[Freeipa-users] Re: Unable to configure an IPA replica with dns

2018-01-12 Thread Nacho del Rey via FreeIPA-users
Sorry, I clicked on reply instead of reply to all.

Both servers running Centos (7.4, last test from today)

[root@gcp-sec-ipamaster-01 ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

IPA packages
[root@gcp-dmz-ipareplica-01 ipa]# rpm -qa | grep ipa| sort
ipa-client-4.5.0-22.el7.centos.x86_64
ipa-client-common-4.5.0-22.el7.centos.noarch
ipa-common-4.5.0-22.el7.centos.noarch
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-server-common-4.5.0-22.el7.centos.noarch
ipa-server-dns-4.5.0-22.el7.centos.noarch
libipa_hbac-1.15.2-50.el7_4.8.x86_64
python-iniparse-0.4-9.el7.noarch
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.15.2-50.el7_4.8.x86_64
python2-ipaclient-4.5.0-22.el7.centos.noarch
python2-ipalib-4.5.0-22.el7.centos.noarch
python2-ipaserver-4.5.0-22.el7.centos.noarch
sssd-ipa-1.15.2-50.el7_4.8.x86_64

[root@gcp-sec-ipamaster-01 ~]# rpm -qa | grep 389
389-ds-base-1.3.6.1-24.el7_4.x86_64
389-ds-base-libs-1.3.6.1-24.el7_4.x86_64

Both of them are VMs running in Google Cloud.

The packages on the master were installed as follows:

yum install rng-tools ipa-server ipa-server-dns ntp -y

where

ipa-server.x86_64    4.5.0-22.el7.centos    @updates

My goal is to have 2 IPAs running (a master and a replica). Master running
CA & DNS, and replica running only DNS synced with master

Thanks again

Nacho.




2018-01-12 11:49 GMT+01:00 Alexander Bokovoy :

> Please don't drop the mailing list.
>
> On pe, 12 tammi 2018, Nacho del Rey wrote:
>
>> I think it is connecting locally (to the replica server itself)
>>
>> ldap_uri = ldapi://%2fvar%2frun%2fslapd-XX-COM.socket
>>
>> How can I check and enable this feature? I guess that if the LDAP is
>> replicated between master & replica, it has to be done once, right?
>>
> The feature is enabled by default and nothing in IPA is removing it.
>
> Can you explain in more detail what your actual environment is? OS is
> CentOS 7.3 but where is it running? Bare metal, VM, Docker, LXC, etc?
> What are the package versions that you have for ipa-server, 389-ds-base,
> etc.
>
> CentOS 7.3 is "old" now (CentOS only supports the very latest release), so
> the question about what packages are installed can reveal what's wrong.
>
> --
> / Alexander Bokovoy
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Unable to configure an IPA replica with dns

2018-01-12 Thread Alexander Bokovoy via FreeIPA-users

Please don't drop the mailing list.

On pe, 12 tammi 2018, Nacho del Rey wrote:

I think it is connecting locally (to the replica server itself)

ldap_uri = ldapi://%2fvar%2frun%2fslapd-XX-COM.socket

How can I check and enable this feature? I guess that if the LDAP is
replicated between master & replica, it has to be done once, right?

The feature is enabled by default and nothing in IPA is removing it.

Can you explain in more detail what your actual environment is? OS is
CentOS 7.3 but where is it running? Bare metal, VM, Docker, LXC, etc?
What are the package versions that you have for ipa-server, 389-ds-base,
etc.

CentOS 7.3 is "old" now (CentOS only supports the very latest release), so
the question about what packages are installed can reveal what's wrong.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Unable to configure an IPA replica with dns

2018-01-12 Thread Alexander Bokovoy via FreeIPA-users

On pe, 12 tammi 2018, Nacho del Rey via FreeIPA-users wrote:

Hi list

I have spent several days trying to configure a master<->replica
scenario, but I'm having a problem with the DNS which doesn't allow
me to go ahead.

I could deploy an IPA server successfully on CentOS 7.3 using the following
command:
   ipa-server-install --realm .COM --ds-password  --admin-password  
 --hostname=name.domain.com --setup-dns --no-forwarders --unattended

but when I try to configure an IPA replica with DNS activated, I'm getting the
following error again and again:
ipa-replica-install --skip-conncheck --setup-dns --principal=admin -w  
--force-join --ssh-trust-dns  --no-dnssec-validation --unattended --realm= 
.COM --domain=domain.com --auto-forwarders


Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ipa : INFO 
Commencing sync process
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: Traceback (most recent call 
last):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in 
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: while 
ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 348, in 
syncrepl_poll
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: add_intermediates=1, 
add_ctrls=1, all = 0
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ldap_result = 
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: result = func(*args,**kwargs)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: 
ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'desc': 'Critical extension is 
unavailable'}
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service: main process 
exited, code=exited, status=1/FAILURE
Jan 12 10:27:41 replica01 systemd[1]: Unit ipa-dnskeysyncd.service entered 
failed state.
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service failed.
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 2
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 2
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 3
Jan 12 10:28:30 replica01 named-pkcs11[5110]: successfully reconnected to LDAP 
server
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP error: Critical extension is 
unavailable: unable to start SyncRepl session: is RFC 4533 supported by LDAP 
server?
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP configuration 
synchronization failed: socket is not connected
Jan 12 10:28:30 replica01 named-pkcs11[5110]: ldap_syncrepl will reconnect in 
60 seconds

These are the parameters generated by this failing service

[root@replica01 etc]# cat ./sysconfig/ipa-dnskeysyncd
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf

[root@replica01 etc]# cat /etc/ipa/dnssec/softhsm2.conf
# SoftHSM v2 configuration file
# File generated by IPA instalation
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file

[root@replica01 etc]# ls -lart /var/lib/ipa/dnssec/tokens/b591e51f-56c3-dc08-158f-a01b7f177bc3/
total 16
drwxrws---. 3 ods named   50 Jan 12 10:06 ..
-rwxrwx---. 1 ods named  320 Jan 12 10:06 token.object
-rwxrwx---. 1 ods named    0 Jan 12 10:06 token.lock
-rwxrwx---. 1 ods named    0 Jan 12 10:06 0c1e587e-443b-cc05-dd3d-2ddaccde958f.lock
-rwxrwx---. 1 ods named  931 Jan 12 10:06 0c1e587e-443b-cc05-dd3d-2ddaccde958f.object
drwxrws---. 2 ods named  262 Jan 12 10:06 .
-rwxrwx---. 1 ods named    0 Jan 12 10:06 194085eb-3127-4e35-3874-4f935a069025.lock
-rwxrwx---. 1 ods named 2208 Jan 12 10:06 194085eb-3127-4e35-3874-4f935a069025.object
-rwxrwx---. 1 ods named    8 Jan 12 10:25 generation

Any help would be much appreciated.

The issue is that the LDAP server that named tries to connect to is not
supporting the SyncRepl extension. Same with ipa-dnskeysyncd.

Could you check in the logs which LDAP server they talk to?

On IPA LDAP server we have SyncRepl enabled and accessible to all
authenticated users:

dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1


--
/ Alexander Bokovoy
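A small defender-side check for the two things the reply points at: whether the LDAP server's root DSE advertises the RFC 4533 Sync Request Control at all, and whether the feature ACI still grants read and search to all authenticated users. This is an added example, not code from the thread or from FreeIPA; it parses a constructed root DSE sample in the shape ldapsearch prints, rather than talking to a live server.

```python
import re

# OID of the RFC 4533 Sync Request Control: the "Critical extension" that
# named-pkcs11 and ipa-dnskeysyncd report as unavailable in the logs above.
SYNC_REQUEST_CONTROL_OID = "1.3.6.1.4.1.4203.1.9.1.1"

# Constructed sample root DSE, in the shape `ldapsearch -b "" -s base
# supportedControl` prints it against the ldapi socket (values made up here).
ROOT_DSE_LDIF = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 1.2.840.113556.1.4.319
"""

# The feature ACI quoted in the reply, as one unfolded string.
FEATURE_ACI = ('(targetattr != "aci")(version 3.0; acl "Sync Request Control"; '
               'allow( read, search ) userdn = "ldap:///all";)')


def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: leading space continues line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def supports_syncrepl(root_dse_ldif):
    """True when the root DSE advertises the Sync Request Control."""
    controls = parse_ldif_entry(root_dse_ldif).get("supportedControl", [])
    return SYNC_REQUEST_CONTROL_OID in controls

ALLOW_RE = re.compile(r'allow\s*\(\s*([^)]*)\)\s*userdn\s*=\s*"ldap:///all"')

def feature_aci_allows_all_users(aci):
    """True when the ACI grants at least read and search to all authenticated users."""
    match = ALLOW_RE.search(aci)
    if not match:
        return False
    rights = {right.strip() for right in match.group(1).split(",")}
    return {"read", "search"} <= rights
```

Run the root DSE query against the ldapi socket on the replica as well as the master: a replica whose root DSE lacks the OID, or whose feature ACI no longer names ldap:///all, is the case the log lines above describe.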