[Freeipa-users] replication setup failure

Steven Jones Steven.Jones at vuw.ac.nz
Thu Mar 3 19:30:22 UTC 2011


Hi

The original ipa master has a running LDAP, the replica does not so the
install failed on it.....so I can't give you an ldapsearch output from
the replica.

Here's the master's output....

=================
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=ac,dc=nz> with scope subtree
# filter: krbprincipalname=ldap/*
# requesting: dn 
#

# ldap/fed14-64-ipam001.ipa.ac.nz at IPA.AC.NZ, services, accounts, ipa.ac.nz
dn: krbprincipalname=ldap/fed14-64-ipam001.ipa.ac.nz at IPA.AC.NZ,cn=services,cn=
 accounts,dc=ipa,dc=ac,dc=nz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
===============

On Wed, 2011-03-02 at 23:32 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8><----
> > starting replication, please wait until this has completed.
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update succeeded
> >    [21/27]: adding replication acis
> >    [22/27]: initializing group membership
> >    [23/27]: adding master entry
> >    [24/27]: configuring Posix uid/gid generation
> >    [25/27]: enabling compatibility plugin
> >    [26/27]: tuning directory server
> >    [27/27]: configuring directory to start on boot
> > done configuring dirsrv.
> > Configuring Kerberos KDC: Estimated time 30 seconds
> >    [1/9]: adding sasl mappings to the directory
> >    [2/9]: writing stash file from DS
> >    [3/9]: configuring KDC
> >    [4/9]: creating a keytab for the directory
> >    [5/9]: creating a keytab for the machine
> >    [6/9]: adding the password extension to the directory
> >    [7/9]: enable GSSAPI for replication
> > creation of replica failed: list index out of range
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > [root at fed14-64-ipam002 ~]#
> >
> >
> >   messages log
> > ==================
> > Mar  3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 00007fe9a7fd5de4 sp 00007fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
> > ==================
> >
> > Replica install log
> > ==================
> > 8><----
> > 2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
> > 2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
> > 2011-03-03 00:12:16,048 DEBUG list index out of range
> >    File "/usr/sbin/ipa-replica-install", line 507, in <module>
> >      main()
> >
> >    File "/usr/sbin/ipa-replica-install", line 468, in main
> >      install_krb(config, setup_pkinit=options.setup_pkinit)
> >
> >    File "/usr/sbin/ipa-replica-install", line 216, in install_krb
> >      setup_pkinit, pkcs12_info)
> >
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
> >      self.start_creation("Configuring Kerberos KDC", 30)
> >
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
> >      method()
> >
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
> >      r_bindpw=self.dm_password)
> >
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
> >      self.gssapi_update_agreements(self.conn, r_conn)
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
> >      self.setup_krb_princs_as_replica_binddns(a, b)
> >
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
> >      mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
> > ====================
> >
> >
> > So how to fix?
> >
> > regards
> >
> > Steven
> >
> 
> Ok, this is a new one and may be similar to other hostname issues you've 
> run into. Can you give me the output of this search:
> 
> ldapsearch -x -b 'dc=example,dc=com' 'krbprincipalname=ldap/*' dn
> 
> I would expect the same results from both your new replica and your 
> existing master but if they're different that would be good to know.
> 
> I'm going to guess that either we stored a non-fqdn or we're searching 
> for a non-fqdn (we'll have to infer that, I think, if you have the fqdn 
> stored in LDAP).
> 
> We are doing a very specific search for the principal for the hostnames 
> on each side of the replication agreement, I'm guessing that we're not 
> finding one of them and we haven't taken that into consideration. I 
> filed https://fedorahosted.org/freeipa/ticket/1044 for this.
> 
> rob
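
Added example, not part of the original thread and not FreeIPA code: a pre-flight check that reads `ldapsearch` output like the master's result above and reports, for each side of a replication agreement, whether an `ldap/<host>` principal exists, rather than indexing an empty result as the traceback's `a_pn[0].dn` does. The function names and status strings are hypothetical, and the sample LDIF is constructed from the hostnames in the thread with "@" restored.

```python
import re

# Constructed sample shaped like the master's ldapsearch result in the thread
# ("@" restored; the list archive renders it as " at ").
SAMPLE_LDIF = """\
# extended LDIF
dn: krbprincipalname=ldap/fed14-64-ipam001.ipa.ac.nz@IPA.AC.NZ,cn=services,cn=
 accounts,dc=ipa,dc=ac,dc=nz

# search result
search: 2
result: 0 Success
"""

def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\n ", "", ldif)

def ldap_principal_hosts(ldif):
    """Return {hostname: dn} for every ldap/<host>@REALM service principal."""
    hosts = {}
    for line in unfold(ldif).splitlines():
        m = re.match(r"dn: (krbprincipalname=ldap/([^@,]+)@[^,]+,.*)$", line, re.I)
        if m:
            hosts[m.group(2).lower()] = m.group(1)
    return hosts

def check_agreement(ldif, host_a, host_b):
    """Per host: ("ok", dn) or the reason no bind DN can be derived."""
    found = ldap_principal_hosts(ldif)
    report = {}
    for host in (host_a.lower(), host_b.lower()):
        short = host.split(".")[0]
        if host in found:
            report[host] = ("ok", found[host])
        elif "." not in host:
            report[host] = ("not-fqdn", None)       # searched with a short name
        elif short in found:
            report[host] = ("stored-as-short-name", found[short])
        else:
            report[host] = ("missing", None)        # no ldap/ principal at all
    return report

if __name__ == "__main__":
    result = check_agreement(SAMPLE_LDIF, "fed14-64-ipam001.ipa.ac.nz",
                             "fed14-64-ipam002.ipa.ac.nz")
    for host, (status, dn) in result.items():
        print(host, status, dn)
```
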




