[Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
Ludwig Krispenz
lkrispen at redhat.com
Tue Jun 2 12:20:42 UTC 2015
On 06/02/2015 12:09 PM, Oleg Fayans wrote:
> Hi all,
>
> The following error was caught during replica installation (I used all
> the latest patches from Ludwig and Martin Basti):
>
> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
> --setup-dns --forwarder 10.38.5.26
> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
The topology plugin needs a replica binddngroup to be able to set up
agreements without having to modify cn=config. If the replica is
installed from an older version, this group doesn't exist and adding
members to it fails.
The attached patch should handle this.
> Directory Manager (existing master) password:
>
> Existing BIND configuration detected, overwrite? [no]: yes
> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
> Checking forwarders, please wait ...
> Using reverse zone(s) 122.168.192.in-addr.arpa.
> Run connection check to master
> Check connection from replica to remote master 'upgrademaster.zaeba.li':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at ZAEBA.LI password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'replica1.zaeba.li':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
> [1/37]: creating directory server user
> [2/37]: creating directory server instance
> [3/37]: adding default schema
> [4/37]: enabling memberof plugin
> [5/37]: enabling winsync plugin
> [6/37]: configuring replication version plugin
> [7/37]: enabling IPA enrollment plugin
> [8/37]: enabling ldapi
> [9/37]: configuring uniqueness plugin
> [10/37]: configuring uuid plugin
> [11/37]: configuring modrdn plugin
> [12/37]: configuring DNS plugin
> [13/37]: enabling entryUSN plugin
> [14/37]: configuring lockout plugin
> [15/37]: configuring topology plugin
> [16/37]: creating indices
> [17/37]: enabling referential integrity plugin
> [18/37]: configuring ssl for ds instance
> [19/37]: configuring certmap.conf
> [20/37]: configure autobind for root
> [21/37]: configure new location for managed entries
> [22/37]: configure dirsrv ccache
> [23/37]: enable SASL mapping fallback
> [24/37]: restarting directory server
> [25/37]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 7 seconds elapsed
> Update succeeded
>
> [26/37]: updating schema
> [27/37]: setting Auto Member configuration
> [28/37]: enabling S4U2Proxy delegation
> [29/37]: importing CA certificates from LDAP
> [30/37]: initializing group membership
> [31/37]: adding master entry
> ipa : CRITICAL Failed to load master-entry.ldif: Command
> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
> [32/37]: initializing domain level
> [33/37]: configuring Posix uid/gid generation
> [34/37]: adding replication acis
> [35/37]: enabling compatibility plugin
> [36/37]: tuning directory server
> [37/37]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
> [1/21]: creating certificate server user
> [2/21]: configuring certificate server instance
> [3/21]: stopping certificate server instance to update CS.cfg
> [4/21]: backing up CS.cfg
> [5/21]: disabling nonces
> [6/21]: set up CRL publishing
> [7/21]: enable PKIX certificate path discovery and validation
> [8/21]: starting certificate server instance
> [9/21]: creating RA agent certificate database
> [10/21]: importing CA chain to RA certificate database
> [11/21]: fixing RA database permissions
> [12/21]: setting up signing cert profile
> [13/21]: set certificate subject base
> [14/21]: enabling Subject Key Identifier
> [15/21]: enabling Subject Alternative Name
> [16/21]: enabling CRL and OCSP extensions for certificates
> [17/21]: setting audit signing renewal to 2 years
> [18/21]: configure certmonger for renewals
> [19/21]: configure certificate renewals
> [20/21]: configure Server-Cert certificate renewal
> [21/21]: Configure HTTP to proxy connections
> Done configuring certificate server (pki-tomcatd).
> Restarting the directory and certificate servers
> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
> [1/8]: adding sasl mappings to the directory
> [2/8]: configuring KDC
> [3/8]: creating a keytab for the directory
> [4/8]: creating a keytab for the machine
> [5/8]: adding the password extension to the directory
> [6/8]: enable GSSAPI for replication
> [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Traceback (most recent call last):
> File "/sbin/ipa-replica-install", line 162, in <module>
> fail_message=fail_message)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 760, in run_script
> message, exitcode = handle_error(error, log_file_name)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 799, in handle_error
> type(error).__name__, error.args[0]['info']), 1
> KeyError: 'info'
>
> It needs to be noted, that the replica file was prepared on the master
> running standard 4.1.2 freeipa-server.
>
> The log is attached
>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0010-accept-missing-binddn-group.patch
Type: text/x-patch
Size: 1175 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150602/c19b03a6/attachment.bin>
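
The traceback in the quoted report ends in `KeyError: 'info'` because the error dictionary printed on the `[error]` line carries only `desc`. The following is an added example, not part of the thread and not FreeIPA code, showing how that indexing hides the original failure and how a formatter can tolerate the missing key; `NO_SUCH_OBJECT` here is a constructed stand-in class, and `format_strict`, `format_tolerant` and `report` are hypothetical names.

```python
class NO_SUCH_OBJECT(Exception):
    """Constructed stand-in for the LDAP exception so the example runs offline."""


def format_strict(error):
    # Same indexing as the expression in the traceback: assumes 'info' exists.
    return "%s: %s" % (type(error).__name__, error.args[0]['info'])


def format_tolerant(error):
    """Hypothetical formatter that never raises while reporting a failure."""
    name = type(error).__name__
    detail = error.args[0] if error.args else None
    if isinstance(detail, dict):
        # LDAP-style error dicts carry 'desc' and only sometimes 'info'.
        parts = [str(detail[k]) for k in ('desc', 'info') if detail.get(k)]
        return "%s: %s" % (name, "; ".join(parts)) if parts else name
    return name if detail is None else "%s: %s" % (name, detail)


def report(error, formatter):
    """Return (message, exitcode) and flag a formatter that failed itself."""
    try:
        return formatter(error), 1
    except Exception as masking:
        return "formatter raised %s(%s), original error hidden" % (
            type(masking).__name__, masking), 2


# Constructed from the "[error] NO_SUCH_OBJECT: {'desc': 'No such object'}" line.
SAMPLE = NO_SUCH_OBJECT({'desc': 'No such object'})

if __name__ == "__main__":
    print(report(SAMPLE, format_strict))
    print(report(SAMPLE, format_tolerant))
```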