[Freeipa-users] Replica installation failing
Bret Wortman
bret.wortman at damascusgrp.com
Tue Mar 19 16:39:19 UTC 2013
I had already blown away the new replica and reinstalled it as F17, but I
did so using the exact same replica file and it installed perfectly,
without a hitch this time. It even passed the checks that had required me
to use --skip-conncheck when installing on F18. I'll try it again in the
near future on another VM and get back to you.

Bret Wortman
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman

On Tue, Mar 19, 2013 at 12:31 PM, Martin Kosek <mkosek at redhat.com> wrote:
> I tried this scenario and it worked for me. I installed a FreeIPA master on an
> F17 machine (freeipa-server-2.2.2-1.fc17.x86_64), created a replica info file
> for a Fedora 18 machine and ran ipa-replica-install on this one
> (freeipa-server-3.1.2-1.fc18.x86_64) and the installation was successful.
>
> If you still have the development environment, can you please:
> 1) Try to make sure you have up-to-date freeipa on f17 and f18, then
> 2) Create a new replica info file for the replica, copy it on a replica
> 3) Install the replica
>
> If it fails again, we will need to investigate 389-ds-base logs on both server
> and replica machines to see if that helps us see the root cause.
>
> Martin
>
> On 03/19/2013 03:42 PM, Bret Wortman wrote:
> > I'm now rebuilding on F17 and Martin's going to try my scenario, which should
> > have worked. Who knows, I may have borked it somehow.
> >
> > —
> > Bret Wortman
> >
> >
> > On Tue, Mar 19, 2013 at 10:19 AM, Bret Wortman <bret.wortman at damascusgrp.com> wrote:
> >
> > Generation difference. Wrong version of the software -- the F18 version
> > apparently can't read the data generated by my F17 server. And backing it
> > down appears to be nontrivial. Upgrading the master to F18 is a nonstarter
> > as F18 isn't exactly stable in our environment. I guess I'm going to
> > rebuild this box on F17 and try again.
> >
> > I'm kind of surprised that there isn't better backward compatibility here;
> > is it hard to maintain the ability to read the old formats, or are packages
> > you depend on changing too quickly? I'm not trying to be critical or start
> > a flame war here, just to understand. :-)
> >
> >
> > Bret Wortman
> >
> >
> > On Tue, Mar 19, 2013 at 8:48 AM, Martin Kosek <mkosek at redhat.com> wrote:
> >
> > Ok. This looks like dirsrv errors from the master machine. Are there also any
> > interesting errors on the replica machine?
> >
> > Martin
> >
> > On 03/19/2013 01:45 PM, Bret Wortman wrote:
> > > Yes, it's still resolvable.
> > >
> > > In the errors log:
> > >
> > > [19/Mar/2013:08:39:53 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> > > [19/Mar/2013:08:39:53 -0400] NSMMReplicationPlugin - agmt="cn=meTojsipa.damascusgrp.com" (jsipa:389) : Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
> > >
> > > and then the first error repeats every few seconds for a while.
> > >
> > > jsipa.damascusgrp.com is resolvable on ipamaster.damascusgrp.com.
> > >
> > > I _have_ noticed that when doing the ipa-server-install --uninstall to clean up
> > > after this, that some ports (389, 636) don't get released unless I reboot. I
> > > don't know if that's related or a red herring.
> > >
> > >
> > > Bret Wortman
> > >
> > >
> > > On Tue, Mar 19, 2013 at 8:30 AM, Martin Kosek <mkosek at redhat.com> wrote:
> > >
> > > On 03/19/2013 01:12 PM, Bret Wortman wrote:
> > > > Preparation of the replica data file went without a hitch, but on installation:
> > > >
> > > > # ipa-replica-install --setup-dns --no-forwarders replica-info-jsipa.damascusgrp.com --skip-conncheck
> > > > Directory Manager (existing master) password:
> > > >
> > > > Configuring NTP daemon (ntpd)
> > > > :
> > > > Configuring directory server (dirsrv): Estimated time 1 minute
> > > > :
> > > > :
> > > > [21/30]: setting up initial replication
> > > > Starting replication, please wait until this has completed.
> > > > [ipamaster.damascusgrp.com] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]
> > > > :
> > > > # getenforce
> > > > Disabled
> > > > # systemctl status iptables.service
> > > > iptables.service
> > > > Loaded: error (Reason: No such file or directory)
> > > > Active: inactive(dead)
> > > >
> > > > #
> > > >
> > > > Any ideas? This is a brand-new server just set up via kickstart. It's running
> > > > Fedora 18 and IPA 3.1.0-2.fc18.
> > > >
> > > > Bret Wortman
> > > >
> > >
> > > Hello Bret,
> > >
> > > Is ipamaster.damascusgrp.com still resolvable from the replica machine? I would
> > > try running:
> > >
> > > # host ipamaster.damascusgrp.com
> > >
> > > ... after the failed ipa-replica-install. There were issues in the past when
> > > /etc/resolv.conf changed during replica installation and caused a similar error
> > > in the middle of ipa-replica-install.
> > >
> > > If the DNS resolution is OK, I would also check
> > > /var/log/dirsrv/slapd-INST/errors on replica and on master - are there any
> > > relevant errors?
> > >
> > > Martin
> > >
>
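
An errors-log triage for the failure discussed in this thread, as an added example that is not part of the original messages or of FreeIPA/389-ds code: it groups errors by replication agreement peer and separates LDAP result -1 (server unreachable, despite the "SIMPLE auth failed" wording) from result 49 (invalid credentials). The sample log is constructed from the lines quoted above; the `other.example.test` agreement and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the errors-log lines quoted in the thread;
# the last line (LDAP error 49) is invented here to show the contrasting case.
SAMPLE_LOG = """\
[19/Mar/2013:08:39:53 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[19/Mar/2013:08:39:53 -0400] NSMMReplicationPlugin - agmt="cn=meTojsipa.damascusgrp.com" (jsipa:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/Mar/2013:08:39:56 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[19/Mar/2013:08:41:10 -0400] NSMMReplicationPlugin - agmt="cn=meToother.example.test" (other:389): Replication bind with SIMPLE auth failed: LDAP error 49 (Invalid credentials) ((null))
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<source>\S+) - (?P<msg>.*)$")
AGMT = re.compile(r'agmt="(?P<name>[^"]+)"\s*\((?P<peer>[^)]+)\)')
ERROR = re.compile(r"\berror (?P<code>-?\d+) \((?P<text>[^)]*)\)")

def classify(code):
    """Map an LDAP result code to the layer that needs investigating."""
    if code == -1:   # LDAP_SERVER_DOWN: the TCP/TLS session never came up
        return "transport"
    if code == 49:   # invalidCredentials: peer was reachable, bind rejected
        return "credentials"
    return "other"

def triage(log_text):
    """Return {peer: {category: count}}; lines without agmt= are 'unattributed'."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # not a timestamped errors-log entry
        err = ERROR.search(entry["msg"])
        if not err:
            continue  # entry carries no LDAP result code
        agmt = AGMT.search(entry["msg"])
        peer = agmt["peer"] if agmt else "unattributed"
        summary[peer][classify(int(err["code"]))] += 1
    return {peer: dict(cats) for peer, cats in summary.items()}

if __name__ == "__main__":
    for peer, cats in triage(SAMPLE_LOG).items():
        print(peer, cats)
```

A peer that shows only `transport` failures points at name resolution, firewalling or a directory server that is not listening on that port, which is where the checks suggested in the thread start.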