[Freeipa-users] Trouble creating replica

Bret Wortman bret.wortman at damascusgrp.com
Wed Feb 20 13:39:08 UTC 2013


And just in case this is informative:

[root at oldmaster]# pkicontrol start ca PKI-IPA
PKI-IPA is an invalid 'pki-ca' instance
[root at oldmaster]#


Bret Wortman
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman


On Wed, Feb 20, 2013 at 8:08 AM, Bret Wortman
<bret.wortman at damascusgrp.com> wrote:

> Digging further into my logs this morning, I've discovered that there are no
> new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5 either. How can I
> tell why this isn't running? /var/log/dirsrv/slapd-MY-COM is getting
> updated and logged to, it's just the PKI piece that seems to be dead.
>
> Nothing in /etc/pki-ca has changed since last year, and the last updates
> to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on Feb 5. I just
> can't tell what that change was....
>
> Would a key change or certificate change have affected this?
>
> Worst case, if I do something like this:
>
> # ipa-server-install -U --uninstall
> # ipa-server-install
>
> will I lose the hosts, policies & users I already have configured? Does
> this stand a chance of getting me back up to where I can clone this box and
> get healthy again?
>
>
>
>
> On Tue, Feb 19, 2013 at 2:01 PM, Bret Wortman <
> bret.wortman at damascusgrp.com> wrote:
>
>> No, can't telnet to 7389 or 9444 either one:
>>
>> [root at ipamaster]# telnet oldmaster.my.com 7389
>> Trying 10.0.0.42...
>> telnet: connect to address 10.0.0.42: Connection refused
>> [root at ipamaster]#
>>
>> I do note that I only have packages called dogtag-*-theme installed:
>>
>> [root at oldmaster]# yum list "*dogtag*"
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> dogtag-pki-ca-theme.noarch                  9.0.11-1.fc17      @fedora
>> dogtag-pki-common-theme.noarch              9.0.11-1.fc17      @fedora
>> Available Packages
>> dogtag-pki.noarch                           9.0.0-13.fc17      @fedora
>> :
>>
>> I also noticed that, according to /var/log/pki-ca/catalina.out and
>> /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no,
>> I'm not sure what happened on that day to change things, but I'm trying to
>> find out. (At least, I assume this logdir relates to dogtag....)
>>
>>
>>
>>
>>
>> On Tue, Feb 19, 2013 at 1:26 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Natxo Asenjo wrote:
>>>
>>>> On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman
>>>> <bret.wortman at damascusgrp.com> wrote:
>>>>
>>>>     Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out:
>>>>
>>>>     :
>>>>     Could not connect to LDAP server host oldmaster.my.com
>>>>     port 7389 Error
>>>>
>>>>     netscape.ldap.LDAPException: failed to connect to server
>>>>     ldap://oldmaster.my.com:7389 (91)
>>>>
>>>>
>>>>     This certainly appears to be a problem, but everyone's
>>>>     authenticating against oldmaster just fine. Thoughts, anyone?
>>>>
>>>>
>>>> can you connect to that port (7389) on oldmaster.my.com
>>>> from the other replica? (try telnetting to the
>>>> port: telnet oldmaster.my.com 7389)
>>>>
>>>
>>> 7389 is the port in the 389-ds instance used by dogtag. Is the instance
>>> running on oldmaster?
>>>
>>> It isn't used for authentication which is why you aren't seeing problems
>>> with clients.
>>>
>>> rob
>>>
>>>
>>
>>
>
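The checks made by hand in this thread (connecting to ports 7389 and 9444, and looking at when /var/log/dirsrv/slapd-PKI-IPA and /var/log/pki-ca were last written) can be gathered into one triage script. This is an added example, not part of the original messages or of FreeIPA; the function names are hypothetical, and it assumes bash, GNU find and coreutils `timeout` are available.

```shell
#!/bin/sh
# Added example. Ports and log directories come from the thread above;
# function names and the 3-second timeout are assumptions.

# probe_port HOST PORT -> prints "open" or "closed"
probe_port() {
    # host and port are passed as arguments, never spliced into the command string
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# newest_age_days DIR -> whole days since the newest file in DIR was written,
# or "missing" when DIR does not exist or holds no files
newest_age_days() {
    [ -d "$1" ] || { echo missing; return 0; }
    newest=$(find "$1" -type f -printf '%T@\n' 2>/dev/null | sort -n | tail -1)
    [ -n "$newest" ] || { echo missing; return 0; }
    now=$(date +%s)
    echo $(( (now - ${newest%.*}) / 86400 ))
}

# triage HOST -> one line per check; run the log checks on the master itself
triage() {
    echo "port 7389 (389-ds instance used by dogtag): $(probe_port "$1" 7389)"
    echo "port 9444 (second port tried in the thread): $(probe_port "$1" 9444)"
    for d in /var/log/dirsrv/slapd-PKI-IPA /var/log/pki-ca; do
        echo "$d: newest log age in days: $(newest_age_days "$d")"
    done
}

# Stand-alone use: sh triage.sh oldmaster.my.com
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

A "closed" result on 7389 combined with a log age that matches the last known good date points at the PKI-IPA directory instance being down, while client authentication on the main instance is unaffected.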