Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
Kilian Ries wrote:

I'm not quite familiar with the db2index.pl script ... what am I doing wrong?

db2index.pl -n userRoot -D cn=admin -w
ldap_bind: No such object (32)
Failed to search the server for indexes, error (32)

db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn
ldap_bind: No such object (32)
Failed to add task entry "cn=db2index_2016_4_15_16_44_19, cn=index, cn=tasks, cn=config" error (32)

Use 'cn=Directory Manager' instead of cn=admin

rob

From: Ludwig Krispenz <lkris...@redhat.com>
Sent: Friday, 15 April 2016 12:31
To: Kilian Ries
Cc: freeipa-users@redhat.com
Subject: Re: AW: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

On 04/15/2016 10:14 AM, Kilian Ries wrote:

Hi,

on auth01 I see the following error just before installation fails:

[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err= Unknown error
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err= Unknown error
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn

This looks like a database/index corruption. There are traces for the ldap principal for auth02 in the database, but the index and the database are inconsistent. You can try to reindex the database and see if this helps:

db2index.pl -D ... -w .. -Z -t entryrdn   # only this index
or
db2index.pl -D ... -w .. -Z   # full reindex

[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.

Greets
Kilian

From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Ludwig Krispenz <lkris...@redhat.com>
Sent: Thursday, 14 April 2016 16:46
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

On 04/14/2016 04:19 PM, Kilian Ries wrote:

Hello Rob,

thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...

I did the following steps:

auth01$ ipa-replica-manage del auth02
auth02$ ipa-server-install --uninstall
auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg

Are there other logfiles I can check for more specific errors?

You should have a look at the DS error logs in /var/log/dirsrv on both instances.

Greets
Kilian

From: Rob Crittenden <rcrit...@redhat.com>
Sent: Wednesday, 13 April 2016 16:18
To: Kilian Ries; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:

Does nobody have an idea what's the problem here?

TL;DR you are best off deleting this failed replica install and trying again.

Initial replication is done over TLS. When replication is completed both sides of the agreement are converted to using GSSAPI and both ldap principals are needed to do this. Given that replication just completed both principals should be available but rarely one is not (hence the vague-ish error message). In this case the new ldap principal for the new replica wasn't found on the remote master so things blew up.

There is no continuing the installation after this type of failure so you'll need to remove the failed install as a master on auth01 (ipa-replica-manage del auth02...) and then run ipa-server-install --uninstall on auth02 and try again.

rob

Thanks
Kilian

*From:* freeipa-users-boun...@redhat.com <freeipa-users-boun...@red
Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
On 04/15/2016 10:14 AM, Kilian Ries wrote:

Hi,

on auth01 I see the following error just before installation fails:

[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err= Unknown error
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern...@intern.eu,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err= Unknown error
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn

This looks like a database/index corruption. There are traces for the ldap principal for auth02 in the database, but the index and the database are inconsistent. You can try to reindex the database and see if this helps:

db2index.pl -D ... -w .. -Z -t entryrdn   # only this index
or
db2index.pl -D ... -w .. -Z   # full reindex

[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.

Greets
Kilian

From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Ludwig Krispenz <lkris...@redhat.com>
Sent: Thursday, 14 April 2016 16:46
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

On 04/14/2016 04:19 PM, Kilian Ries wrote:

Hello Rob,

thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...

I did the following steps:

auth01$ ipa-replica-manage del auth02
auth02$ ipa-server-install --uninstall
auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg

Are there other logfiles I can check for more specific errors?

You should have a look at the DS error logs in /var/log/dirsrv on both instances.

Greets
Kilian

From: Rob Crittenden <rcrit...@redhat.com>
Sent: Wednesday, 13 April 2016 16:18
To: Kilian Ries; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:

Does nobody have an idea what's the problem here?

TL;DR you are best off deleting this failed replica install and trying again.

Initial replication is done over TLS. When replication is completed both sides of the agreement are converted to using GSSAPI and both ldap principals are needed to do this. Given that replication just completed both principals should be available but rarely one is not (hence the vague-ish error message). In this case the new ldap principal for the new replica wasn't found on the remote master so things blew up.

There is no continuing the installation after this type of failure so you'll need to remove the failed install as a master on auth01 (ipa-replica-manage del auth02...) and then run ipa-server-install --uninstall on auth02 and try again.

rob

Thanks
Kilian

*From:* freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Kilian Ries <m...@kilian-ries.de>
*Sent:* Wednesday, 6 April 2016 10:41
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Hello,

I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm trying to add a replication partner. During the installation I got the following error:

###
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the direc
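
An added example, not part of the original thread and not FreeIPA or 389-ds code: a small Python parser that correlates the three kinds of DS error-log message quoted in the message above (DN present in entryrdn but missing from id2entry, entryrdn ID clash, NULL entry for an ID) and lists each DN whose index and database disagree. The sample log is constructed from the excerpt in this thread, with placeholder host and realm names (replica.example.test, EXAMPLE.TEST), and the function name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the error-log excerpt in this thread;
# host and realm names (replica.example.test, EXAMPLE.TEST) are placeholders.
SAMPLE_LOG = """\
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test) is already in the entryrdn file with different ID 252. Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
"""

NULL_ENTRY = re.compile(r'id2entry - str2entry returned NULL for id (\d+)')
ORPHAN_DN = re.compile(r'dn2entry_ext: the dn "([^"]+)" was in the entryrdn index, '
                       r'but it did not exist in id2entry of instance (\S+?)\.?$')
ID_CLASH = re.compile(r'_entryrdn_insert_key: Same DN \(dn: (.+?)\) is already in the '
                      r'entryrdn file with different ID (\d+)\. Expected ID is (\d+)\.')


def find_index_inconsistencies(log_text):
    """Return one finding per DN whose entryrdn index and id2entry disagree."""
    null_ids = set()  # entry IDs that id2entry could not load
    findings = defaultdict(lambda: {"backend": None, "stale_id": None,
                                    "expected_id": None, "entry_missing": False})
    for line in log_text.splitlines():
        if m := NULL_ENTRY.search(line):
            null_ids.add(int(m.group(1)))
        elif m := ORPHAN_DN.search(line):
            findings[m.group(1)]["backend"] = m.group(2)
        elif m := ID_CLASH.search(line):
            f = findings[m.group(1)]
            f["stale_id"], f["expected_id"] = int(m.group(2)), int(m.group(3))
    # An indexed ID that id2entry cannot load confirms the stale index record.
    for f in findings.values():
        f["entry_missing"] = f["stale_id"] in null_ids
    return dict(findings)


if __name__ == "__main__":
    for dn, f in find_index_inconsistencies(SAMPLE_LOG).items():
        print(f"{dn}\n  backend={f['backend']} stale_id={f['stale_id']} "
              f"expected_id={f['expected_id']} entry_missing={f['entry_missing']}")
```
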
Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
Kilian Ries wrote:

Does nobody have an idea what's the problem here?

TL;DR you are best off deleting this failed replica install and trying again.

Initial replication is done over TLS. When replication is completed both sides of the agreement are converted to using GSSAPI and both ldap principals are needed to do this. Given that replication just completed both principals should be available but rarely one is not (hence the vague-ish error message). In this case the new ldap principal for the new replica wasn't found on the remote master so things blew up.

There is no continuing the installation after this type of failure so you'll need to remove the failed install as a master on auth01 (ipa-replica-manage del auth02...) and then run ipa-server-install --uninstall on auth02 and try again.

rob

Thanks
Kilian

*From:* freeipa-users-boun...@redhat.com on behalf of Kilian Ries
*Sent:* Wednesday, 6 April 2016 10:41
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Hello,

I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm trying to add a replication partner. During the installation I got the following error:

###
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
###

The installation log shows the following:

###
2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/auth02.intern...@intern.eu) and (krbprincipalname=ldap/auth01.intern...@intern.eu)
2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/auth02.intern...@intern.eu) on auth01.intern.eu:636
2016-04-06T08:22:34Z INFO Setting agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config
2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
    (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
    raise RuntimeError(error)
RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
2016-04-06T08:22:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File
Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
Does nobody have an idea what's the problem here?

Thanks
Kilian

From: freeipa-users-boun...@redhat.com on behalf of Kilian Ries
Sent: Wednesday, 6 April 2016 10:41
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Hello,

I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm trying to add a replication partner. During the installation I got the following error:

###
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
###

The installation log shows the following:

###
2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/auth02.intern...@intern.eu) and (krbprincipalname=ldap/auth01.intern...@intern.eu)
2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/auth02.intern...@intern.eu) on auth01.intern.eu:636
2016-04-06T08:22:34Z INFO Setting agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config
2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
    (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
    raise RuntimeError(error)
RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
2016-04-06T08:22:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner