Re: [Freeipa-users] ipa replica installation help

2017-01-09 Thread Florence Blanc-Renaud

On 01/09/2017 01:27 PM, Ben .T.George wrote:

Hi List,

is there anyone who has faced/fixed this issue?

Regards,
Ben


Hi Ben,

the directory server fails to restart on the replica. Are there any
specific error messages in /var/log/dirsrv/slapd-$DOMAIN/errors and
access log files? If you are hitting ticket 6575 [1], there should be an
error about a missing Server-Cert certificate (similar to: "Can't find
certificate Server-Cert"), and no Server-Cert in /etc/dirsrv/slap-$DOMAIN.


Otherwise we need to figure out what causes the dirsrv startup error.

Flo

[1] https://fedorahosted.org/freeipa/ticket/6575


On Sun, Jan 8, 2017 at 7:03 AM, Ben .T.George wrote:

Hi List,

how can I solve this? Is this a bug, normal behavior, or any missing
configuration from my end?

Till now I didn't get any clue on this.

Regards
Ben

On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale wrote:

On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
> HI
>
> there is no firewall running on both servers,
>
> [root@zkwipamstr01 ~]# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>    Active: inactive (dead)
>      Docs: man:firewalld(1)
>
> [root@zkwipamstr01 ~]# sestatus
> SELinux status: disabled
>
OK, very well.  And actually, forget about my idea about connecting
to port 8009 from client - that is not what happens at all.  It is
the end of day for me and my brain checked out :/

I shall continue analysis of your problem tomorrow.

Thanks,
Fraser

>
> On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale
> wrote:
>
> > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > > HI,
> > >
> > > on master server and replica server, i have enabled ipv6
> > >
> > > below on master server
> > >
> > > [root@zkwipamstr01 ~]# ip addr | grep inet6
> > >
> > > inet6 fe80::250:56ff:fea0:3857/64 scope link
> > >
> > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > tcp6   0  0 ::1:8009    :::*    LISTEN    12692/java
> > >
> > >
> > > after that 8009 is listening on master server.
> > >
> > > on replica side uninstalled ipa and tried to enrolled again. Do i need to
> > > enable any service replica side?
> > >
> > > [28/44]: restarting directory server
> > > ipa : CRITICAL Failed to restart the directory server (Command
> > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > > exit status 1). See the installation log for details.
> > >   [29/44]: setting up initial replication
> > >   [error] error: [Errno 111] Connection refused
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111]
> > > Connection refused
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> > > more information
> > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > Job for pki-tomcatd@pki-tomcat.service failed because the control process
> > > exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service"
> > > and "journalctl -xe" for details.
> > >
> > > Still same error.
> > >
> > > is this service restart pki-tomcatd@pki-tomcat only applicable on master
> > > server?
> > >
> > Yes, because no CA has been created on replica (yet).
> >
> > Can you confirm that your firewall (if any/enabled) on master is
> > letting the traffic from client/replica through to :8009?
> > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> > suffices to check.
> >
> > Thanks,
> > Fraser
> >
> > > Regards,
> > > Ben
> > >
> > >
> > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik
>
   

Re: [Freeipa-users] ipa replica installation help

2017-01-07 Thread Ben .T.George
Hi List,

how can I solve this? Is this a bug, normal behavior, or any missing
configuration from my end?

Till now I didn't get any clue on this.

Regards
Ben

On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale  wrote:

> On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
> > HI
> >
> > there is no firewall running on both servers,
> >
> > [root@zkwipamstr01 ~]# systemctl status firewalld
> > ● firewalld.service - firewalld - dynamic firewall daemon
> >    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
> >    Active: inactive (dead)
> >      Docs: man:firewalld(1)
> >
> > [root@zkwipamstr01 ~]# sestatus
> > SELinux status: disabled
> >
> OK, very well.  And actually, forget about my idea about connecting
> to port 8009 from client - that is not what happens at all.  It is
> the end of day for me and my brain checked out :/
>
> I shall continue analysis of your problem tomorrow.
>
> Thanks,
> Fraser
>
> >
> > On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale 
> wrote:
> >
> > > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > > > HI,
> > > >
> > > > on master server and replica server, i have enabled ipv6
> > > >
> > > > below on master server
> > > >
> > > > [root@zkwipamstr01 ~]# ip addr | grep inet6
> > > >
> > > > inet6 fe80::250:56ff:fea0:3857/64 scope link
> > > >
> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > > tcp6   0  0 ::1:8009    :::*    LISTEN    12692/java
> > > >
> > > >
> > > > after that 8009 is listening on master server.
> > > >
> > > > on replica side uninstalled ipa and tried to enrolled again. Do i
> need to
> > > > enable any service replica side?
> > > >
> > > > [28/44]: restarting directory server
> > > > ipa : CRITICAL Failed to restart the directory server
> (Command
> > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> non-zero
> > > > exit status 1). See the installation log for details.
> > > >   [29/44]: setting up initial replication
> > > >   [error] error: [Errno 111] Connection refused
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> 111]
> > > > Connection refused
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > > > ipa-replica-install command failed. See /var/log/ipareplica-install.
> log
> > > for
> > > > more information
> > > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > Job for pki-tomcatd@pki-tomcat.service failed because the control
> > > process
> > > > exited with error code. See "systemctl status
> > > pki-tomcatd@pki-tomcat.service"
> > > > and "journalctl -xe" for details.
> > > >
> > > > Still same error.
> > > >
> > > > is this service restart pki-tomcatd@pki-tomcat only applicable on
> master
> > > > server?
> > > >
> > > Yes, because no CA has been created on replica (yet).
> > >
> > > Can you confirm that your firewall (if any/enabled) on master is
> > > letting the traffic from client/replica through to :8009?
> > > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> > > suffices to check.
> > >
> > > Thanks,
> > > Fraser
> > >
> > > > Regards,
> > > > Ben
> > > >
> > > >
> > > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik 
> > > wrote:
> > > >
> > > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > yes i did the same and still port is not listening.
> > > > > >
> > > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > > > 127.0.0.1   localhost localhost.localdomain localhost4
> > > > > localhost4.localdomain4
> > > > > > ::1 localhost localhost.localdomain localhost6
> > > > > localhost6.localdomain6
> > > > > > 10.151.4.64 zkwipamstr01.kw.example.com  > > > > example.com>
> > > > > > zkwipamstr01
> > > > > > 10.151.4.65 zkwiparepa01.kw.example.com  > > > > example.com>
> > > > > > zkwiparepa01
> > > > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > > > >
> > > > > >
> > > > > > Regards
> > > > > > Ben
> > > > >
> > > > > Also IPv6 stack needs to be enabled.
> > > > >
> > > > > >
> > > > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <
> ftwee...@redhat.com
> > > > > > > wrote:
> > > > > >
> > > > > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George
> wrote:
> > > > > > > HI
> > > > > > >
> > > > > > > port 8009 is not listening in master server
> > > > > > >
> > > > > > > and i added ::1 localhost localhost.localdomain
> > > localhost6
> > > > > > > localhost6.localdomain6 

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Fraser Tweedale
On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
> HI
> 
> there is no firewall running on both servers,
>
> [root@zkwipamstr01 ~]# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>    Active: inactive (dead)
>      Docs: man:firewalld(1)
> 
> [root@zkwipamstr01 ~]# sestatus
> SELinux status: disabled
> 
OK, very well.  And actually, forget about my idea about connecting
to port 8009 from client - that is not what happens at all.  It is
the end of day for me and my brain checked out :/

I shall continue analysis of your problem tomorrow.

Thanks,
Fraser

> 
> On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale  wrote:
> 
> > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > > HI,
> > >
> > > on master server and replica server, i have enabled ipv6
> > >
> > > below on master server
> > >
> > > [root@zkwipamstr01 ~]# ip addr | grep inet6
> > >
> > > inet6 fe80::250:56ff:fea0:3857/64 scope link
> > >
> > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > tcp6   0  0 ::1:8009    :::*    LISTEN    12692/java
> > >
> > >
> > > after that 8009 is listening on master server.
> > >
> > > on replica side uninstalled ipa and tried to enrolled again. Do i need to
> > > enable any service replica side?
> > >
> > > [28/44]: restarting directory server
> > > ipa : CRITICAL Failed to restart the directory server (Command
> > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > > exit status 1). See the installation log for details.
> > >   [29/44]: setting up initial replication
> > >   [error] error: [Errno 111] Connection refused
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > > Connection refused
> > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> > for
> > > more information
> > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > Job for pki-tomcatd@pki-tomcat.service failed because the control
> > process
> > > exited with error code. See "systemctl status
> > pki-tomcatd@pki-tomcat.service"
> > > and "journalctl -xe" for details.
> > >
> > > Still same error.
> > >
> > > is this service restart pki-tomcatd@pki-tomcat only applicable on master
> > > server?
> > >
> > Yes, because no CA has been created on replica (yet).
> >
> > Can you confirm that your firewall (if any/enabled) on master is
> > letting the traffic from client/replica through to :8009?
> > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> > suffices to check.
> >
> > Thanks,
> > Fraser
> >
> > > Regards,
> > > Ben
> > >
> > >
> > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik 
> > wrote:
> > >
> > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > yes i did the same and still port is not listening.
> > > > >
> > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > > 127.0.0.1   localhost localhost.localdomain localhost4
> > > > localhost4.localdomain4
> > > > > ::1 localhost localhost.localdomain localhost6
> > > > localhost6.localdomain6
> > > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > > >
> > > > >
> > > > > Regards
> > > > > Ben
> > > >
> > > > Also IPv6 stack needs to be enabled.
> > > >
> > > > >
> > > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale wrote:
> > > > >
> > > > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > port 8009 is not listening in master server
> > > > > >
> > > > > > and i added ::1 localhost localhost.localdomain
> > localhost6
> > > > > > localhost6.localdomain6 in hosts file.
> > > > > >
> > > > >
> > > > > Did you add this to the host file on the master (then `systemctl
> > > > > restart pki-tomcatd@pki-tomcat` and confirm it is listening on
> > port
> > > > > 8009)?  Or just the client you are trying to promote?
> > > > >
> > > > > It is needed on the master.  Won't hurt to make this change to
> > > > > /etc/hosts on both machines, though.
> > > > >
> > > > > HTH,
> > > > > Fraser
> > > > >
> > > > >  > still getting same 

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
HI

there is no firewall running on both servers,

[root@zkwipamstr01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
vendor preset: enabled)
   Active: inactive (dead)
 Docs: man:firewalld(1)

[root@zkwipamstr01 ~]# sestatus
SELinux status: disabled


On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale  wrote:

> On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > HI,
> >
> > on master server and replica server, i have enabled ipv6
> >
> > below on master server
> >
> > [root@zkwipamstr01 ~]# ip addr | grep inet6
> >
> > inet6 fe80::250:56ff:fea0:3857/64 scope link
> >
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > tcp6   0  0 ::1:8009    :::*    LISTEN    12692/java
> >
> >
> > after that 8009 is listening on master server.
> >
> > on replica side uninstalled ipa and tried to enrolled again. Do i need to
> > enable any service replica side?
> >
> > [28/44]: restarting directory server
> > ipa : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > exit status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > Connection refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for
> > more information
> > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > Job for pki-tomcatd@pki-tomcat.service failed because the control
> process
> > exited with error code. See "systemctl status
> pki-tomcatd@pki-tomcat.service"
> > and "journalctl -xe" for details.
> >
> > Still same error.
> >
> > is this service restart pki-tomcatd@pki-tomcat only applicable on master
> > server?
> >
> Yes, because no CA has been created on replica (yet).
>
> Can you confirm that your firewall (if any/enabled) on master is
> letting the traffic from client/replica through to :8009?
> Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> suffices to check.
>
> Thanks,
> Fraser
>
> > Regards,
> > Ben
> >
> >
> > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik 
> wrote:
> >
> > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > yes i did the same and still port is not listening.
> > > >
> > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > 127.0.0.1   localhost localhost.localdomain localhost4
> > > localhost4.localdomain4
> > > > ::1 localhost localhost.localdomain localhost6
> > > localhost6.localdomain6
> > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > >
> > > >
> > > > Regards
> > > > Ben
> > >
> > > Also IPv6 stack needs to be enabled.
> > >
> > > >
> > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale wrote:
> > > >
> > > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > port 8009 is not listening in master server
> > > > >
> > > > > and i added ::1 localhost localhost.localdomain
> localhost6
> > > > > localhost6.localdomain6 in hosts file.
> > > > >
> > > >
> > > > Did you add this to the host file on the master (then `systemctl
> > > > restart pki-tomcatd@pki-tomcat` and confirm it is listening on
> port
> > > > 8009)?  Or just the client you are trying to promote?
> > > >
> > > > It is needed on the master.  Won't hurt to make this change to
> > > > /etc/hosts on both machines, though.
> > > >
> > > > HTH,
> > > > Fraser
> > > >
> > > >  > still getting same error
> > > >  >
> > > >  >  [28/44]: restarting directory server
> > > >  > ipa : CRITICAL Failed to restart the directory server
> > > (Command
> > > >  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service'
> returned
> > > non-zero
> > > >  > exit status 1). See the installation log for details.
> > > >  >   [29/44]: setting up initial replication
> > > >  >   [error] error: [Errno 111] Connection refused
> > > >  > Your system may be partly configured.
> > > >  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >  >

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Fraser Tweedale
On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> HI,
> 
> on master server and replica server, i have enabled ipv6
> 
> below on master server
> 
> [root@zkwipamstr01 ~]# ip addr | grep inet6
> 
> inet6 fe80::250:56ff:fea0:3857/64 scope link
> 
> [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> tcp6   0  0 ::1:8009    :::*    LISTEN    12692/java
> 
> 
> after that 8009 is listening on master server.
> 
> on replica side uninstalled ipa and tried to enrolled again. Do i need to
> enable any service replica side?
> 
> [28/44]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> more information
> [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> Job for pki-tomcatd@pki-tomcat.service failed because the control process
> exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service"
> and "journalctl -xe" for details.
> 
> Still same error.
> 
> is this service restart pki-tomcatd@pki-tomcat only applicable on master
> server?
> 
Yes, because no CA has been created on replica (yet).

Can you confirm that your firewall (if any/enabled) on master is
letting the traffic from client/replica through to :8009?
Executing: ``nc -v $MASTER_IP 8009`` from the client machine
suffices to check.

Thanks,
Fraser

> Regards,
> Ben
> 
> 
> On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik  wrote:
> 
> > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > HI
> > >
> > > yes i did the same and still port is not listening.
> > >
> > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > 127.0.0.1   localhost localhost.localdomain localhost4
> > localhost4.localdomain4
> > > ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6
> > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > >
> > >
> > > Regards
> > > Ben
> >
> > Also IPv6 stack needs to be enabled.
> >
> > >
> > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale wrote:
> > >
> > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > HI
> > > >
> > > > port 8009 is not listening in master server
> > > >
> > > > and i added ::1 localhost localhost.localdomain localhost6
> > > > localhost6.localdomain6 in hosts file.
> > > >
> > >
> > > Did you add this to the host file on the master (then `systemctl
> > > restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> > > 8009)?  Or just the client you are trying to promote?
> > >
> > > It is needed on the master.  Won't hurt to make this change to
> > > /etc/hosts on both machines, though.
> > >
> > > HTH,
> > > Fraser
> > >
> > >  > still getting same error
> > >  >
> > >  >  [28/44]: restarting directory server
> > >  > ipa : CRITICAL Failed to restart the directory server
> > (Command
> > >  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> > non-zero
> > >  > exit status 1). See the installation log for details.
> > >  >   [29/44]: setting up initial replication
> > >  >   [error] error: [Errno 111] Connection refused
> > >  > Your system may be partly configured.
> > >  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >  >
> > >  > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> > 111]
> > >  > Connection refused
> > >  > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > >  > ipa-replica-install command failed. See
> > /var/log/ipareplica-install.log for
> > >  > more information
> > >  >
> > >  >
> > >  > Also  ipv6 is disabled on both nodes
> > >  >
> > >  > Regards,
> > >  > Ben
> > >  >
> > >  > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <
> > pvobo...@redhat.com
> > > > wrote:
> > >  >
> > >  > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > >  > > > HI
> > >  

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
HI,

on master server and replica server, i have enabled ipv6

below on master server

[root@zkwipamstr01 ~]# ip addr | grep inet6

inet6 fe80::250:56ff:fea0:3857/64 scope link

[root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
[root@zkwipamstr01 ~]# netstat -tunap | grep 8009
tcp6   0  0 ::1:8009    :::*    LISTEN    12692/java


after that 8009 is listening on master server.

on replica side uninstalled ipa and tried to enroll again. Do I need to
enable any service replica side?

[28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111]
Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
[root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
Job for pki-tomcatd@pki-tomcat.service failed because the control process
exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service"
and "journalctl -xe" for details.

Still same error.

is this service restart pki-tomcatd@pki-tomcat only applicable on master
server?

Regards,
Ben


On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik  wrote:

> On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > HI
> >
> > yes i did the same and still port is not listening.
> >
> > [root@zkwipamstr01 ~]# cat /etc/hosts
> > 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> > ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> >
> >
> > Regards
> > Ben
>
> Also IPv6 stack needs to be enabled.
>
> >
> > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale wrote:
> >
> > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > HI
> > >
> > > port 8009 is not listening in master server
> > >
> > > and i added ::1 localhost localhost.localdomain localhost6
> > > localhost6.localdomain6 in hosts file.
> > >
> >
> > Did you add this to the host file on the master (then `systemctl
> > restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> > 8009)?  Or just the client you are trying to promote?
> >
> > It is needed on the master.  Won't hurt to make this change to
> > /etc/hosts on both machines, though.
> >
> > HTH,
> > Fraser
> >
> >  > still getting same error
> >  >
> >  >  [28/44]: restarting directory server
> >  > ipa : CRITICAL Failed to restart the directory server
> (Command
> >  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> non-zero
> >  > exit status 1). See the installation log for details.
> >  >   [29/44]: setting up initial replication
> >  >   [error] error: [Errno 111] Connection refused
> >  > Your system may be partly configured.
> >  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >  >
> >  > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> 111]
> >  > Connection refused
> >  > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> >  > ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for
> >  > more information
> >  >
> >  >
> >  > Also  ipv6 is disabled on both nodes
> >  >
> >  > Regards,
> >  > Ben
> >  >
> >  > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <
> pvobo...@redhat.com
> > > wrote:
> >  >
> >  > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> >  > > > HI
> >  > > >
> >  > > > i tried the method mentioned on that document and it end up
> with below
> >  > > error. My
> >  > > > DNS is managed by external box and i dont want to create any
> DNS record
> >  > > on these
> >  > > > servers.
> >  > > >
> >  > > > and the command which i tried is(non client server)
> >  > > >
> >  > > > ipa-replica-install --principal admin --admin-password
> P@ssw0rd --domain
> >  > > > kw.example.com  
> --server
> >  > > zkwipamstr01.kw.example.com 

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Petr Vobornik
On 01/05/2017 07:10 AM, Ben .T.George wrote:
> HI
> 
> yes i did the same and still port is not listening.
> 
> [root@zkwipamstr01 ~]# cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> 
> 
> Regards
> Ben

Also IPv6 stack needs to be enabled.

> 
> On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale wrote:
> 
> On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > HI
> >
> > port 8009 is not listening in master server
> >
> > and i added ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6 in hosts file.
> >
> 
> Did you add this to the host file on the master (then `systemctl
> restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> 8009)?  Or just the client you are trying to promote?
> 
> It is needed on the master.  Won't hurt to make this change to
> /etc/hosts on both machines, though.
> 
> HTH,
> Fraser
> 
>  > still getting same error
>  >
>  >  [28/44]: restarting directory server
>  > ipa : CRITICAL Failed to restart the directory server (Command
>  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned 
> non-zero
>  > exit status 1). See the installation log for details.
>  >   [29/44]: setting up initial replication
>  >   [error] error: [Errno 111] Connection refused
>  > Your system may be partly configured.
>  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>  >
>  > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>  > Connection refused
>  > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>  > ipa-replica-install command failed. See 
> /var/log/ipareplica-install.log for
>  > more information
>  >
>  >
>  > Also  ipv6 is disabled on both nodes
>  >
>  > Regards,
>  > Ben
>  >
>  > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik wrote:
>  >
>  > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
>  > > > HI
>  > > >
>  > > > i tried the method mentioned on that document and it end up with 
> below
>  > > error. My
>  > > > DNS is managed by external box and i dont want to create any DNS 
> record
>  > > on these
>  > > > servers.
>  > > >
>  > > > and the command which i tried is(non client server)
>  > > >
>  > > > ipa-replica-install --principal admin --admin-password P@ssw0rd 
> --domain
>  > > > kw.example.com   
> --server
>  > > zkwipamstr01.kw.example.com 
>  > > >  >
>  > > >
>  > > >
>  > > >
>  > > > ipa : CRITICAL Failed to restart the directory server 
> (Command
>  > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
>  > > non-zero exit
>  > > > status 1). See the installation log for details.
>  > > >[29/44]: setting up initial replication
>  > > >[error] error: [Errno 111] Connection refused
>  > > > Your system may be partly configured.
>  > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>  > > >
>  > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 
> 111]
>  > > Connection
>  > > > refused
>  > > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>  > > > ipa-replica-install command failed. See 
> /var/log/ipareplica-install.log
>  > > for more
>  > > > information
>  > >
>  > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
> 
>  > >
>  > > To verify that, could you check if master server internally listens 
> on
>  > > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
>  > > near  step 27.
>  > >
>  > > Usual fix is to add following line to /etc/hosts
>  > >   ::1 localhost localhost.localdomain localhost6
>  > > localhost6.localdomain6
>  > >
>  > >
>  > > > [root@zkwiparepa01 ~]# /bin/systemctl restart
>  > > dirsrv@KW-EXAMPLE-COM.service
>  > > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
>  > > process exited
>  > > > with error code. See "systemctl status 
> dirsrv@KW-EXAMPLE-COM.service"
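
The checks suggested in this thread (the `::1` hosts entry, a listener on port 8009 on the master, the CA_UNREACHABLE string in the replica install log, and the "Can't find certificate Server-Cert" error in the dirsrv errors log), collected into one script. This is an added example, not part of any message in the thread and not FreeIPA tooling; the function names are hypothetical and the sample inputs in `demo` are constructed.

```shell
#!/bin/sh
# Added example: triage helpers for the replica-install failure discussed
# in this thread. Function names are hypothetical; sample data is constructed.

# Succeeds if FILE maps ::1 to the name "localhost" on an uncommented line.
hosts_has_ipv6_localhost() {
    awk '{ sub(/#.*/, "") }
         $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
         END { exit !found }' "$1"
}

# Succeeds if netstat/ss output read from stdin shows a listener on port 8009.
port_8009_listening() {
    awk '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ /:8009$/) found = 1 }
         END { exit !found }'
}

# Succeeds if the replica install log contains the CA_UNREACHABLE string.
log_has_ca_unreachable() {
    grep -q 'CA_UNREACHABLE' "$1"
}

# Succeeds if the dirsrv errors log reports the missing Server-Cert.
# The message text is the one quoted in the thread ("similar to").
errors_missing_server_cert() {
    grep -q "an't find certificate Server-Cert" "$1"
}

# triage HOSTS NETSTAT_OUTPUT INSTALL_LOG ERRORS_LOG
# Prints one line per finding; prints nothing when all four checks are clean.
triage() {
    hosts=$1
    netstat_out=$2
    install_log=$3
    errors_log=$4
    hosts_has_ipv6_localhost "$hosts" \
        || echo "hosts: no uncommented '::1 localhost' entry"
    port_8009_listening < "$netstat_out" \
        || echo "master: nothing listening on port 8009"
    if log_has_ca_unreachable "$install_log"; then
        echo "install log: CA_UNREACHABLE present"
    fi
    if errors_missing_server_cert "$errors_log"; then
        echo "dirsrv errors log: Server-Cert not found"
    fi
    return 0
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed inputs: a hosts file without the ::1 line, empty netstat
    # output (grep 8009 returned nothing), and logs with the marker strings.
    printf '%s\n' \
        '127.0.0.1   localhost localhost.localdomain localhost4' \
        '10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01' > "$d/hosts"
    : > "$d/netstat"
    echo 'constructed line: CA_UNREACHABLE' > "$d/install.log"
    echo "constructed line: Can't find certificate Server-Cert" > "$d/errors"
    triage "$d/hosts" "$d/netstat" "$d/install.log" "$d/errors"
    rm -rf "$d"
}

demo
```

On a real replica, `triage` would be given /etc/hosts, a file holding the master's `netstat -tunap` output, /var/log/ipareplica-install.log and /var/log/dirsrv/slapd-$DOMAIN/errors.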

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
HI

yes i did the same and still port is not listening.

[root@zkwipamstr01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
[root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
[root@zkwipamstr01 ~]# netstat -tunap | grep 8009


Regards
Ben

On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale  wrote:

> On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > HI
> >
> > port 8009 is not listening in master server
> >
> > and i added ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6 in hosts file.
> >
>
> Did you add this to the host file on the master (then `systemctl
> restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> 8009)?  Or just the client you are trying to promote?
>
> It is needed on the master.  Won't hurt to make this change to
> /etc/hosts on both machines, though.
>
> HTH,
> Fraser
>
> > still getting same error
> >
> >  [28/44]: restarting directory server
> > ipa : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > exit status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > Connection refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for
> > more information
> >
> >
> > Also  ipv6 is disabled on both nodes
> >
> > Regards,
> > Ben
> >
> > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik 
> wrote:
> >
> > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > i tried the method mentioned on that document and it end up with
> below
> > > error. My
> > > > DNS is managed by external box and i dont want to create any DNS
> record
> > > on these
> > > > servers.
> > > >
> > > > and the command which i tried is(non client server)
> > > >
> > > > ipa-replica-install --principal admin --admin-password P@ssw0rd
> --domain
> > > > kw.example.com  --server
> > > zkwipamstr01.kw.example.com
> > > > 
> > > >
> > > >
> > > >
> > > > ipa : CRITICAL Failed to restart the directory server
> (Command
> > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> > > non-zero exit
> > > > status 1). See the installation log for details.
> > > >[29/44]: setting up initial replication
> > > >[error] error: [Errno 111] Connection refused
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> 111]
> > > Connection
> > > > refused
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > > > ipa-replica-install command failed. See /var/log/ipareplica-install.
> log
> > > for more
> > > > information
> > >
> > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
> > >
> > > To verify that, could you check if master server internally listens on
> > > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> > > near  step 27.
> > >
> > > Usual fix is to add following line to /etc/hosts
> > >   ::1 localhost localhost.localdomain localhost6
> > > localhost6.localdomain6
> > >
> > >
> > > > [root@zkwiparepa01 ~]# /bin/systemctl restart
> > > dirsrv@KW-EXAMPLE-COM.service
> > > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
> > > process exited
> > > > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service
> "
> > > and
> > > > "journalctl -xe" for details.
> > > >
> > > > [root@zkwiparepa01 ~]# systemctl status
> dirsrv@KW-EXAMPLE-COM.service
> > > > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server
> KW-EXAMPLE-COM.
> > > > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service;
> enabled;
> > > vendor
> > > > preset: disabled)
> > > > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46
> > > AST; 13s ago
> > > >Process: 14893 ExecStart=/usr/sbin/ns-slapd -D
> /etc/dirsrv/slapd-%i -i
> > > > /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
> > > >Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
> > > > /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
> > > >   Main PID: 14893 (code=exited, status=1/FAILURE)
> > > >
> > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com  

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Fraser Tweedale
On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> HI
> 
> port 8009 is not listening in master server
> 
> and i added ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6 in hosts file.
> 

Did you add this to the host file on the master (then `systemctl
restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
8009)?  Or just the client you are trying to promote?

It is needed on the master.  Won't hurt to make this change to
/etc/hosts on both machines, though.

HTH,
Fraser

> still getting same error
> 
>  [28/44]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> more information
> 
> 
> Also  ipv6 is disabled on both nodes
> 
> Regards,
> Ben
> 
> On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik  wrote:
> 
> > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > > HI
> > >
> > > i tried the method mentioned on that document and it end up with below
> > error. My
> > > DNS is managed by external box and i dont want to create any DNS record
> > on these
> > > servers.
> > >
> > > and the command which i tried is(non client server)
> > >
> > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> > > kw.example.com  --server
> > zkwipamstr01.kw.example.com
> > > 
> > >
> > >
> > >
> > > ipa : CRITICAL Failed to restart the directory server (Command
> > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> > non-zero exit
> > > status 1). See the installation log for details.
> > >[29/44]: setting up initial replication
> > >[error] error: [Errno 111] Connection refused
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > Connection
> > > refused
> > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> > for more
> > > information
> >
> > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
> >
> > To verify that, could you check if master server internally listens on
> > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> > near  step 27.
> >
> > Usual fix is to add following line to /etc/hosts
> >   ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6
> >
> >
> > > [root@zkwiparepa01 ~]# /bin/systemctl restart
> > dirsrv@KW-EXAMPLE-COM.service
> > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
> > process exited
> > > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service"
> > and
> > > "journalctl -xe" for details.
> > >
> > > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
> > > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
> > > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled;
> > vendor
> > > preset: disabled)
> > > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46
> > AST; 13s ago
> > >Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i
> > > /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
> > >Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
> > > /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
> > >   Main PID: 14893 (code=exited, status=1/FAILURE)
> > >
> > > Jan 04 12:54:46 zkwiparepa01.kw.example.com  > example.com>
> > > ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error:
> > > betxnpostoperation plu...arted
> > > Jan 04 12:54:46 zkwiparepa01.kw.example.com  > example.com>
> > > ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object
> > plugin
> > > Roles Pl...arted
> > > Jan 04 12:54:46 zkwiparepa01.kw.example.com  > example.com>
> > > ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error:
> > preoperation
> > > plugin su...arted
> > > Jan 04 12:54:46 zkwiparepa01.kw.example.com  > example.com>
> > > ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object
> > plugin USN
> > > is n...arted
> > > Jan 04 12:54:46 zkwiparepa01.kw.example.com  > example.com>
> > > 

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi

Anyone, please help me to fix this.

Regards,
Ben

On Wed, Jan 4, 2017 at 3:12 PM, Ben .T.George  wrote:

> HI
>
> port 8009 is not listening in master server
>
> and i added ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6 in hosts file.
>
> still getting same error
>
>  [28/44]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
>
>
> Also  ipv6 is disabled on both nodes
>
> Regards,
> Ben
>
> On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik  wrote:
>
>> On 01/04/2017 10:59 AM, Ben .T.George wrote:
>> > HI
>> >
>> > i tried the method mentioned on that document and it end up with below
>> error. My
>> > DNS is managed by external box and i dont want to create any DNS record
>> on these
>> > servers.
>> >
>> > and the command which i tried is(non client server)
>> >
>> > ipa-replica-install --principal admin --admin-password P@ssw0rd
>> --domain
>> > kw.example.com  --server
>> zkwipamstr01.kw.example.com
>> > 
>> >
>> >
>> >
>> > ipa : CRITICAL Failed to restart the directory server (Command
>> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
>> non-zero exit
>> > status 1). See the installation log for details.
>> >[29/44]: setting up initial replication
>> >[error] error: [Errno 111] Connection refused
>> > Your system may be partly configured.
>> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> >
>> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>> Connection
>> > refused
>> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
>> for more
>> > information
>>
>> This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>>
>> To verify that, could you check if master server internally listens on
>> port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
>> near  step 27.
>>
>> Usual fix is to add following line to /etc/hosts
>>   ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>>
>>
>> > [root@zkwiparepa01 ~]# /bin/systemctl restart
>> dirsrv@KW-EXAMPLE-COM.service
>> > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
>> process exited
>> > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service"
>> and
>> > "journalctl -xe" for details.
>> >
>> > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
>> > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
>> > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled;
>> vendor
>> > preset: disabled)
>> > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46
>> AST; 13s ago
>> >Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i
>> -i
>> > /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
>> >Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
>> > /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>> >   Main PID: 14893 (code=exited, status=1/FAILURE)
>> >
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error:
>> > betxnpostoperation plu...arted
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object
>> plugin
>> > Roles Pl...arted
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error:
>> preoperation
>> > plugin su...arted
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object
>> plugin USN
>> > is n...arted
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object
>> plugin
>> > Views is...arted
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981 +0300] Error:
>> extendedop plugin
>> > whoa...arted
>> > Jan 04 12:54:46 

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi

Port 8009 is not listening on the master server,

and I added ::1 localhost localhost.localdomain localhost6
localhost6.localdomain6 to the hosts file.

Still getting the same error:

 [28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information


Also, IPv6 is disabled on both nodes.

Regards,
Ben

On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik  wrote:

> On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > HI
> >
> > i tried the method mentioned on that document and it end up with below
> error. My
> > DNS is managed by external box and i dont want to create any DNS record
> on these
> > servers.
> >
> > and the command which i tried is(non client server)
> >
> > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> > kw.example.com  --server
> zkwipamstr01.kw.example.com
> > 
> >
> >
> >
> > ipa : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> non-zero exit
> > status 1). See the installation log for details.
> >[29/44]: setting up initial replication
> >[error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection
> > refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more
> > information
>
> This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>
> To verify that, could you check if master server internally listens on
> port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> near  step 27.
>
> Usual fix is to add following line to /etc/hosts
>   ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
>
>
> > [root@zkwiparepa01 ~]# /bin/systemctl restart
> dirsrv@KW-EXAMPLE-COM.service
> > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
> process exited
> > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service"
> and
> > "journalctl -xe" for details.
> >
> > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
> > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
> > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled;
> vendor
> > preset: disabled)
> > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46
> AST; 13s ago
> >Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i
> > /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
> >Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
> > /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
> >   Main PID: 14893 (code=exited, status=1/FAILURE)
> >
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error:
> > betxnpostoperation plu...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object
> plugin
> > Roles Pl...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error:
> preoperation
> > plugin su...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object
> plugin USN
> > is n...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object
> plugin
> > Views is...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981 +0300] Error:
> extendedop plugin
> > whoa...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > systemd[1]: dirsrv@KW-EXAMPLE-COM.service: main process exited,
> code=exited,
> > status=1/FAILURE
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com  example.com>
> > systemd[1]: Failed to start 389 

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Petr Vobornik
On 01/04/2017 10:59 AM, Ben .T.George wrote:
> HI
> 
> i tried the method mentioned on that document and it end up with below error. 
> My 
> DNS is managed by external box and i dont want to create any DNS record on 
> these 
> servers.
> 
> and the command which i tried is(non client server)
> 
> ipa-replica-install --principal admin --admin-password P@ssw0rd --domain 
> kw.example.com  --server zkwipamstr01.kw.example.com 
> 
> 
> 
> 
> ipa : CRITICAL Failed to restart the directory server (Command 
> '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit 
> status 1). See the installation log for details.
>[29/44]: setting up initial replication
>[error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111] 
> Connection 
> refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe 
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
> more 
> information

This looks like bug https://fedorahosted.org/freeipa/ticket/6575

To verify that, could you check whether the master server internally listens on
port 8009, or whether ipareplica-install.log contains the CA_UNREACHABLE string
near step 27?

The usual fix is to add the following line to /etc/hosts:
  ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6


> [root@zkwiparepa01 ~]# /bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service
> Job for dirsrv@KW-EXAMPLE-COM.service failed because the control process 
> exited 
> with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service" and 
> "journalctl -xe" for details.
> 
> [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
> ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
> preset: disabled)
> Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46 AST; 13s 
> ago
>Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
> /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
>Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl 
> /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>   Main PID: 14893 (code=exited, status=1/FAILURE)
> 
> Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error: betxnpostoperation plu...arted
> Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object plugin Roles Pl...arted
> Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error: preoperation plugin su...arted
> Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object plugin USN is n...arted
> Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object plugin Views is...arted
> Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981 +0300] Error: extendedop plugin whoa...arted
> Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: dirsrv@KW-EXAMPLE-COM.service: main process exited, code=exited, status=1/FAILURE
> Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Failed to start 389 Directory Server KW-EXAMPLE-COM..
> Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Unit dirsrv@KW-EXAMPLE-COM.service entered failed state.
> Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: dirsrv@KW-EXAMPLE-COM.service failed.
> Hint: Some lines were ellipsized, use -l to show in full.
> 
> 
> 
> Regards,
> Ben
> 
> 
> On Wed, Jan 4, 2017 at 11:19 AM, Martin Babinsky  > wrote:
> 
> On 01/04/2017 07:21 AM, Ben .T.George wrote:
> 
> HI
> 
> while trying to create ipa replica, i am getting below error,
> 
> Replica creation using 'ipa-replica-prepare' to generate replica file
> is supported only in 0-level IPA domain.
> 
> The current IPA domain level is 1 and thus the replica must
> be created by promoting an existing IPA client.
> 
> To set up a replica use the following procedure:
>  1.) set up a client on the host using 'ipa-client-install'
>  2.) 
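
The checks suggested in this thread for ticket 6575 (a listener on port 8009 on the master, the `::1 localhost` line in /etc/hosts, and CA_UNREACHABLE in ipareplica-install.log), as an added shell example that is not part of the original messages. The function names and the `--run`/`--demo` switches are made up for illustration, and the demo input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the ticket 6575 checks as functions
# that read text, so they work on live output or on saved copies.

# True if the hosts file maps ::1 to the name "localhost" (comments ignored).
hosts_maps_v6_localhost() {
    awk '
        { sub(/#.*/, "") }
        $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# True if `netstat -tln` (or `ss -tln`) output on stdin shows a listener on
# TCP port $1. Matches ":PORT" at the end of a field, so 18009 is not 8009.
port_is_listening() {
    awk -v port="$1" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# True if the install log mentions CA_UNREACHABLE.
log_has_ca_unreachable() {
    grep -q 'CA_UNREACHABLE' "$1"
}

# Print one finding per check. Listener table on stdin; $1 = hosts file,
# $2 = install log (written on the replica, so it may be absent on the master).
report_6575() {
    if port_is_listening 8009; then
        echo "port 8009: listening"
    else
        echo "port 8009: NOT listening"
    fi
    if hosts_maps_v6_localhost "$1"; then
        echo "hosts ::1 localhost: present"
    else
        echo "hosts ::1 localhost: MISSING"
    fi
    if [ ! -r "$2" ]; then
        echo "install log: not readable here"
    elif log_has_ca_unreachable "$2"; then
        echo "install log: CA_UNREACHABLE found"
    else
        echo "install log: no CA_UNREACHABLE"
    fi
}

# Constructed sample: a master with no ::1 entry and nothing on port 8009.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '127.0.0.1 localhost localhost.localdomain' > "$d/hosts"
    printf '%s\n' 'DEBUG CA_UNREACHABLE (constructed log line)' > "$d/log"
    printf '%s\n' 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN' |
        report_6575 "$d/hosts" "$d/log"
    rm -rf "$d"
}

case "${1:-}" in
    --run)  netstat -tln | report_6575 /etc/hosts /var/log/ipareplica-install.log ;;
    --demo) demo ;;
esac
```

Run the port and hosts checks on the master and the log check on the replica, since that is where ipareplica-install.log is written.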

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Martin Babinsky

On 01/04/2017 07:21 AM, Ben .T.George wrote:

HI

while trying to create ipa replica, i am getting below error,

Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.


i have IPA master server without AD integration and DNS is managed by
3rd party appliances.



Regards,
Ben




Hi Ben,

If you installed IPA 4.4 server then domain level 1 is the default. This
domain level uses a different mechanism to stand up replicas. See the
latest IdM documentation [1] for more details.


[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] ipa replica installation help

2017-01-03 Thread Ben .T.George
Hi

While trying to create an IPA replica, I am getting the error below:

Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.


I have an IPA master server without AD integration, and DNS is managed by
3rd-party appliances.



Regards,
Ben