[Freeipa-users] FreeIPA 2.1.3 Replication Install Failure

JR Aquino JR.Aquino at citrix.com
Thu Nov 10 00:11:41 UTC 2011


Upon a FreeIPA Replica install, I am failing at:
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range

Per an IRC session with Rich, it looks like ldap/authdev1.qai.example.com@EXAMPLE.COM is not being created at all... So when the replica slave goes to search for it, it yields an empty list and throws the Python exception...

Does anyone know how and when that principal should be getting created/inserted?

The /var/log/ipareplica-install.log:

<snipit>
2011-11-17 12:50:14,708 DEBUG stderr=ldap_initialize( ldap://authdev1.qai.example.com )

2011-11-17 12:50:14,708 DEBUG   duration: 0 seconds
2011-11-17 12:50:14,708 DEBUG   [7/9]: enable GSSAPI for replication
2011-11-17 12:50:14,746 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-11-17 12:50:15,756 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-11-17 12:50:16,787 INFO Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionSystem error: start: 0: end: 0
2011-11-17 12:50:16,791 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-11-17 12:50:17,802 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-11-17 12:50:18,816 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20111110000049Z: end: 20111110000049Z
2011-11-17 12:50:18,865 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 483, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 444, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/sbin/ipa-replica-install", line 156, in install_krb
    setup_pkinit, pkcs12_info)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 212, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 553, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 798, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 532, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 525, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]


The Master server dirsrv access log:
[09/Nov/2011:15:39:44 -0800] conn=28 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
[09/Nov/2011:15:39:44 -0800] conn=28 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:39:44 -0800] conn=28 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:39:44 -0800] conn=28 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:39:44 -0800] conn=28 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:39:44 -0800] conn=28 op=4 EXT oid="2.16.840.1.113730.3.5.12"
[09/Nov/2011:15:39:44 -0800] conn=28 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:00 -0800] conn=29 fd=76 slot=76 SSL connection from 10.230.6.100 to 10.230.6.96
[09/Nov/2011:15:40:00 -0800] conn=29 SSL 256-bit AES
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[09/Nov/2011:15:40:00 -0800] conn=29 op=1 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
[09/Nov/2011:15:40:00 -0800] conn=29 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:01 -0800] conn=28 op=5 UNBIND
[09/Nov/2011:15:40:01 -0800] conn=28 op=5 fd=75 closed - U1
[09/Nov/2011:15:40:01 -0800] conn=30 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
[09/Nov/2011:15:40:01 -0800] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Nov/2011:15:40:01 -0800] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:01 -0800] conn=30 SSL 256-bit AES
[09/Nov/2011:15:40:01 -0800] conn=30 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
[09/Nov/2011:15:40:01 -0800] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
[09/Nov/2011:15:40:01 -0800] conn=30 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:01 -0800] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:01 -0800] conn=30 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:01 -0800] conn=30 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:01 -0800] conn=30 op=4 EXT oid="2.16.840.1.113730.3.5.12"
[09/Nov/2011:15:40:01 -0800] conn=30 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 SRCH base="cn=config" scope=2 filter="(&(nsDS5ReplicaHost=authdev1.qai.example.com)(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement)))" attrs=ALL
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:02 -0800] conn=29 op=3 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[09/Nov/2011:15:40:02 -0800] conn=29 op=3 RESULT err=0 tag=103 nentries=0 etime=0
[09/Nov/2011:15:40:03 -0800] conn=29 op=4 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[09/Nov/2011:15:40:03 -0800] conn=29 op=4 RESULT err=0 tag=103 nentries=0 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=5 SRCH base="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="cn nsds5replicaUpdateInProgress nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd"
[09/Nov/2011:15:40:04 -0800] conn=29 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com@example.COM)" attrs=ALL
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND
[09/Nov/2011:15:40:04 -0800] conn=29 op=7 fd=76 closed - U1
[09/Nov/2011:15:40:08 -0800] conn=30 op=5 UNBIND
[09/Nov/2011:15:40:08 -0800] conn=30 op=5 fd=75 closed - U1
[09/Nov/2011:15:40:08 -0800] conn=31 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
[09/Nov/2011:15:40:08 -0800] conn=31 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Nov/2011:15:40:08 -0800] conn=31 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2011:15:40:08 -0800] conn=31 SSL 256-bit AES
[09/Nov/2011:15:40:08 -0800] conn=31 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
[09/Nov/2011:15:40:08 -0800] conn=31 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
[09/Nov/2011:15:40:08 -0800] conn=31 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:08 -0800] conn=31 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:08 -0800] conn=31 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[09/Nov/2011:15:40:08 -0800] conn=31 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:08 -0800] conn=31 op=4 EXT oid="2.16.840.1.113730.3.5.12"
[09/Nov/2011:15:40:08 -0800] conn=31 op=4 RESULT err=0 tag=120 nentries=0 etime=0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com
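
The zero-result principal lookup in the master's access log above (conn=29 op=6) can be found mechanically by pairing each SRCH with its RESULT on the same conn/op. This is an added example, not part of the original post and not FreeIPA code; `missing_principals` is a hypothetical helper and the sample lines are constructed in the same log format.

```python
import re

# Constructed sample in the dirsrv access-log format quoted in the post
# (abridged; the principal and conn/op numbers mirror the post).
SAMPLE_LOG = """\
[09/Nov/2011:15:40:00 -0800] conn=29 SSL 256-bit AES
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 SRCH base="cn=config" scope=2 filter="(nsDS5ReplicaHost=authdev1.qai.example.com)" attrs=ALL
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com@EXAMPLE.COM)" attrs=ALL
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<verb>[A-Z]+)(?P<rest>.*)$')
FILTER_RE = re.compile(r'filter="(?P<filter>[^"]*)"')
PRINC_RE = re.compile(r'\(krbPrincipalName=(?P<princ>[^)]+)\)', re.IGNORECASE)
NENTRIES_RE = re.compile(r'\bnentries=(\d+)')
ERR_RE = re.compile(r'\berr=(\d+)')

def missing_principals(log_text):
    """Return (timestamp, conn, op, principal) for every krbPrincipalName
    search that completed with err=0 but matched no entries."""
    pending = {}   # (conn, op) -> (timestamp, principal), awaiting RESULT
    missing = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection banners ("SSL 256-bit AES") carry no op=
        key = (int(m['conn']), int(m['op']))
        if m['verb'] == 'SRCH':
            f = FILTER_RE.search(m['rest'])
            p = PRINC_RE.search(f['filter']) if f else None
            if p:
                pending[key] = (m['ts'], p['princ'])
        elif m['verb'] == 'RESULT' and key in pending:
            ts, princ = pending.pop(key)
            n = NENTRIES_RE.search(m['rest'])
            err = ERR_RE.search(m['rest'])
            # err=0 with nentries=0: the search worked, the entry is absent
            if n and err and int(err[1]) == 0 and int(n[1]) == 0:
                missing.append((ts, key[0], key[1], princ))
    return missing

if __name__ == "__main__":
    for ts, conn, op, princ in missing_principals(SAMPLE_LOG):
        print(f"{ts} conn={conn} op={op}: no entry for {princ}")
```
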

