[Freeipa-users] RHEL 7 Upgrade experience so far

Mon Aug 4 02:45:34 UTC 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> 
> 
> 
> Whether related or not I am getting the following in my RHEL 6.5
> IPA instance /var/log/dirsrv/slapd-PKI-CA/debug log:
> 
> [26/Jul/2014:20:23:23 +0000] slapi_ldap_bind - Error: could not
> send startTLS re quest: error -1 (Can't contact LDAP server) errno
> 107 (Transport endpoint is not connected) [26/Jul/2014:20:23:23
> +0000] NSMMReplicationPlugin - agmt="cn=masterAgreement1-i 
> pa2.example.com-pki-ca" (ipa2:7389): Replication bind with SIMPLE
> auth failed: LD AP error -1 (Can't contact LDAP server) ((null)) 
> [26/Jul/2014:20:23:37 +0000] slapi_ldap_bind - Error: could not
> send startTLS re quest: error -1 (Can't contact LDAP server) errno
> 107 (Transport endpoint is not connected) [26/Jul/2014:20:23:48
> +0000] slapi_ldap_bind - Error: could not send startTLS re quest:
> error -1 (Can't contact LDAP server) errno 107 (Transport endpoint
> is not connected)
> 
> And these errors just continue to be logged.
> 
> When attempting to run ipa-ca-install -d on the RHEL 7 replica
> (all other services are on there running fine) I receive the
> following:
> 
> ipa         : CRITICAL failed to configure ca instance Command 
> '/usr/sbin/pkispawn -vv -s CA -f /tmp/tmpqd0WwF' returned non-zero 
> exit status 1 ipa         : DEBUG      File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>
> 
line 638, in run_script
> return_value = main_function()
> 
> File "/usr/sbin/ipa-ca-install", line 179, in main CA =
> cainstance.install_replica_ca(config, postinstall=True)
> 
> File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>
> 
line 1678, in install_replica_ca
> subject_base=config.subject_base)
> 
> File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>
> 
line 478, in configure_instance
> self.start_creation(runtime=210)
> 
> File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 364, in start_creation method()
> 
> File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>
> 
line 604, in __spawn_instance
> raise RuntimeError('Configuration of CA failed')
> 
> ipa         : DEBUG    The ipa-ca-install command failed,
> exception: RuntimeError: Configuration of CA failed
> 
> Your system may be partly configured. Run
> /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> Configuration of CA failed
> 
> 
> So this behavior changed after restarting the IPA service on the
> RHEL 6.5 system.
> 
> So at this point I have a RHEL 6.5 system and a RHEL 7 replica of 
> everything except the CA. The RHEL 6.5 system, when the IPA service
> is restarted throws an error, perhaps from schema change?
> 
> Any ideas?
> 
> -Erinn
> 
> 

I went in and debugged this a bit further by changing the verbosity
for nsslapd-errorlog-level. It appears that the rhel 6.5 system is
attempting to connect to the RHEL 7 system on port 7389 and since the
RHEL 7 system does not have the CA installed this would obviously
fail. This leads me to believe that there is cruft in the directory
that is pointing to the wrong place. I don't think this will fix my
second group of errors, but how does one view the replication
agreements specifically for the ca?

As well I omitted to lines from the ipa-ca-install error which are
probably pertinent:

ERROR:  Unable to access directory server: Server is unwilling to perform

ipa         : DEBUG    stderr=

- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT3vPJAAoJEFg7BmJL2iPOv+MH/iRgdN+7R5q3BtQE9RcoZHss
eMoUIEwAji/I1ddHklZc03p9fU5HTHlKKqRcfRGLA5nka5q3g4ZKlqh+N4BVoZrq
2wGxhD4Qh1Ye3TzwuB2Ex2oXQmRqrd96irdUnu/nf5LoFz0eBMPOcdAGRX6uMyoa
lRF91cLX4HlA3neL0cSGsAp376WGMnU/EWdnriGmORkkoIqmYkR/38GYPCC3qoYG
hYJK/YjInQxv1B5bXCJ/IQC3xgKkeXlzDiChp4rLNSJXWByxX3hcxTZ51YqTE49d
t+yNIGkQk73yojW7WBluw2IidYXFEqqO/ORTMsd2mWUHDaGID+G3q9VCLdRHp/s=
=Qv14
-----END PGP SIGNATURE-----