[Freeipa-users] ipa replica install fails

Petr Spacek pspacek at redhat.com
Tue Feb 5 15:59:05 UTC 2013 

On 5.2.2013 15:45, Rajnesh Kumar Siwal wrote:
> Finally , I installed it with "--skip-conncheck":-
> Now DNS fails to start.
> I tried ipa-dns-install too:-
>
> [root at ipa2 log]# ipa-dns-install
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> ==============================================================================
> This program will setup DNS for the IPA Server.
>
> This includes:
>    * Configure DNS (bind)
>
> To accept the default shown in brackets, press the Enter key.
> Existing BIND configuration detected, overwrite? [no]: yes
> DNS is already configured in this IPA server.
> [root at ipa2 log]# /etc/init.d/ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: STOPPED
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [root at ipa2 log]# /etc/init.d/named restart
> Stopping named:                                            [  OK  ]
> Starting named:                                            [FAILED]
>
> ---------------------------------------------------------------------------------------------
> DNS logs :-
> Feb  5 09:40:19 ipa2 named[19873]:
> ----------------------------------------------------
> Feb  5 09:40:19 ipa2 named[19873]: BIND 9 is maintained by Internet
> Systems Consortium,
> Feb  5 09:40:19 ipa2 named[19873]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> Feb  5 09:40:19 ipa2 named[19873]: corporation.  Support and training
> for BIND 9 are
> Feb  5 09:40:19 ipa2 named[19873]: available at https://www.isc.org/support
> Feb  5 09:40:19 ipa2 named[19873]:
> ----------------------------------------------------
> Feb  5 09:40:19 ipa2 named[19873]: adjusted limit on open files from
> 102400 to 1048576
> Feb  5 09:40:19 ipa2 named[19873]: found 2 CPUs, using 2 worker threads
> Feb  5 09:40:19 ipa2 named[19873]: using up to 4096 sockets
> Feb  5 09:40:19 ipa2 named[19873]: loading configuration from '/etc/named.conf'
> Feb  5 09:40:19 ipa2 named[19873]: using default UDP/IPv4 port range:
> [1024, 65535]
> Feb  5 09:40:19 ipa2 named[19873]: using default UDP/IPv6 port range:
> [1024, 65535]
> Feb  5 09:40:19 ipa2 named[19873]: listening on IPv6 interfaces, port 53
> Feb  5 09:40:19 ipa2 named[19873]: listening on IPv4 interface lo, 127.0.0.1#53
> Feb  5 09:40:19 ipa2 named[19873]: listening on IPv4 interface eth0,
> 172.31.254.205#53
> Feb  5 09:40:19 ipa2 named[19873]: generating session key for dynamic DNS
> Feb  5 09:40:19 ipa2 named[19873]: sizing zone task pool based on 6 zones
> Feb  5 09:40:19 ipa2 named[19873]: set up managed keys zone for view
> _default, file 'dynamic/managed-keys.bind'
> Feb  5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Mutual
> authentication failed)
> Feb  5 09:40:19 ipa2 named[19873]: bind to LDAP server failed: Local error
> Feb  5 09:40:19 ipa2 named[19873]: loading configuration: failure
> Feb  5 09:40:19 ipa2 named[19873]: exiting (due to fatal error)
> Feb  5 09:40:28 ipa2 kernel: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:22:6b:12:99:bc:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP
> SPT=68 DPT=67 LEN=308
> [root at ipa2 log]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at XYZ.DMZ
> Valid starting     Expires            Service principal
> 02/05/13 14:32:56  02/06/13 14:32:24  krbtgt/XYZ.DMZ at XYZ.DMZ
> 02/05/13 14:33:16  02/06/13 14:31:34  ldap/ipa2.xyz.dmz at XYZ.DMZ

The important line is:
 > Feb  5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS
 > failure.  Minor code may provide more information (Mutual
 > authentication failed)

Did you poke to /etc/named.keytab in any way? Is this server the first 
installation with this host name? (I.e. was there a host with the same DNS 
name in the past?)

I don't understand what went wrong.

Please provide output from following commands (in this order):
$ klist -ket /etc/named.keytab
$ kinit -kt DNS/ipa2.xyz.dmz at XYZ.DMZ
$ klist

Simo, is it possible to do something like "kadmin -p admin" and "getprinc 
DNS/ipa2.xyz.dmz at XYZ.DMZ"?

It fails:

kadmin:  getprinc DNS/host.redhat.com at E.TEST
get_principal: Operation requires ``get'' privilege while retrieving 
"DNS/host.redhat.com at E.TEST".

How it is possible to retrieve kvno and other details for IPA principals?

Petr^2 Spacek


> On Tue, Feb 5, 2013 at 7:45 PM, Rajnesh Kumar Siwal
> <rajnesh.siwal at gmail.com> wrote:
>> Hi Rob,
>>
>> Thanks for the quick reply.
>> I tried logging iptables in the replica also, but no log for dropped packet :-
>> I would appreciate if you could please let me know what these login actually do.
>> 1. Looks to me as getting tgt for admin
>> 2. Is it trying to login though ssh to ipa1 server ?
>> ----------------------------------------------------------------------
>> Get credentials to log in to remote master
>>   admin at XYZ.DMZ password:
>>
>>   Execute check on remote master
>>   admin at ipa1.xyz.dmz's password:
>> ----------------------------------------------------------------------
>>
>> SELINUX is disabled at both the ends.
>>
>> Is there any other log file that may suggest something.
>> It would be great if we could figure out whats the cause of the error.
>> -----------------------------------------------------------------------------------------------------------------------
>>
>> On Tue, Feb 5, 2013 at 7:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Rajnesh Kumar Siwal wrote:
>>>>
>>>> We are trying to setup the IPA replication but it says "Connection
>>>> check failed!".
>>>> We disabled the firewall and found the same result.
>>>>
>>>>
>>>> -----------------------------------------------------------------------------------------------------------------------
>>>> [root at ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns
>>>> --forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>>>> ipa         : DEBUG    /usr/sbin/ipa-replica-install was invoked with
>>>> argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options:
>>>> {'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False,
>>>> 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
>>>> 'unattended': False, 'no_host_dns': False, 'ip_address': None,
>>>> 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
>>>> 'setup_ca': True, 'forwarders': [CheckedIPAddress('64.71.0.60')],
>>>> 'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
>>>> ipa         : DEBUG    Loading Index file from
>>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>>> ipa         : DEBUG    Loading StateFile from
>>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>> ipa         : DEBUG    Loading Index file from
>>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>>> Directory Manager (existing master) password:
>>>>
>>>> ipa         : DEBUG    args=/usr/bin/gpg --batch --homedir
>>>> /tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty
>>>> -o /tmp/tmpRGaqDpipa/files.tar -d
>>>> /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
>>>> ipa         : DEBUG    stdout=
>>>> ipa         : DEBUG    stderr=gpg: WARNING: unsafe permissions on
>>>> homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
>>>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
>>>> gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
>>>> gpg: 3DES encrypted data
>>>> gpg: encrypted with 1 passphrase
>>>> gpg: WARNING: message was not integrity protected
>>>>
>>>> ipa         : DEBUG    args=tar xf /tmp/tmpRGaqDpipa/files.tar -C
>>>> /tmp/tmpRGaqDpipa
>>>> ipa         : DEBUG    stdout=
>>>> ipa         : DEBUG    stderr=
>>>> Run connection check to master
>>>> Check connection from replica to remote master 'ipa1.xyz.dmz':
>>>>      Directory Service: Unsecure port (389): OK
>>>>      Directory Service: Secure port (636): OK
>>>>      Kerberos KDC: TCP (88): OK
>>>>      Kerberos Kpasswd: TCP (464): OK
>>>>      HTTP Server: Unsecure port (80): OK
>>>>      HTTP Server: Secure port (443): OK
>>>>      PKI-CA: Directory Service port (7389): OK
>>>>
>>>> The following list of ports use UDP protocol and would need to be
>>>> checked manually:
>>>>      Kerberos KDC: UDP (88): SKIPPED
>>>>      Kerberos Kpasswd: UDP (464): SKIPPED
>>>>
>>>> Connection from replica to master is OK.
>>>> Start listening on required ports for remote master check
>>>> Get credentials to log in to remote master
>>>> admin at XYZ.DMZ password:
>>>>
>>>> Execute check on remote master
>>>> admin at ipa1.xyz.dmz's password:
>>>>
>>>> Remote master check failed with following error message(s):
>>>>
>>>> ipa         : DEBUG    args=/usr/sbin/ipa-replica-conncheck --master
>>>> ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin
>>>> --hostname ipa2.xyz.dmz --check-ca
>>>> Connection check failed!
>>>> Please fix your network settings according to error messages above.
>>>> If the check results are not valid it can be skipped with
>>>> --skip-conncheck parameter.
>>>>
>>>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>>>> Please suggest
>>>
>>>
>>> Each server has its own iptables configuration.
>>>
>>> The test from the replica to the master succeeded. What failed is the
>>> connection test from the master to the replica, so I'd look at the iptables
>>> configuration on the replica machine.
>>>
>>> If that turns out ok it could be a false positive. You can add the
>>> --skip-conncheck to the ipa-replica-install command to skip this test.

More information about the Freeipa-users mailing list