Re: [Freeipa-users] CentOS 7 replica installation failing
From: Petr Vobornik
To: John Williams; "Freeipa-users@redhat.com"
Sent: Thursday, April 7, 2016 8:01 AM
Subject: Re: [Freeipa-users] CentOS 7 replica installation failing

On 04/07/2016 01:34 PM, John Williams wrote:
> From: Petr Vobornik
> To: John Williams; "Freeipa-users@redhat.com"
> Sent: Thursday, April 7, 2016 7:11 AM
> Subject: Re: [Freeipa-users] CentOS 7 replica installation failing
>
> > On 04/07/2016 06:12 AM, John Williams wrote:
> > > I've setup an initial FreeIPA instance on a CentOS 7 host. The install went
> > > without a hitch. I can login to the GUI with no problems. However, I am not
> > > able to install the replica on another CentOS 7 host. I get the following
> > > errors:
> > >
> > > [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
> > > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
> >
> > It was run with '--skip-conncheck'. Is there a reason? If you remove it,
> > what does it complain about?
> >
> > In general, using --skip-conncheck should be avoided because it may hide
> > errors.
> >
> > You could also check master server
> > /var/log/dirsrv/slapd-your-instance/access and errors logs if there is
> > some connection attempt from the replica visible.
> >
> > And maybe /var/log/ipareplica-install.log contains more info.
>
> I ran the skip connections, because when I ran it initially without the skip
> connections, I got the following messages:
>
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Remote master check failed with following error message(s):
> Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of
> known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
> (TCP), 80 (TCP), 443 (TCP)
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check
> failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
>
> There is nothing blocking the connections, and the initial IPA server seems
> to be working fine.
>
> Here are some snippets from the log:
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 525, in install_check
>     options.setup_ca, config.ca_ds_port, options.admin_password)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 91, in replica_conn_check
>     "\nIf the check results are not valid it can be skipped with
> --skip-conncheck parameter.")
>
> 2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception:
> SystemExit: Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
> 2016-04-07T11:30:06Z ERROR Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
>
> Here are some more logs:
>
> [root@ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
> Could not chdir to home directory /home/admin: No such file or directory
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0
> debug1: channel 0: free: client-session, nchannels 1
> debug1: fd 1 clearing O_NONBLOCK
> debug1: fd 2 clearing O_NONBLOCK
> Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
> Bytes per second: sent 131062.5, received 111697.1
> debug1: Exit status 0
>
> 2016-04-07T11:30:02Z DEBUG Starting external process
> 2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o
> UserKnownHostsFile=/tmp/tmpCbCb50' 'ad...@ipa1.nrln.us'
> '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
> 2016-04-07T11:30:05Z DEBUG Process finished, return code=1
> 2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote
> replica 'ipa2.nrln.us':
>    Directory Service: Unsecure port (389): FAILED
>    Directory Service: Secure port (636): FAILED
Re: [Freeipa-users] CentOS 7 replica installation failing
> From: Petr Vobornik
> To: John Williams; "Freeipa-users@redhat.com"
> Sent: Thursday, April 7, 2016 7:11 AM
> Subject: Re: [Freeipa-users] CentOS 7 replica installation failing
>
> On 04/07/2016 06:12 AM, John Williams wrote:
> > I've setup an initial FreeIPA instance on a CentOS 7 host. The install went
> > without a hitch. I can login to the GUI with no problems. However, I am not
> > able to install the replica on another CentOS 7 host. I get the following
> > errors:
> >
> > [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
> > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
>
> It was run with '--skip-conncheck'. Is there a reason? If you remove it,
> what does it complain about?
>
> In general, using --skip-conncheck should be avoided because it may hide
> errors.
>
> You could also check master server
> /var/log/dirsrv/slapd-your-instance/access and errors logs if there is
> some connection attempt from the replica visible.
>
> And maybe /var/log/ipareplica-install.log contains more info.

I ran the skip connections, because when I ran it initially without the skip
connections, I got the following messages:

The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Remote master check failed with following error message(s):
Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of
known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
(TCP), 80 (TCP), 443 (TCP)

ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.

There is nothing blocking the connections, and the initial IPA server seems
to be working fine.

Here are some snippets from the log:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 525, in install_check
    options.setup_ca, config.ca_ds_port, options.admin_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 91, in replica_conn_check
    "\nIf the check results are not valid it can be skipped with
--skip-conncheck parameter.")

2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception:
SystemExit: Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.
2016-04-07T11:30:06Z ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.

Here are some more logs:

[root@ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
Could not chdir to home directory /home/admin: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
Bytes per second: sent 131062.5, received 111697.1
debug1: Exit status 0

2016-04-07T11:30:02Z DEBUG Starting external process
2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o
UserKnownHostsFile=/tmp/tmpCbCb50' 'ad...@ipa1.nrln.us'
'/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
2016-04-07T11:30:05Z DEBUG Process finished, return code=1
2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote
replica 'ipa2.nrln.us':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): FAILED
   HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added
'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
(TCP), 80 (TCP), 443 (TCP)

These two hosts are on the same subnet; no firewall or iptables is running.
That's why the error message is confusing. Any suggestions?

> > WARNING: conflicting time&
Re: [Freeipa-users] CentOS 7 replica installation failing
I've setup an initial FreeIPA instance on a CentOS 7 host. The install went
without a hitch. I can login to the GUI with no problems. However, I am not
able to install the replica on another CentOS 7 host. I get the following
errors:

[root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password:

Existing BIND configuration detected, overwrite? [no]: yes
Using reverse zone(s) 1.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: configure dirsrv ccache
  [22/38]: enable SASL mapping fallback
  [23/38]: restarting directory server
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact
LDAP server]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication

The error message is misleading. The two hosts sit on the same subnet. All
firewalls are off. Selinux is disabled. Here is an nmap port scan from the
replica to the master:

[root@ipa2 ~]# nmap ipa1

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
Nmap scan report for ipa1 (192.168.1.38)
Host is up (0.86s latency).
rDNS record for 192.168.1.38: ipa1.nrln.us
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
8080/tcp open  http-proxy
8443/tcp open  https-alt
MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
[root@ipa2 ~]#

Why do I get this message?

TIA!!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
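Added example, not from the thread or the FreeIPA project: the conncheck output quoted in this thread is the master's check against the replica ("Check connection from master to remote replica"), while the nmap scan was run from the replica against the master. The script below parses constructed copies of both outputs and labels, per port, which direction the evidence covers, so a FAILED TCP port that nmap shows open on the master points at the replica side rather than the master.

```python
import re
# Constructed copy of the conncheck stdout quoted in the thread (master -> replica).
CONNCHECK_OUTPUT = """\
Check connection from master to remote replica 'ipa2.nrln.us':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): FAILED
   HTTP Server: Secure port (443): FAILED
"""
# Constructed copy of the nmap lines quoted in the thread (replica -> master).
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
"""
CHECK_RE = re.compile(r"^\s*(?P<service>[^:]+): (?P<kind>[^(]+?) \((?P<port>\d+)\): (?P<status>\w+)\s*$")
NMAP_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)")

def parse_conncheck(text):
    """Map (port, proto) -> status for each per-service line of conncheck output."""
    results = {}
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            proto = "udp" if m["kind"].startswith("UDP") else "tcp"
            results[(int(m["port"]), proto)] = m["status"]
    return results

def parse_nmap(text):
    """Map (port, proto) -> state for each port line of nmap output."""
    results = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if m:
            results[(int(m["port"]), m["proto"])] = m["state"]
    return results

def diagnose(conncheck, nmap):
    """Label each non-OK conncheck port; FAILED here but open in nmap means the master answered."""
    verdict = {}
    for (port, proto), status in sorted(conncheck.items()):
        if status == "WARNING" and proto == "udp":
            verdict[(port, proto)] = "unverified (UDP)"  # conncheck cannot confirm UDP
        elif status == "FAILED" and nmap.get((port, proto)) == "open":
            verdict[(port, proto)] = "replica unreachable from master"
        elif status == "FAILED":
            verdict[(port, proto)] = "no evidence for master side"
    return verdict

def failed_directions():
    return diagnose(parse_conncheck(CONNCHECK_OUTPUT), parse_nmap(NMAP_OUTPUT))
```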
Re: [Freeipa-users] CentOS 7 replica installation failing
On 04/07/2016 06:12 AM, John Williams wrote:
> I've setup an initial FreeIPA instance on a CentOS 7 host. The install went
> without a hitch. I can login to the GUI with no problems. However, I am not
> able to install the replica on another CentOS 7 host. I get the following
> errors:
>
> [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
> /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck

It was run with '--skip-conncheck'. Is there a reason? If you remove it,
what does it complain about?

In general, using --skip-conncheck should be avoided because it may hide
errors.

You could also check master server
/var/log/dirsrv/slapd-your-instance/access and errors logs if there is
some connection attempt from the replica visible.

And maybe /var/log/ipareplica-install.log contains more info.

> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Directory Manager (existing master) password:
>
> Existing BIND configuration detected, overwrite? [no]: yes
> Using reverse zone(s) 1.168.192.in-addr.arpa.
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/38]: creating directory server user
>   [2/38]: creating directory server instance
>   [3/38]: adding default schema
>   [4/38]: enabling memberof plugin
>   [5/38]: enabling winsync plugin
>   [6/38]: configuring replication version plugin
>   [7/38]: enabling IPA enrollment plugin
>   [8/38]: enabling ldapi
>   [9/38]: configuring uniqueness plugin
>   [10/38]: configuring uuid plugin
>   [11/38]: configuring modrdn plugin
>   [12/38]: configuring DNS plugin
>   [13/38]: enabling entryUSN plugin
>   [14/38]: configuring lockout plugin
>   [15/38]: creating indices
>   [16/38]: enabling referential integrity plugin
>   [17/38]: configuring ssl for ds instance
>   [18/38]: configuring certmap.conf
>   [19/38]: configure autobind for root
>   [20/38]: configure new location for managed entries
>   [21/38]: configure dirsrv ccache
>   [22/38]: enable SASL mapping fallback
>   [23/38]: restarting directory server
>   [24/38]: setting up initial replication
> Starting replication, please wait until this has completed.
>
> [ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't
> contact LDAP server]
>
>   [error] RuntimeError: Failed to start replication
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start
> replication
>
> The error message is misleading. The two hosts sit on the same subnet. All
> firewalls are off. Selinux is disabled. Here is an nmap port scan from the
> replica to the master:
>
> [root@ipa2 ~]# nmap ipa1
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
> Nmap scan report for ipa1 (192.168.1.38)
> Host is up (0.86s latency).
> rDNS record for 192.168.1.38: ipa1.nrln.us
> Not shown: 990 closed ports
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 80/tcp   open  http
> 88/tcp   open  kerberos-sec
> 389/tcp  open  ldap
> 443/tcp  open  https
> 464/tcp  open  kpasswd5
> 636/tcp  open  ldapssl
> 749/tcp  open  kerberos-adm
> 8080/tcp open  http-proxy
> 8443/tcp open  https-alt
> MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
>
> Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
> [root@ipa2 ~]#
>
> Why do I get this message?
>
> TIA!!

--
Petr Vobornik