<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 06/02/2015 12:09 PM, Oleg Fayans
wrote:<br>
</div>
<blockquote cite="mid:556D80E5.6050802@redhat.com" type="cite">Hi
all,
<br>
<br>
The following error was caught during replica installation (I used
all the latest patches from Ludwig and Martin Basti):
<br>
<br>
root@localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
--setup-dns --forwarder 10.38.5.26
/var/lib/ipa/replica-info-replica1.zaeba.li.gpg
<br>
</blockquote>
The topology plugin needs a replica binddngroup to be able to set up
agreements without having to modify cn=config. If the replica is
installed from an older version, this group doesn't exist and adding
members to it fails.<br>
The attached patch should handle this.<br>
<blockquote cite="mid:556D80E5.6050802@redhat.com" type="cite">Directory
Manager (existing master) password:
<br>
<br>
Existing BIND configuration detected, overwrite? [no]: yes
<br>
Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
<br>
Checking forwarders, please wait ...
<br>
Using reverse zone(s) 122.168.192.in-addr.arpa.
<br>
Run connection check to master
<br>
Check connection from replica to remote master
'upgrademaster.zaeba.li':
<br>
Directory Service: Unsecure port (389): OK
<br>
Directory Service: Secure port (636): OK
<br>
Kerberos KDC: TCP (88): OK
<br>
Kerberos Kpasswd: TCP (464): OK
<br>
HTTP Server: Unsecure port (80): OK
<br>
HTTP Server: Secure port (443): OK
<br>
<br>
The following list of ports use UDP protocol and would need to be
<br>
checked manually:
<br>
Kerberos KDC: UDP (88): SKIPPED
<br>
Kerberos Kpasswd: UDP (464): SKIPPED
<br>
<br>
Connection from replica to master is OK.
<br>
Start listening on required ports for remote master check
<br>
Get credentials to log in to remote master
<br>
<a class="moz-txt-link-abbreviated" href="mailto:admin@ZAEBA.LI">admin@ZAEBA.LI</a> password:
<br>
<br>
Check SSH connection to remote master
<br>
Execute check on remote master
<br>
Check connection from master to remote replica
'replica1.zaeba.li':
<br>
Directory Service: Unsecure port (389): OK
<br>
Directory Service: Secure port (636): OK
<br>
Kerberos KDC: TCP (88): OK
<br>
Kerberos KDC: UDP (88): OK
<br>
Kerberos Kpasswd: TCP (464): OK
<br>
Kerberos Kpasswd: UDP (464): OK
<br>
HTTP Server: Unsecure port (80): OK
<br>
HTTP Server: Secure port (443): OK
<br>
<br>
Connection from master to replica is OK.
<br>
<br>
Connection check OK
<br>
Configuring NTP daemon (ntpd)
<br>
[1/4]: stopping ntpd
<br>
[2/4]: writing configuration
<br>
[3/4]: configuring ntpd to start on boot
<br>
[4/4]: starting ntpd
<br>
Done configuring NTP daemon (ntpd).
<br>
Configuring directory server (dirsrv): Estimated time 1 minute
<br>
[1/37]: creating directory server user
<br>
[2/37]: creating directory server instance
<br>
[3/37]: adding default schema
<br>
[4/37]: enabling memberof plugin
<br>
[5/37]: enabling winsync plugin
<br>
[6/37]: configuring replication version plugin
<br>
[7/37]: enabling IPA enrollment plugin
<br>
[8/37]: enabling ldapi
<br>
[9/37]: configuring uniqueness plugin
<br>
[10/37]: configuring uuid plugin
<br>
[11/37]: configuring modrdn plugin
<br>
[12/37]: configuring DNS plugin
<br>
[13/37]: enabling entryUSN plugin
<br>
[14/37]: configuring lockout plugin
<br>
[15/37]: configuring topology plugin
<br>
[16/37]: creating indices
<br>
[17/37]: enabling referential integrity plugin
<br>
[18/37]: configuring ssl for ds instance
<br>
[19/37]: configuring certmap.conf
<br>
[20/37]: configure autobind for root
<br>
[21/37]: configure new location for managed entries
<br>
[22/37]: configure dirsrv ccache
<br>
[23/37]: enable SASL mapping fallback
<br>
[24/37]: restarting directory server
<br>
[25/37]: setting up initial replication
<br>
Starting replication, please wait until this has completed.
<br>
Update in progress, 7 seconds elapsed
<br>
Update succeeded
<br>
<br>
[26/37]: updating schema
<br>
[27/37]: setting Auto Member configuration
<br>
[28/37]: enabling S4U2Proxy delegation
<br>
[29/37]: importing CA certificates from LDAP
<br>
[30/37]: initializing group membership
<br>
[31/37]: adding master entry
<br>
ipa : CRITICAL Failed to load master-entry.ldif: Command
''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
'<a class="moz-txt-link-freetext" href="ldap://replica1.zaeba.li:389">ldap://replica1.zaeba.li:389</a>' '-x' '-D' 'cn=Directory Manager'
'-y' '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
<br>
[32/37]: initializing domain level
<br>
[33/37]: configuring Posix uid/gid generation
<br>
[34/37]: adding replication acis
<br>
[35/37]: enabling compatibility plugin
<br>
[36/37]: tuning directory server
<br>
[37/37]: configuring directory to start on boot
<br>
Done configuring directory server (dirsrv).
<br>
Configuring certificate server (pki-tomcatd): Estimated time 3
minutes 30 seconds
<br>
[1/21]: creating certificate server user
<br>
[2/21]: configuring certificate server instance
<br>
[3/21]: stopping certificate server instance to update CS.cfg
<br>
[4/21]: backing up CS.cfg
<br>
[5/21]: disabling nonces
<br>
[6/21]: set up CRL publishing
<br>
[7/21]: enable PKIX certificate path discovery and validation
<br>
[8/21]: starting certificate server instance
<br>
[9/21]: creating RA agent certificate database
<br>
[10/21]: importing CA chain to RA certificate database
<br>
[11/21]: fixing RA database permissions
<br>
[12/21]: setting up signing cert profile
<br>
[13/21]: set certificate subject base
<br>
[14/21]: enabling Subject Key Identifier
<br>
[15/21]: enabling Subject Alternative Name
<br>
[16/21]: enabling CRL and OCSP extensions for certificates
<br>
[17/21]: setting audit signing renewal to 2 years
<br>
[18/21]: configure certmonger for renewals
<br>
[19/21]: configure certificate renewals
<br>
[20/21]: configure Server-Cert certificate renewal
<br>
[21/21]: Configure HTTP to proxy connections
<br>
Done configuring certificate server (pki-tomcatd).
<br>
Restarting the directory and certificate servers
<br>
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
<br>
[1/8]: adding sasl mappings to the directory
<br>
[2/8]: configuring KDC
<br>
[3/8]: creating a keytab for the directory
<br>
[4/8]: creating a keytab for the machine
<br>
[5/8]: adding the password extension to the directory
<br>
[6/8]: enable GSSAPI for replication
<br>
[error] NO_SUCH_OBJECT: {'desc': 'No such object'}
<br>
<br>
Your system may be partly configured.
<br>
Run /usr/sbin/ipa-server-install --uninstall to clean up.
<br>
<br>
Traceback (most recent call last):
<br>
File "/sbin/ipa-replica-install", line 162, in &lt;module&gt;
<br>
fail_message=fail_message)
<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 760, in run_script
<br>
message, exitcode = handle_error(error, log_file_name)
<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 799, in handle_error
<br>
type(error).__name__, error.args[0]['info']), 1
<br>
KeyError: 'info'
<br>
<br>
It needs to be noted that the replica file was prepared on the
master running standard 4.1.2 freeipa-server.
<br>
<br>
The log is attached
<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
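Added example, not part of the original thread and not FreeIPA code: the traceback at the end of the quoted log shows the error handler itself failing with KeyError: 'info' because the LDAP error payload carried only 'desc'. The sketch below formats such a payload without assuming optional keys; the function names and the stand-in exception class are hypothetical.<br>
<pre>
```python
# Added example (not FreeIPA code): format an LDAP-style error without
# assuming the optional 'info' key is present in the payload.


class NO_SUCH_OBJECT(Exception):
    """Constructed stand-in for the python-ldap exception of the same name."""


def fragile_message(error):
    # Mirrors the expression visible in the quoted traceback; raises
    # KeyError when the payload has no 'info' entry.
    return "%s: %s" % (type(error).__name__, error.args[0]['info'])


def describe_ldap_error(error):
    """Return 'NAME: detail' using whichever payload fields exist."""
    name = type(error).__name__
    payload = error.args[0] if error.args else None
    if not isinstance(payload, dict):
        # Plain string or missing argument: fall back to str(error).
        detail = str(error) or "no details"
        return "%s: %s" % (name, detail)
    parts = []
    # Prefer the server's diagnostic text, then the generic description.
    for key in ("info", "desc"):
        value = payload.get(key)
        if value:
            parts.append(str(value))
    # 'matched' names the closest existing entry, useful for NO_SUCH_OBJECT.
    if payload.get("matched"):
        parts.append("closest existing entry: %s" % payload["matched"])
    return "%s: %s" % (name, "; ".join(parts) or "no details")


if __name__ == "__main__":
    # Constructed payload matching the one printed in the quoted log.
    err = NO_SUCH_OBJECT({'desc': 'No such object'})
    try:
        fragile_message(err)
    except KeyError as exc:
        print("fragile handler failed with KeyError:", exc)
    print(describe_ldap_error(err))
```
</pre>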
</body>
</html>