<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi all,<br>
<br>
I'm trying to set up a FreeIPA replica on a new Fedora 16 VM.<br>
The process fails when ipa-replica-install starts checking for
connectivity from the master server side towards the new replica.<br>
<blockquote>
<pre># ipa-replica-install -N /var/lib/ipa/replica-info-ldaps01.example.com.gpg
[... lines of output ...]
Execute check on remote master

Remote master check failed with following error message(s):

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
</pre>
</blockquote>
<br>
Running the connectivity check on its own from the server gives me
the following output:<br>
<blockquote>
<pre>Check connection from master to remote replica 'ldaps01.example.com':
Directory Service: Unsecure port (389): FAILED
Directory Service: Secure port (636): FAILED
Kerberos KDC: TCP (88): FAILED
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): FAILED
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): FAILED
HTTP Server: Secure port (443): FAILED
Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443
</pre>
</blockquote>
<br>
To actually see what's going on, I ran 'netstat -tuan' to see which
ports are open while ipa-replica-install waits for me to type my
admin password (just before the remote master check):<br>
<blockquote>
<pre>[root@ldaps01 ~]# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.98.10:22        192.168.10.128:12548    ESTABLISHED
tcp        0     48 192.168.98.10:22        192.168.10.128:12597    ESTABLISHED
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::464                  :::*                    LISTEN
tcp        0      0 :::88                   :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
tcp        0      0 :::636                  :::*                    LISTEN
tcp        0      0 :::389                  :::*                    LISTEN
udp        0      0 192.168.98.10:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::464                  :::*
udp        0      0 :::88                   :::*
udp        0      0 :::123                  :::*
</pre>
</blockquote>
It seems that the replica procedure automatically binds to IPv6
addresses (although I've disabled IPv6 on eth0 and on loopback, and
removed the IPv6 entries from /etc/hosts and /etc/resolv.conf).<br>
<br>
NTP listens on both IPv4 and IPv6 localhost, but that's because I
chose to handle it as a separate service on its own.<br>
<br>
FreeIPA server is 2.1.4-5 on both ldap (master) and ldaps01 (slave).<br>
<br>
Regards,<br>
Dimitris<br>
<pre class="moz-signature" cols="72">--
Dimitris Tsompanidis
</pre>
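<br>
One way to audit the binding observation from the post offline, as an added example that is not part of the post or of FreeIPA itself: parse the netstat -tuan listing and report, for each port the replica conncheck probes, which address family has a listener, so ports served only by an IPv6 socket stand out. IPA_PORTS, audit and ipv6_only are hypothetical names chosen here; the sample input is an excerpt of the listing quoted above.<br>

```python
# Service ports that ipa-replica-install's remote check probes (from the post).
IPA_PORTS = {
    "LDAP": ("tcp", 389), "LDAPS": ("tcp", 636),
    "KDC/tcp": ("tcp", 88), "KDC/udp": ("udp", 88),
    "Kpasswd/tcp": ("tcp", 464), "Kpasswd/udp": ("udp", 464),
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
}

# Excerpt of the `netstat -tuan` listing quoted in the post (whitespace collapsed).
NETSTAT_FROM_POST = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.98.10:22 192.168.10.128:12548 ESTABLISHED
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::464 :::* LISTEN
tcp 0 0 :::88 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN
tcp 0 0 :::389 :::* LISTEN
udp 0 0 :::464 :::*
udp 0 0 :::88 :::*
"""

def parse_netstat(text):
    """Yield (proto, local_ip, port, state) for each tcp/udp socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue                                  # headers, prompts, other protos
        ip, _, port = parts[3].rpartition(":")        # ':::389' -> ('::', ':', '389')
        state = parts[5] if len(parts) > 5 else ""    # UDP rows have no State column
        yield parts[0], ip, int(port), state

def audit(text, expected=IPA_PORTS):
    """Map each expected service to the sorted address families that listen on it.
    A '::' wildcard normally also accepts IPv4 (v4-mapped) unless bindv6only=1
    or IPv6 is disabled, so 'ipv6' alone is a flag to verify, not proof of failure."""
    listeners = {}
    for proto, ip, port, state in parse_netstat(text):
        if proto == "tcp" and state != "LISTEN":
            continue                                  # established sessions are not listeners
        family = "ipv6" if ":" in ip else "ipv4"
        listeners.setdefault((proto, port), set()).add(family)
    return {svc: sorted(listeners.get(key, ())) for svc, key in expected.items()}

def ipv6_only(text):
    """Expected services whose only listener is an IPv6 socket."""
    return sorted(svc for svc, fams in audit(text).items() if fams == ["ipv6"])

if __name__ == "__main__":
    print(audit(NETSTAT_FROM_POST), ipv6_only(NETSTAT_FROM_POST))
```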
</body>
</html>