Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Baird, Josh
Martin,

Yes, this is the exact scenario.  My lab started with a RHEL 7.2 master/replica 
with 'domain level' set to 0.  

I raised the 'domain level' to 1, and now I'm trying to introduce a new replica 
into the environment.

I will check on 'nsds5replicabinddn' and report back.

Thanks,

Josh

-----Original Message-----
From: Martin Babinsky [mailto:mbabi...@redhat.com] 
Sent: Friday, November 18, 2016 3:17 AM
To: Baird, Josh ; 'freeipa-users@redhat.com' 

Subject: Re: [Freeipa-users] IPA 4.4 replica installation failing

On 11/17/2016 03:51 PM, Baird, Josh wrote:
> Hi all,
>
> In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, 
> and I seem to be hitting something similar to #5412 [1].
>
> The 'ipa-replica-install' is getting stuck on:
>
>   [4/26]: creating installation admin user
>
> Dirsrv error logs on the new replica:
>
> [17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - 
> agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): Unable to 
> acquire replica: permission denied. The bind dn "" does not have permission 
> to supply replication updates to the replica. Will retry later.
>
> Dirsrv access logs on existing master:
>
> [17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 
> tag=101 nentries=0 etime=0
>
> Dirsrv logs on the existing master:
>
> [17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - 
> conn=120 op=13 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
> [17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - 
> conn=123 op=5 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
> [17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - 
> conn=130 op=5 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
>
> Has anyone else experienced this issue?
>
> Thanks,
>
> Josh
>
> [1] https://fedorahosted.org/freeipa/ticket/5412
>
>
Hi Josh,

in the original ticket the issue was occurring when creating CA replica against 
7.2 master upgraded to 7.3 with domain level raised to 1. Do you have the same 
scenario?

Also, during the stuck installation can you check for the presence of replica's 
LDAP principal in 'nsds5replicabinddn' attribute on master's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?

I would also check for the reverse, i.e. if the master's LDAP principal is in 
the 'nsds5replicabinddn' attribute on replica's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.

--
Martin^3 Babinsky

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread thierry bordaz



Hi Josh,

Both direction Replica Agreements should use GSSAPI authentication with 
accounts in 'cn=replication managers,cn=sysaccounts,cn=etc,'
Would you check the members (on master and replica) of this entry and 
see if it contains the expected principals?


regards
thierry



Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Martin Babinsky

Hi Josh,

in the original ticket the issue was occurring when creating CA replica 
against 7.2 master upgraded to 7.3 with domain level raised to 1. Do you 
have the same scenario?


Also, during the stuck installation can you check for the presence of 
replica's LDAP principal in 'nsds5replicabinddn' attribute on master's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?


I would also check for the reverse, i.e. if the master's LDAP principal 
is in the 'nsds5replicabinddn' attribute on replica's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.


--
Martin^3 Babinsky
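
The two checks suggested in this thread (the 'nsds5replicabinddn' lookup on the 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry, and the membership of 'cn=replication managers'), as an added example that is not part of any poster's message or of FreeIPA's own code: it parses saved ldapsearch LDIF output and reports whether a principal appears in each place. Host names, realm, suffix and the principal DN layout are constructed placeholders.

```python
import base64

# Constructed sample values (not from the thread): hosts, realm and suffix are placeholders.
SUFFIX = "dc=example,dc=test"
MASTER_DN = f"krbprincipalname=ldap/master.example.test@EXAMPLE.TEST,cn=services,cn=accounts,{SUFFIX}"
REPLICA_DN = f"krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,cn=services,cn=accounts,{SUFFIX}"
# Constructed output of a base-scope ldapsearch on the master's o=ipaca replica
# entry, requesting nsds5replicabinddn (note the folded second line).
REPLICA_ENTRY_LDIF = r"""dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddn: krbprincipalname=ldap/master.example.test@EXAMPLE.TEST,cn=
 services,cn=accounts,dc=example,dc=test
"""
# Constructed group entry; one member is base64-encoded, as ldapsearch may emit it.
GROUP_LDIF = (
    f"dn: cn=replication managers,cn=sysaccounts,cn=etc,{SUFFIX}\n"
    f"member: {MASTER_DN}\n"
    f"member:: {base64.b64encode(REPLICA_DN.encode()).decode()}\n"
)

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}, unfolding wrapped lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def norm_dn(dn):
    """Loose DN comparison key: case-folded, spaces around commas removed.
    Does not handle escaped commas, which these DNs do not contain."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_principal(principal_dn, replica_ldif=REPLICA_ENTRY_LDIF, group_ldif=GROUP_LDIF):
    # Report where the principal is listed: bind DN attribute and/or group members.
    want = norm_dn(principal_dn)
    binddns = parse_ldif_entry(replica_ldif).get("nsds5replicabinddn", [])
    members = parse_ldif_entry(group_ldif).get("member", [])
    return {"in_binddn": want in [norm_dn(v) for v in binddns],
            "in_group": want in [norm_dn(v) for v in members]}
```

Run the same function against LDIF saved from both the master and the new replica, passing the other side's LDAP principal each time, to cover both directions.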



[Freeipa-users] IPA 4.4 replica installation failing

2016-11-17 Thread Baird, Josh
Hi all,

In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, 
and I seem to be hitting something similar to #5412 [1].

The 'ipa-replica-install' is getting stuck on:

  [4/26]: creating installation admin user

Dirsrv error logs on the new replica:

[17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - 
agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): Unable to 
acquire replica: permission denied. The bind dn "" does not have permission to 
supply replication updates to the replica. Will retry later.

Dirsrv access logs on existing master:

[17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 tag=101 
nentries=0 etime=0

Dirsrv logs on the existing master:

[17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - conn=120 op=13 
replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - conn=123 op=5 
replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - conn=130 op=5 
replica="o=ipaca": Unable to acquire replica: error: permission denied

Has anyone else experienced this issue?

Thanks,

Josh

[1] https://fedorahosted.org/freeipa/ticket/5412

