[Freeipa-users] trouble creating a replica in the cloud

Rob Crittenden rcritten at redhat.com
Wed Feb 12 18:36:15 UTC 2014


Dmitri Pal wrote:
> On 02/11/2014 05:02 PM, Todd Maugh wrote:
>> Hey Guys,
>>
>> So I have my master and replica up in my datacenter.
>>
>> I have a client, I have a winsync agreement, I have a password sync.
>>
>> It's working lovely.
>>
>> So now I have spun up an AWS instance of Red Hat 6.5 (same as my
>> master and first replica)
>>
>> I run the ipa replica and it fails
>>
>>
>> ipa-replica-install --setup-ca --setup-dns --no-forwarders
>> /var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
>> Directory Manager (existing master) password:
>>
>> Run connection check to master
>> Check connection from replica to remote master 'se-idm-01.boingo.com':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>    PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>    Kerberos KDC: UDP (88): SKIPPED
>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> admin at BOINGO.COM password:
>>
>> Execute check on remote master
>> Check connection from master to remote replica 'se-idm-03.boingo.com':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos KDC: UDP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    Kerberos Kpasswd: UDP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>    PKI-CA: Directory Service port (7389): OK
>>
>> Connection from master to replica is OK.
>>
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>> ipa         : CRITICAL failed to create ds instance Command
>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
>> returned non-zero exit status 1
>>   [3/3]: restarting directory server
>> ipa         : CRITICAL Failed to restart the directory server. See the
>> installation log for details.
>> Done configuring directory server for the CA (pkids).
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> Can't contact LDAP server
>>
>>
>> I check the log file and this is what I get
>>
>> 2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
>> 2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
>> --logfile - -f /tmp/tmpo9ROF3
>> 2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
>> createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
>> Netscape Portable Runtime error -5966 (Access Denied.)
>> [11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
>> Interfaces port 7389 failed: Netscape Portable Runtime error -5966
>> (Access Denied.)
>> [14/02/11:14:57:53] - [Setup] Info Could not start the directory
>> server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
>> The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
>> prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
>> Netscape Portable Runtime error -5966 (Access Denied.)
>> '.  Error: Unknown error 256
>> Could not start the directory server using command
>> '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
>> error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
>> PR_Bind() on All
>> Interfaces port 7389 failed: Netscape Portable Runtime error -5966
>> (Access Denied.)
>> '.  Error: Unknown error 256
>> [14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
>> server instance 'PKI-IPA'.
>> Error: Could not create directory server instance 'PKI-IPA'.
>> [14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
>> Log file is '-'
>>
>> Exiting . . .
>> Log file is '-'
>>
>>
>> Please help
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Bind failed. This usually happens when the system has an identity crisis
> and tries to bind to the interface that is not there.

Access Denied is a bit unexpected, though it may have to do with the AWS 
network config. Any SELinux errors or anything in /var/log/messages?

Running IPA in AWS is a bit strange because of the dynamic nature of 
AWS. Have you seen 
http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html ?

rob
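As an added example (not from the thread, and not FreeIPA or 389-ds code), here is a small POSIX sh script that pulls the port and NSPR error code out of a setup-ds.pl/ns-slapd "PR_Bind() ... failed" line like the one above and lists the checks worth running for it: what else is listening, the SELinux mode and port label, and recent AVC denials for ns-slapd. The sample line is constructed to match the thread's log; the live checks only run when you pass --live, and the tool names (ss, getenforce, semanage, ausearch) and the /var/log/messages path are assumptions about the host.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA/389-ds code): triage a
# 389-ds "PR_Bind() ... failed" line like the one setup-ds.pl printed above.

# Constructed sample, formatted like the ns-slapd error line in the thread.
SAMPLE_LINE='[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)'

# bind_port LINE  -> the TCP port ns-slapd tried to bind
bind_port() {
    printf '%s\n' "$1" | sed -n 's/.*PR_Bind() on .* port \([0-9][0-9]*\) failed.*/\1/p'
}

# bind_errno LINE -> the NSPR error code in the message (e.g. -5966)
bind_errno() {
    printf '%s\n' "$1" | sed -n 's/.*Netscape Portable Runtime error \(-[0-9][0-9]*\).*/\1/p'
}

# bind_hint CODE  -> one-line diagnosis keyed on the NSPR code.
# -5966 is PR_NO_ACCESS_RIGHTS_ERROR (the "Access Denied" in the thread);
# the other two values are taken from NSPR's prerror.h.
bind_hint() {
    case "$1" in
        -5966) echo "access-denied: with SELinux enforcing, ns-slapd (dirsrv_t) may only bind ports labelled ldap_port_t; check the port label and the AVC log" ;;
        -5982) echo "address-in-use: another listener already owns the port" ;;
        -5986) echo "address-not-available: the configured listen address is not on any local interface" ;;
        *)     echo "unknown NSPR code $1: look it up in prerror.h" ;;
    esac
}

# triage LINE -> prints "port=N nspr=CODE" and the hint; returns 1 if the
# line is not a PR_Bind failure at all
triage() {
    port=$(bind_port "$1")
    code=$(bind_errno "$1")
    if [ -z "$port" ] || [ -z "$code" ]; then
        echo "not a PR_Bind failure line" >&2
        return 1
    fi
    echo "port=$port nspr=$code"
    bind_hint "$code"
}

# live_checks PORT -> the commands worth running on the failing host. Only
# invoked with --live; tool names are assumed (ss, getenforce, semanage, ausearch).
live_checks() {
    p=$1
    echo "== listeners on :$p (is something else bound?)"
    command -v ss >/dev/null && ss -ltnp "sport = :$p"
    echo "== SELinux mode and port label for $p"
    command -v getenforce >/dev/null && getenforce
    command -v semanage >/dev/null && semanage port -l | grep -w "$p"
    echo "== recent AVC denials for ns-slapd"
    command -v ausearch >/dev/null && ausearch -m avc -c ns-slapd -ts recent
    echo "== system log mentions of the port"
    grep -w "$p" /var/log/messages 2>/dev/null | tail -n 20
    return 0
}

if [ "${1:-}" = "--live" ]; then
    triage "$SAMPLE_LINE" && live_checks "$(bind_port "$SAMPLE_LINE")"
else
    triage "$SAMPLE_LINE"
fi
```

Run it with --live on the replica after the failed install; the ausearch query is what distinguishes an SELinux denial (fix the port label with semanage, or look for a denied name_bind) from a genuine permission or address problem. Paste the real line from /var/log/dirsrv/slapd-PKI-IPA/errors in place of the constructed sample to triage a different failure.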