Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

2015-02-10 Thread Chris Mohler

On 02/09/2015 11:36 AM, Martin Kosek wrote:

On 02/09/2015 05:16 PM, Chris Mohler wrote:

On 02/09/2015 10:18 AM, Martin Kosek wrote:

On 02/07/2015 12:27 AM, Chris Mohler wrote:

I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
6.6. It's currently the only master for my domain. I have about 4k user
accounts on here and it's a live system called idm

I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
(clients can't auth unless service sssd is restarted multiple times 10 (User
not known to the underlying authentication module) I think this is possibly
unrelated and the topic for another thread.

I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's called
ipa

Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.


on the master idm I ran ipa-replica-prepare and transferred the file to the
future replica ipa Then I ran the install replica script ipa-replica-install
--setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
Things went well until it failed

[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 133 seconds elapsed
Update in progress yet not in progress

Update in progress yet not in progress

Update in progress yet not in progress

[idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Please help I'm getting nowhere by myself.

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

Maybe you will see messages like ns-slapd: encoded packet size too big (xx >
65536) that are known to pop up more with CentOS 6.6.

Hi Martin,
Thanks for the reply and help I appreciate it.


Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.

Good to know. I try to be distro agnostic. I've used Redhat 7.1 then went
Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess I'm equally
uncomfortable with either version.

That Said. Is there any reason that I could or should not have a replica on a
Fedora 21 server and 2nd replica on a Centos 7.1 later? My understanding is the
more the merrier.

It should just work. Just note that in case of Fedora Server, these are
upstream/Fedora bits which are only tested upstream. So if you for example
break something in Fedora 21 (not likely to happen though ;-) and then get the
change *replicated* to RHEL production instance, I do not think Red Hat support
would be happy with that.

Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
your production RHEL instance as it would upgrade all the data for 4.2 level -
which should get more downstream testing before Red Hat can rubber stamp it.

TLDR; if you are happy with the upstream level of support (this list/IRC/Trac),
knock yourself out :-)


Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

I tried to setup the replica again just now so I have some fresh logs.

From the Dirserv error log
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting 
up
[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up
under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port
389 for LDAP requests
[08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS
requests
[08/Feb/2015:22:14:50 -0500] - Listening on
/var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update failed:
Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to
replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total
update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of
replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)

To be fair and not duplicate efforts I have had the following error
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is
less than db size 12115968B; We recommend to increase the
entry cache size nsslapd-cachememsize.

To which I have asked another question how do I change the entry cache size
https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
I now get additional errors which I would guess are possibly related.

IMO, this should not be related (should not break replication). I do not
see anything useful in the error log though. Did you also check
/var/log/messages for the errors log 

Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

2015-02-09 Thread Chris Mohler

On 02/09/2015 10:18 AM, Martin Kosek wrote:

On 02/07/2015 12:27 AM, Chris Mohler wrote:

I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
6.6. It's currently the only master for my domain. I have about 4k user
accounts on here and it's a live system called idm

I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
(clients can't auth unless service sssd is restarted multiple times 10 (User
not known to the underlying authentication module) I think this is possibly
unrelated and the topic for another thread.

I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's called
ipa

Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.


on the master idm I ran ipa-replica-prepare and transferred the file to the
future replica ipa Then I ran the install replica script ipa-replica-install
--setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
Things went well until it failed

[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 133 seconds elapsed
Update in progress yet not in progress

Update in progress yet not in progress

Update in progress yet not in progress

[idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Please help I'm getting nowhere by myself.

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

Maybe you will see messages like ns-slapd: encoded packet size too big (xx >
65536) that are known to pop up more with CentOS 6.6.

Hi Martin,
Thanks for the reply and help I appreciate it.


Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.
Good to know. I try to be distro agnostic. I've used Redhat 7.1 then 
went Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess 
I'm equally uncomfortable with either version.


That Said. Is there any reason that I could or should not have a replica 
on a Fedora 21 server and 2nd replica on a Centos 7.1 later? My 
understanding is the more the merrier.



Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?


I tried to setup the replica again just now so I have some fresh logs.

From the Dirserv error log
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 
starting up
[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries 
set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for 
LDAPS requests
[08/Feb/2015:22:14:50 -0500] - Listening on 
/var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - 
agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update 
failed: Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to 
replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with 
total update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total 
update of replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)


To be fair and not duplicate efforts I have had the following error
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 
10485760B is less than db size 12115968B; We recommend to increase the

entry cache size nsslapd-cachememsize.

To which I have asked another question how do I change the entry cache 
size

https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
I now get additional errors which I would guess are possibly related.

[06/Feb/2015:10:07:35 -0500] - slapd stopped.
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching 
rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 
starting up
[06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests

Thanks again for having a look at my problem,
-Chris






Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

2015-02-09 Thread Martin Kosek
On 02/09/2015 05:16 PM, Chris Mohler wrote:
 On 02/09/2015 10:18 AM, Martin Kosek wrote:
 On 02/07/2015 12:27 AM, Chris Mohler wrote:
 I'm having some troubles. I have an older IPA install Version 3.0.0. on 
 Centos
 6.6. It's currently the only master for my domain. I have about 4k user
 accounts on here and it's a live system called idm

 I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
 (clients can't auth unless service sssd is restarted multiple times 10 
 (User
 not known to the underlying authentication module) I think this is possibly
 unrelated and the topic for another thread.

 I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's 
 called
 ipa
 Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
 in, so you can also use that platform if you are used to it.

 on the master idm I ran ipa-replica-prepare and transferred the file to 
 the
 future replica ipa Then I ran the install replica script 
 ipa-replica-install
 --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
 Things went well until it failed

 [24/35]: setting up initial replication
 Starting replication, please wait until this has completed.
 Update in progress, 133 seconds elapsed
 Update in progress yet not in progress

 Update in progress yet not in progress

 Update in progress yet not in progress

 [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
 abortedLDAP error: Referral]

 [error] RuntimeError: Failed to start replication

 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.

 Please help I'm getting nowhere by myself.
 Can you please look on the master you are replicating from and look for 
 errors
 in /var/log/messages or DS errors log?

 Maybe you will see messages like ns-slapd: encoded packet size too big 
 (xx > 65536) that are known to pop up more with CentOS 6.6.
 Hi Martin,
 Thanks for the reply and help I appreciate it.
 
 Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
 in, so you can also use that platform if you are used to it.
 Good to know. I try to be distro agnostic. I've used Redhat 7.1 then went
 Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess I'm equally
 uncomfortable with either version.
 
 That Said. Is there any reason that I could or should not have a replica on a
 Fedora 21 server and 2nd replica on a Centos 7.1 later? My understanding is 
 the
 more the merrier.

It should just work. Just note that in case of Fedora Server, these are
upstream/Fedora bits which are only tested upstream. So if you for example
break something in Fedora 21 (not likely to happen though ;-) and then get the
change *replicated* to RHEL production instance, I do not think Red Hat support
would be happy with that.

Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
your production RHEL instance as it would upgrade all the data for 4.2 level -
which should get more downstream testing before Red Hat can rubber stamp it.

TLDR; if you are happy with the upstream level of support (this list/IRC/Trac),
knock yourself out :-)

 Can you please look on the master you are replicating from and look for 
 errors
 in /var/log/messages or DS errors log?
 
 I tried to setup the replica again just now so I have some fresh logs.
 
 From the Dirserv error log
 [08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 
 starting up
 [08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up
 under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
 [08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces 
 port
 389 for LDAP requests
 [08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS
 requests
 [08/Feb/2015:22:14:50 -0500] - Listening on
 /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
 [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
 agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update failed:
 Server is unwilling to perform
 [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to
 replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total
 update session.
 [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of
 replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)
 
 To be fair and not duplicate efforts I have had the following error
 [08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B 
 is
 less than db size 12115968B; We recommend to increase the
 entry cache size nsslapd-cachememsize.
 
 To which I have asked another question how do I change the entry cache size
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
 I now get additional errors which I would guess are possibly related.

IMO, this should not be related (should not break replication). I do not
see anything useful in the error log though. Did you also 

Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

2015-02-09 Thread Martin Kosek
On 02/07/2015 12:27 AM, Chris Mohler wrote:
 I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
 6.6. It's currently the only master for my domain. I have about 4k user
 accounts on here and it's a live system called idm
 
 I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
 (clients can't auth unless service sssd is restarted multiple times 10 (User
 not known to the underlying authentication module) I think this is possibly
 unrelated and the topic for another thread.
 
 I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's 
 called
 ipa

Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.

 
 on the master idm I ran ipa-replica-prepare and transferred the file to the
 future replica ipa Then I ran the install replica script ipa-replica-install
 --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
 Things went well until it failed
 
 [24/35]: setting up initial replication
 Starting replication, please wait until this has completed.
 Update in progress, 133 seconds elapsed
 Update in progress yet not in progress
 
 Update in progress yet not in progress
 
 Update in progress yet not in progress
 
 [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
 abortedLDAP error: Referral]
 
 [error] RuntimeError: Failed to start replication
 
 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 Please help I'm getting nowhere by myself.

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

Maybe you will see messages like ns-slapd: encoded packet size too big (xx >
65536) that are known to pop up more with CentOS 6.6.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
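
The log check requested in the message above, as an added example that is not part of the original thread or of the FreeIPA/389-DS code: it re-joins mail-wrapped log records and flags the messages discussed here. The sample lines are constructed from the excerpts quoted in the thread; the syslog line (host, packet size) and the "Finished total update" wording are assumptions.

```python
import re

# Constructed sample modelled on the excerpts quoted in this thread. The syslog
# line (host "idm", size 70000) is made up to show the message Martin mentions.
SAMPLE_LOG = """\
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is
less than db size 12115968B; We recommend to increase the
entry cache size nsslapd-cachememsize.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update failed:
Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of
replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)
Feb  9 10:42:43 idm ns-slapd: encoded packet size too big (70000 > 65536)
"""

# A record starts with a 389-DS "[dd/Mon/yyyy:hh:mm:ss +zzzz]" stamp or a
# syslog "Mon dd hh:mm:ss" stamp; any other line is a wrapped continuation.
RECORD_START = re.compile(
    r"^(\[\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]"
    r"|[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} )"
)

RULES = [
    ("schema_push_refused",
     re.compile(r"Schema replication update failed: (?P<reason>.+)")),
    ("total_update_started",
     re.compile(r"Beginning total update of replica (?P<agmt>\S+)")),
    # Assumption: wording of the completion message; it is not shown in the thread.
    ("total_update_finished",
     re.compile(r"Finished total update of replica (?P<agmt>\S+)")),
    ("entry_cache_too_small",
     re.compile(r"entry cache size (?P<cache>\d+)B is less than db size (?P<db>\d+)B")),
    ("packet_too_big",
     re.compile(r"encoded packet size too big \((?P<size>\d+) > (?P<limit>\d+)\)")),
]


def join_records(text):
    """Re-join continuation lines so that each log record is a single string."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return (findings, unfinished): rule hits in log order, and the
    agreements whose total update started but was never logged as finished."""
    findings, open_updates = [], set()
    for rec in join_records(text):
        for name, rx in RULES:
            m = rx.search(rec)
            if not m:
                continue
            # Newer 389-DS versions quote the agreement name; drop the quotes.
            fields = {k: v.replace('"', "") for k, v in m.groupdict().items()}
            findings.append((name, fields))
            if name == "total_update_started":
                open_updates.add(fields["agmt"])
            elif name == "total_update_finished":
                open_updates.discard(fields["agmt"])
    return findings, sorted(open_updates)


if __name__ == "__main__":
    findings, unfinished = triage(SAMPLE_LOG)
    for name, fields in findings:
        print(name, fields)
    for agmt in unfinished:
        print("total update never logged as finished:", agmt)
```

Feed it the concatenation of the DS errors log and /var/log/messages from the master being replicated from.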

