[Freeipa-users] ipa replica install fails

Rajnesh Kumar Siwal rajnesh.siwal at gmail.com
Tue Feb 5 14:15:27 UTC 2013


Hi Rob,

Thanks for the quick reply.
I tried logging iptables on the replica as well, but there is no log entry for a dropped packet.
I would appreciate it if you could please let me know what these logins actually do.
1. The first looks to me like getting a TGT for admin.
2. Is the second trying to log in through ssh to the ipa1 server?
----------------------------------------------------------------------
Get credentials to log in to remote master
 admin at XYZ.DMZ password:

 Execute check on remote master
 admin at ipa1.xyz.dmz's password:
----------------------------------------------------------------------

SELINUX is disabled at both the ends.

Is there any other log file that may suggest something?
It would be great if we could figure out what's the cause of the error.
-----------------------------------------------------------------------------------------------------------------------

On Tue, Feb 5, 2013 at 7:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Rajnesh Kumar Siwal wrote:
>>
>> We are trying to setup the IPA replication but it says "Connection
>> check failed!".
>> We disabled the firewall and found the same result.
>>
>>
>> -----------------------------------------------------------------------------------------------------------------------
>> [root at ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns
>> --forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>> ipa         : DEBUG    /usr/sbin/ipa-replica-install was invoked with
>> argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options:
>> {'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False,
>> 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
>> 'unattended': False, 'no_host_dns': False, 'ip_address': None,
>> 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
>> 'setup_ca': True, 'forwarders': [CheckedIPAddress('64.71.0.60')],
>> 'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
>> ipa         : DEBUG    Loading Index file from
>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> ipa         : DEBUG    Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> ipa         : DEBUG    Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> Directory Manager (existing master) password:
>>
>> ipa         : DEBUG    args=/usr/bin/gpg --batch --homedir
>> /tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty
>> -o /tmp/tmpRGaqDpipa/files.tar -d
>> /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>> ipa         : DEBUG    stdout=
>> ipa         : DEBUG    stderr=gpg: WARNING: unsafe permissions on
>> homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
>> gpg: 3DES encrypted data
>> gpg: encrypted with 1 passphrase
>> gpg: WARNING: message was not integrity protected
>>
>> ipa         : DEBUG    args=tar xf /tmp/tmpRGaqDpipa/files.tar -C
>> /tmp/tmpRGaqDpipa
>> ipa         : DEBUG    stdout=
>> ipa         : DEBUG    stderr=
>> Run connection check to master
>> Check connection from replica to remote master 'ipa1.xyz.dmz':
>>     Directory Service: Unsecure port (389): OK
>>     Directory Service: Secure port (636): OK
>>     Kerberos KDC: TCP (88): OK
>>     Kerberos Kpasswd: TCP (464): OK
>>     HTTP Server: Unsecure port (80): OK
>>     HTTP Server: Secure port (443): OK
>>     PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>     Kerberos KDC: UDP (88): SKIPPED
>>     Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> admin at XYZ.DMZ password:
>>
>> Execute check on remote master
>> admin at ipa1.xyz.dmz's password:
>>
>> Remote master check failed with following error message(s):
>>
>> ipa         : DEBUG    args=/usr/sbin/ipa-replica-conncheck --master
>> ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin
>> --hostname ipa2.xyz.dmz --check-ca
>> Connection check failed!
>> Please fix your network settings according to error messages above.
>> If the check results are not valid it can be skipped with
>> --skip-conncheck parameter.
>>
>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>> Please suggest
>
>
> Each server has its own iptables configuration.
>
> The test from the replica to the master succeeded. What failed is the
> connection test from the master to the replica, so I'd look at the iptables
> configuration on the replica machine.
>
> If that turns out ok it could be a false positive. You can add the
> --skip-conncheck to the ipa-replica-install command to skip this test.
>
> rob



-- 
Regards,
Rajnesh Kumar Siwal
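To make the two directions of the check concrete: ipa-replica-conncheck first connects from the replica to the master (the part that passed above), then asks the master to connect back to the replica on the same TCP ports (the part that failed). The script below is an added example, not FreeIPA's own code, that reproduces the TCP half of that check so it can be run by hand from the master toward the replica and compared against the replica's iptables rules. The port list is taken from the conncheck output quoted in the thread; the hostname default and the report wording are assumptions. Like the real tool, it does not check the UDP ports 88 and 464, which conncheck lists as SKIPPED.

```python
import socket
import sys
from typing import Dict

# TCP ports that ipa-replica-conncheck reported in the quoted output.
# UDP 88/464 are not checked here, matching the tool's SKIPPED entries.
IPA_TCP_PORTS = {
    "Directory Service: Unsecure port": 389,
    "Directory Service: Secure port": 636,
    "Kerberos KDC: TCP": 88,
    "Kerberos Kpasswd: TCP": 464,
    "HTTP Server: Unsecure port": 80,
    "HTTP Server: Secure port": 443,
    "PKI-CA: Directory Service port": 7389,
}


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Either "connection refused" (nothing listening) or a timeout.
        # A timeout with a service running is the signature of a silent
        # iptables DROP rule, which is why nothing shows up in the log.
        return False


def check_ports(host: str, ports: Dict[str, int], timeout: float = 3.0) -> Dict[str, str]:
    """Run the TCP connection check against one host.

    Returns a mapping of "<service label> (<port>)" -> "OK" or "FAILED".
    """
    return {
        f"{label} ({port})": "OK" if tcp_port_open(host, port, timeout) else "FAILED"
        for label, port in ports.items()
    }


def all_ok(results: Dict[str, str]) -> bool:
    """True when every checked port answered."""
    return all(status == "OK" for status in results.values())


def format_report(direction: str, host: str, results: Dict[str, str]) -> str:
    """Render the results in the same shape as the conncheck output."""
    lines = [f"Check connection from {direction} '{host}':"]
    lines += [f"    {name}: {status}" for name, status in results.items()]
    lines.append("Connection OK." if all_ok(results) else "Connection check failed!")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run this on the master, pointed at the replica, to reproduce the
    # direction that failed in the thread. The default host is the replica
    # name from the thread; pass another hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa2.xyz.dmz"
    print(format_report("master to replica", target, check_ports(target, IPA_TCP_PORTS)))
```

A port that reports FAILED while the service is confirmed listening on the replica (for example with `ss -ltn` there) points at a filter between the two hosts rather than at the service itself; a port that fails quickly with "connection refused" points at the service not being up yet.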