[Freeipa-users] Replica creation problem - IPv6?

Dimitris Tsompanidis dimitris.tsompanidis at comeon.com
Thu Mar 15 13:36:51 UTC 2012


Hi all,

I'm trying to set up a FreeIPA replica on a new Fedora 16 VM.
The process fails when ipa-replica-install starts checking for 
connectivity from the master server side towards the new replica.

    # ipa-replica-install -N
    /var/lib/ipa/replica-info-ldaps01.example.com.gpg
    [... lines of output ...]
    Execute check on remote master

    Remote master check failed with following error message(s):

    Connection check failed!
    Please fix your network settings according to error messages above.
    If the check results are not valid it can be skipped with
    --skip-conncheck parameter.


Running the connectivity check on its own from the server gives me the 
following output:

    Check connection from master to remote replica 'ldaps01.example.com':
        Directory Service: Unsecure port (389): FAILED
        Directory Service: Secure port (636): FAILED
        Kerberos KDC: TCP (88): FAILED
        Kerberos KDC: UDP (88): OK
        Kerberos Kpasswd: TCP (464): FAILED
        Kerberos Kpasswd: UDP (464): OK
        HTTP Server: Unsecure port (80): FAILED
        HTTP Server: Secure port (443): FAILED
    Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443


To actually see what's going on, I run 'netstat -tuan' to see what ports 
are open while ipa-replica-install waits for me to type my admin 
password (just before the remote master check):

    [root@ldaps01 ~]# netstat -tuan
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
    tcp        0      0 192.168.98.10:22            192.168.10.128:12548        ESTABLISHED
    tcp        0     48 192.168.98.10:22            192.168.10.128:12597        ESTABLISHED
    tcp        0      0 :::80                       :::*                        LISTEN
    tcp        0      0 :::464                      :::*                        LISTEN
    tcp        0      0 :::88                       :::*                        LISTEN
    tcp        0      0 :::443                      :::*                        LISTEN
    tcp        0      0 :::636                      :::*                        LISTEN
    tcp        0      0 :::389                      :::*                        LISTEN
    udp        0      0 192.168.98.10:123           0.0.0.0:*
    udp        0      0 127.0.0.1:123               0.0.0.0:*
    udp        0      0 0.0.0.0:123                 0.0.0.0:*
    udp        0      0 :::464                      :::*
    udp        0      0 :::88                       :::*
    udp        0      0 :::123                      :::*

It seems that the replica procedure automatically binds to IPv6 
addresses (although I've disabled IPv6 on eth0 and on loopback, and removed 
IPv6 entries from /etc/hosts and /etc/resolv.conf).

NTP listens on both IPv4 and IPv6 localhost, but that's because I chose 
to handle it as a separate service on its own.

FreeIPA server is 2.1.4-5 on both ldap (master) and ldaps01 (slave).

Regards,
Dimitris

-- 
Dimitris Tsompanidis
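
Added example, not part of the original post: it cross-checks the ports the conncheck reported as FAILED against the listening sockets in the netstat output, using rows copied from the post as constructed sample input. A listener on `::` is bound to the IPv6 wildcard address, which on Linux also accepts IPv4 connections unless IPV6_V6ONLY is set on the socket. The function names are this example's own.

```python
import re
# Constructed sample input: result lines and netstat rows copied from the post above.
CONNCHECK = """\
Directory Service: Unsecure port (389): FAILED
Directory Service: Secure port (636): FAILED
Kerberos KDC: TCP (88): FAILED
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): FAILED
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): FAILED
HTTP Server: Secure port (443): FAILED
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.98.10:22 192.168.10.128:12548 ESTABLISHED
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::464 :::* LISTEN
tcp 0 0 :::88 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN
tcp 0 0 :::389 :::* LISTEN
udp 0 0 :::464 :::*
udp 0 0 :::88 :::*
"""

def failed_checks(text):
    """Return (proto, port) for each conncheck line ending in FAILED."""
    hits = [(l, re.search(r"\((\d+)\): FAILED\s*$", l)) for l in text.splitlines()]
    return [("udp" if "UDP" in l else "tcp", int(m.group(1))) for l, m in hits if m]

def listeners(text):
    """Map (proto, port) -> local addresses for TCP LISTEN and unconnected UDP rows."""
    table = {}
    for row in (l.split() for l in text.splitlines()):
        listening = row[:1] == ["tcp"] and row[-1] == "LISTEN"
        unconnected = row[:1] == ["udp"] and len(row) >= 5 and row[4].endswith(":*")
        if listening or unconnected:
            addr, port = row[3].rsplit(":", 1)  # ":::80" splits into "::" and "80"
            table.setdefault((row[0], int(port)), []).append(addr)
    return table

def diagnose(conncheck, netstat):
    """For each FAILED check, list the addresses listening on that port ([] = none)."""
    bound = listeners(netstat)
    return {key: bound.get(key, []) for key in failed_checks(conncheck)}

if __name__ == "__main__":
    for (proto, port), addrs in diagnose(CONNCHECK, NETSTAT).items():
        print(f"{proto}/{port}: " + (", ".join(addrs) or "no listener"))
```

An empty list for a port means nothing on the replica was listening there; `::` means a wildcard listener exists and the failure has to be looked for elsewhere on the path.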
