Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

2016-04-15 Thread Rob Crittenden 

Kilian Ries wrote:

I'm not quite familiar with the db2index.pl script ... what am i doing wrong?

db2index.pl -n userRoot -D cn=admin -w
ldap_bind: No such object (32)
Failed to search the server for indexes, error (32)


db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn
ldap_bind: No such object (32)
Failed to add task entry "cn=db2index_2016_4_15_16_44_19, cn=index, cn=tasks, 
cn=config" error (32)


Use 'cn=Directory Manager' instead of cn=admin

rob




Von: Ludwig Krispenz <lkris...@redhat.com>
Gesendet: Freitag, 15. April 2016 12:31
An: Kilian Ries
Cc: freeipa-users@redhat.com
Betreff: Re: AW: [Freeipa-users] Error setting up Replication: ldap service 
principals is missing. Replication agreement cannot be converted

On 04/15/2016 10:14 AM, Kilian Ries wrote:

Hi,

on auht01 i see the following error just before installation fails:


[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, 
err= Unknown error 
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, 
string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn 
"krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu"
 was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN 
(dn: 
krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu)
 is already in the entryrdn file with different ID 252.  Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, 
err= Unknown error 
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, 
string=""
[14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn

this looks like a database/index corruption. There are traces for the
ldapprincipal for auth02in the database, but teh index and the database
are inconsistent. you can try to reindex teh database and see if this helps:
db2index.pl -D ... -w .. -Z  -t entryrdn  #only this index
or
db2index.pl -D ... -w .. -Z  # full reindex



[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://auth02.intern.eu:389/o%3Dipaca) failed.


Greets
Kilian



Von: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> im Auftrag 
von Ludwig Krispenz <lkris...@redhat.com>
Gesendet: Donnerstag, 14. April 2016 16:46
An: freeipa-users@redhat.com
Betreff: Re: [Freeipa-users] Error setting up Replication: ldap service 
principals is missing. Replication agreement cannot be converted

On 04/14/2016 04:19 PM, Kilian Ries wrote:

Hello Rob,

thanks for your explanations. I followed your hints and did a complete 
uninstall and started over with a fresh installation. I ended up with exactly 
the same error as the first time...

I did the following steps:


auth01$ ipa-replica-manage del auth02

auth02$ ipa-server-install --uninstall

auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu

auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 
/root/replica-info-auth02.intern.eu.gpg


Are there other logfiles i can check for more specific errors?

you should have a look to the DS error logs in /var/log/dirsrv on both
instances

Greets
Kilian


Von: Rob Crittenden <rcrit...@redhat.com>
Gesendet: Mittwoch, 13. April 2016 16:18
An: Kilian Ries; freeipa-users@redhat.com
Betreff: Re: [Freeipa-users] Error setting up Replication: ldap service 
principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:

Does nobody have an idea whats the problem here?

TL;DR you are best off deleting this failed replica install and trying
again.

Initial replication is done over TLS. When replication is completed both
sides of the agreement are converted to using GSSAPI and both ldap
principals are needed to do this. Given that replication just completed
both principals should be available but rarely one is not (hence the
vague-ish error message).

In this case the new ldap principal for the new replica wasn't found on
the remote master so things blew up.

There is no continuing the installation after this type of failure so
you'll need to remove the failed install as a master on auth01
(ipa-replica-manage del auth02...) and then run ipa-server-install
--uninstall on autho02 and try again.

rob


Thanks

Kilian




*Von:* freeipa-users-boun...@redhat.com
<freeipa-users-boun...@red

Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

2016-04-15 Thread Ludwig Krispenz 


On 04/15/2016 10:14 AM, Kilian Ries wrote:

Hi,

on auht01 i see the following error just before installation fails:


[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, 
err= Unknown error 
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, 
string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn 
"krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu"
 was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN 
(dn: 
krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu)
 is already in the entryrdn file with different ID 252.  Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, 
err= Unknown error 
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, 
string=""
[14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn
this looks like a database/index corruption. There are traces for the 
ldapprincipal for auth02in the database, but teh index and the database 
are inconsistent. you can try to reindex teh database and see if this helps:

db2index.pl -D ... -w .. -Z  -t entryrdn  #only this index
or
db2index.pl -D ... -w .. -Z  # full reindex



[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://auth02.intern.eu:389/o%3Dipaca) failed.


Greets
Kilian



Von: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> im Auftrag 
von Ludwig Krispenz <lkris...@redhat.com>
Gesendet: Donnerstag, 14. April 2016 16:46
An: freeipa-users@redhat.com
Betreff: Re: [Freeipa-users] Error setting up Replication: ldap service 
principals is missing. Replication agreement cannot be converted

On 04/14/2016 04:19 PM, Kilian Ries wrote:

Hello Rob,

thanks for your explanations. I followed your hints and did a complete 
uninstall and started over with a fresh installation. I ended up with exactly 
the same error as the first time...

I did the following steps:


auth01$ ipa-replica-manage del auth02

auth02$ ipa-server-install --uninstall

auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu

auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 
/root/replica-info-auth02.intern.eu.gpg


Are there other logfiles i can check for more specific errors?

you should have a look to the DS error logs in /var/log/dirsrv on both
instances

Greets
Kilian


Von: Rob Crittenden <rcrit...@redhat.com>
Gesendet: Mittwoch, 13. April 2016 16:18
An: Kilian Ries; freeipa-users@redhat.com
Betreff: Re: [Freeipa-users] Error setting up Replication: ldap service 
principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:

Does nobody have an idea whats the problem here?

TL;DR you are best off deleting this failed replica install and trying
again.

Initial replication is done over TLS. When replication is completed both
sides of the agreement are converted to using GSSAPI and both ldap
principals are needed to do this. Given that replication just completed
both principals should be available but rarely one is not (hence the
vague-ish error message).

In this case the new ldap principal for the new replica wasn't found on
the remote master so things blew up.

There is no continuing the installation after this type of failure so
you'll need to remove the failed install as a master on auth01
(ipa-replica-manage del auth02...) and then run ipa-server-install
--uninstall on autho02 and try again.

rob


Thanks

Kilian




*Von:* freeipa-users-boun...@redhat.com
<freeipa-users-boun...@redhat.com> im Auftrag von Kilian Ries
<m...@kilian-ries.de>
*Gesendet:* Mittwoch, 6. April 2016 10:41
*An:* freeipa-users@redhat.com
*Betreff:* [Freeipa-users] Error setting up Replication: ldap service
principals is missing. Replication agreement cannot be converted

Hello,


i have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and i'm
trying to add an replication partner.


During the installation i got the following error:


###

Restarting the directory and certificate servers

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds

 [1/8]: adding sasl mappings to the directory

 [2/8]: configuring KDC

 [3/8]: creating a keytab for the directory

 [4/8]: creating a keytab for the machine

 [5/8]: adding the password extension to the direc

Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

2016-04-13 Thread Rob Crittenden 

Kilian Ries wrote:

Does nobody have an idea whats the problem here?


TL;DR you are best off deleting this failed replica install and trying 
again.


Initial replication is done over TLS. When replication is completed both 
sides of the agreement are converted to using GSSAPI and both ldap 
principals are needed to do this. Given that replication just completed 
both principals should be available but rarely one is not (hence the 
vague-ish error message).


In this case the new ldap principal for the new replica wasn't found on 
the remote master so things blew up.


There is no continuing the installation after this type of failure so 
you'll need to remove the failed install as a master on auth01 
(ipa-replica-manage del auth02...) and then run ipa-server-install 
--uninstall on autho02 and try again.


rob




Thanks

Kilian




*Von:* freeipa-users-boun...@redhat.com
 im Auftrag von Kilian Ries

*Gesendet:* Mittwoch, 6. April 2016 10:41
*An:* freeipa-users@redhat.com
*Betreff:* [Freeipa-users] Error setting up Replication: ldap service
principals is missing. Replication agreement cannot be converted

Hello,


i have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and i'm
trying to add an replication partner.


During the installation i got the following error:


###

Restarting the directory and certificate servers

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds

   [1/8]: adding sasl mappings to the directory

   [2/8]: configuring KDC

   [3/8]: creating a keytab for the directory

   [4/8]: creating a keytab for the machine

   [5/8]: adding the password extension to the directory

   [6/8]: enable GSSAPI for replication

   [error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.

Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.


ipa.ipapython.install.cli.install_tool(Replica): ERROROne of the
ldap service principals is missing. Replication agreement cannot be
converted.

###



The installation Log shows the following:



###

2016-04-06T08:22:34Z INFO Getting ldap service principals for
conversion: (krbprincipalname=ldap/auth02.intern...@intern.eu) and
(krbprincipalname=ldap/auth01.intern...@intern.eu)

2016-04-06T08:22:34Z DEBUG Unable to find entry for
(krbprincipalname=ldap/auth02.intern...@intern.eu) on auth01.intern.eu:636

2016-04-06T08:22:34Z INFO Setting agreement
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
tree,cn=config schedule to 2358-2359 0 to force synch

2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
tree,cn=config

2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
0 Replica acquired successfully: Incremental update succeeded: start: 0:
end: 0

2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation

 run_step(full_msg, method)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step

 method()

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
line 438, in __convert_to_gssapi_replication

 r_bindpw=self.dm_password)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1104, in convert_to_gssapi_replication

 self.gssapi_update_agreements(self.conn, r_conn)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 797, in gssapi_update_agreements

 self.setup_krb_princs_as_replica_binddns(a, b)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 767, in setup_krb_princs_as_replica_binddns

 (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 751, in get_replica_principal_dns

 raise RuntimeError(error)

RuntimeError: One of the ldap service principals is missing. Replication
agreement cannot be converted.


2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap
service principals is missing. Replication agreement cannot be converted.

2016-04-06T08:22:36Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

 return_value = self.run()

   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run

 cfgr.run()

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 281, in run

 self.execute()

   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 303, in execute

 for nothing in self._executor():

   File

Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

2016-04-13 Thread Kilian Ries 
Does nobody have an idea whats the problem here?


Thanks

Kilian



Von: freeipa-users-boun...@redhat.com  im 
Auftrag von Kilian Ries 
Gesendet: Mittwoch, 6. April 2016 10:41
An: freeipa-users@redhat.com
Betreff: [Freeipa-users] Error setting up Replication: ldap service principals 
is missing. Replication agreement cannot be converted


Hello,


i have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and i'm trying to 
add an replication partner.


During the installation i got the following error:


###

Restarting the directory and certificate servers

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds

  [1/8]: adding sasl mappings to the directory

  [2/8]: configuring KDC

  [3/8]: creating a keytab for the directory

  [4/8]: creating a keytab for the machine

  [5/8]: adding the password extension to the directory

  [6/8]: enable GSSAPI for replication

  [error] RuntimeError: One of the ldap service principals is missing. 
Replication agreement cannot be converted.

Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.


ipa.ipapython.install.cli.install_tool(Replica): ERROROne of the ldap 
service principals is missing. Replication agreement cannot be converted.

###



The installation Log shows the following:



###

2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: 
(krbprincipalname=ldap/auth02.intern...@intern.eu) and 
(krbprincipalname=ldap/auth01.intern...@intern.eu)

2016-04-06T08:22:34Z DEBUG Unable to find entry for 
(krbprincipalname=ldap/auth02.intern...@intern.eu) on auth01.intern.eu:636

2016-04-06T08:22:34Z INFO Setting agreement 
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
 tree,cn=config schedule to 2358-2359 0 to force synch

2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement 
cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
 tree,cn=config

2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 
Replica acquired successfully: Incremental update succeeded: start: 0: end: 0

2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
418, in start_creation

run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
408, in run_step

method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", 
line 438, in __convert_to_gssapi_replication

r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
line 1104, in convert_to_gssapi_replication

self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
line 797, in gssapi_update_agreements

self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
line 767, in setup_krb_princs_as_replica_binddns

(a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
line 751, in get_replica_principal_dns

raise RuntimeError(error)

RuntimeError: One of the ldap service principals is missing. Replication 
agreement cannot be converted.


2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap service 
principals is missing. Replication agreement cannot be converted.

2016-04-06T08:22:36Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

return_value = self.run()

  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, 
in run

cfgr.run()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, 
in run

self.execute()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, 
in execute

for nothing in self._executor():

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, 
in __runner

self._handle_exception(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, 
in _handle_exception

util.raise_exc_info(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, 
in __runner

step()

  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, 
in run_generator_with_yield_from

raise_exc_info(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, 
in run_generator_with_yield_from

value = gen.send(prev_value)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, 
in _configure

executor.next()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, 
in __runner