd appreciate any help and pointers to clear my mind :)

Examples of the basic rules are (there's more of them, it's not only for the DNS servers for example, but the other cases can be solved in the same way):
- all sysadmins should be allowed to log into every system in the realm
- all sysadmins should be allowed to run certain commands (or to make it easy, any command) through the use of sudo, on all systems
- some users will be part of certain groups, giving them permission to log into certain servers and run a set of commands through sudo, for example: members of the dns-managers group should be allowed to ssh into the DNS servers (which consist of both RHEL6 and Solaris 10), and run certain commands through sudo
- certain other users will be allowed to log into some systems, but without any additional access through sudo (the fact that they're allowed to log into system X doesn't mean they should be allowed to become root, etc).

I've read a suggestion about making a host group for the Red Hat systems, a netgroup for the Solaris systems, and creating a user group which is added as a member of both the host group and netgroup. But, will I still need to worry about the old issue of Solaris apparently not coping well with users that have 16 additional groups to their name?

I have also read about having to add / change compatibility plugins, having to downgrade the algorithm for the Solaris 10 encryption type for older Solaris 10 releases, etc. And there's probably a few more things I need to watch out for and that aren't directly mentioned in the IPA documentation.

Oh, in case it matters - there's no common NFS home directories, so I'll also need to automatically create the home directories (I've got this bit sorted on RHEL6 with help from oddjob-mkhomedir). For Solaris, I've read suggestions about using executable autofs maps to create home directories in /export/home and have them loopback-mounted to /home so they match the homeDirectory attribute.

Hi,

I have implemented Solaris 10 with IPA with success.

AES256 did not come to Solaris 10 until around update 7 or 8. There is still a bug where the required crypto provider is not enabled. Check with:

# cryptoadm list

You should have pkcs11_softtoken_extra.so listed for aes256 support. If not, use the cryptoadm command to install and enable the provider. We have deployed the kerberos keytabs retrieved with ipa-getkeytab without any limitations on encryption types for all Solaris 10 clients as soon as this provider was enabled.

For access restrictions on Solaris 10, adding a user group to AllowGroups in /etc/ssh/sshd_config is probably your best bet for locking down Solaris machines. We've used the netgroup way of controlling access to services with NIS, but I could not get the same working properly for LDAP.

There is also a nscd bug we recently discovered which keeps nscd stalling at random intervals, preventing user logins. Search at support.oracle.com, I don't have the patch number available just now.

More than 16 groups: NFS and AUTH_SYS with the Solaris NFS server still have an issue with more than 16 groups, as per the IETF standard. Solaris can still see all the groups with # groups username. Using NFS4+Krb5 solves that issue. I have not met the 16 group issue anywhere else.

If you want to lock down your Directory Server to not serve anonymous users, you need a fairly recent patched Solaris ldapclient that supports -D bindDN and -w bindPassword options. -a proxyDN and -a proxyPassword is not enough as the Solaris ldapclient expects nisDomain in the directory root to be available anonymously.

I opened request https://bugzilla.redhat.com/show_bug.cgi?id=815515 for an updated DUAConfigProfile supporting more nss databases. I also opened https://bugzilla.redhat.com/show_bug.cgi?id=815533 for updating the Solaris 10 IPA Client documentation.

Hope this helps.

Regards,
Siggi
Re: [Freeipa-users] IPA dogtag as CA for puppet ?
On 05/21/2012 01:00 PM, Jan-Frode Myklebust wrote:
If joining a machine to IPA automatically gives it an SSL keyset, it seems silly to also join the puppetca for config management. Has anybody looked into using IPA-dogtag as CA for puppet and func?

-jf

This has been something of a project for me, but it has been on the back burner whilst I deal with other things (the usual story right). There shouldn't be any technical reason why this can't be done, it is just a matter of getting the certs in the right format. I expect a bridge between puppet, func, and certmonger is in order and then you would be good to go.

In my mind there are too many CAs running around and I like one to rule them all. I, like you I suspect, run func and puppet as well as IPA giving me three CAs. Now func can rely on puppet as the CA if you configure it to, but I want just one :).

Anyway just my thoughts, no real progress in that direction though yet,

-Erinn
Re: [Freeipa-users] Help with ipa-replica-manage
Hi Rich,

Yes, replication is working otherwise on these two servers:

Server1 and Server2:
freeipa-server-selinux-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
Fedora release 16
389-ds-base-1.2.10.6-1.fc16.x86_64

Date: Tue, 15 May 2012 18:33:34 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:
This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

Is replication otherwise working?

-Ben

Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:
Hello,
I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:

ipa-replica-manage re-initialize --from example2.edu

On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate schema: rc=1

Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your servers?

Thanks!
-Ben
Re: [Freeipa-users] Slight confusion about groups, netgroups, sudo rules etc.
Sigbjorn Lie wrote:
I have implemented Solaris 10 with IPA with success.
AES256 did not come to Solaris 10 until around update 7 or 8. There is still a bug where the required crypto provider is not enabled.
[etc.. lots of useful information]

Thanks! I've postponed using FreeIPA with Solaris so far, due to a lack of time to really dig into these issues. Your answer really helps me get this back on track! :)

Regards
Eivind Olsen
Re: [Freeipa-users] Help with ipa-replica-manage
On 05/21/2012 03:57 PM, Ben Ho wrote:
Hi Rich,

Yes, replication is working otherwise on these two servers:

Server1 and Server2:
freeipa-server-selinux-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
Fedora release 16
389-ds-base-1.2.10.6-1.fc16.x86_64

Ok. I'm not sure what's going on. But as long as replication is working otherwise, you can ignore this.

Date: Tue, 15 May 2012 18:33:34 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:
This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

Is replication otherwise working?

-Ben

Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:
Hello,
I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:

ipa-replica-manage re-initialize --from example2.edu

On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate schema: rc=1

Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your servers?

Thanks!
-Ben
Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???
On 05/21/2012 01:25 PM, Gelen James wrote:
Hi Rob,

Just wondering whether you guys have abandoned IPA 2.1.3 users on Redhat 6.2 or not. :(

The IPA replication/restoration procedure/document request has been submitted for more than a week, but I cannot see that any meaningful work has been done for customers, although IPA replication and restoration is so vital to users' production IPA reliability! Even after I've done a lot of investigation work and asked for help/suggestions, there is still not much attention paid from you guys. Am I, or any other users here, just unpaid QA staff for the IPA team who can be ignored for no reason :)

I've mentioned this again and again, urging the IPA team to set up a typical user setup, because only this way can you see what problems IPA administrators/users are facing and scared of. But unfortunately, we don't have the feeling that you have done so.

Thanks.

--Gelen

Hello Gelen,

We have not done so because we are pretty busy preparing the next release and were hoping that our replies were sufficient to help you figure out the best procedure that works for you. JR has a running environment so his guidance is first hand. We tried to provide as much help as we can. We also have not been going down the path of setting up the environment because we are not sure what your typical environment is and what the main concerns are. Your input is very valuable but it is one of the first clearly spelled out data points. We need to get a bit more info to make sure that we are addressing the right use case and problem. We apologize for the delays but the turnaround would not be fast. It will take us at least several weeks to come up with something we are comfortable with upstream and downstream. I hear your frustration and feel the urgency but we can't move faster than we can, sorry. Please do not feel abandoned, we are working hard too.

Also it seems that setting up the environment and crafting the guidelines should be combined with an attempt to automate the process. I already contacted Foreman project developers in an attempt to integrate the replica provisioning for scalability and disaster recovery cases. We will have a conversation with them later this week. This might help with doing automatic provisioning of replicas rather than manually performing a couple dozen steps. Would such integration help?

Also if you need some immediate help, opening a support ticket might be a better avenue to get the situation prioritized accordingly.

Sorry for delays,
Thanks
Dmitri

From: Gelen James hahaha_...@yahoo.com
To: Rob Crittenden rcrit...@redhat.com; Dmitri Pal d...@redhat.com
Cc: Freeipa-users@redhat.com
Sent: Sunday, May 20, 2012 12:08 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

Hi Dmitri, Rob and all.

Thanks for your instructions. I've performed your steps on case#1: replacing failed IPA master. The results, and my confusion and questions, are all detailed below. In general, please set up your own real test environment, and write down the detailed steps one by one clearly. It took me more than one week and still no clues. Frankly, your steps in the formal email are kind of over-simplified for normal IPA users, and do not cover how the CA LDAP backend will be handled.

The problem is the CA backend. All the replicas are still trying to sync to the old failed IPA master, even after reboot. Could it be that 'ipa-replica-manage' only manages the user data replication, and 'ipa-csreplica-manage' only handles CA-end replication? In other words, when building, or tearing down, IPA replication between two servers, do we need to deal with both replication types with 'ipa-replica-manage' AND 'ipa-csreplica-manage'? If so, then which should run first?

The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached, same from B,C,D replicas.

[19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[19/May/2012:19:40:48 -0700] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
[19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for LDAPS requests
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - agmt=cn=cloneAgreement1-B.example.com-pki-ca (A:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send startTLS request: