[Freeipa-users] Stock with a Master in read-only mode
Hi,

Lately I've been having issues of replication between my server and my 2 replicas. I decided I was going to delete my 2 replicas and start over, keeping my master intact. I wasn't successful in getting all 3 servers to replicate to each other (it used to work). I tried deleting 1 replica after the other one to always keep one of the two available. I had to delete manually the replica host on the master with a bunch of ldapdelete commands, which worked fine. But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas. I went back to my master to use ldapdelete to remove both hosts' records so that I could start over.

Unfortunately now I'm getting this error:

    ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
    Enter LDAP Password:
    ldap_delete: Server is unwilling to perform (53)
            additional info: database is read-only

I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation, but with a master in read-only mode it wouldn't be of much help.

Any insights would be more than welcome.

Davis

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104 | Cell: +1 (514) 994-7360

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/21/2014 08:36 AM, Davis Goodman wrote:
> Unfortunately now I'm getting this error:
>
>     ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>     Enter LDAP Password:
>     ldap_delete: Server is unwilling to perform (53)
>             additional info: database is read-only
>
> I'm kinda stuck now with no replicas and no DNS. [...]

Hi Davis,

Did maybe one of your ipa-replica-manage runs crash in the middle of an operation, or was an upgrade interrupted and left the database in read-only mode? You can find out with this ldapsearch:

    ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base

Check for nsslapd-readonly; it should be set to "off" in normal operation.

Martin
Re: [Freeipa-users] Stock with a Master in read-only mode
On May 21, 2014, at 2:45 , Martin Kosek <mko...@redhat.com> wrote:
>     ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>
> Check for nsslapd-readonly; it should be set to "off" in normal operation.

Right on, it is. What would be the ldapmodify command to change it? I'm not the most used to the syntax!

--
Davis Goodman
Directeur Informatique | IT Manager
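A way to script the check Martin describes and the ldapmodify that clears the flag, as an added example that is not from the thread. It assumes the OpenLDAP client tools, a Directory Manager password file at a path of your choosing (DM_PWFILE, default assumed here), LDAP on localhost, and the backend DN from Martin's ldapsearch; the sample search output is constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect and clear the
# 389-ds nsslapd-readonly flag on the FreeIPA userRoot backend.
# Assumptions: ldapsearch/ldapmodify from OpenLDAP are installed, the
# Directory Manager password sits in a file (DM_PWFILE, assumed path below)
# so it never appears on the command line, and the server is on localhost.

BACKEND_DN='cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
DM_DN='cn=Directory Manager'
DM_PWFILE="${DM_PWFILE:-/root/.dm_password}"   # assumed location
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"

# readonly_state LDIF_TEXT -> prints "on", "off" or "unset".
# Parses the base-scope search result; LDIF attribute names are
# case-insensitive and 389-ds prints the value as on/off.
readonly_state() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "nsslapd-readonly:" { v = tolower($2); found = 1 }
        END { if (!found) print "unset"; else print v }'
}

# fix_ldif -> prints the ldapmodify input that turns the flag off.
fix_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-readonly\nnsslapd-readonly: off\n' \
        "$BACKEND_DN"
}

# live_check: the same query Martin gave, with the password read from a file.
live_check() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$DM_DN" -y "$DM_PWFILE" \
        -b "$BACKEND_DN" -s base nsslapd-readonly
}

# live_fix: apply the LDIF above to the running directory server.
live_fix() {
    fix_ldif | ldapmodify -x -H "$LDAP_URI" -D "$DM_DN" -y "$DM_PWFILE"
}

# Constructed sample of what the search prints while the backend is stuck.
SAMPLE_STUCK='dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-readonly: on
'

# Only touch a real server when asked to: ./readonly.sh --live
if [ "${1:-}" = "--live" ]; then
    state=$(readonly_state "$(live_check)")
    echo "nsslapd-readonly is: $state"
    if [ "$state" = "on" ]; then
        live_fix && echo "flag cleared; re-run with --live to verify"
    fi
fi
```

Run the script once with --live to see the current value; it only sends the ldapmodify when the flag is actually on, so a second run confirms the change.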
Re: [Freeipa-users] Stock with a Master in read-only mode
On May 21, 2014, at 2:45 , Martin Kosek <mko...@redhat.com> wrote:
> You can find out with this ldapsearch:
>
>     ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>
> Check for nsslapd-readonly; it should be set to "off" in normal operation.

Ok, finally managed to modify the read-only flag. Could prepare my replicas and get them going. Everything seems fine, but I'm getting this error while setting up the replicas. Should I be concerned about this one:

    Update in progress
    Update in progress
    Update in progress
    Update in progress
    Update in progress
    Update in progress
    Update succeeded
      [23/31]: adding replication acis
      [24/31]: setting Auto Member configuration
      [25/31]: enabling S4U2Proxy delegation
    ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
      [26/31]: initializing group membership
      [27/31]: adding master entry
      [28/31]: configuring Posix uid/gid generation

The rest seems to work fine.
Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/21/2014 09:12 AM, Davis Goodman wrote:
> Ok, finally managed to modify the read-only flag. Could prepare my replicas and get them going. Everything seems fine, but I'm getting this error while setting up the replicas. Should I be concerned about this one:
>
>       [25/31]: enabling S4U2Proxy delegation
>     ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
> [...]
> The rest seems to work fine.

You need to check ipareplica-install.log to see the real error. I wonder if cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX and cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX exist.

Martin
Re: [Freeipa-users] Stock with a Master in read-only mode
On May 21, 2014, at 6:54 , Martin Kosek <mko...@redhat.com> wrote:
> You need to check ipareplica-install.log to see the real error. I wonder if cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX and cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX exist.

The first one is there:

    ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
    dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
    ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
    ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
    memberPrincipal: HTTP/freeipa01.prs.ddistrict@ddistrict.int
    memberPrincipal: HTTP/freeipa02.prs.ddistrict@ddistrict.int
    memberPrincipal: HTTP/freeipa02.mtl.ddistrict@ddistrict.int
    memberPrincipal: HTTP/freeipa01.chr.ddistrict@ddistrict.int
    memberPrincipal: HTTP/freeipa01.bxl.ddistrict@ddistrict.int
    memberPrincipal: HTTP/freeipa01.mtl.ddistrict@ddistrict.int
    cn: ipa-http-delegation
    objectClass: ipaKrb5DelegationACL
    objectClass: groupOfPrincipals
    objectClass: top

But not the second one:

    ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
    No such object (32)
    Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int

Also what is strange is that I got the error only on one of the replicas; the other one went through without any hiccups.

Thanks for the help.

Davis

--
Davis Goodman
Directeur Informatique | IT Manager
Re: [Freeipa-users] be aware of name collision problem
Hello,

On 21.5.2014 13:31, Davis Goodman wrote:
>     ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int

Please note that domain shadowing/hijacking/name collisions are *strongly* discouraged. You *should not* use domain names you don't own.

(According to http://www.iana.org/cgi-bin/intreg/intreg.pl the domain name 'ddistrict.int' is not registered. The policy for .int registration is at http://www.iana.org/domains/int/policy)

It will cause problems with DNSSEC and it also prevents you from accessing resources on the Internet under the colliding name.

I guess that you want to have an internal sub-tree in DNS. The recommended practice is to use a sub-domain of your public (properly registered) domain, e.g. 'int.digital-district.ca' or even shorter 'i.digital-district.ca'.

I hope this will help you to avoid serious problems in the future.

Have a nice day!

--
Petr^2 Spacek
Re: [Freeipa-users] be aware of name collision problem
On May 21, 2014, at 8:17 , Petr Spacek <pspa...@redhat.com> wrote:
> Please note that domain shadowing/hijacking/name collisions are *strongly* discouraged. You *should not* use domain names you don't own.
> [...]
> The recommended practice is to use a sub-domain of your public (properly registered) domain, e.g. 'int.digital-district.ca' or even shorter 'i.digital-district.ca'.

Hi Peter,

Gee, I didn't even know .int was a public suffix domain. I guess we're kind of stuck with it now, but it's good to know.

Thanks for the info.

Davis Goodman
Directeur Informatique | IT Manager
Re: [Freeipa-users] be aware of name collision problem
On 21.5.2014 15:46, Davis Goodman wrote:
> Gee, I didn't even know .int was a public suffix domain. I guess we're kind of stuck with it now, but it's good to know.

Oh yes, that is the reason why we strongly recommend people to use a sub-tree in *their* domain. That prevents such situations (e.g. when ICANN delegates new TLDs). Please see http://www.freeipa.org/page/Deployment_Recommendations and the documents linked from that page for details.

Have a nice day!

--
Petr^2 Spacek
[Freeipa-users] New replica won't accept replication
This occurs on our first attempt to join as a replica. I've erased this box and rebaselined it, but the same thing happens. No network ports being blocked that we know of, and another replica I created at the same time installed its replica file without issue. asipa is the new replica, zsipa is the CA and original master on which the replica file was created.

      [24/34]: setting up initial replication
    Starting replication, please wait until this has completed
    Update in progress, 130 seconds elapsed
    Update in progress yet not in progress
    [ipamaster.foo.net] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.
    Failed to start replication

/var/log/ipareplica-install.log contains this:

    2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache url=ldaps://asipa.fopo.net:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4faf170>
    2014-05-21T14:31:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
        return_value = main_function()
      File "/usr/sbin/ipa-replica-install", line 663, in main
        ds = install_replica_ds(config)
      File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds
        ca_file=config.dir + "/ca.crt",
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
        self.start_creation(runtime=60)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
        method()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 373, in __setup_replica
        r_bindpw=self.dm_password()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 961, in setup_replication
        raise RuntimeError("Failed to start replication")
    2014-05-21T14:31:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication

Any guidance on where to start looking?

--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] New replica won't accept replication
Bret Wortman wrote:
> This occurs on our first attempt to join as a replica. [...]
>
>     [ipamaster.foo.net] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
> [...]
> Any guidance on where to start looking?

Check the 389-ds access and error logs on both masters.

rob
Re: [Freeipa-users] New replica won't accept replication
On the new replica (asipa) I see in the access log almost 5000 entries like this:

    [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
    [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 nentries=0 etime=0

And these just repeat, increasing the op value until they terminate with this one. The rest of it just looks like informational messages.

Over on zsipa (the CA master), errors contains:

    [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - Schema agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten (set replication log for additional info)
    [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - agmt="cn=meToasipa.foo.net" (asipa:389): Warning: unable to replicate schema: rc=1

These two lines repeat at intervals for a while. Nothing else leapt out at me.

On 05/21/2014 11:04 AM, Rob Crittenden wrote:
> Check the 389-ds access and error logs on both masters.
>
> rob
Re: [Freeipa-users] New replica won't accept replication
...but it did at least look like they were talking, right? Some level of replication was happening (before the "Netscape Replication Total update Entry" began running away with the logfile):

    [21/May/2014:10:28:52 -0400] conn=2 op=2 RESULT err=0 tag=101 nentries=1 etime=0
    [21/May/2014:10:28:53 -0400] conn=2 op=3 MOD dn="cn=IPA Version Replication,cn=Plugins,cn=config"
    [21/May/2014:10:28:53 -0400] conn=2 op=3 RESULT err=0 tag=103 nentries=0 etime=0
    [21/May/2014:10:28:53 -0400] conn=2 op=4 UNBIND

On 05/21/2014 11:40 AM, Bret Wortman wrote:
> On the new replica (asipa) I see in the access log almost 5000 entries like this:
> [...]
> These two lines repeat at intervals for a while. Nothing else leapt out at me.
Re: [Freeipa-users] Stock with a Master in read-only mode
On 05/21/2014 01:31 PM, Davis Goodman wrote:
> http://www.digital-district.ca/
>
> On May 21, 2014, at 6:54, Martin Kosek <mko...@redhat.com> wrote:
>
>> On 05/21/2014 09:12 AM, Davis Goodman wrote:
>>> On May 21, 2014, at 2:45, Martin Kosek <mko...@redhat.com> wrote:
>>>
>>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
>>>>> Hi,
>>>>>
>>>>> Lately I've been having issues of replication between my server and my 2 replicas. I decided I was going to delete my 2 replicas and start over, keeping my master intact.
>>>>>
>>>>> I wasn't successful in getting all 3 servers to replicate to each other (it used to work). I tried deleting 1 replica after the other one to always keep one of the two available. I had to delete manually the replica host on the master with a bunch of ldapdelete commands, which worked fine.
>>>>>
>>>>> But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas. I went back to my master to use ldapdelete to remove both hosts' records so that I could start over. Unfortunately now I'm getting this error:
>>>>>
>>>>> ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>>>>> Enter LDAP Password:
>>>>> ldap_delete: Server is unwilling to perform (53)
>>>>>         additional info: database is read-only
>>>>>
>>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation, but with a master in read-only mode it wouldn't be of much help.
>>>>>
>>>>> Any insights would be more than welcome.
>>>>>
>>>>> Davis
>>>>
>>>> Hi Davis,
>>>>
>>>> did maybe some of your ipa-replica-manage commands crash in the middle of an operation, or was an upgrade interrupted and left the database in read-only mode? You can find out with this ldapsearch:
>>>>
>>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>>>>
>>>> Check for nsslapd-readonly, it should be put to off in normal operation.
>>>>
>>>> Martin
>>>
>>> Ok, finally managed to modify the read-only flag. I could prepare my replicas and get them going.
>>>
>>> Everything seems fine, but I'm getting this error while setting up the replicas. Should I be concerned about this one:
>>>
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update succeeded
>>>   [23/31]: adding replication acis
>>>   [24/31]: setting Auto Member configuration
>>>   [25/31]: enabling S4U2Proxy delegation
>>> ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
>>>   [26/31]: initializing group membership
>>>   [27/31]: adding master entry
>>>   [28/31]: configuring Posix uid/gid generation
>>>
>>> The rest seems to work fine.
>>
>> You need to check ipareplica-install.log to see the real error. I wonder if cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX and cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX exist.
>>
>> Martin
>
> The first one is there:
>
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> memberPrincipal: HTTP/freeipa01.prs.ddistrict@ddistrict.int
> memberPrincipal: HTTP/freeipa02.prs.ddistrict@ddistrict.int
> memberPrincipal: HTTP/freeipa02.mtl.ddistrict@ddistrict.int
> memberPrincipal: HTTP/freeipa01.chr.ddistrict@ddistrict.int
> memberPrincipal: HTTP/freeipa01.bxl.ddistrict@ddistrict.int
> memberPrincipal: HTTP/freeipa01.mtl.ddistrict@ddistrict.int
> cn: ipa-http-delegation
> objectClass: ipaKrb5DelegationACL
> objectClass: groupOfPrincipals
> objectClass: top
>
> But not the second one:
>
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> No such object (32)
> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>
> Also what is strange is that I got the error only on one of the replicas, the other one went through without any hiccups.

Ok, I think I misguided you with the second DN, the real DN should be cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int, see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded. The key here is to check the error message of ldapmodify that was run on the
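The two checks Martin asks for in this thread (is cn=userRoot still read-only, and do the S4U2Proxy delegation groups exist and list each master's principals) can be made mechanical by feeding the `ldapsearch -LLL` output to a small script. The code below is an added example for this archive page; it is not code from the thread and not part of FreeIPA. It assumes the group names shown in the thread (cn=ipa-http-delegation holds HTTP/ principals, cn=ipa-ldap-delegation-targets holds ldap/ principals) and uses a constructed LDIF sample with placeholder hosts, realm and suffix. It also handles LDIF line folding (a continuation line begins with one space), which is why the thread's output shows `dc=ddistr` and `ict,dc=int` on separate lines.

```python
"""Added example (not code from the thread or from FreeIPA): audit the two
things Martin asks Davis to verify, from plain `ldapsearch -LLL` output:
  1. cn=userRoot must not be read-only (nsslapd-readonly: off);
  2. the S4U2Proxy delegation groups must exist, and for each master we
     report which HTTP/ and ldap/ principals are missing or already present.
Hostnames, realm and suffix below are placeholders chosen for this example."""
import base64
import re

# Constructed sample: the concatenated output of the two ldapsearch calls.
# Note the folded ipaAllowedTarget value: LDIF wraps long lines and marks the
# continuation line with a single leading space.
SAMPLE_LDIF = """\
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: userRoot
nsslapd-readonly: off

dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=examp
 le,dc=test
memberPrincipal: HTTP/ipa01.example.test@EXAMPLE.TEST
cn: ipa-http-delegation
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
memberPrincipal: ldap/ipa01.example.test@EXAMPLE.TEST
cn: ipa-ldap-delegation-targets
objectClass: groupOfPrincipals
objectClass: top
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries; each entry maps the lower-cased
    attribute name to its list of values.  Folded lines are joined first,
    entries are separated by blank lines, 'attr:: value' is base64."""
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(ldif_text, masters, realm, suffix):
    """Return {'readonly': 'on'|'off'|None, 'missing': {...}, 'present': {...}}.
    'missing' maps each delegation group DN to the principals of `masters`
    that are absent, or to ['entry missing'] when the group itself is gone
    (what ldapsearch reports as 'No such object (32)'); 'present' maps it to
    the ones already there.  An LDIF 'add:' of a value that is already present
    fails with LDAP result code 20 (attributeOrValueExists), which is also the
    exit status ldapmodify returns for it."""
    by_dn = {e["dn"][0].lower(): e for e in parse_ldif(ldif_text) if "dn" in e}
    backend = by_dn.get("cn=userroot,cn=ldbm database,cn=plugins,cn=config")
    readonly = None
    if backend is not None:
        # Assumption: an absent nsslapd-readonly means the default, off.
        readonly = backend.get("nsslapd-readonly", ["off"])[0].lower()

    groups = {
        f"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{suffix}": "HTTP",
        f"cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{suffix}": "ldap",
    }
    missing, present = {}, {}
    for dn, service in groups.items():
        entry = by_dn.get(dn.lower())
        if entry is None:
            missing[dn] = ["entry missing"]
            continue
        members = {m.lower() for m in entry.get("memberprincipal", [])}
        wanted = [f"{service}/{host}@{realm}" for host in masters]
        missing[dn] = [p for p in wanted if p.lower() not in members]
        present[dn] = [p for p in wanted if p.lower() in members]
    return {"readonly": readonly, "missing": missing, "present": present}


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF, ["ipa01.example.test", "ipa02.example.test"],
                   "EXAMPLE.TEST", "dc=example,dc=test")
    print("nsslapd-readonly:", result["readonly"])
    for dn, principals in result["missing"].items():
        print("missing in", dn, "->", principals or "nothing")
```

Run it against the real output by replacing `SAMPLE_LDIF` with the concatenated `ldapsearch -LLL` results for the userRoot backend and the two delegation groups; a principal reported under `present` for the replica being installed is one that an `add:` in replica-s4u2proxy.ldif would collide with, while `entry missing` points at the group lookup that returned error 32.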
Re: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
On 05/19/2014 06:43 AM, Chris Whittle wrote:
> All I am trying to fix right now is so when the user comes to the web ui they have a valid cert.

Then you need to put the IPA cert into the trusted cert store. Its location depends upon the version of the client system you are using.

> On May 19, 2014 2:01 AM, Martin Kosek <mko...@redhat.com> wrote:
>
>> On 05/17/2014 04:22 AM, Chris Whittle wrote:
>>> I have an existing key and crt that has been successfully installed on other subdomain servers... Where is the best place to start?
>>
>> To start what? :-)
>>
>> Without knowing what you want to achieve, I would like to point you to our training presentation describing different FreeIPA Certificate infrastructure integration procedures:
>>
>> http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastructure.pdf
>>
>> I would like to especially point you to the CA-less integration type.
>>
>> HTH,
>> Martin

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] New replica won't accept replication
Bret Wortman wrote:
> ...but it did at least look like they were talking, right? Some level of replication was happening (before the "Netscape Replication Total update Entry" began running away with the logfile):
>
> [21/May/2014:10:28:52 -0400] conn=2 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [21/May/2014:10:28:53 -0400] conn=2 op=3 MOD dn="cn=IPA Version Replication,cn=Plugins,cn=config"
> [21/May/2014:10:28:53 -0400] conn=2 op=3 RESULT err=0 tag=103 nentries=0 etime=0
> [21/May/2014:10:28:53 -0400] conn=2 op=4 UNBIND

That is just a failsafe so if we ever put incompatible data into an IPA server we can prevent it from polluting other servers. We fortunately haven't needed this.

rob

> On 05/21/2014 11:40 AM, Bret Wortman wrote:
>> On the new replica (asipa) I see in the access log almost 5000 entries like this:
>>
>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 nentries=0 etime=0
>>
>> And these just repeat, increasing the op value until they terminate with this one. The rest of it just looks like informational messages.
>>
>> Over on zsipa (the CA master), errors contains:
>>
>> [21/May/2014:14:31:06 +] NSMMReplciationPlugin - Schema agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set replication log for additional info)
>> [21/May/2014:14:31:06 +] NSMMReplicationPlugin - agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate schema: rc=1
>>
>> These two lines repeat at intervals for a while. Nothing else leapt out at me.
>>
>> On 05/21/2014 11:04 AM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> This occurs on our first attempt to join as a replica. I've erased this box and rebaselined it but the same thing happens. No network ports being blocked that we know of, and another replica I created at the same time installed its replica file without issue.
>>>>
>>>> asipa is the new replica, zsipa is the ca and original master on which the replica file was created.
>>>>
>>>>   [24/34]: setting up initial replication
>>>> Starting replication, please wait until this has completed
>>>> Update in progress, 130 seconds elapsed
>>>> Update in progress yet not in progress
>>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> Failed to start replication
>>>>
>>>> # /var/log/ipareplica-install.log contains this:
>>>>
>>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache url=ldaps://asipa.fopo.net:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4faf170>
>>>> 2014-05-21T14:31:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>>>>     return_value = main_function()
>>>>   File "/usr/sbin/ipa-replica-install", line 663, in main
>>>>     ds = install_replica_ds(config)
>>>>   File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds
>>>>     ca_file=config.dir + "/ca.crt",
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
>>>>     self.start_creation(runtime=60)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 373, in __setup_replica
>>>>     r_bindpw=self.dm_password()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 961, in setup_replication
>>>>     raise RuntimeError("Failed to start replication")
>>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
>>>>
>>>> Any guidance on where to start looking?
>>>
>>> Check the 389-ds access and error logs on both masters.
>>>
>>> rob
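Rob's advice in this thread is to read the 389-ds access and errors logs on both masters; with a total update that pushes thousands of entries, that is easier with a small analyzer than by eye. The script below is an added example for this archive page (not code from the thread, from FreeIPA or from 389-ds) that parses access-log lines in the format shown above, counts the "Netscape Replication Total update Entry" extended operations per connection, lists any operation whose RESULT carried a non-zero LDAP error (the LDAP result codes that appear in the thread, 10 = referral, 20 = attributeOrValueExists, 32 = noSuchObject, 53 = unwillingToPerform, are from RFC 4511), and groups errors-log messages by replication agreement. The sample log lines are constructed to resemble the ones quoted here; the replica hostname in them is a placeholder, and the final err=10 result is invented to show how a failed total update surfaces.

```python
"""Added example (not from the thread, FreeIPA or 389-ds): summarize 389-ds
access and errors logs for a replication session.  Sample lines are
constructed for this example; hosts are placeholders."""
import re
from collections import Counter, defaultdict

# LDAP result codes (RFC 4511) that appear in this thread.
LDAP_RESULT = {0: "success", 10: "referral", 20: "attributeOrValueExists",
               32: "noSuchObject", 53: "unwillingToPerform"}
TOTAL_UPDATE_ENTRY_OID = "2.16.840.113730.3.5.6"

ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
ERRORS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<source>\S+) - (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="([^"]+)"')

# Constructed access-log excerpt: a short control connection (conn=2) and a
# total-update connection (conn=4) whose last entry push fails with a referral.
ACCESS_SAMPLE = """\
[21/May/2014:10:28:52 -0400] conn=2 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[21/May/2014:10:28:53 -0400] conn=2 op=3 MOD dn="cn=IPA Version Replication,cn=Plugins,cn=config"
[21/May/2014:10:28:53 -0400] conn=2 op=3 RESULT err=0 tag=103 nentries=0 etime=0
[21/May/2014:10:28:53 -0400] conn=2 op=4 UNBIND
[21/May/2014:10:30:58 -0400] conn=4 op=4921 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
[21/May/2014:10:30:58 -0400] conn=4 op=4921 RESULT err=0 tag=120 nentries=0 etime=0
[21/May/2014:10:30:58 -0400] conn=4 op=4922 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
[21/May/2014:10:30:58 -0400] conn=4 op=4922 RESULT err=0 tag=120 nentries=0 etime=0
[21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
[21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=10 tag=120 nentries=0 etime=0
""".splitlines()

# Constructed errors-log excerpt in the shape quoted in the thread.
ERRORS_SAMPLE = """\
[21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - Schema agmt="cn=meToreplica.example.test" (replica:389) must not be overwritten (set replication log for additional info)
[21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - agmt="cn=meToreplica.example.test" (replica:389): Warning: unable to replicate schema: rc=1
""".splitlines()


def parse_access_line(line):
    """Return a dict for one access-log operation line, or None for lines
    without conn=/op= (connection open/close records, for instance)."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    return rec


def summarize_access(lines):
    """Per connection: count of total-update entry ops, a Counter of RESULT
    err codes, and (op, err, name, request) for every non-zero result."""
    conns = defaultdict(lambda: {"total_update_entries": 0, "results": Counter(), "failed": []})
    pending = {}  # (conn, op) -> request description, so a failure can be labelled
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        c = conns[rec["conn"]]
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "RESULT":
            err = int(rec.get("err", "0"))
            c["results"][err] += 1
            if err != 0:
                c["failed"].append((rec["op"], err, LDAP_RESULT.get(err, "unknown"),
                                    pending.get(key, "?")))
            pending.pop(key, None)
        else:
            if rec["kind"] == "EXT" and rec.get("oid") == TOTAL_UPDATE_ENTRY_OID:
                c["total_update_entries"] += 1
            pending[key] = rec.get("name") or rec["kind"]
    return dict(conns)


def summarize_errors(lines):
    """Group errors-log messages by replication agreement name; messages
    that name no agreement are filed under '(none)'."""
    by_agmt = defaultdict(list)
    for line in lines:
        m = ERRORS_RE.match(line)
        if not m:
            continue
        a = AGMT_RE.search(m["msg"])
        by_agmt[a.group(1) if a else "(none)"].append(m["msg"])
    return dict(by_agmt)


if __name__ == "__main__":
    for conn, info in sorted(summarize_access(ACCESS_SAMPLE).items()):
        print(f"conn={conn}: {info['total_update_entries']} total-update entries, "
              f"results={dict(info['results'])}, failed={info['failed']}")
    for agmt, msgs in summarize_errors(ERRORS_SAMPLE).items():
        print(f"agreement {agmt}: {len(msgs)} message(s)")
```

To use it on a real server, replace the two samples with the lines of /var/log/dirsrv/slapd-INSTANCE/access and errors from both sides of the agreement; the connection with the large total-update count is the one to inspect, and its first non-zero RESULT is usually where the consumer's "Total update aborted" status comes from.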
Re: [Freeipa-users] New replica won't accept replication
Bret Wortman wrote:
> On the new replica (asipa) I see in the access log almost 5000 entries like this:
>
> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 nentries=0 etime=0
>
> And these just repeat, increasing the op value until they terminate with this one. The rest of it just looks like informational messages.

How long does this take? Is there time to enable replication debugging? That may provide more output.

> Over on zsipa (the CA master), errors contains:
>
> [21/May/2014:14:31:06 +] NSMMReplciationPlugin - Schema agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set replication log for additional info)
> [21/May/2014:14:31:06 +] NSMMReplicationPlugin - agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate schema: rc=1

I don't think this is related.

I'd run ipa-replica-manage list -v `hostname` and ipa-csreplica-manage list -v `hostname` on the master you generated the replica install file on to see what agreements it has or thinks it has.

rob

> These two lines repeat at intervals for a while. Nothing else leapt out at me.
>
> On 05/21/2014 11:04 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> This occurs on our first attempt to join as a replica. I've erased this box and rebaselined it but the same thing happens. No network ports being blocked that we know of, and another replica I created at the same time installed its replica file without issue.
>>>
>>> asipa is the new replica, zsipa is the ca and original master on which the replica file was created.
>>>
>>>   [24/34]: setting up initial replication
>>> Starting replication, please wait until this has completed
>>> Update in progress, 130 seconds elapsed
>>> Update in progress yet not in progress
>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> Failed to start replication
>>>
>>> # /var/log/ipareplica-install.log contains this:
>>>
>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache url=ldaps://asipa.fopo.net:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4faf170>
>>> 2014-05-21T14:31:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>>>     return_value = main_function()
>>>   File "/usr/sbin/ipa-replica-install", line 663, in main
>>>     ds = install_replica_ds(config)
>>>   File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds
>>>     ca_file=config.dir + "/ca.crt",
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
>>>     self.start_creation(runtime=60)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 373, in __setup_replica
>>>     r_bindpw=self.dm_password()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 961, in setup_replication
>>>     raise RuntimeError("Failed to start replication")
>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
>>>
>>> Any guidance on where to start looking?
>>
>> Check the 389-ds access and error logs on both masters.
>>
>> rob
Re: [Freeipa-users] New replica won't accept replication
It takes about 2 minutes. How would you like me to turn debugging on?

Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On May 21, 2014, at 4:26 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Bret Wortman wrote:
>> On the new replica (asipa) I see in the access log almost 5000 entries like this:
>>
>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 nentries=0 etime=0
>>
>> And these just repeat, increasing the op value until they terminate with this one. The rest of it just looks like informational messages.
>
> How long does this take? Is there time to enable replication debugging? That may provide more output.
>
>> Over on zsipa (the CA master), errors contains:
>>
>> [21/May/2014:14:31:06 +] NSMMReplciationPlugin - Schema agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set replication log for additional info)
>> [21/May/2014:14:31:06 +] NSMMReplicationPlugin - agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate schema: rc=1
>
> I don't think this is related.
>
> I'd run ipa-replica-manage list -v `hostname` and ipa-csreplica-manage list -v `hostname` on the master you generated the replica install file on to see what agreements it has or thinks it has.
>
> rob
>
>> These two lines repeat at intervals for a while. Nothing else leapt out at me.
>>
>> On 05/21/2014 11:04 AM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> This occurs on our first attempt to join as a replica. I've erased this box and rebaselined it but the same thing happens. No network ports being blocked that we know of, and another replica I created at the same time installed its replica file without issue.
>>>>
>>>> asipa is the new replica, zsipa is the ca and original master on which the replica file was created.
>>>>
>>>>   [24/34]: setting up initial replication
>>>> Starting replication, please wait until this has completed
>>>> Update in progress, 130 seconds elapsed
>>>> Update in progress yet not in progress
>>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> Failed to start replication
>>>>
>>>> # /var/log/ipareplica-install.log contains this:
>>>>
>>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache url=ldaps://asipa.fopo.net:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4faf170>
>>>> 2014-05-21T14:31:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>>>>     return_value = main_function()
>>>>   File "/usr/sbin/ipa-replica-install", line 663, in main
>>>>     ds = install_replica_ds(config)
>>>>   File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds
>>>>     ca_file=config.dir + "/ca.crt",
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
>>>>     self.start_creation(runtime=60)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 373, in __setup_replica
>>>>     r_bindpw=self.dm_password()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 961, in setup_replication
>>>>     raise RuntimeError("Failed to start replication")
>>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
>>>>
>>>> Any guidance on where to start looking?
>>>
>>> Check the 389-ds access and error logs on both masters.
>>>
>>> rob
Re: [Freeipa-users] New replica won't accept replication
Bret Wortman wrote:
> It takes about 2 minutes. How would you like me to turn debugging on?

http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

I'm not sure if you should enable this on both sides of the agreement or not. If you have the ability and don't mind potentially slowing down the working master it might be useful to the 389-ds guys.

rob

> Bret Wortman
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
> On May 21, 2014, at 4:26 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Bret Wortman wrote:
>>> On the new replica (asipa) I see in the access log almost 5000 entries like this:
>>>
>>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
>>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 nentries=0 etime=0
>>>
>>> And these just repeat, increasing the op value until they terminate with this one. The rest of it just looks like informational messages.
>>
>> How long does this take? Is there time to enable replication debugging? That may provide more output.
>>
>>> Over on zsipa (the CA master), errors contains:
>>>
>>> [21/May/2014:14:31:06 +] NSMMReplciationPlugin - Schema agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set replication log for additional info)
>>> [21/May/2014:14:31:06 +] NSMMReplicationPlugin - agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate schema: rc=1
>>
>> I don't think this is related.
>>
>> I'd run ipa-replica-manage list -v `hostname` and ipa-csreplica-manage list -v `hostname` on the master you generated the replica install file on to see what agreements it has or thinks it has.
>>
>> rob
>>
>>> These two lines repeat at intervals for a while. Nothing else leapt out at me.
>>>
>>> On 05/21/2014 11:04 AM, Rob Crittenden wrote:
>>>> Bret Wortman wrote:
>>>>> This occurs on our first attempt to join as a replica. I've erased this box and rebaselined it but the same thing happens. No network ports being blocked that we know of, and another replica I created at the same time installed its replica file without issue.
>>>>>
>>>>> asipa is the new replica, zsipa is the ca and original master on which the replica file was created.
>>>>>
>>>>>   [24/34]: setting up initial replication
>>>>> Starting replication, please wait until this has completed
>>>>> Update in progress, 130 seconds elapsed
>>>>> Update in progress yet not in progress
>>>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>> Failed to start replication
>>>>>
>>>>> # /var/log/ipareplica-install.log contains this:
>>>>>
>>>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache url=ldaps://asipa.fopo.net:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4faf170>
>>>>> 2014-05-21T14:31:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>>>>>     return_value = main_function()
>>>>>   File "/usr/sbin/ipa-replica-install", line 663, in main
>>>>>     ds = install_replica_ds(config)
>>>>>   File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds
>>>>>     ca_file=config.dir + "/ca.crt",
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
>>>>>     self.start_creation(runtime=60)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>>>>>     method()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 373, in __setup_replica
>>>>>     r_bindpw=self.dm_password()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 961, in setup_replication
>>>>>     raise RuntimeError("Failed to start replication")
>>>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
>>>>>
>>>>> Any guidance on where to start looking?
>>>>
>>>> Check the 389-ds access and error logs on both masters.
>>>>
>>>> rob