On 11/09/2011 05:11 PM, JR Aquino wrote:
Upon a FreeIPA Replica install, I am failing at:
Configuring Kerberos KDC: Estimated time 30 seconds
   [1/9]: adding sasl mappings to the directory
   [2/9]: writing stash file from DS
   [3/9]: configuring KDC
   [4/9]: creating a keytab for the directory
   [5/9]: creating a keytab for the machine
   [6/9]: adding the password extension to the directory
   [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range

Per an IRC session with Rich, it looks like ldap/authdev1.qai.example....@example.com is not being created at all... So when the replica slave goes to search for it, it yields an empty list and throws the Python exception...

Does anyone know how and when that principal should be getting created/inserted?

The /var/log/ipareplica-install.log:

<snipit>
2011-11-17 12:50:14,708 DEBUG stderr=ldap_initialize( ldap://authdev1.qai.example.com )
2011-11-17 12:50:14,708 DEBUG   duration: 0 seconds
2011-11-17 12:50:14,708 DEBUG   [7/9]: enable GSSAPI for replication
2011-11-17 12:50:14,746 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-11-17 12:50:15,756 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-11-17 12:50:16,787 INFO Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionSystem error: start: 0: end: 0
2011-11-17 12:50:16,791 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-11-17 12:50:17,802 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-11-17 12:50:18,816 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20111110000049Z: end: 20111110000049Z
2011-11-17 12:50:18,865 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 483, in <module>
    main()
  File "/usr/sbin/ipa-replica-install", line 444, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)
  File "/usr/sbin/ipa-replica-install", line 156, in install_krb
    setup_pkinit, pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 212, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 553, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 798, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 532, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 525, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
One problem is at this point in the code, a_pn is [] - so the check for a_pn is None fails. I think the error checking here needs to be improved.

But the real problem is that this search fails (from the master server dirsrv access log below):

[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example....@example.com)" attrs=ALL
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0

Note: nentries=0 means not found.

Who adds this entry?


The Master server dirsrv access log:
[09/Nov/2011:15:39:44 -0800] conn=28 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
[09/Nov/2011:15:39:44 -0800] conn=28 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:39:44 -0800] conn=28 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:39:44 -0800] conn=28 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:39:44 -0800] conn=28 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:39:44 -0800] conn=28 op=4 EXT oid="2.16.840.1.113730.3.5.12"
[09/Nov/2011:15:39:44 -0800] conn=28 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:00 -0800] conn=29 fd=76 slot=76 SSL connection from 10.230.6.100 to 10.230.6.96
[09/Nov/2011:15:40:00 -0800] conn=29 SSL 256-bit AES
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[09/Nov/2011:15:40:00 -0800] conn=29 op=1 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
[09/Nov/2011:15:40:00 -0800] conn=29 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:01 -0800] conn=28 op=5 UNBIND
[09/Nov/2011:15:40:01 -0800] conn=28 op=5 fd=75 closed - U1
[09/Nov/2011:15:40:01 -0800] conn=30 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
[09/Nov/2011:15:40:01 -0800] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Nov/2011:15:40:01 -0800] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:01 -0800] conn=30 SSL 256-bit AES
[09/Nov/2011:15:40:01 -0800] conn=30 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
[09/Nov/2011:15:40:01 -0800] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
[09/Nov/2011:15:40:01 -0800] conn=30 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:01 -0800] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:01 -0800] conn=30 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:01 -0800] conn=30 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:01 -0800] conn=30 op=4 EXT oid="2.16.840.1.113730.3.5.12"
[09/Nov/2011:15:40:01 -0800] conn=30 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 SRCH base="cn=config" scope=2 filter="(&(nsDS5ReplicaHost=authdev1.qai.example.com)(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement)))" attrs=ALL
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:02 -0800] conn=29 op=3 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[09/Nov/2011:15:40:02 -0800] conn=29 op=3 RESULT err=0 tag=103 nentries=0 etime=0
[09/Nov/2011:15:40:03 -0800] conn=29 op=4 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[09/Nov/2011:15:40:03 -0800] conn=29 op=4 RESULT err=0 tag=103 nentries=0 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=5 SRCH base="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="cn nsds5replicaUpdateInProgress nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd"
[09/Nov/2011:15:40:04 -0800] conn=29 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example....@example.com)" attrs=ALL
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND
[09/Nov/2011:15:40:04 -0800] conn=29 op=7 fd=76 closed - U1
[09/Nov/2011:15:40:08 -0800] conn=30 op=5 UNBIND
[09/Nov/2011:15:40:08 -0800] conn=30 op=5 fd=75 closed - U1
[09/Nov/2011:15:40:08 -0800] conn=31 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
[09/Nov/2011:15:40:08 -0800] conn=31 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Nov/2011:15:40:08 -0800] conn=31 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:08 -0800] conn=31 SSL 256-bit AES
[09/Nov/2011:15:40:08 -0800] conn=31 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
[09/Nov/2011:15:40:08 -0800] conn=31 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
[09/Nov/2011:15:40:08 -0800] conn=31 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:08 -0800] conn=31 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:08 -0800] conn=31 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:08 -0800] conn=31 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:08 -0800] conn=31 op=4 EXT oid="2.16.840.1.113730.3.5.12"
[09/Nov/2011:15:40:08 -0800] conn=31 op=4 RESULT err=0 tag=120 nentries=0 etime=0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
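An added example to go with Rich's two observations above (the installer's a_pn is [] while the code only checks for None, and the access log shows the principal search returning err=0 nentries=0). It is not FreeIPA or 389-ds project code. The first part pairs access-log SRCH and RESULT records by conn/op and reports krbPrincipalName lookups that matched nothing; the second rewrites the a_pn[0].dn step so an empty result stops the install with a clear message instead of an IndexError. The hostnames, the principal ldap/replica1.example.test@EXAMPLE.TEST, the log lines and the Entry/ReplicaSetupError stand-ins are all constructed for the example; they are not the thread's real names or python-ldap/ipaserver types.

```python
"""Added example (not FreeIPA/389-ds code) for the failure in this thread:
pair 389-ds access-log SRCH/RESULT records to spot krbPrincipalName lookups
that return err=0 nentries=0, and rewrite the a_pn[0].dn step so an empty
result fails clearly instead of with IndexError. Names and log lines are
constructed; entry objects are stand-ins, not python-ldap/ipaserver types.
"""
import re

_SRCH_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
_RESULT_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)'
)


def parse_access_log(lines):
    """One dict per SRCH whose RESULT (same conn and op) is also present."""
    pending = {}      # (conn, op) -> SRCH fields awaiting their RESULT
    completed = []
    for line in lines:
        m = _SRCH_RE.search(line)
        if m:
            pending[(m.group("conn"), m.group("op"))] = {
                "base": m.group("base"), "scope": int(m.group("scope")),
                "filter": m.group("filter")}
            continue
        m = _RESULT_RE.search(line)
        if m:
            srch = pending.pop((m.group("conn"), m.group("op")), None)
            if srch is not None:   # ignore RESULTs of binds, mods, etc.
                srch["err"] = int(m.group("err"))
                srch["nentries"] = int(m.group("nentries"))
                completed.append(srch)
    return completed


def find_empty_principal_searches(lines):
    """krbPrincipalName searches that succeeded (err=0) but matched nothing.

    That combination is the tell in the thread: the directory answered, the
    entry is just absent, so the installer gets [] rather than an error.
    """
    return [s for s in parse_access_log(lines)
            if "krbPrincipalName=" in s["filter"]
            and s["err"] == 0 and s["nentries"] == 0]


class ReplicaSetupError(Exception):
    """Raised when the peer's ldap/ service principal entry is missing."""


MOD_ADD = 0   # stands in for ldap.MOD_ADD so this runs without python-ldap


def replica_binddn_mod(search_results, principal):
    """Build the nsds5replicabinddn MOD_ADD for the first matching entry.

    None and [] are both treated as "not found"; the original code's
    'is None' check let [] through to a_pn[0].
    """
    if not search_results:
        raise ReplicaSetupError(
            "no entry with krbPrincipalName=%s on the peer; the ldap/ "
            "principal for that host was never created, so GSSAPI "
            "replication cannot be enabled" % principal)
    return [(MOD_ADD, "nsds5replicabinddn", search_results[0].dn)]


class Entry(object):
    def __init__(self, dn):   # minimal stand-in for a search-result entry
        self.dn = dn


# Constructed sample modelled on the thread's excerpt; names are hypothetical.
PRINCIPAL = "ldap/replica1.example.test@EXAMPLE.TEST"
SAMPLE_LOG = [
    '[09/Nov/2011:15:40:04 -0800] conn=29 op=5 SRCH base="cn=meToreplica1.example.test,'
    'cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config" scope=0 '
    'filter="(objectClass=*)" attrs="cn nsds5replicaUpdateInProgress"',
    '[09/Nov/2011:15:40:04 -0800] conn=29 op=5 RESULT err=0 tag=101 nentries=1 etime=0',
    '[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=test" scope=2 '
    'filter="(krbPrincipalName=%s)" attrs=ALL' % PRINCIPAL,
    '[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0',
    '[09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND',
]

if __name__ == "__main__":
    for s in find_empty_principal_searches(SAMPLE_LOG):
        print("missing principal: base=%s filter=%s" % (s["base"], s["filter"]))
    try:
        replica_binddn_mod([], PRINCIPAL)
    except ReplicaSetupError as e:
        print("installer would stop with: %s" % e)
```

Run it against a real /var/log/dirsrv/slapd-*/access file by reading the lines into find_empty_principal_searches(); pairing on (conn, op) matters because the SRCH and its RESULT are separate records and other connections interleave between them, as they do in the excerpt above.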