[Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
Petr Vobornik
pvoborni at redhat.com
Tue Jun 2 13:53:26 UTC 2015
On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>
> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>> Hi all,
>>
>> The following error was caught during replica installation (I used all
>> the latest patches from Ludwig and Martin Basti):
- except ldap.TYPE_OR_VALUE_EXISTS:
+ except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
What happens if all replicas are updated and domain level is raised? I
don't think that the group will be populated. Or will it be? Without it,
topology plugin won't work, right?
There should be a moment where all the DNs are added.
>>
>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
>> --setup-dns --forwarder 10.38.5.26
>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
> the topology plugin needs a replica binddngroup to be able to setup
> agrements without having to modify cn=config. If the replica is
> installed from an older version, this group doesn't exist and adding
> members to it fails.
> The attached patch should handle this
>> Directory Manager (existing master) password:
>>
>> Existing BIND configuration detected, overwrite? [no]: yes
>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
>> Checking forwarders, please wait ...
>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>> Run connection check to master
>> Check connection from replica to remote master 'upgrademaster.zaeba.li':
>> Directory Service: Unsecure port (389): OK
>> Directory Service: Secure port (636): OK
>> Kerberos KDC: TCP (88): OK
>> Kerberos Kpasswd: TCP (464): OK
>> HTTP Server: Unsecure port (80): OK
>> HTTP Server: Secure port (443): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>> Kerberos KDC: UDP (88): SKIPPED
>> Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> admin at ZAEBA.LI password:
>>
>> Check SSH connection to remote master
>> Execute check on remote master
>> Check connection from master to remote replica 'replica1.zaeba.li':
>> Directory Service: Unsecure port (389): OK
>> Directory Service: Secure port (636): OK
>> Kerberos KDC: TCP (88): OK
>> Kerberos KDC: UDP (88): OK
>> Kerberos Kpasswd: TCP (464): OK
>> Kerberos Kpasswd: UDP (464): OK
>> HTTP Server: Unsecure port (80): OK
>> HTTP Server: Secure port (443): OK
>>
>> Connection from master to replica is OK.
>>
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>> [1/37]: creating directory server user
>> [2/37]: creating directory server instance
>> [3/37]: adding default schema
>> [4/37]: enabling memberof plugin
>> [5/37]: enabling winsync plugin
>> [6/37]: configuring replication version plugin
>> [7/37]: enabling IPA enrollment plugin
>> [8/37]: enabling ldapi
>> [9/37]: configuring uniqueness plugin
>> [10/37]: configuring uuid plugin
>> [11/37]: configuring modrdn plugin
>> [12/37]: configuring DNS plugin
>> [13/37]: enabling entryUSN plugin
>> [14/37]: configuring lockout plugin
>> [15/37]: configuring topology plugin
>> [16/37]: creating indices
>> [17/37]: enabling referential integrity plugin
>> [18/37]: configuring ssl for ds instance
>> [19/37]: configuring certmap.conf
>> [20/37]: configure autobind for root
>> [21/37]: configure new location for managed entries
>> [22/37]: configure dirsrv ccache
>> [23/37]: enable SASL mapping fallback
>> [24/37]: restarting directory server
>> [25/37]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 7 seconds elapsed
>> Update succeeded
>>
>> [26/37]: updating schema
>> [27/37]: setting Auto Member configuration
>> [28/37]: enabling S4U2Proxy delegation
>> [29/37]: importing CA certificates from LDAP
>> [30/37]: initializing group membership
>> [31/37]: adding master entry
>> ipa : CRITICAL Failed to load master-entry.ldif: Command
>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
>> [32/37]: initializing domain level
>> [33/37]: configuring Posix uid/gid generation
>> [34/37]: adding replication acis
>> [35/37]: enabling compatibility plugin
>> [36/37]: tuning directory server
>> [37/37]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>> [1/21]: creating certificate server user
>> [2/21]: configuring certificate server instance
>> [3/21]: stopping certificate server instance to update CS.cfg
>> [4/21]: backing up CS.cfg
>> [5/21]: disabling nonces
>> [6/21]: set up CRL publishing
>> [7/21]: enable PKIX certificate path discovery and validation
>> [8/21]: starting certificate server instance
>> [9/21]: creating RA agent certificate database
>> [10/21]: importing CA chain to RA certificate database
>> [11/21]: fixing RA database permissions
>> [12/21]: setting up signing cert profile
>> [13/21]: set certificate subject base
>> [14/21]: enabling Subject Key Identifier
>> [15/21]: enabling Subject Alternative Name
>> [16/21]: enabling CRL and OCSP extensions for certificates
>> [17/21]: setting audit signing renewal to 2 years
>> [18/21]: configure certmonger for renewals
>> [19/21]: configure certificate renewals
>> [20/21]: configure Server-Cert certificate renewal
>> [21/21]: Configure HTTP to proxy connections
>> Done configuring certificate server (pki-tomcatd).
>> Restarting the directory and certificate servers
>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>> [1/8]: adding sasl mappings to the directory
>> [2/8]: configuring KDC
>> [3/8]: creating a keytab for the directory
>> [4/8]: creating a keytab for the machine
>> [5/8]: adding the password extension to the directory
>> [6/8]: enable GSSAPI for replication
>> [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Traceback (most recent call last):
>> File "/sbin/ipa-replica-install", line 162, in <module>
>> fail_message=fail_message)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 760, in run_script
>> message, exitcode = handle_error(error, log_file_name)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 799, in handle_error
>> type(error).__name__, error.args[0]['info']), 1
>> KeyError: 'info'
>>
>> It needs to be noted, that the replica file was prepared on the master
>> running standard 4.1.2 freeipa-server.
>>
>> The log is attached
>>
--
Petr Vobornik
More information about the Freeipa-devel
mailing list