On pe, 12 tammi 2018, Nacho del Rey via FreeIPA-users wrote:
Hi list
I have spent several days trying to configure a master<->replica
scenario but I'm having a problem with the DNS which doesn't allow
me to go ahead.
I could deploy an IPA server successfully in a CentOS 7.3 using the following
command:
ipa-server-install --realm .COM --ds-password --admin-password
--hostname=name.domain.com --setup-dns --no-forwarders --unattended
but when I try to configure an IPA replica with DNS enabled I'm getting the
following error again and again:
ipa-replica-install --skip-conncheck --setup-dns --principal=admin -w
--force-join --ssh-trust-dns --no-dnssec-validation --unattended --realm=
.COM --domain=domain.com --auto-forwarders
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ipa : INFO
Commencing sync process
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: Traceback (most recent call
last):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File
"/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: while
ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File
"/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 348, in
syncrepl_poll
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: add_intermediates=1,
add_ctrls=1, all = 0
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: result = func(*args,**kwargs)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]:
ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'desc': 'Critical extension is
unavailable'}
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service: main process
exited, code=exited, status=1/FAILURE
Jan 12 10:27:41 replica01 systemd[1]: Unit ipa-dnskeysyncd.service entered
failed state.
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service failed.
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 2
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 2
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 3
Jan 12 10:28:30 replica01 named-pkcs11[5110]: successfully reconnected to LDAP
server
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP error: Critical extension is
unavailable: unable to start SyncRepl session: is RFC 4533 supported by LDAP
server?
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP configuration
synchronization failed: socket is not connected
Jan 12 10:28:30 replica01 named-pkcs11[5110]: ldap_syncrepl will reconnect in
60 seconds
These are the parameters generated by this failing service:
[root@replica01 etc]# cat ./sysconfig/ipa-dnskeysyncd
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
[root@replica01 etc]# cat /etc/ipa/dnssec/softhsm2.conf
# SoftHSM v2 configuration file
# File generated by IPA instalation
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file
[root@replica01 etc]# ls -lart /var/lib/ipa/dnssec/tokens/b591e51f-56c3-dc08-158f-a01b7f177bc3/
total 16
drwxrws---. 3 ods named   50 Jan 12 10:06 ..
-rwxrwx---. 1 ods named  320 Jan 12 10:06 token.object
-rwxrwx---. 1 ods named    0 Jan 12 10:06 token.lock
-rwxrwx---. 1 ods named    0 Jan 12 10:06 0c1e587e-443b-cc05-dd3d-2ddaccde958f.lock
-rwxrwx---. 1 ods named  931 Jan 12 10:06 0c1e587e-443b-cc05-dd3d-2ddaccde958f.object
drwxrws---. 2 ods named  262 Jan 12 10:06 .
-rwxrwx---. 1 ods named    0 Jan 12 10:06 194085eb-3127-4e35-3874-4f935a069025.lock
-rwxrwx---. 1 ods named 2208 Jan 12 10:06 194085eb-3127-4e35-3874-4f935a069025.object
-rwxrwx---. 1 ods named    8 Jan 12 10:25 generation
Any help would be much appreciated.
The issue is that the LDAP server that named tries to connect to does not
support the SyncRepl extension. Same with ipa-dnskeysyncd.
Could you check in the logs which LDAP server they talk to?
On the IPA LDAP server we have SyncRepl enabled and accessible to all
authenticated users:
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search )
userdn = "ldap:///all";;)
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
--
/ Alexander Bokovoy
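The check Alexander suggests, written up as an added example (not code from the thread or from FreeIPA): query the root DSE of the LDAP server the DNS components actually talk to and see whether it advertises the Sync Request Control (OID 1.3.6.1.4.1.4203.1.9.1.1, as in the cn=features entry above). It assumes the ldapsearch client from openldap-clients is installed; the LDIF sample embedded below is constructed, and the parser is deliberately minimal (folded lines and base64 values only).

```python
"""Does the LDAP server advertise RFC 4533 SyncRepl (the control that
named-pkcs11 and ipa-dnskeysyncd need)?  Parses ldapsearch LDIF output,
so no LDAP library is required."""
import base64
import re
import subprocess

# OID of the "Sync Request Control" feature entry quoted in the thread.
SYNC_REQUEST_CONTROL_OID = "1.3.6.1.4.1.4203.1.9.1.1"

# Constructed sample of `ldapsearch -LLL -x -b "" -s base supportedControl`
# output from a server that does advertise the control (other OIDs are filler).
SAMPLE_ROOT_DSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.2
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: unfold continuation lines (a line
    starting with a single space continues the previous one), decode
    base64 values ("attr:: ...") and collect values into lists per attribute."""
    unfolded = re.sub(r"\n ", "", text)
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def syncrepl_advertised(ldif_text):
    """True if the root DSE lists the Sync Request Control in supportedControl."""
    return SYNC_REQUEST_CONTROL_OID in parse_ldif_entry(ldif_text).get("supportedControl", [])


def check_server(uri):
    """Query the root DSE of `uri` anonymously (the root DSE is normally readable
    without a bind, unlike cn=features, which the ACI above opens only to
    authenticated users) and report whether SyncRepl is advertised."""
    out = subprocess.run(
        ["ldapsearch", "-LLL", "-x", "-H", uri, "-b", "", "-s", "base", "supportedControl"],
        check=True, capture_output=True, text=True).stdout
    return syncrepl_advertised(out)


if __name__ == "__main__":
    import sys
    ok = check_server(sys.argv[1]) if len(sys.argv) > 1 else syncrepl_advertised(SAMPLE_ROOT_DSE)
    print("SyncRepl advertised" if ok else "SyncRepl NOT advertised: is RFC 4533 supported?")
```

Run it as `python3 check_syncrepl.py ldap://replica01.domain.com` against each server named in the journal; a server that returns the control but still fails the SyncRepl session points at the ACI or the bind identity rather than missing support.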
___
FreeIPA-users mailing list -- freeipa-users@l