Re: [Freeipa-users] Unable to Rebuid Replica
Thanks Daniel!

Please what are the downsides of installing without --setup-ca? And how do I make certain both servers have the same number of modules?

On Fri, Apr 24, 2015 at 10:44 AM, dbisc...@hrz.uni-kassel.de wrote:

> Sina,
>
> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>
>> I noticed that my IPA domain masters were out of sync, with users having to log in with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with ipa-server-install --uninstall -U, deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again.
>>
>> It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help? I'm running this on RHEL6.6 and I just updated the entire machine.
>>
>> Installation logs:
>
> [...]
>
> you may have run into this issue:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>
> In short: You may be missing some Apache modules on the IPA master. This problem occurs only if you attempt to install your replica with --setup-ca; otherwise installation will work.
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Unable to Rebuid Replica
Sina,

On Fri, 24 Apr 2015, Sina Owolabi wrote:

> I noticed that my IPA domain masters were out of sync, with users having to log in with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with ipa-server-install --uninstall -U, deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again.
>
> It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help? I'm running this on RHEL6.6 and I just updated the entire machine.
>
> Installation logs:

[...]

you may have run into this issue:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html

In short: You may be missing some Apache modules on the IPA master. This problem occurs only if you attempt to install your replica with --setup-ca; otherwise installation will work.

Mit freundlichen Gruessen/With best regards,

--Daniel.
[Freeipa-users] Unable to Rebuid Replica
Hi!

I noticed that my IPA domain masters were out of sync, with users having to log in with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with ipa-server-install --uninstall -U, deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again.

It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help? I'm running this on RHEL6.6 and I just updated the entire machine.

Installation logs:

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'services.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@exampl.com password:

Execute check on remote master
Check connection from master to remote replica 'services01.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
CalledProcessError: Command '/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy' returned non-zero exit status 255

From the ipa-replica-install.log:

2015-04-24T09:01:57Z DEBUG /usr/sbin/ipa-replica-install was invoked with argument /var/lib/ipa/replica-info-services01.qrios.com.gpg and options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True, 'setup_ca': True, 'forwarders': [CheckedIPAddress('8.8.8.8'), CheckedIPAddress('8.8.4.4')], 'debug': False, 'conf_ntp': True, 'skip_conncheck': False}
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2015-04-24T09:01:57Z DEBUG stdout=VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443 services01.qrios.com (/etc/httpd/conf.d/nss.conf:84)
2015-04-24T09:01:57Z DEBUG stderr=Syntax OK
2015-04-24T09:02:04Z DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpo2Cx3jipa/files.tar -d /var/lib/ipa/replica-info-services01.qrios.com.gpg
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg'
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
2015-04-24T09:02:04Z DEBUG args=tar xf /tmp/tmpo2Cx3jipa/files.tar -C /tmp/tmpo2Cx3jipa
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=
Re: [Freeipa-users] Unable to Rebuid Replica
dbisc...@hrz.uni-kassel.de wrote:

> Sina,
>
> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>
>> I noticed that my IPA domain masters were out of sync, with users having to log in with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with ipa-server-install --uninstall -U, deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again.
>>
>> It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help? I'm running this on RHEL6.6 and I just updated the entire machine.
>>
>> Installation logs:
>
> [...]
>
> you may have run into this issue:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>
> In short: You may be missing some Apache modules on the IPA master. This problem occurs only if you attempt to install your replica with --setup-ca; otherwise installation will work.

Well, he said he had it working at one point so I'm not sure this applies, assuming of course the previous install had a CA.

The current problem you're seeing is related to the fact that sometimes, when the CA fails to install, it isn't marked as having tried in the IPA state tracker, so when you uninstall it does nothing with this half-installed CA instance, which causes all future install attempts to fail because of this left-over stuff.

To remove this pki instance:

# /usr/sbin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

Then re-run ipa-server-install --uninstall just to be sure.

Then try the install again.

And before you do any of this, when you deleted this master did you remove the replication agreements first using ipa-replica-manage? If not I'd check to be sure there isn't an existing agreement, and the same with ipa-csreplica-manage.

rob
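
The cleanup step in the reply above, as an added example that is not part of the original thread: it derives the pkiremove command from the failed pkicreate invocation in the installer output, and refuses to build it from unexpected characters, since the result is run as root. The function names and the ROOT/NAME instance directory layout are assumptions; the sample error line is the one quoted in the thread, shortened.

```shell
#!/bin/sh
# Added example: derive the pkiremove command for a half-installed CA from
# the pkicreate failure reported by ipa-replica-install.

# Sample input: the error quoted in the thread, shortened to the options
# this script reads.
SAMPLE_ERROR="CalledProcessError: Command '/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -enable_proxy' returned non-zero exit status 255"

# pkicreate_opt OPTION: read installer output on stdin and print the value
# following "-OPTION " in the first failed pkicreate command (empty if none).
pkicreate_opt() {
    grep "Command '/usr/bin/pkicreate .*returned non-zero exit status" |
        head -n 1 |
        sed -n "s/.* -$1 \([^ ']*\).*/\1/p"
}

# cleanup_cmd: read installer output on stdin and print the pkiremove command
# in the form given in the thread. Returns 1 if no failed pkicreate is found
# or if the extracted values contain anything but plain path characters.
cleanup_cmd() {
    log=$(cat)
    root=$(printf '%s\n' "$log" | pkicreate_opt pki_instance_root)
    name=$(printf '%s\n' "$log" | pkicreate_opt pki_instance_name)
    [ -n "$root" ] && [ -n "$name" ] || return 1
    case "$root$name" in
        *[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    printf '/usr/sbin/pkiremove -pki_instance_root=%s -pki_instance_name=%s --force\n' \
        "$root" "$name"
}

# leftover_instance ROOT NAME: succeed if the instance directory is still on
# disk. Assumption: the instance lives in ROOT/NAME (e.g. /var/lib/pki-ca).
leftover_instance() {
    [ -d "$1/$2" ]
}

# Stand-alone run: print the command derived from the sample error.
printf '%s\n' "$SAMPLE_ERROR" | cleanup_cmd
```

The script only prints the command; review it, then run it and the follow-up ipa-server-install --uninstall by hand.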