[Freeipa-users] RHEL 7 Upgrade experience so far

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Mon Aug 4 20:41:56 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/04/2014 08:46 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 08/04/2014 04:01 AM, Martin Kosek wrote:
>>> On 08/04/2014 04:45 AM, Erinn Looney-Triggs wrote:
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> Whether related or not I am getting the following in my
>>>>> RHEL 6.5 IPA instance /var/log/dirsrv/slapd-PKI-CA/debug
>>>>> log:
>>>> 
>>>>> [26/Jul/2014:20:23:23 +0000] slapi_ldap_bind - Error:
>>>>> could not send startTLS re quest: error -1 (Can't contact
>>>>> LDAP server) errno 107 (Transport endpoint is not
>>>>> connected) [26/Jul/2014:20:23:23 +0000]
>>>>> NSMMReplicationPlugin - agmt="cn=masterAgreement1-i
>>>>> pa2.example.com-pki-ca" (ipa2:7389): Replication bind with
>>>>> SIMPLE auth failed: LD AP error -1 (Can't contact LDAP
>>>>> server) ((null)) [26/Jul/2014:20:23:37 +0000]
>>>>> slapi_ldap_bind - Error: could not send startTLS re quest:
>>>>> error -1 (Can't contact LDAP server) errno 107 (Transport
>>>>> endpoint is not connected) [26/Jul/2014:20:23:48 +0000]
>>>>> slapi_ldap_bind - Error: could not send startTLS re quest:
>>>>> error -1 (Can't contact LDAP server) errno 107 (Transport
>>>>> endpoint is not connected)
>>>> 
>>>>> And these errors just continue to be logged.
>>>> 
>>>>> When attempting to run ipa-ca-install -d on the RHEL 7
>>>>> replica (all other services are on there running fine) I
>>>>> receive the following:
>>>> 
>>>>> ipa         : CRITICAL failed to configure ca instance
>>>>> Command '/usr/sbin/pkispawn -vv -s CA -f /tmp/tmpqd0WwF'
>>>>> returned non-zero exit status 1 ipa         : DEBUG
>>>>> File 
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>
>>>>
>>>>
>>>>>
>>
>>>>> 
line 638, in run_script
>>>>> return_value = main_function()
>>>> 
>>>>> File "/usr/sbin/ipa-ca-install", line 179, in main CA = 
>>>>> cainstance.install_replica_ca(config, postinstall=True)
>>>> 
>>>>> File 
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>
>>>>
>>>>
>>>>>
>>
>>>>> 
line 1678, in install_replica_ca
>>>>> subject_base=config.subject_base)
>>>> 
>>>>> File 
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>
>>>>
>>>>
>>>>>
>>
>>>>> 
line 478, in configure_instance
>>>>> self.start_creation(runtime=210)
>>>> 
>>>>> File 
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>>
>>>>>
>>
>>>>> 
line 364, in start_creation method()
>>>> 
>>>>> File 
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>
>>>>
>>>>
>>>>>
>>
>>>>> 
line 604, in __spawn_instance
>>>>> raise RuntimeError('Configuration of CA failed')
>>>> 
>>>>> ipa         : DEBUG    The ipa-ca-install command failed, 
>>>>> exception: RuntimeError: Configuration of CA failed
>>>> 
>>>>> Your system may be partly configured. Run 
>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> 
>>>>> Configuration of CA failed
>>>> 
>>>> 
>>>>> So this behavior changed after restarting the IPA service
>>>>> on the RHEL 6.5 system.
>>>> 
>>>>> So at this point I have a RHEL 6.5 system and a RHEL 7
>>>>> replica of everything except the CA. The RHEL 6.5 system,
>>>>> when the IPA service is restarted throws an error, perhaps
>>>>> from schema change?
>>>> 
>>>>> Any ideas?
>>>> 
>>>>> -Erinn
>>>> 
>>>> 
>>>> 
>>>> I went in and debugged this a bit further by changing the 
>>>> verbosity for nsslapd-errorlog-level. It appears that the
>>>> rhel 6.5 system is attempting to connect to the RHEL 7 system
>>>> on port 7389 and since the RHEL 7 system does not have the CA
>>>> installed this would obviously fail. This leads me to believe
>>>> that there is cruft in the directory that is pointing to the
>>>> wrong place. I don't think this will fix my second group of
>>>> errors, but how does one view the replication agreements
>>>> specifically for the ca?
>>>> 
>>>> As well I omitted to lines from the ipa-ca-install error
>>>> which are probably pertinent:
>>>> 
>>>> ERROR:  Unable to access directory server: Server is
>>>> unwilling to perform
>>>> 
>>>> ipa         : DEBUG    stderr=
>>>> 
>>>> -Erinn
>> 
>>> This is strange. ipa-ca-install/ipa-replica-install --setup-ca 
>>> should create the replication agreement pointing at port 389
>>> on RHEL-7.0, given that the 2 originally separated DS databases
>>> were merged.
>> 
>>> It looks like this is some replication agreement left over
>>> from previous tests.
>> 
>>> Anyway, to list all hosts with PKI, try:
>> 
>>> # ipa-csreplica-manage list Directory Manager password:
>> 
>>> vm-089.idm.lab.bos.redhat.com: master 
>>> vm-086.idm.lab.bos.redhat.com: master
>> 
>>> "master" means that this server has PKI service installed. It
>>> will show different value if there is no PKI service.
>> 
>>> To check PKI replication agreements for specific hostname,
>>> run:
>> 
>>> # ipa-csreplica-manage list `hostname` Directory Manager
>>> password:
>> 
>>> vm-089.idm.lab.bos.redhat.com
>> 
>>> Check "man ipa-csreplica-manage" for advise how to delete or
>>> create the PKI agreements.
>> 
>>> HTH, Martin
>> 
>> 
>> Yeah here is what I get: ipa-csreplica-manage list Directory
>> Manager password:
>> 
>> ipa2.example.com: CA not configured ipa.example.com: master
>> 
>> ipa2 is my rhel7 instance, ipa is the rhel 6.5 instance.
>> 
>> ipa-csreplica-manage list ipa2.example.com Directory Manager
>> password:
>> 
>> Can't contact LDAP server
>> 
>> Which I guess makes sense, however: ipa-csreplica-manage list -v
>> ipa.example.com Directory Manager password:
>> 
>> ipa2.example.com last init status: None last init ended: None 
>> last update status: -1  - LDAP error: Can't contact LDAP server 
>> last update ended: None ipa2.example.com last init status: None 
>> last init ended: None last update status: 0 Replica acquired
>> successfully: Incremental update succeeded last update ended:
>> 2014-08-04 14:43:48+00:00
>> 
>> This seems odd to me, but I don't really know exactly what to
>> expect. Why is ipa2 referenced twice? Why does on have
>> replication succeeding and the other failing?
>> 
>> It currently just feels like something is configured wrong, there
>> is a wrong entry somewhere, but I can't figure it out just yet.
> 
> As Directory Manager, look in cn=mapping tree,cn=config for the
> list of agreements. I'm guessing at least one of those has the
> wrong port.
> 
> The IPA agreement CN takes the form of meTo<somewhere> and CA
> agreements CN uses masterAgreement1-<hostname>-* (or
> cloneAgreement, depending on the side you're on).
> 
> rob
> 

Rob,
Thanks, looking in there I see two entries for my ipa2 instance for CA
replication. However, none should exist as far as I know because at
this point there is no CA replica on ipa2. These safe to delete?

- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT3/APAAoJEFg7BmJL2iPOJi0H/1fSZ2spdvzJtyvHxsNIOGAJ
u8GgopYi7K3/sT/0tHl60zrwe5zfLroWbAN1wWO0MwDuR7HAf10rUpXmgz109tAS
tPAgCpEbLYfJMJJ4DrqL6AbN2Uxy5PzWIdAdzgZcnt4sQeTqHKsmYnpLpHPlHEIW
xuRokQo/qy+t0uuTGC4zHbZuT+FxDBgsIYMTPv0DUYx5e6M3xVIswSWn6NQchUtg
9HfaU2Qn0kk+0eDBhCbbsWoUuyf1NJAdh8Cp+bgCCL1ADmqGQJDyWeYEvqgYqt26
4Pf+q2dxVXDOZLdjx6fXy8zWjF3Cisf62dZ6HOYv4u6vuTK0HRwc78X9bQJjfhM=
=JaA2
-----END PGP SIGNATURE-----

More information about the Freeipa-users mailing list