Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-12 Thread Martin Kosek
I think you should now check the dirsrv errors logs on both the server and the replica.
They should have more info on what went wrong with starting the replication.

Please also check

# systemctl status dirsrv@YOUR-REALM.service

to check that there are no SASL-buffer-related error messages.

On 03/10/2015 12:58 AM, Steven Jones wrote:
 2015-03-09T21:17:42Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
 
 ==
 
 
 replica log.
 
 
 ?
 
 
 regards
 
 Steven
 
 

Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Rich Megginson

On 03/09/2015 03:35 PM, Steven Jones wrote:


Any idea what is going on here please?


==

[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled


I don't know if this is a problem, so I will leave it to our DNS gurus 
to answer.



   [23/35]: restarting directory server
   [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 128 seconds elapsed
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [10 Total 
update abortedLDAP error: Referral]


If the client got back a referral, it means the replica was being 
re-initialized at this time.  Sounds like either the client is not 
checking to see if the initialization is complete, or the server is 
reporting back erroneously that initialization is complete.




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
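The check Rich describes above, written out as an added example that is not code from this thread or from FreeIPA: poll the supplier's replication agreement and report only once the total update has reached a terminal state, so a referral from a consumer that is still being loaded is never mistaken for completion. The agreement attribute names are standard 389-ds ones; the fetch function, the entry sequences and the host name are constructed for an offline run.

```python
"""Added example: wait for a 389-ds total update (replica re-initialisation)
to reach a terminal state before declaring success or failure.
Standard 389-ds agreement attributes: nsds5BeginReplicaRefresh is set to start
a total update and removed by the server when it ends, nsds5replicaUpdateInProgress
says a session is still open, nsds5ReplicaLastInitStatus holds the result string
(the thread's "10 Total update abortedLDAP error: Referral").  fetch() is
injectable so the logic runs offline on constructed entries; in production it
would wrap a base-scope LDAP search of the agreement DN for these attributes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Entry = Dict[str, str]
TERMINAL = ("succeeded", "busy", "failed")


@dataclass(frozen=True)
class InitState:
    phase: str   # "in_progress", "unknown", "succeeded", "busy" or "failed"
    status: str  # raw nsds5ReplicaLastInitStatus, "" if the server has none yet


def classify(entry: Entry) -> InitState:
    """Map one read of the agreement entry to a phase.  While the refresh flag is
    present the consumer answers clients with a referral and any status is stale."""
    refresh = entry.get("nsds5BeginReplicaRefresh", "")
    running = entry.get("nsds5replicaUpdateInProgress", "false").lower() == "true"
    status = entry.get("nsds5ReplicaLastInitStatus", "")
    if refresh:
        return InitState("in_progress", status)
    if not status:
        return InitState("unknown", status)
    if "replica busy" in status.lower():
        return InitState("busy", status)
    if "Total update succeeded" in status:
        return InitState("succeeded", status)
    if running:  # flag cleared but a session is still open: not done yet
        return InitState("in_progress", status)
    return InitState("failed", status)


def wait_for_total_update(fetch: Callable[[], Entry], max_polls: int) -> InitState:
    """Poll fetch() until a terminal phase or until max_polls reads are spent
    (polls are counted, not timed, so the caller controls the pacing)."""
    last = InitState("unknown", "")
    for _ in range(max_polls):
        last = classify(fetch())
        if last.phase in TERMINAL:
            return last
    return InitState("failed", last.status or "timed out waiting for total update")


def explain(host: str, state: InitState) -> str:
    """One line in the shape of the installer output quoted in this thread."""
    if state.phase == "succeeded":
        return "[%s] reports: Update succeeded" % host
    if state.phase == "failed" and "LDAP error: Referral" in state.status:
        return ("[%s] reports: Update failed! Status: [%s] (consumer was still "
                "being re-initialised when contacted)" % (host, state.status))
    return "[%s] reports: %s, Status: [%s]" % (host, state.phase, state.status)


def scripted_fetch(entries: List[Entry]) -> Callable[[], Entry]:
    """Constructed stand-in for the LDAP read: entries in order, then the last one."""
    pending = list(entries)

    def fetch() -> Entry:
        if len(pending) > 1:
            return pending.pop(0)
        return pending[0]
    return fetch


# Constructed sequences: the thread's failure (refresh queued, session open,
# then aborted with a referral) and a healthy run for comparison.
REFERRAL_RUN: List[Entry] = [
    {"nsds5BeginReplicaRefresh": "start"},
    {"nsds5replicaUpdateInProgress": "TRUE"},
    {"nsds5replicaUpdateInProgress": "FALSE",
     "nsds5ReplicaLastInitStatus": "10 Total update abortedLDAP error: Referral"},
]
GOOD_RUN: List[Entry] = [
    {"nsds5BeginReplicaRefresh": "start"},
    {"nsds5ReplicaLastInitStatus": "0 Total update succeeded"},
]

if __name__ == "__main__":
    for run in (REFERRAL_RUN, GOOD_RUN):
        state = wait_for_total_update(scripted_fetch(run), 10)
        print(explain("vuwunicoipam002.ods.vuw.ac.nz", state))
```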

[Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
Any idea what is going on here please?


==

[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Directory Manager (existing master) password:

Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling winsync plugin
  [6/35]: configuring replication version plugin
  [7/35]: enabling IPA enrollment plugin
  [8/35]: enabling ldapi
  [9/35]: configuring uniqueness plugin
  [10/35]: configuring uuid plugin
  [11/35]: configuring modrdn plugin
  [12/35]: configuring DNS plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: enabling referential integrity plugin
  [17/35]: configuring ssl for ds instance
  [18/35]: configuring certmap.conf
  [19/35]: configure autobind for root
  [20/35]: configure new location for managed entries
  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 128 seconds elapsed
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [10 Total 
update abortedLDAP error: Referral]

  [error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication
[root@vuwunicoipam004 ipa-certs]#


No firewalls are active and the network is a simple vyos virtual router.


=

[root@vuwunicoipam002 etc]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
[root@vuwunicoipam002 etc]#
=

=

Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
[root@vuwunicoipam004 ipa-certs]#
=





regards
Steven

Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Dmitri Pal

On 03/09/2015 05:35 PM, Steven Jones wrote:


Any idea what is going on here please?


==

[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck



Why are you skipping a connection check?
The check will find issues like this ahead of time.
I suspect there is something wrong with either the DNS entries for the LDAP server records, or the LDAP or Kerberos port is not open between the new replica and the master.
At least I would try with the connection check on and see if it gives some hints.









--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
It usually fails, hence I skip it.


Since I have no firewall on either side, and I know I have a simple network since I built it, there is nothing that could possibly be blocking in between.


I will double-check the DNS zone file.


I had to rename the server to ipam004 as the replica attempt sulked if I re-used an old hostname, ipam001.


regards

Steven


From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Dmitri Pal d...@redhat.com
Sent: Tuesday, 10 March 2015 1:22 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 
server into a RHEL6.6 IPA setup.

On 03/09/2015 05:35 PM, Steven Jones wrote:

Any idea what is going on here please?


==

[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck


Why are you skipping a connection check?
The check will find issues like this ahead of time.
I suspect there is something wrong with either the DNS entries for the LDAP server records, or the LDAP or Kerberos port is not open between the new replica and the master.
At least I would try with the connection check on and see if it gives some hints.



Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
==
2015-03-09T21:15:31Z DEBUG flushing ldap://vuwunicoipam002.ods.vuw.ac.nz:389 from SchemaCache
2015-03-09T21:15:31Z DEBUG retrieving schema for SchemaCache url=ldap://vuwunicoipam002.ods.vuw.ac.nz:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4226cb0>
2015-03-09T21:15:31Z DEBUG flushing ldaps://vuwunicoipam004.ods.vuw.ac.nz:636 from SchemaCache
2015-03-09T21:15:31Z DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam004.ods.vuw.ac.nz:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3d3d368>
2015-03-09T21:17:42Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 969, in setup_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2015-03-09T21:17:42Z DEBUG   [error] RuntimeError: Failed to start replication
2015-03-09T21:17:42Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/sbin/ipa-replica-install", line 700, in main
    ds = install_replica_ds(config)

  File "/sbin/ipa-replica-install", line 195, in install_replica_ds
    ca_file=config.dir + "/ca.crt",

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 355, in create_replica
    self.start_creation(runtime=60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 969, in setup_replication
    raise RuntimeError("Failed to start replication")

2015-03-09T21:17:42Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication

==


replica log.


?


regards

Steven


From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Rich Megginson rmegg...@redhat.com
Sent: Tuesday, 10 March 2015 11:02 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 
server into a RHEL6.6 IPA setup.

On 03/09/2015 03:35 PM, Steven Jones wrote:

Any idea what is going on here please?



Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
=

Check connection from replica to remote master 'vuwunicoipam002.ods.vuw.ac.nz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@ods.vuw.ac.nz password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'vuwunicoipam004.ods.vuw.ac.nz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

ipa : DEBUG Process finished, return code=0
Connection check OK
==



regards

Steven


From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Steven Jones steven.jo...@vuw.ac.nz
Sent: Tuesday, 10 March 2015 1:36 p.m.
To: freeipa-users@redhat.com; d...@redhat.com
Subject: Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 
server into a RHEL6.6 IPA setup.

