<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/19/2015 04:27 PM, Oleg Fayans
wrote:<br>
</div>
<blockquote cite="mid:558426BD.5090402@redhat.com" type="cite">Hi
everybody,
<br>
<br>
While preparing the replica files on the latest IPA master I've
noticed the following error messages in the dirsrv error log:
<br>
<br>
[19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat"
(vm-244:389): Replication bind with SIMPLE auth failed: LDAP error
-1 (Can't contact LDAP server) ()
<br>
[19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca"
-- attribute "krbExtraData" not allowed
<br>
</blockquote>
<br>
Hi Oleg,<br>
<br>
Here this message is about a schema problem. 'krbPrincipalAux' is
the objectclass needed to get 'krbExtraData', but the
"uid=admin,ou=people,o=ipaca" entry<br>
does not have this objectclass.<br>
<br>
ldapsearch -LLL -D "cn=directory manager" -w Secret123 -b "o=ipaca"
uid=admin objectclass<br>
dn: uid=admin,ou=people,o=ipaca<br>
objectclass: top<br>
objectclass: person<br>
objectclass: organizationalPerson<br>
objectclass: inetOrgPerson<br>
objectclass: cmsuser<br>
<br>
Should the ipaca admin be a kerberized entry?<br>
<br>
thanks<br>
thierry<br>
<blockquote cite="mid:558426BD.5090402@redhat.com" type="cite">[19/Jun/2015:15:26:13
+0200] slapi_ldap_bind - Error: could not send startTLS request:
error -1 (Can't contact LDAP server) errno 0 (Success)
<br>
<br>
Though the stdout of the replica preparation reports success, when
I later use the resulting gpg file to actually set up a replica, the
setup process fails with the following output:
<br>
<br>
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
<br>
[1/8]: adding sasl mappings to the directory
<br>
[2/8]: configuring KDC
<br>
[3/8]: creating a keytab for the directory
<br>
[4/8]: creating a keytab for the machine
<br>
[5/8]: adding the password extension to the directory
<br>
[6/8]: enable GSSAPI for replication
<br>
[error] RuntimeError: One of the ldap service principals is
missing. Replication agreement cannot be converted.
<br>
Replication error message: Unable to acquire replicaLDAP error: No
such object
<br>
Your system may be partly configured.
<br>
Run /usr/sbin/ipa-server-install --uninstall to clean up.
<br>
<br>
ipa.ipapython.install.cli.install_tool(Replica): ERROR One of
the ldap service principals is missing. Replication agreement
cannot be converted.
<br>
Replication error message: Unable to acquire replicaLDAP error: No
such object
<br>
<br>
The corresponding part of the ipareplica-install.log is attached
<br>
<br>
I've already encountered this twice. The strangest part is that I
prepared 3 replicas simultaneously: 2 of them installed
successfully and one failed. All three replicas were launched
from the same vm-template.
<br>
<br>
</blockquote>
<br>
</body>
</html>