Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.
I think you should now check dirsrv errors logs on both server and the replica. It should have more info what went wrong with starting the replication.

Please also check

# systemctl status dirsrv@YOUR-REALM.service

to check there are no SASL buffer related error messages.

On 03/10/2015 12:58 AM, Steven Jones wrote:

==
2015-03-09T21:15:31Z DEBUG flushing ldap://vuwunicoipam002.ods.vuw.ac.nz:389 from SchemaCache
2015-03-09T21:15:31Z DEBUG retrieving schema for SchemaCache url=ldap://vuwunicoipam002.ods.vuw.ac.nz:389 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4226cb0
2015-03-09T21:15:31Z DEBUG flushing ldaps://vuwunicoipam004.ods.vuw.ac.nz:636 from SchemaCache
2015-03-09T21:15:31Z DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam004.ods.vuw.ac.nz:636 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3d3d368
2015-03-09T21:17:42Z DEBUG Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 969, in setup_replication
    raise RuntimeError(Failed to start replication)
RuntimeError: Failed to start replication

2015-03-09T21:17:42Z DEBUG [error] RuntimeError: Failed to start replication
2015-03-09T21:17:42Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
    return_value = main_function()
  File /sbin/ipa-replica-install, line 700, in main
    ds = install_replica_ds(config)
  File /sbin/ipa-replica-install, line 195, in install_replica_ds
    ca_file=config.dir + /ca.crt,
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 355, in create_replica
    self.start_creation(runtime=60)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 969, in setup_replication
    raise RuntimeError(Failed to start replication)

2015-03-09T21:17:42Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
==

replica log. ?

regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Rich Megginson rmegg...@redhat.com
Sent: Tuesday, 10 March 2015 11:02 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

On 03/09/2015 03:35 PM, Steven Jones wrote:

Any idea what is going on here please?

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled

I don't know if this is a problem, so I will leave it to our DNS gurus to answer.

Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.
On 03/09/2015 03:35 PM, Steven Jones wrote:

Any idea what is going on here please?

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled

I don't know if this is a problem, so I will leave it to our DNS gurus to answer.

Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling winsync plugin
  [6/35]: configuring replication version plugin
  [7/35]: enabling IPA enrollment plugin
  [8/35]: enabling ldapi
  [9/35]: configuring uniqueness plugin
  [10/35]: configuring uuid plugin
  [11/35]: configuring modrdn plugin
  [12/35]: configuring DNS plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: enabling referential integrity plugin
  [17/35]: configuring ssl for ds instance
  [18/35]: configuring certmap.conf
  [19/35]: configure autobind for root
  [20/35]: configure new location for managed entries
  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 128 seconds elapsed
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]

If the client got back a referral, it means the replica was being re-initialized at this time. Sounds like either the client is not checking to see if the initialization is complete, or the server is reporting back erroneously that initialization is complete.

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication
[root@vuwunicoipam004 ipa-certs]#

No firewalls are active and the network is a simple vyos virtual router.

=
[root@vuwunicoipam002 etc]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vuwunicoipam002 etc]#
=

=
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vuwunicoipam004 ipa-certs]#
=

regards

Steven

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.
Any idea what is going on here please?

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled
Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling winsync plugin
  [6/35]: configuring replication version plugin
  [7/35]: enabling IPA enrollment plugin
  [8/35]: enabling ldapi
  [9/35]: configuring uniqueness plugin
  [10/35]: configuring uuid plugin
  [11/35]: configuring modrdn plugin
  [12/35]: configuring DNS plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: enabling referential integrity plugin
  [17/35]: configuring ssl for ds instance
  [18/35]: configuring certmap.conf
  [19/35]: configure autobind for root
  [20/35]: configure new location for managed entries
  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 128 seconds elapsed
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication
[root@vuwunicoipam004 ipa-certs]#

No firewalls are active and the network is a simple vyos virtual router.

=
[root@vuwunicoipam002 etc]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vuwunicoipam002 etc]#
=

=
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vuwunicoipam004 ipa-certs]#
=

regards

Steven
Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.
On 03/09/2015 05:35 PM, Steven Jones wrote:

Any idea what is going on here please?

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck

Why are you skipping a connection check? The check will find issues like this ahead of time. I suspect there is something wrong with either DNS entries for LDAP server records or LDAP or Kerberos port is not open between new replica and master. At least I would try with connection check on and see if it gives some hints.

Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled
Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling winsync plugin
  [6/35]: configuring replication version plugin
  [7/35]: enabling IPA enrollment plugin
  [8/35]: enabling ldapi
  [9/35]: configuring uniqueness plugin
  [10/35]: configuring uuid plugin
  [11/35]: configuring modrdn plugin
  [12/35]: configuring DNS plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: enabling referential integrity plugin
  [17/35]: configuring ssl for ds instance
  [18/35]: configuring certmap.conf
  [19/35]: configure autobind for root
  [20/35]: configure new location for managed entries
  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 128 seconds elapsed
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication
[root@vuwunicoipam004 ipa-certs]#

No firewalls are active and the network is a simple vyos virtual router.

=
[root@vuwunicoipam002 etc]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vuwunicoipam002 etc]#
=

=
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vuwunicoipam004 ipa-certs]#
=

regards

Steven

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.
It usually fails, hence I skip it.

Since I have no firewall either side and I know I have a simple network since I built there is nothing possible blocking in-between.

I will double check the DNS zone file.

I had to rename the server to ipam004 as the replica attempt sulked if I re-used an old hostname, ipam001.

regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Dmitri Pal d...@redhat.com
Sent: Tuesday, 10 March 2015 1:22 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

On 03/09/2015 05:35 PM, Steven Jones wrote:

Any idea what is going on here please?

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck

Why are you skipping a connection check? The check will find issues like this ahead of time. I suspect there is something wrong with either DNS entries for LDAP server records or LDAP or Kerberos port is not open between new replica and master. At least I would try with connection check on and see if it gives some hints.

Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled
Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.
==
2015-03-09T21:15:31Z DEBUG flushing ldap://vuwunicoipam002.ods.vuw.ac.nz:389 from SchemaCache
2015-03-09T21:15:31Z DEBUG retrieving schema for SchemaCache url=ldap://vuwunicoipam002.ods.vuw.ac.nz:389 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4226cb0
2015-03-09T21:15:31Z DEBUG flushing ldaps://vuwunicoipam004.ods.vuw.ac.nz:636 from SchemaCache
2015-03-09T21:15:31Z DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam004.ods.vuw.ac.nz:636 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3d3d368
2015-03-09T21:17:42Z DEBUG Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 969, in setup_replication
    raise RuntimeError(Failed to start replication)
RuntimeError: Failed to start replication

2015-03-09T21:17:42Z DEBUG [error] RuntimeError: Failed to start replication
2015-03-09T21:17:42Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
    return_value = main_function()
  File /sbin/ipa-replica-install, line 700, in main
    ds = install_replica_ds(config)
  File /sbin/ipa-replica-install, line 195, in install_replica_ds
    ca_file=config.dir + /ca.crt,
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 355, in create_replica
    self.start_creation(runtime=60)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 969, in setup_replication
    raise RuntimeError(Failed to start replication)

2015-03-09T21:17:42Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
==

replica log. ?

regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Rich Megginson rmegg...@redhat.com
Sent: Tuesday, 10 March 2015 11:02 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

On 03/09/2015 03:35 PM, Steven Jones wrote:

Any idea what is going on here please?

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled

I don't know if this is a problem, so I will leave it to our DNS gurus to answer.

Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.
=
Check connection from replica to remote master 'vuwunicoipam002.ods.vuw.ac.nz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@ods.vuw.ac.nz password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'vuwunicoipam004.ods.vuw.ac.nz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.
ipa : DEBUGProcess finished, return code=0

Connection check OK
==

regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Steven Jones steven.jo...@vuw.ac.nz
Sent: Tuesday, 10 March 2015 1:36 p.m.
To: freeipa-users@redhat.com; d...@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

It usually fails, hence I skip it.

Since I have no firewall either side and I know I have a simple network since I built there is nothing possible blocking in-between.

I will double check the DNS zone file.

I had to rename the server to ipam004 as the replica attempt sulked if I re-used an old hostname, ipam001.

regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Dmitri Pal d...@redhat.com
Sent: Tuesday, 10 March 2015 1:22 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

On 03/09/2015 05:35 PM, Steven Jones wrote:

Any idea what is going on here please?

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck

Why are you skipping a connection check? The check will find issues like this ahead of time. I suspect there is something wrong with either DNS entries for LDAP server records or LDAP or Kerberos port is not open between new replica and master. At least I would try with connection check on and see if it gives some hints.

Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled
Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
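Added example, not part of the thread and not FreeIPA's own code: a parser for the connection-check output posted in the last message, listing every port check the tool did not actually confirm. It shows that the replica-to-master UDP checks for ports 88 and 464 were SKIPPED even though the summary line reads OK. The function names are hypothetical, the sample is the thread's output re-broken into lines, and treating every status other than OK as unconfirmed is an assumption.

```python
import re

# Constructed sample: the connection-check output quoted in the thread,
# re-broken into lines (credential prompt and SSH lines left out).
SAMPLE = """\
Check connection from replica to remote master 'vuwunicoipam002.ods.vuw.ac.nz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Check connection from master to remote replica 'vuwunicoipam004.ods.vuw.ac.nz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
"""

# Header that opens each direction of the check.
SECTION_RE = re.compile(r"Check connection from (\w+) to remote (\w+) '([^']+)':")
# "<service>: <Unsecure port|Secure port|TCP|UDP> (<port>): <STATUS>"
# Service names are the four that appear in the thread's output.
CHECK_RE = re.compile(
    r"(Directory Service|Kerberos KDC|Kerberos Kpasswd|HTTP Server): "
    r"(Unsecure port|Secure port|TCP|UDP) \((\d+)\): (\w+)"
)


def parse_conncheck(text):
    """Return one dict per port check, tagged with the direction it belongs to.

    Uses finditer over the whole text, so it also works on output that a
    mail archive has flattened onto a single line.
    """
    sections = [(m.start(), m.group(1) + "->" + m.group(2), m.group(3))
                for m in SECTION_RE.finditer(text)]
    results = []
    for m in CHECK_RE.finditer(text):
        # A check belongs to the last section header that precedes it.
        direction, target = "unknown", None
        for pos, name, host in sections:
            if pos < m.start():
                direction, target = name, host
        kind = m.group(2)
        results.append({
            "direction": direction,
            "target": target,
            "service": m.group(1),
            # "Unsecure port" / "Secure port" lines are TCP checks.
            "proto": kind.lower() if kind in ("TCP", "UDP") else "tcp",
            "port": int(m.group(3)),
            "status": m.group(4),
        })
    return results


def needs_attention(results):
    """Checks the tool did not confirm (assumption: any status other than OK)."""
    return [r for r in results if r["status"] != "OK"]


if __name__ == "__main__":
    for r in needs_attention(parse_conncheck(SAMPLE)):
        print("{direction} {target} {service} {proto}/{port}: {status}".format(**r))
```
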