[Freeipa-users] problem with replica install

Rob Crittenden rcritten at redhat.com
Tue Nov 1 19:15:19 UTC 2011


Steven Jones wrote:
> Hi,
>
> No fix for this?

Are both running the same version of IPA? Does ipa-replica-conncheck 
exist on the master?

What this does is on the replica it checks to be sure it can talk to the 
master. Then it starts listeners on a bunch of ports and tries to log 
into the master to see if it can talk to them. This second step is what 
is failing; it doesn't seem to be doing anything on the master at all.

rob

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Monday, 31 October 2011 1:47 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] problem with replica install
>
> Couple of logs I have found.....
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Monday, 31 October 2011 10:03 a.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] problem with replica install
>
> Hi,
>
> I am getting this failure,
>
> [root at vuwunicoipamt02 ipa]# ipa-replica-install --setup-dns --forwarder=130.195.85.25 --forwarder=130.195.98.151 --no-reverse /var/lib/ipa/replica-info-vuwunicoipamt02.unix.vuw.ac.nz.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'vuwunicoipamt01.unix.vuw.ac.nz':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos KDC: TCP (88): OK
>     Kerberos KDC: UDP (88): OK
>     Kerberos Kpasswd: TCP (464): OK
>     Kerberos Kpasswd: UDP (464): OK
>     HTTP Server: port 80 (80): OK
>     HTTP Server: port 443(https) (443): OK
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Password for admin at UNIX.VUW.AC.NZ:
> Execute check on remote master
>
> Remote master check failed with following error message(s):
>
> Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck parameter.
>
> On the first master my firewall ruleset is,
>
>
> ===========8><--------master firewall ruleset--------
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:88
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:389
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:464
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:636
> ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:9443
> ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:9444
> ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:9445
> ACCEPT     tcp  --  130.195.87.247       0.0.0.0/0           tcp dpt:7389
> ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:9443
> ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:9444
> ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:9445
> ACCEPT     tcp  --  130.195.87.248       0.0.0.0/0           tcp dpt:7389
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:88
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:464
> ==========8><------
>
> Can't see what else I have missed......
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Monday, 31 October 2011 8:21 a.m.
> To: Simo Sorce
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unique world wide UIDS
>
> Hi,
>
> Yeah I kind of wondered after ipv4 being so well known that "we" only went to 32bit...
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Simo Sorce [simo at redhat.com]
> Sent: Monday, 31 October 2011 3:41 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unique world wide UIDS
>
> I would rather lobby the Linux kernel people to give me 128bit IDs
> That would solve all problems, as the chance of collision in a carefully
> randomly selected 90something bit prefix are basically none.
>
> Simo.
>
> On Thu, 2011-10-27 at 20:40 +0000, Steven Jones wrote:
>> Yes I can appreciate that, we have done the same thing im '500'...
>>
>> oops....
>>
>> As an educational setup we are looking to federate worldwide, that
>> means Shibboleth or similar....a unique UID per academic world wide
>> might be worthwhile....there won't be 2billion
>> academics...students...well i guess that would one day be a "ipv4"
>> problem.
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Friday, 28 October 2011 9:34 a.m.
>> To: Steven Jones
>> Cc: Adam Young; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unique world wide UIDS
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> Well if you understand Peak Oil and that the "green revolution" was
>>> actually turning fossil fuel into food ie we eat oil....only having
>>> 2billion UIDs won't be a problem.
>>>
>>> :/
>>
>> Many, many organizations start with the same uid base, 500 or 1000.
>> When company A buys company B there are tons and tons of uid
>> collisions. If each started at a random start point then the chances
>> of collision, while not zero, are much lower.
>>
>> Our goal wasn't to guarantee uniqueness in the universe, just to make
>> integration hopefully easier in the future when namespaces are merged.
>>
>> rob
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
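
Added example (not part of the original thread, and not FreeIPA code): the second step Rob describes has the master connect back to listeners on the replica, so the replica's firewall matters as much as the master's. The sketch below audits `iptables -L -n` ACCEPT lines against the port list shown in the connection-check output, assuming the listeners use that same list; the replica ruleset and the address 192.0.2.10 (standing in for the master) are constructed for illustration.

```python
import ipaddress
import re

# (protocol, port) pairs listed in the connection-check output quoted above.
REQUIRED = [("tcp", 389), ("tcp", 636), ("tcp", 88), ("udp", 88),
            ("tcp", 464), ("udp", 464), ("tcp", 80), ("tcp", 443)]

RULE = re.compile(r"ACCEPT\s+(tcp|udp)\s+--\s+(\S+)\s+\S+\s+.*?dpt:(\d+)")

# Constructed sample: `iptables -L -n` ACCEPT lines for a hypothetical replica.
# 192.0.2.10 stands in for the master; it is not an address from the thread.
REPLICA_RULES = """\
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  192.0.2.10           0.0.0.0/0           tcp dpt:389
ACCEPT     tcp  --  192.0.2.10           0.0.0.0/0           tcp dpt:636
ACCEPT     tcp  --  198.51.100.7         0.0.0.0/0           tcp dpt:88
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:88
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:464
"""

def parse_rules(listing):
    """Map (proto, port) -> list of source networks allowed by ACCEPT rules."""
    rules = {}
    for line in listing.splitlines():
        m = RULE.search(line)
        if m:
            proto, src, port = m.group(1), m.group(2), int(m.group(3))
            net = ipaddress.ip_network(src, strict=False)
            rules.setdefault((proto, port), []).append(net)
    return rules

def audit(listing, peer):
    """Classify each required port as open, restricted or missing for `peer`.

    Only ACCEPT lines with a destination port are considered; rule order,
    earlier DROP/REJECT rules and interface matches are ignored.
    """
    peer_ip = ipaddress.ip_address(peer)
    rules = parse_rules(listing)
    report = {}
    for key in REQUIRED:
        nets = rules.get(key)
        if not nets:
            report[key] = "missing"          # no ACCEPT rule for this port
        elif any(peer_ip in n for n in nets):
            report[key] = "open"             # a rule admits the peer
        else:
            report[key] = "restricted"       # rules exist, none cover the peer
    return report

if __name__ == "__main__":
    for (proto, port), status in audit(REPLICA_RULES, "192.0.2.10").items():
        print(f"{proto}/{port}: {status}")
```

Run against the constructed replica rules, this flags tcp/88 as restricted to another source and tcp/464 as missing, the kind of one-directional gap the first half of the check cannot reveal.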



