[Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) matthew.joseph at lmco.com
Wed Apr 10 14:13:30 UTC 2013


Hey Rob,

Here is the output from certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/

Server:
Server-Cert	u,u,u

Client:
Server-Cert	u,u,u

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Wednesday, April 10, 2013 11:01 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on the replica vs the existing master.

The error is related to SSL trust.

rob

>
>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, April 10, 2013 10:47 AM
> To: Joseph, Matthew (EXP); Nathan Kinder
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Joseph, Matthew (EXP) wrote:
>> Hey,
>>
>> I'm still trying to figure out this error but I am getting nothing.
>>
>> Anyone have any suggestions or ideas on why this is failing?
>
> Is there a chance you're using a replica file prepared from a different IPA installation? I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.
>
> rob
>
>>
>> Matt
>>
>> *From:*freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph, 
>> Matthew
>> (EXP)
>> *Sent:* Monday, April 08, 2013 12:30 PM
>> *To:* Nathan Kinder
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install 
>> errors
>>
>> Hey,
>>
>>
>> Yup, the client side says the following;
>>
>> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that 
>> issued your certificate.
>>
>> Matt
>>
>> *From:*Nathan Kinder [mailto:nkinder at redhat.com]
>> *Sent:* Monday, April 08, 2013 12:28 PM
>> *To:* Joseph, Matthew (EXP)
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install 
>> errors
>>
>> On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
>>
>>      Hey,
>>
>>      So on the IPA server under the access logs I am getting the
>>      following error.
>>
>>      Error: could not send startTLS request: Error -11 (connect error)
>>      errno 0 (success)
>>
>>      Any ideas?
>>
>> Does the access log on the receiving side show a connection attempt 
>> from the master at the same time?  The access log will be located at 
>> /var/log/dirsrv/slapd-<DOMAIN>/access.
>>
>> -NGK
>>
>> Matt
>>
>> *From:*Nathan Kinder [mailto:nkinder at redhat.com]
>> *Sent:* Thursday, April 04, 2013 6:00 PM
>> *To:* Joseph, Matthew (EXP)
>> *Cc:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
>> *Subject:* EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>>
>> On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
>>
>>      Hello,
>>
>>      I'm trying to setup a replica server with ipa-2.2.0-16 on both the
>>      Server and the Replica Server.
>>
>>      Here are the steps I ran (From the Red Hat 6.3 IdM Administration
>>      Guide);
>>
>>      ------------------------
>>
>>      *IPA_Server:*
>>
>>      ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
>>
>>      scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@
>>      ipareplica:/var/lib/ipa/
>>
>>      *IPA_Replica:*
>>
>>      ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
>>
>>      ------------------------------
>>
>>      Below is the error I am getting when running ipa-replica-install;
>>
>>      Directory Manager (existing master) password:
>>
>>      Run connection check to master
>>
>>      Check connection from replica to remote master 'IPA_Server.domain.ca':
>>
>>          Directory Service: Unsecure port (389): OK
>>
>>          Directory Service: Secure port (636): OK
>>
>>          Kerberos KDC: TCP (88): OK
>>
>>          Kerberos Kpasswd: TCP (464): OK
>>
>>          HTTP Server: Unsecure port (80): OK
>>
>>          HTTP Server: Secure port (443): OK
>>
>>          PKI-CA: Directory Service port (7389): OK
>>
>>      The following list of ports use UDP protocol and would need to be checked manually:
>>
>>          Kerberos KDC: UDP (88): SKIPPED
>>
>>          Kerberos Kpasswd: UDP (464): SKIPPED
>>
>>      Connection from replica to master is OK.
>>
>>      Start listening on required ports for remote master check
>>
>>      Get credentials to log in to remote master
>>
>>      admin at domain.ca <mailto:admin at domain.ca> password:
>>
>>      Execute check on remote master
>>
>>      Check connection from master to remote replica 'IPA_Replica.domain.ca':
>>
>>          Directory Service: Unsecure port (389): OK
>>
>>          Directory Service: Secure port (636): OK
>>
>>          Kerberos KDC: TCP (88): OK
>>
>>          Kerberos KDC: UDP (88): OK
>>
>>          Kerberos Kpasswd: TCP (464): OK
>>
>>          Kerberos Kpasswd: UDP (464): OK
>>
>>          HTTP Server: Unsecure port (80): OK
>>
>>          HTTP Server: Secure port (443): OK
>>
>>          PKI-CA: Directory Service port (7389): OK
>>
>>      Connection from master to replica is OK.
>>
>>      Connection check OK
>>
>>      Configuring ntpd
>>
>>         [1/4]: stopping ntpd
>>
>>         [2/4]: writing configuration
>>
>>         [3/4]: configuring ntpd to start on boot
>>
>>         [4/4]: starting ntpd
>>
>>      done configuring ntpd.
>>
>>      Configuring directory server for the CA: Estimated time 30 seconds
>>
>>         [1/3]: creating directory server user
>>
>>         [2/3]: creating directory server instance
>>
>>         [3/3]: restarting directory server
>>
>>      done configuring pkids.
>>
>>      Configuring certificate server: Estimated time 3 minutes 30 seconds
>>
>>         [1/13]: creating certificate server user
>>
>>         [2/13]: creating pki-ca instance
>>
>>         [3/13]: configuring certificate server instance
>>
>>         [4/13]: disabling nonces
>>
>>         [5/13]: creating RA agent certificate database
>>
>>         [6/13]: importing CA chain to RA certificate database
>>
>>         [7/13]: fixing RA database permissions
>>
>>         [8/13]: setting up signing cert profile
>>
>>         [9/13]: set up CRL publishing
>>
>>         [10/13]: set certificate subject base
>>
>>         [11/13]: enabling Subject Key Identifier
>>
>>         [12/13]: configuring certificate server to start on boot
>>
>>         [13/13]: Configure HTTP to proxy connections
>>
>>      done configuring pki-cad.
>>
>>      Restarting the directory and certificate servers
>>
>>      Configuring directory server: Estimated time 1 minute
>>
>>         [1/30]: creating directory server user
>>
>>         [2/30]: creating directory server instance
>>
>>         [3/30]: adding default schema
>>
>>         [4/30]: enabling memberof plugin
>>
>>         [5/30]: enabling referential integrity plugin
>>
>>         [6/30]: enabling winsync plugin
>>
>>         [7/30]: configuring replication version plugin
>>
>>         [8/30]: enabling IPA enrollment plugin
>>
>>         [9/30]: enabling ldapi
>>
>>         [10/30]: configuring uniqueness plugin
>>
>>         [11/30]: configuring uuid plugin
>>
>>         [12/30]: configuring modrdn plugin
>>
>>         [13/30]: enabling entryUSN plugin
>>
>>         [14/30]: configuring lockout plugin
>>
>>         [15/30]: creating indices
>>
>>         [16/30]: configuring ssl for ds instance
>>
>>         [17/30]: configuring certmap.conf
>>
>>         [18/30]: configure autobind for root
>>
>>         [19/30]: configure new location for managed entries
>>
>>         [20/30]: restarting directory server
>>
>>         [21/30]: setting up initial replication
>>
>>      Starting replication, please wait until this has completed.
>>
>>      [IPA_Server.domain.ca] reports: Update failed! Status: [-11  -
>>      System error]
>>
>>      creation of replica failed: Failed to start replication
>>
>>      Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the
>>      following error;
>>
>>      NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca"
>>      (ipa_server:389): Replica has a different generation ID than the
>>      local data.
>>
>> This is probably just fallout from the replica initialization failure.
>> If a replica is never initialized, it will get a generation ID 
>> mismatch error when the master contacts it.
>>
>> Any thoughts or ideas on this issue? Searching google I don't see 
>> anyone getting the Status:-11 - System Error.
>>
>> There was a bug in 389-ds-base that was fixed a while back where 
>> negative LDAP error codes were all printed as "System Error".  The 
>> -11 is a connection error.  Here is how it is defined in /usr/include/ldap.h:
>>
>>       #define LDAP_CONNECT_ERROR                              (-11)
>>
>> It sounds like this connection error is occurring when it tries to 
>> initialize the replica.  It might help to enable replication level 
>> logging on the master, then trying to run ipa-replica-install again.
>> The errors in the 389 DS errors log might point to the problem.  To 
>> enable replication level logging, you can perform the following 
>> operation with ldapmodify as "cn=Directory Manager":
>>
>> ------------------------------------------
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 8192
>> ------------------------------------------
>>
>> When you are finished debugging the issue, don't forget to change the 
>> log level back to "0".
>>
>> -NGK
>>
>> Thanks,
>>
>> Matt
>>
>>
>>
>>
>> _______________________________________________
>>
>> Freeipa-users mailing list
>>
>> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
>>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
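As an added example (not code from this thread or from FreeIPA), a small Python checker for the comparison Rob suggests: it parses certutil -L output from the master and the replica and flags a database that has no CA carrying the 'C' SSL trust flag, which is what leaves the peer unable to recognize and trust the CA that issued the other side's Server-Cert. Both listings and the CA nickname 'EXAMPLE.COM IPA CA' are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# A data row of "certutil -L": nickname, whitespace, then SSL,S/MIME,JAR/XPI trust flags.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_certutil_list(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each nickname in certutil -L output to its (SSL, S/MIME, JAR/XPI) flags."""
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:  # header lines carry no "x,y,z" flag string and are skipped
            ssl, smime, jar = m.group("trust").split(",")
            certs[m.group("nick")] = (ssl, smime, jar)
    return certs

def ssl_trusted_cas(certs: Dict[str, Tuple[str, str, str]]) -> List[str]:
    """Nicknames whose SSL field carries 'C': CAs trusted to issue server certs."""
    return sorted(nick for nick, (ssl, _, _) in certs.items() if "C" in ssl)

def diagnose_replica_db(master_listing: str, replica_listing: str) -> List[str]:
    """Findings that would explain 'peer does not recognize and trust the CA'."""
    master = parse_certutil_list(master_listing)
    replica = parse_certutil_list(replica_listing)
    findings: List[str] = []
    if not ssl_trusted_cas(replica):
        findings.append("replica: no certificate carries the 'C' SSL trust flag, "
                        "so the master's Server-Cert cannot be validated")
    for nick in ssl_trusted_cas(master):
        if nick not in replica:
            findings.append(f"replica: trusted CA '{nick}' from the master is absent")
    if not any("u" in ssl for ssl, _, _ in replica.values()):
        findings.append("replica: no certificate with a private key ('u') for SSL")
    return findings

# Constructed sample listings (not captured from the hosts in the thread).
MASTER_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,,
Server-Cert                                                  u,u,u
"""
REPLICA_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
"""
```

Run diagnose_replica_db() on the two listings to get the findings; a healthy database compared with itself returns an empty list.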
