[Freeipa-users] replication setup failure
Steven Jones
Steven.Jones at vuw.ac.nz
Thu Mar 3 19:30:22 UTC 2011
Hi
The original ipa master has a running LDAP, the replica does not so the
install failed on it.....so I can't give you an ldapsearch output from
the replica.
Here's the master's output....
=================
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=ac,dc=nz> with scope subtree
# filter: krbprincipalname=ldap/*
# requesting: dn
#
# ldap/fed14-64-ipam001.ipa.ac.nz at IPA.AC.NZ, services, accounts, ipa.ac.nz
dn: krbprincipalname=ldap/fed14-64-ipam001.ipa.ac.nz at IPA.AC.NZ,cn=services,cn=
accounts,dc=ipa,dc=ac,dc=nz
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
===============
On Wed, 2011-03-02 at 23:32 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8><----
> > starting replication, please wait until this has completed.
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update succeeded
> > [21/27]: adding replication acis
> > [22/27]: initializing group membership
> > [23/27]: adding master entry
> > [24/27]: configuring Posix uid/gid generation
> > [25/27]: enabling compatibility plugin
> > [26/27]: tuning directory server
> > [27/27]: configuring directory to start on boot
> > done configuring dirsrv.
> > Configuring Kerberos KDC: Estimated time 30 seconds
> > [1/9]: adding sasl mappings to the directory
> > [2/9]: writing stash file from DS
> > [3/9]: configuring KDC
> > [4/9]: creating a keytab for the directory
> > [5/9]: creating a keytab for the machine
> > [6/9]: adding the password extension to the directory
> > [7/9]: enable GSSAPI for replication
> > creation of replica failed: list index out of range
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > [root at fed14-64-ipam002 ~]#
> >
> >
> > messages log
> > ==================
> > Mar 3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 00007fe9a7fd5de4 sp 00007fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
> > ==================
> >
> > Replica install log
> > ==================
> > 8><----
> > 2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
> > 2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
> > 2011-03-03 00:12:16,048 DEBUG list index out of range
> >   File "/usr/sbin/ipa-replica-install", line 507, in <module>
> >     main()
> >   File "/usr/sbin/ipa-replica-install", line 468, in main
> >     install_krb(config, setup_pkinit=options.setup_pkinit)
> >   File "/usr/sbin/ipa-replica-install", line 216, in install_krb
> >     setup_pkinit, pkcs12_info)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
> >     self.start_creation("Configuring Kerberos KDC", 30)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
> >     method()
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
> >     r_bindpw=self.dm_password)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
> >     self.gssapi_update_agreements(self.conn, r_conn)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
> >     self.setup_krb_princs_as_replica_binddns(a, b)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
> >     mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
> > ====================
> >
> >
> > So how to fix?
> >
> > regards
> >
> > Steven
> >
>
> Ok, this is a new one and may be similar to other hostname issues you've
> run into. Can you give me the output of this search:
>
> ldapsearch -x -b 'dc=example,dc=com' 'krbprincipalname=ldap/*' dn
>
> I would expect the same results from both your new replica and your
> existing master but if they're different that would be good to know.
>
> I'm going to guess that either we stored a non-fqdn or we're searching
> for a non-fqdn (we'll have to infer that, I think, if you have the fqdn
> stored in LDAP).
>
> We are doing a very specific search for the principal for the hostnames
> on each side of the replication agreement, I'm guessing that we're not
> finding one of them and we haven't taken that into consideration. I
> filed https://fedorahosted.org/freeipa/ticket/1044 for this.
>
> rob
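
A check for the lookup discussed above, as an added example that is not part of the original thread or of FreeIPA's code: it parses `ldapsearch` output for `krbprincipalname=ldap/*` and reports, for each host in the replication agreement, whether an `ldap/<fqdn>` principal entry exists. The sample LDIF is constructed in the shape of the master's output (with `@` restored in the principal name), and the function names are hypothetical.

```python
import re

# Constructed sample: `ldapsearch ... 'krbprincipalname=ldap/*' dn` output,
# including the folded dn: line that LDIF uses for long values.
SAMPLE_LDIF = """\
# extended LDIF
dn: krbprincipalname=ldap/fed14-64-ipam001.ipa.ac.nz@IPA.AC.NZ,cn=services,cn=
 accounts,dc=ipa,dc=ac,dc=nz

# search result
search: 2
result: 0 Success
"""

def unfold(ldif):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def ldap_principal_hosts(ldif):
    """Return {hostname: dn} for every ldap/<host>@REALM principal entry."""
    hosts = {}
    for line in unfold(ldif).splitlines():
        m = re.match(r"dn:\s*krbprincipalname=ldap/([^@,]+)@[^,]+,", line, re.I)
        if m:
            hosts[m.group(1).lower()] = line[3:].strip()
    return hosts

def check_agreement(ldif, hostnames):
    """Map each replication peer to ("ok", dn) or ("missing", reason)."""
    found = ldap_principal_hosts(ldif)
    report = {}
    for host in hostnames:
        key = host.lower()
        if key in found:
            report[host] = ("ok", found[key])
        elif "." not in host:
            report[host] = ("missing", "hostname is not fully qualified")
        else:
            # A principal stored under the short name would not match the FQDN.
            short = [h for h in found if h == key.split(".")[0]]
            hint = "stored as %r" % short[0] if short else "no ldap/ principal entry"
            report[host] = ("missing", hint)
    return report

if __name__ == "__main__":
    peers = ["fed14-64-ipam001.ipa.ac.nz", "fed14-64-ipam002.ipa.ac.nz"]
    for host, (state, detail) in check_agreement(SAMPLE_LDIF, peers).items():
        print("%-30s %-8s %s" % (host, state, detail))
```

Running the same check against output from each side of the agreement shows which host's principal a lookup would fail to find before it is indexed.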