[Freeipa-users] CA replication
Tamas Papp
tompos at martos.bme.hu
Mon Dec 30 17:28:28 UTC 2013
Hi all,
I'm trying to replicate the CA server:
$ ipa-replica-install -p XXXXXXX --setup-ca -d --mkhomedir replica-info-ipa11.bpo.cxn.gpg
Without --setup-ca it works correctly.
The output of the above command:
[...]
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-enabled dirsrv.target
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=disabled
ipa : DEBUG stderr=
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl disable dirsrv.target
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG duration: 0 seconds
ipa : DEBUG Done configuring directory server (dirsrv).
Done configuring directory server (dirsrv).
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
ipa : DEBUG [1/19]: creating certificate server user
[1/19]: creating certificate server user
ipa : DEBUG ca user pkiuser exists
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [2/19]: configuring certificate server instance
[2/19]: configuring certificate server instance
ipa : DEBUG Contents of pkispawn configuration file (/tmp/tmpoRxk1S):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-XPC2YR
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root at localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=CXN
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=CXN
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=CXN
pki_ssl_server_subject_dn = cn=ipa11.bpo.cxn,O=CXN
pki_audit_signing_subject_dn = cn=CA Audit,O=CXN
pki_ca_signing_subject_dn = cn=Certificate Authority,O=CXN
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_security_domain_hostname = ipa12.bpo.cxn
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ipa12.bpo.cxn:443
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpoRxk1S
And it waits here forever, without even a timeout.
The strace output of pkispawn shows it's trying to get data from the local LDAP service:
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=281, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f46307e2000
read(4, "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4\n::1 localhost localhost.localdomain localhost6 localhost6.localdomain6\n\n10.0.0.73\tipa12.bpo.cxn ipa12\n10.128.0.5\tipa31.bph.cxn ipa31\n10.128.0.6\tipa32.bph.cxn ipa32\n10.0.0.12\tipa11.bpo.cxn ipa11\n", 4096) = 281
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7f46307e2000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.0.0.12")}, 16) = 0
write(4, "0%\2\1\1c \4\0\n\1\0\n\1\0\2\1\0\2\1\0\1\1\0\207\vobjectClass0\0", 39) = 39
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 4294967295
If I run ldapsearch -x -h ipa11, then indeed, I can see the same behaviour.
strace output of ns-slapd:
[pid 2028] accept(6, {sa_family=AF_INET6, sin6_port=htons(59587), inet_pton(AF_INET6, "::ffff:10.0.0.12", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 24
[pid 2028] fcntl(24, F_GETFL) = 0x2 (flags O_RDWR)
[pid 2028] fcntl(24, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 2028] fcntl(24, F_DUPFD, 64) = 109
[pid 2028] close(24) = 0
[pid 2028] setsockopt(109, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
[pid 2028] setsockopt(109, SOL_TCP, TCP_NODELAY, [0], 4) = 0
[pid 2028] getsockname(109, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::ffff:10.0.0.12", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
[pid 2028] poll([{fd=28, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=109, events=POLLIN}, {fd=64, events=POLLIN}, {fd=66, events=POLLIN}, {fd=65, events=POLLIN}], 8, 250) = 1 ([{fd=109, revents=POLLIN}])
[pid 2028] poll([{fd=28, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=64, events=POLLIN}, {fd=66, events=POLLIN}, {fd=65, events=POLLIN}], 7, 250 <unfinished ...>
[pid 2030] <... select resumed> ) = 0 (Timeout)
(Yes, it is IPv6)
Both servers are KVMs, the source is F19, destination is F20.
What am I missing?
Thanks,
tamas
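A diagnostic added here as an illustration, not part of the original post and not FreeIPA or Dogtag code: it decodes the 39-byte LDAP message that pkispawn writes in the strace above, showing that it is a plain rootDSE probe (base "", scope base, filter (objectClass=*)), shows that the poll() timeout 4294967295 is -1 (wait forever), and re-sends the same probe against a directory server with a bounded timeout so a wedged ns-slapd produces a clear "no reply" instead of an indefinite hang. The bytes are reconstructed from the write() call; the one assumption is that the wrapped mail line dropped the 0x20 length byte after 'c', which the 39-byte total confirms. The silent server in the block is a constructed stand-in for a directory server that accepts the connection but never answers.

```python
import socket
import struct
import threading

# Constructed from the write() call in the strace above; the 0x20 length byte
# after 'c' is assumed (lost to line wrapping), and makes the total 39 bytes.
PKISPAWN_SEARCH = (
    b"0%\x02\x01\x01c \x04\x00\n\x01\x00\n\x01\x00\x02\x01\x00"
    b"\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00"
)


def poll_timeout_is_infinite(value):
    """strace prints poll()'s int timeout as unsigned; 4294967295 is really -1."""
    return struct.unpack("<i", struct.pack("<I", value))[0] == -1


def _tlv(buf, pos):
    """Read one BER TLV with a short-form length (all this message uses)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_search_request(msg):
    """Decode an LDAPMessage carrying a SearchRequest (RFC 4511, section 4.5.1)."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, req, _ = _tlv(body, pos)
    if tag != 0x63:                       # [APPLICATION 3] = SearchRequest
        raise ValueError("not a SearchRequest")
    fields, pos = [], 0
    while pos < len(req):
        tag, val, pos = _tlv(req, pos)
        fields.append((tag, val))
    base, scope, _deref, _size, _time, _types, filt, attrs = fields
    attributes, pos = [], 0
    while pos < len(attrs[1]):            # SEQUENCE OF LDAPString
        _tag, name, pos = _tlv(attrs[1], pos)
        attributes.append(name.decode())
    return {
        "message_id": int.from_bytes(mid, "big"),
        "base_dn": base[1].decode(),
        "scope": ("base", "one", "sub")[scope[1][0]],
        # 0x87 is the context tag for a 'present' filter, i.e. (objectClass=*)
        "filter": ("present", filt[1].decode()) if filt[0] == 0x87 else ("other", filt[0]),
        "attributes": attributes,         # empty list = all user attributes
    }


def probe_ldap(host, port, timeout=5.0, request=PKISPAWN_SEARCH):
    """Send the same rootDSE probe but give up after `timeout` seconds.
    Returns ('reply', bytes), ('closed', None), ('timeout', None) or ('refused', None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(4096)
            return ("reply", data) if data else ("closed", None)
    except socket.timeout:
        return ("timeout", None)
    except ConnectionRefusedError:
        return ("refused", None)


def start_silent_server():
    """Constructed stand-in for a wedged directory server: accepts the TCP
    connection and reads the request but never answers. Returns (port, close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    conns = []

    def serve():
        try:
            conn, _ = srv.accept()
            conns.append(conn)
            conn.recv(4096)               # swallow the SearchRequest, say nothing
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()

    def close():
        srv.close()
        for conn in conns:
            conn.close()

    return srv.getsockname()[1], close


if __name__ == "__main__":
    print(decode_search_request(PKISPAWN_SEARCH))
    port, close = start_silent_server()
    print(probe_ldap("127.0.0.1", port, timeout=1.0))   # the hang, bounded
    close()
```

Against a real replica, `probe_ldap("ipa11.bpo.cxn", 389, timeout=5)` returning `('timeout', None)` reproduces what the strace shows (TCP accepted, request read, no SearchResultDone ever written), and distinguishes that from a refused or closed connection; a healthy ns-slapd answers the rootDSE probe within milliseconds.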