[Freeipa-users] Replica installation failing
Martin Kosek
mkosek at redhat.com
Tue Mar 19 16:31:07 UTC 2013
I tried this scenario and it worked for me. I installed a FreeIPA master on an F17
machine (freeipa-server-2.2.2-1.fc17.x86_64), created a replica info file for a
Fedora 18 machine and ran ipa-replica-install on that one
(freeipa-server-3.1.2-1.fc18.x86_64), and the installation was successful.

If you still have the development environment, can you please:

1) Try to make sure you have up-to-date freeipa on f17 and f18, then
2) Create a new replica info file for the replica, copy it to the replica
3) Install the replica

If it fails again, we will need to investigate 389-ds-base logs on both server
and replica machines to see if that helps us see the root cause.

Martin

On 03/19/2013 03:42 PM, Bret Wortman wrote:
> I'm now rebuilding on F17 and Martin's going to try my scenario, which should
> have worked. Who knows, I may have borked it somehow.
>
> —
> Bret Wortman
>
>
> On Tue, Mar 19, 2013 at 10:19 AM, Bret Wortman <bret.wortman at damascusgrp.com> wrote:
>
> Generation difference. Wrong version of the software -- the F18 version
> apparently can't read the data generated by my F17 server. And backing it
> down appears to be nontrivial. Upgrading the master to F18 is a nonstarter
> as F18 isn't exactly stable in our environment. I guess I'm going to
> rebuild this box on F17 and try again.
>
> I'm kind of surprised that there isn't better backward compatibility here;
> is it hard to maintain the ability to read the old formats, or are packages
> you depend on changing too quickly? I'm not trying to be critical or start
> a flame war here, just to understand. :-)
>
>
> *Bret Wortman*
> <http://damascusgrp.com/>
> http://damascusgrp.com/ <http://bretwortman.com/>
> http://twitter.com/BretWortman
>
>
> On Tue, Mar 19, 2013 at 8:48 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
> Ok. This looks like dirsrv errors from the master machine. Are there also any
> interesting errors on the replica machine?
>
> Martin
>
> On 03/19/2013 01:45 PM, Bret Wortman wrote:
> > Yes, it's still resolvable.
> >
> > In the errors log:
> >
> > [19/Mar/2013:08:39:53 -0400] slapi_ldap_bind - Error: could not send startTLS
> > request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is
> > not connected)
> > [19/Mar/2013:08:39:53 -0400] NSMMReplicationPlugin -
> > agmt="cn=meTojsipa.damascusgrp.com" (jsipa:389) : Replication bind with
> > SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
> >
> > and then the first error repeats every few seconds for a while.
> >
> > jsipa.damascusgrp.com is resolvable on ipamaster.damascusgrp.com.
> >
> > I _have_ noticed that when doing the ipa-server-install --uninstall to clean up
> > after this, that some ports (389, 636) don't get released unless I reboot. I
> > don't know if that's related or a red herring.
> >
> >
> > *Bret Wortman*
> > <http://damascusgrp.com/>
> > http://damascusgrp.com/ <http://bretwortman.com/>
> > http://twitter.com/BretWortman
> >
> >
> > On Tue, Mar 19, 2013 at 8:30 AM, Martin Kosek <mkosek at redhat.com> wrote:
> >
> > On 03/19/2013 01:12 PM, Bret Wortman wrote:
> > > Preparation of the replica data file went without a hitch, but on installation:
> > >
> > > # ipa-replica-install --setup-dns --no-forwarders replica-info-jsipa.damascusgrp.com --skip-conncheck
> > > Directory Manager (existing master) password:
> > >
> > > Configuring NTP daemon (ntpd)
> > > :
> > > Configuring directory server (dirsrv): Estimated time 1 minute
> > > :
> > > :
> > > [21/30]: setting up initial replication
> > > Starting replication, please wait until this has completed.
> > > [ipamaster.damascusgrp.com] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]
> > > :
> > > # getenforce
> > > Disabled
> > > # systemctl status iptables.service
> > > iptables.service
> > > Loaded: error (Reason: No such file or directory)
> > > Active: inactive(dead)
> > >
> > > #
> > >
> > > Any ideas? This is a brand-new server just set up via kickstart. It's running
> > > Fedora 18 and IPA 3.1.0-2.fc18.
> > >
> > > *Bret Wortman*
> > > <http://damascusgrp.com/>
> > > http://damascusgrp.com/ <http://bretwortman.com/>
> > > http://twitter.com/BretWortman
> > >
> >
> > Hello Bret,
> >
> > Is ipamaster.damascusgrp.com still resolvable from the replica machine? I would
> > try running:
> >
> > # host ipamaster.damascusgrp.com
> >
> > ... after the failed ipa-replica-install. There were issues in the past when
> > /etc/resolv.conf changed during replica installation and caused a similar error
> > in the middle of ipa-replica-install.
> >
> > If the DNS resolution is OK, I would also check
> > /var/log/dirsrv/slapd-INST/errors on replica and on master - are there any
> > relevant errors?
> >
> > Martin
> >
> >
>
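
Added example, not part of the original messages and not FreeIPA or 389-ds code: a small shell triage of a 389-ds errors log of the kind quoted above. It separates replication bind failures where the peer was unreachable (LDAP error -1, as in this thread) from credential failures (LDAP error 49); the function names, the replica2 agreement and the error 49 line are constructed, and the mapping assumes OpenLDAP client result codes.

```shell
#!/bin/sh
# Added example (not from the thread): triage a 389-ds "errors" log.
# Assumes OpenLDAP client result codes: -1 = server unreachable, 49 = invalid credentials.

# Constructed sample log. The first two message shapes follow the lines quoted
# in the thread; the replica2 agreement and the error 49 line are made up.
sample_log() {
cat <<'EOF'
[19/Mar/2013:08:39:53 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[19/Mar/2013:08:39:53 -0400] NSMMReplicationPlugin - agmt="cn=meTojsipa.damascusgrp.com" (jsipa:389) : Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/Mar/2013:08:39:56 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[19/Mar/2013:08:39:56 -0400] NSMMReplicationPlugin - agmt="cn=meTojsipa.damascusgrp.com" (jsipa:389) : Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/Mar/2013:08:41:10 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica2.example.test" (replica2:389) : Replication bind with SIMPLE auth failed: LDAP error 49 (Invalid credentials) ((null))
EOF
}

# stdin: errors log. stdout: "<count> <agreement> <peer> <class>" per failing agreement.
classify_bind_failures() {
    awk '
    /NSMMReplicationPlugin/ && /Replication bind with/ && /failed/ {
        agmt = $0; sub(/.*agmt="cn=/, "", agmt);   sub(/".*/, "", agmt)
        peer = $0; sub(/.*" \(/, "", peer);        sub(/\).*/, "", peer)
        code = $0; sub(/.*LDAP error /, "", code); sub(/ .*/, "", code)
        # -1: peer never answered (network, listener or TLS setup), not a password problem.
        # 49: peer answered and rejected the replication bind DN or password.
        class = (code == "-1") ? "unreachable" : (code == "49") ? "bad-credentials" : "other(" code ")"
        n[agmt " " peer " " class]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# stdin: errors log. stdout: distinct OS errno values logged with connection errors.
connection_errnos() {
    sed -n 's/.* errno \([0-9][0-9]*\) .*/\1/p' | LC_ALL=C sort -u
}

sample_log | classify_bind_failures
sample_log | connection_errnos
```

To use it on a real instance, pipe the errors log of the master and of the replica through the two functions in place of sample_log.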