[Freeipa-users] ipa replica install fails
Rajnesh Kumar Siwal
rajnesh.siwal at gmail.com
Tue Feb 5 14:15:27 UTC 2013
Hi Rob,
Thanks for the quick reply.
I tried logging iptables in the replica also, but no log for dropped packet :-
I would appreciate if you could please let me know what these login actually do.
1. Looks to me as getting tgt for admin
2. Is it trying to login though ssh to ipa1 server ?
----------------------------------------------------------------------
Get credentials to log in to remote master
admin at XYZ.DMZ password:
Execute check on remote master
admin at ipa1.xyz.dmz's password:
----------------------------------------------------------------------
SELINUX is disabled at both the ends.
Is there any other log file that may suggest something.
It would be great if we could figure out whats the cause of the error.
-----------------------------------------------------------------------------------------------------------------------
On Tue, Feb 5, 2013 at 7:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Rajnesh Kumar Siwal wrote:
>>
>> We are trying to setup the IPA replication but it says "Connection
>> check failed!".
>> We disabled the firewall and found the same result.
>>
>>
>> -----------------------------------------------------------------------------------------------------------------------
>> [root at ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns
>> --forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>> ipa : DEBUG /usr/sbin/ipa-replica-install was invoked with
>> argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options:
>> {'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False,
>> 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
>> 'unattended': False, 'no_host_dns': False, 'ip_address': None,
>> 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
>> 'setup_ca': True, 'forwarders': [CheckedIPAddress('64.71.0.60')],
>> 'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
>> ipa : DEBUG Loading Index file from
>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> ipa : DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> ipa : DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> Directory Manager (existing master) password:
>>
>> ipa : DEBUG args=/usr/bin/gpg --batch --homedir
>> /tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty
>> -o /tmp/tmpRGaqDpipa/files.tar -d
>> /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>> ipa : DEBUG stdout=
>> ipa : DEBUG stderr=gpg: WARNING: unsafe permissions on
>> homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
>> gpg: 3DES encrypted data
>> gpg: encrypted with 1 passphrase
>> gpg: WARNING: message was not integrity protected
>>
>> ipa : DEBUG args=tar xf /tmp/tmpRGaqDpipa/files.tar -C
>> /tmp/tmpRGaqDpipa
>> ipa : DEBUG stdout=
>> ipa : DEBUG stderr=
>> Run connection check to master
>> Check connection from replica to remote master 'ipa1.xyz.dmz':
>> Directory Service: Unsecure port (389): OK
>> Directory Service: Secure port (636): OK
>> Kerberos KDC: TCP (88): OK
>> Kerberos Kpasswd: TCP (464): OK
>> HTTP Server: Unsecure port (80): OK
>> HTTP Server: Secure port (443): OK
>> PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>> Kerberos KDC: UDP (88): SKIPPED
>> Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> admin at XYZ.DMZ password:
>>
>> Execute check on remote master
>> admin at ipa1.xyz.dmz's password:
>>
>> Remote master check failed with following error message(s):
>>
>> ipa : DEBUG args=/usr/sbin/ipa-replica-conncheck --master
>> ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin
>> --hostname ipa2.xyz.dmz --check-ca
>> Connection check failed!
>> Please fix your network settings according to error messages above.
>> If the check results are not valid it can be skipped with
>> --skip-conncheck parameter.
>>
>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>> Please suggest
>
>
> Each server has its own iptables configuration.
>
> The test from the replica to the master succeeded. What failed is the
> connection test from the master to the replica, so I'd look at the iptables
> configuration on the replica machine.
>
> If that turns out ok it could be a false positive. You can add the
> --skip-conncheck to the ipa-replica-install command to skip this test.
>
> rob
--
Regards,
Rajnesh Kumar Siwal
More information about the Freeipa-users
mailing list