<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 10/27/2016 10:48 AM, Jochen Demmer
      wrote:<br>
    </div>
    <blockquote
      cite="mid:cf9488bd-8c9b-876d-bcc9-728ee1f38153@winteltosh.de"
      type="cite">
      <br>
      <br>
      <div class="moz-cite-prefix">On 27.10.2016 at 10:21, Martin Basti
        wrote:<br>
      </div>
      <blockquote
        cite="mid:d9caa4dd-8c8e-595b-6876-8df516afb3fc@redhat.com"
        type="cite">
        <p><br>
        </p>
        <br>
        <div class="moz-cite-prefix">On 27.10.2016 10:02, Jochen Demmer
          wrote:<br>
        </div>
        <blockquote
          cite="mid:8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de"
          type="cite">
          <br>
          <br>
          <div class="moz-cite-prefix">On 26.10.2016 at 17:31, Martin
            Basti wrote:<br>
          </div>
          <blockquote
            cite="mid:2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com"
            type="cite">
            <p><br>
            </p>
            <br>
            <div class="moz-cite-prefix">On 26.10.2016 17:25, Jochen
              Demmer wrote:<br>
            </div>
            <blockquote
              cite="mid:5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de"
              type="cite">
              <br>
              <br>
              <div class="moz-cite-prefix">On 26.10.2016 at 16:48,
                Martin Basti wrote:<br>
              </div>
              <blockquote
                cite="mid:087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com"
                type="cite">
                <p><br>
                </p>
                <br>
                <div class="moz-cite-prefix">On 26.10.2016 16:42, Jochen
                  Demmer wrote:<br>
                </div>
                <blockquote
                  cite="mid:2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de"
                  type="cite">
                  <br>
                  <br>
                  <div class="moz-cite-prefix">On 26.10.2016 at 16:27,
                    Martin Basti wrote:<br>
                  </div>
                  <blockquote
                    cite="mid:5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com"
                    type="cite">
                    <p><br>
                    </p>
                    <br>
                    <div class="moz-cite-prefix">On 26.10.2016 16:10,
                      Jochen Demmer wrote:<br>
                    </div>
                    <blockquote
                      cite="mid:68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de"
                      type="cite">
                      Hi,<br>
                      <br>
                      my answers also inline.<br>
                      <br>
                      <div class="moz-cite-prefix">On 26.10.2016 at
                        15:38, Martin Basti wrote:<br>
                      </div>
                      <blockquote
                        cite="mid:36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com"
                        type="cite">
                        <p>Hi, comments inline<br>
                        </p>
                        <br>
                        <div class="moz-cite-prefix">On 26.10.2016
                          14:28, Jochen Demmer wrote:<br>
                        </div>
                        <blockquote
                          cite="mid:6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de"
                          type="cite">
                          Hi,<br>
                          <br>
                          I've been running and using a single FreeIPA
                          server successfully, i.e.:<br>
                          Fedora 24<br>
                          freeipa-server-4.3.2-2.fc24.x86_64<br>
                          This server is only available via IPv6,
                          because I can't get public IPv4 addresses any
                          more.<br>
                          <br>
                          Now I want to set up a FreeIPA replica at
                          another site also running IPv6, Fedora 24 and
                          freeipa-server-4.3.2-2.fc24.x86_64<br>
                          First I run "ipa-client-install" which
                          succeeds without an error.<br>
                          When I invoke "ipa-replica-install" I get this
                          error:<br>
                          ipa         : ERROR    Could not resolve
                          hostname <b>hostname.mydoma.in</b> using DNS.
                          Clients may not function properly. Please
                          check your DNS setup. (Note that this check
                          queries IPA DNS directly and ignores
                          /etc/hosts.)<br>
                          LOG:<br>
                          2016-10-26T12:14:39Z DEBUG Search DNS server <b>hostname.mydoma.in</b>
                          (['2a01:f11:1:1::1', '2a01:f11:1:1::1',
                          '2a01:f11:1:1::1']) for <b>hostname.mydoma.in</b><br>
                        </blockquote>
                        <br>
                        Can you check with dig or host command if the
                        hostname is really resolvable on that machine?
                        Do you have a proper resolver in /etc/resolv.conf?<br>
                      </blockquote>
                      There is a resolver given in /etc/resolv.conf.
                      When I do "host
                      &lt;&lt;hostname.mydoma.in&gt;&gt;" I get the
                      right IPv6 back.<br>
                    </blockquote>
                    That is weird because IPA is doing basically the
                    same.<br>
                    <br>
                    <blockquote
                      cite="mid:68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de"
                      type="cite">
                      <blockquote
                        cite="mid:36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com"
                        type="cite"> <br>
                        <blockquote
                          cite="mid:6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de"
                          type="cite"> <br>
                          <b>hostname.mydoma.in</b> is actually the DNS
                          entry for the old FreeIPA server, which
                          actually resolves, but only to an IPv6 address
                          of course.<br>
                          I can continue the installation though by
                          entering "yes".<br>
                          <br>
                          I then get asked:<br>
                          Enter the IP address to use, or press Enter to
                          finish.<br>
                          Please provide the IP address to be used for
                          this host name:<br>
                          <br>
                          When I enter the IPv6 address of the new
                          replica host it doesn't accept it but infinitely
                          asks this question instead.<br>
                        </blockquote>
                        <br>
                        Have you pressed Enter twice? It should end the
                        prompt and continue with the installation.<br>
                      </blockquote>
                      Enter without an IP -> No usable IP address
                      provided nor resolved.<br>
                      Enter with an IP -> Error: Invalid IP Address
                      2a02:1:2:3::4 cannot use IP network address
                      2a02:1:2:3::4 </blockquote>
                    <br>
                    How have you configured the IP address on your
                    interface? Does it have a /128 prefix?<br>
                  </blockquote>
                  Yes, that's right. It's an IP being assigned
                  statefully by a DHCPv6 server.<br>
                  There is also another dynamic IP within the same
                  prefix having /64. I don't want to use this one of
                  course, because its IID changes.<br>
                  <br>
                </blockquote>
                Could you (temporarily) set the prefix for that address
                to /64 and re-run the installer? IPA 4.3 has a check that
                prevents you from using a /128 prefix.<br>
              </blockquote>
              Well now I don't even get asked for the IP. The setup
              wizard continues, but I now get this error:<br>
              <br>
                [27/43]: restarting directory server<br>
              ipa         : CRITICAL Failed to restart the directory
              server (Command '/bin/systemctl restart
              dirsrv@MY-REALM.service' returned non-zero exit status 1).
              See the installation log for details.<br>
                [28/43]: setting up initial replication<br>
                [error] error: [Errno 111] Connection refused<br>
              <br>
              LOG:<br>
              2016-10-26T15:14:46Z DEBUG Process finished, return code=1<br>
              2016-10-26T15:14:46Z DEBUG stdout=<br>
              2016-10-26T15:14:46Z DEBUG stderr=Job for
              dirsrv@MY-REALM.service failed because the control process
              exited with error code. See "systemctl status
              dirsrv@MY-REALM.service" and "journalctl -xe" for details.<br>
              2016-10-26T15:14:46Z CRITICAL Failed to restart the
              directory server (Command '/bin/systemctl restart
              dirsrv@MY-REALM.service' returned non-zero exit status 1).
              See the installation log for details.<br>
              2016-10-26T15:14:46Z DEBUG   duration: 1 seconds<br>
              2016-10-26T15:14:46Z DEBUG   [28/43]: setting up initial
              replication<br>
              2016-10-26T15:14:56Z DEBUG Traceback (most recent call
              last):<br>
              <br>
              When I try to restart manually with "/bin/systemctl
              restart dirsrv@MY-REALM.service",<br>
              this is what systemd logs:<br>
              <a moz-do-not-send="true" class="moz-txt-link-freetext"
                href="https://paste.fedoraproject.org/461439/raw/">https://paste.fedoraproject.org/461439/raw/</a><br>
              <br>
              <br>
            </blockquote>
            <br>
            Could you please check /var/log/dirsrv/slapd-*/errors? There
            might be more details.<br>
            <br>
            Did you reuse an old IPA server for this installation?<br>
            <br>
            Martin<br>
          </blockquote>
          This is what the logfile says:<br>
          <a moz-do-not-send="true" class="moz-txt-link-freetext"
            href="https://paste.fedoraproject.org/461685/raw/">https://paste.fedoraproject.org/461685/raw/</a><br>
          <br>
          I tried to install this server as a replica a couple of times,
          but I even reinstalled all of the software and I keep using <br>
          ipa-client-install --uninstall and<br>
          ipa-server-install --uninstall<br>
        </blockquote>
        <br>
        It looks like the DS database is somehow corrupted; it is
        possible that there might be some leftovers from previous
        installations.<br>
        <br>
        start: Failed to start databases, err=-1 BDB0092 Unknown error:
        -1<br>
        <br>
        I'm not sure what that error means, maybe the DS guys will know.<br>
        <br>
        Can you run server uninstall twice? It should remove all
        leftovers, and then check /var/lib/dirsrv/ if there are any
        slapd-* directories, if yes please remove them<br>
        <br>
        Martin<br>
      </blockquote>
      I uninstalled freeipa-*, deleted /etc/dirsrv and /var/lib/dirsrv,
      rebooted, reinstalled and ran into the exact same problem.<br>
    </blockquote>
    You get the failure because the certificate database cannot be read:<br>
    <pre>[26/Oct/2016:17:17:58.018611176 +0200] Can't find certificate Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[26/Oct/2016:17:17:58.104832444 +0200] Can't get private key from cert Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[26/Oct/2016:17:17:58.112911216 +0200] Error: unable to initialize attrcrypt system for userRoot
[26/Oct/2016:17:17:58.116560926 +0200] start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
</pre>
    Martin,<br>
    shouldn't ipa install create this, or can there be some leftovers?<br>
    <br>
    <blockquote
      cite="mid:cf9488bd-8c9b-876d-bcc9-728ee1f38153@winteltosh.de"
      type="cite">
      <blockquote
        cite="mid:d9caa4dd-8c8e-595b-6876-8df516afb3fc@redhat.com"
        type="cite"> <br>
        <blockquote
          cite="mid:8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de"
          type="cite">
          <blockquote
            cite="mid:2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com"
            type="cite"> <br>
            <blockquote
              cite="mid:5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de"
              type="cite">
              <blockquote
                cite="mid:087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com"
                type="cite"> <br>
                <br>
                <blockquote
                  cite="mid:2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de"
                  type="cite">
                  <blockquote
                    cite="mid:5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com"
                    type="cite"> <br>
                    <blockquote
                      cite="mid:68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de"
                      type="cite">
                      <blockquote
                        cite="mid:36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com"
                        type="cite"> <br>
                        <blockquote
                          cite="mid:6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de"
                          type="cite"> <br>
                          Honestly, I can't see what I might have done
                          wrong.<br>
                          The old FreeIPA host has a hostname that is in
                          sync in its forward and reverse records.<br>
                          The new FreeIPA host also has a hostname that
                          resolves symmetrically, even though the
                          hostname is using another second level domain.<br>
                          <br>
                          Any hints?<br>
                          Jochen Demmer<br>
                          <br>
                          <br>
                        </blockquote>
                        <br>
                        Martin<br>
                      </blockquote>
                      Jochen<br>
                      <br>
                    </blockquote>
                    <br>
                  </blockquote>
                  <br>
                </blockquote>
                <br>
              </blockquote>
              <br>
            </blockquote>
            <br>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
      <br>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Red Hat GmbH, <a class="moz-txt-link-freetext" href="http://www.de.redhat.com/">http://www.de.redhat.com/</a>, Registered seat: Grasbrunn, 
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander</pre>
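    <p>The /128 rejection discussed in the thread, as an added example (not part of the original messages and not FreeIPA's own code): a check that refuses an address equal to its network's base address always fires for a /128 prefix, because that network contains only the address itself. Assumptions: the helper names, the rule that the prefix is read from the local interface entry, the messages other than the one quoted in the thread, and all sample addresses except 2a02:1:2:3::4 are constructed for illustration.</p>
<pre>
```python
import ipaddress

# Constructed interface configuration mirroring the thread: a stateful DHCPv6
# address with a /128 prefix, a dynamic /64 address in the same prefix, and a
# link-local address. Only 2a02:1:2:3::4 comes from the thread.
CONFIGURED = [
    "2a02:1:2:3::4/128",
    "2a02:1:2:3:5054:ff:fe12:3456/64",
    "fe80::5054:ff:fe12:3456/64",
]


def rejection_reason(cidr):
    """Return why a network/broadcast sanity check refuses this address, or None."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if iface.ip.is_loopback or iface.ip.is_link_local or iface.ip.is_multicast:
        return "not a usable unicast address"
    # With a /128 (or IPv4 /32) prefix the network holds exactly one address,
    # so the host address is also the network address and this always fires.
    if iface.ip == net.network_address:
        return "cannot use IP network address"
    if iface.version == 4 and iface.ip == net.broadcast_address:
        return "cannot use broadcast IP address"
    return None


def check_typed_address(typed, configured):
    """Look up the prefix for an address typed without one, then check it.

    Assumption: the prefix length is taken from the matching local interface
    entry, which is why the interface configuration decides the outcome.
    """
    ip = ipaddress.ip_address(typed)
    for cidr in configured:
        if ipaddress.ip_interface(cidr).ip == ip:
            return rejection_reason(cidr)
    return "address is not configured on any local interface"


def report(configured):
    """Map every configured address to its verdict ('ok' or the reason)."""
    return {cidr: rejection_reason(cidr) or "ok" for cidr in configured}


if __name__ == "__main__":
    for cidr, verdict in report(CONFIGURED).items():
        print(f"{cidr:40} {verdict}")
    widened = ["2a02:1:2:3::4/64"] + CONFIGURED[1:]
    print(check_typed_address("2a02:1:2:3::4", CONFIGURED))
    print(check_typed_address("2a02:1:2:3::4", widened))
```
</pre>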
  </body>
</html>