[Freeipa-users] FreeIPA 2.1.3 Replication Install Failure

Rich Megginson rmeggins at redhat.com
Thu Nov 10 00:27:12 UTC 2011


On 11/09/2011 05:11 PM, JR Aquino wrote:
> Upon a FreeIPA Replica install, I am failing at:
> Configuring Kerberos KDC: Estimated time 30 seconds
>    [1/9]: adding sasl mappings to the directory
>    [2/9]: writing stash file from DS
>    [3/9]: configuring KDC
>    [4/9]: creating a keytab for the directory
>    [5/9]: creating a keytab for the machine
>    [6/9]: adding the password extension to the directory
>    [7/9]: enable GSSAPI for replication
> creation of replica failed: list index out of range
>
> Per an IRC session with Rich, it looks like ldap/authdev1.qai.example.com@EXAMPLE.COM is not being created at all... So when the replica slave goes to search for it, it yields an empty list and throws the python exception...
>
> Does anyone know how and when that principal should be getting created/inserted?
>
> The /var/log/ipareplica-install.log:
>
> <snipit>
> 2011-11-17 12:50:14,708 DEBUG stderr=ldap_initialize( ldap://authdev1.qai.example.com )
>
> 2011-11-17 12:50:14,708 DEBUG   duration: 0 seconds
> 2011-11-17 12:50:14,708 DEBUG   [7/9]: enable GSSAPI for replication
> 2011-11-17 12:50:14,746 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
> 2011-11-17 12:50:15,756 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
> 2011-11-17 12:50:16,787 INFO Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionSystem error: start: 0: end: 0
> 2011-11-17 12:50:16,791 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
> 2011-11-17 12:50:17,802 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
> 2011-11-17 12:50:18,816 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20111110000049Z: end: 20111110000049Z
> 2011-11-17 12:50:18,865 DEBUG list index out of range
>    File "/usr/sbin/ipa-replica-install", line 483, in <module>
>      main()
>    File "/usr/sbin/ipa-replica-install", line 444, in main
>      install_krb(config, setup_pkinit=options.setup_pkinit)
>    File "/usr/sbin/ipa-replica-install", line 156, in install_krb
>      setup_pkinit, pkcs12_info)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 212, in create_replica
>      self.start_creation("Configuring Kerberos KDC", 30)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>      method()
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 553, in __convert_to_gssapi_replication
>      r_bindpw=self.dm_password)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 798, in convert_to_gssapi_replication
>      self.gssapi_update_agreements(self.conn, r_conn)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 532, in gssapi_update_agreements
>      self.setup_krb_princs_as_replica_binddns(a, b)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 525, in setup_krb_princs_as_replica_binddns
>      mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
One problem is at this point in the code, a_pn is [] - so the check for 
a_pn is None fails.  I think the error checking here needs to be improved.

But the real problem is that this search fails (from the master server
dirsrv access log below):
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com@example.COM)" attrs=ALL
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0

note - nentries=0 means not found.

Who adds this entry?

>
> The Master server dirsrv access log:
> [09/Nov/2011:15:39:44 -0800] conn=28 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:39:44 -0800] conn=28 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:39:44 -0800] conn=28 op=4 EXT oid="2.16.840.1.113730.3.5.12"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:00 -0800] conn=29 fd=76 slot=76 SSL connection from 10.230.6.100 to 10.230.6.96
> [09/Nov/2011:15:40:00 -0800] conn=29 SSL 256-bit AES
> [09/Nov/2011:15:40:00 -0800] conn=29 op=0 BIND dn="cn=Directory Manager" method=128 version=3
> [09/Nov/2011:15:40:00 -0800] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [09/Nov/2011:15:40:00 -0800] conn=29 op=1 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
> [09/Nov/2011:15:40:00 -0800] conn=29 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=28 op=5 UNBIND
> [09/Nov/2011:15:40:01 -0800] conn=28 op=5 fd=75 closed - U1
> [09/Nov/2011:15:40:01 -0800] conn=30 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
> [09/Nov/2011:15:40:01 -0800] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=30 SSL 256-bit AES
> [09/Nov/2011:15:40:01 -0800] conn=30 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
> [09/Nov/2011:15:40:01 -0800] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=30 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=30 op=4 EXT oid="2.16.840.1.113730.3.5.12"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:02 -0800] conn=29 op=2 SRCH base="cn=config" scope=2 filter="(&(nsDS5ReplicaHost=authdev1.qai.example.com)(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement)))" attrs=ALL
> [09/Nov/2011:15:40:02 -0800] conn=29 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:02 -0800] conn=29 op=3 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
> [09/Nov/2011:15:40:02 -0800] conn=29 op=3 RESULT err=0 tag=103 nentries=0 etime=0
> [09/Nov/2011:15:40:03 -0800] conn=29 op=4 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
> [09/Nov/2011:15:40:03 -0800] conn=29 op=4 RESULT err=0 tag=103 nentries=0 etime=0
> [09/Nov/2011:15:40:04 -0800] conn=29 op=5 SRCH base="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="cn nsds5replicaUpdateInProgress nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd"
> [09/Nov/2011:15:40:04 -0800] conn=29 op=5 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com@example.COM)" attrs=ALL
> [09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0
> [09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND
> [09/Nov/2011:15:40:04 -0800] conn=29 op=7 fd=76 closed - U1
> [09/Nov/2011:15:40:08 -0800] conn=30 op=5 UNBIND
> [09/Nov/2011:15:40:08 -0800] conn=30 op=5 fd=75 closed - U1
> [09/Nov/2011:15:40:08 -0800] conn=31 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
> [09/Nov/2011:15:40:08 -0800] conn=31 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:08 -0800] conn=31 SSL 256-bit AES
> [09/Nov/2011:15:40:08 -0800] conn=31 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
> [09/Nov/2011:15:40:08 -0800] conn=31 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:08 -0800] conn=31 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:08 -0800] conn=31 op=4 EXT oid="2.16.840.1.113730.3.5.12"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> jr.aquino at citrixonline.com
> http://www.citrixonline.com

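The diagnostic Rich walks through above has two parts: pairing a SRCH with its RESULT in the 389-ds access log to see that the krbPrincipalName lookup came back with nentries=0, and noticing that the installer's `a_pn is None` check does not catch an empty list before `a_pn[0].dn` is indexed. The block below is an added example, not code from the thread or from FreeIPA, that does both: it parses access-log lines (a constructed excerpt in the same format as the one quoted in the thread) and flags zero-result principal searches, and it shows the defensive form of the bind-DN modification that fails closed with a clear message instead of an IndexError. `MOD_ADD = 0` is assumed to mirror python-ldap's `ldap.MOD_ADD` so the block runs without python-ldap installed; `Entry` is a stand-in for whatever search-result object FreeIPA's wrapper returns.

```python
import re
from collections import namedtuple

# Constructed sample in 389-ds access-log format (mirrors the anonymised
# hostnames and realm from the thread; not the thread's log verbatim).
SAMPLE_LOG = """\
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[09/Nov/2011:15:40:04 -0800] conn=29 op=5 SRCH base="cn=meToauthdev1.qai.example.com,cn=replica,cn=config" scope=0 filter="(objectClass=*)" attrs="cn"
[09/Nov/2011:15:40:04 -0800] conn=29 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com@example.COM)" attrs=ALL
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)')


def find_empty_searches(log_text, filter_substring="krbPrincipalName="):
    """Pair each SRCH with its RESULT on (conn, op) and return the searches whose
    filter contains filter_substring but which succeeded (err=0) with nentries=0.
    In the access log, err=0 with nentries=0 is 'not found', not an error."""
    pending = {}
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            srch = pending.pop((conn, op), None)
            if srch is None:          # RESULT for a BIND/MOD/EXT, not a search
                continue
            srch["err"] = int(err)
            srch["nentries"] = int(nentries)
            if filter_substring in srch["filter"] and srch["err"] == 0 and srch["nentries"] == 0:
                hits.append(srch)
    return hits


# Assumed stand-ins: python-ldap's ldap.MOD_ADD is 0; Entry mimics a search result with a .dn
MOD_ADD = 0
Entry = namedtuple("Entry", ["dn"])


class PrincipalNotFound(Exception):
    """Raised instead of letting an empty result list turn into an IndexError."""


def replica_binddn_mod(a_pn, principal):
    """Build the nsds5replicabinddn MOD_ADD for the first entry in a_pn.
    'if not a_pn' catches both None and [], which 'a_pn is None' does not."""
    if not a_pn:
        raise PrincipalNotFound(
            "no entry with krbPrincipalName=%s; the ldap/ service principal "
            "was never created on the master" % principal
        )
    return [(MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]


if __name__ == "__main__":
    for h in find_empty_searches(SAMPLE_LOG):
        print("zero-result search: base=%s filter=%s" % (h["base"], h["filter"]))
    try:
        replica_binddn_mod([], "ldap/authdev1.qai.example.com@example.COM")
    except PrincipalNotFound as e:
        print("refused:", e)
```

Run against a real access log the same way (`find_empty_searches(open(path).read())`); a SRCH on the domain base with a krbPrincipalName filter that returns err=0 and nentries=0 is the symptom the thread is chasing, and it is worth checking on the master before the replica's GSSAPI conversion step runs.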