[Freeipa-users] trouble creating a replica in the cloud

Petr Spacek pspacek at redhat.com
Thu Feb 13 08:13:42 UTC 2014


On 13.2.2014 01:13, Todd Maugh wrote:
> Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS instance, so I built in 6.5
>
> and was able to get past it, but now I'm failing with this:
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Unexpected error - see /var/log/ipareplica-install.log for details:
> ObjectclassViolation: missing attribute "idnsSOAserial" required by object class "idnsZone"
>
> I tried attaching the log file but unfortunately it's 30 MB; trying to compress.

That is interesting. Which version of the ipa-server package are you trying to 
install? Is it RHEL or CentOS 6.5?

My guess is that you have DNS installed on one IPA server and now you are 
installing another replica without DNS (without the --setup-dns option), right?

Maybe you are hitting
https://bugzilla.redhat.com/show_bug.cgi?id=894131
but that was fixed in ipa-3.0.0-22.el6.

Petr^2 Spacek

> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, February 12, 2014 10:36 AM
> To: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] trouble creating a replica in the cloud
>
> Dmitri Pal wrote:
>> On 02/11/2014 05:02 PM, Todd Maugh wrote:
>>> Hey Guys,
>>>
>>> So I have my master and replica up in my datacenter.
>>>
>>> I have a client, I have a winsync agreement, I have a password sync.
>>>
>>> It's working lovely.
>>>
>>> So now I have spun up an AWS instance of Red Hat 6.5 (same as my
>>> master and first replica)
>>>
>>> I run the ipa replica and it fails
>>>
>>>
>>> ipa-replica-install --setup-ca --setup-dns --no-forwarders
>>> /var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
>>> Directory Manager (existing master) password:
>>>
>>> Run connection check to master
>>> Check connection from replica to remote master 'se-idm-01.boingo.com':
>>>     Directory Service: Unsecure port (389): OK
>>>     Directory Service: Secure port (636): OK
>>>     Kerberos KDC: TCP (88): OK
>>>     Kerberos Kpasswd: TCP (464): OK
>>>     HTTP Server: Unsecure port (80): OK
>>>     HTTP Server: Secure port (443): OK
>>>     PKI-CA: Directory Service port (7389): OK
>>>
>>> The following list of ports use UDP protocol and would need to be
>>> checked manually:
>>>     Kerberos KDC: UDP (88): SKIPPED
>>>     Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>> Connection from replica to master is OK.
>>> Start listening on required ports for remote master check
>>> Get credentials to log in to remote master
>>> admin at BOINGO.COM password:
>>>
>>> Execute check on remote master
>>> Check connection from master to remote replica 'se-idm-03.boingo.com':
>>>     Directory Service: Unsecure port (389): OK
>>>     Directory Service: Secure port (636): OK
>>>     Kerberos KDC: TCP (88): OK
>>>     Kerberos KDC: UDP (88): OK
>>>     Kerberos Kpasswd: TCP (464): OK
>>>     Kerberos Kpasswd: UDP (464): OK
>>>     HTTP Server: Unsecure port (80): OK
>>>     HTTP Server: Secure port (443): OK
>>>     PKI-CA: Directory Service port (7389): OK
>>>
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>>    [1/4]: stopping ntpd
>>>    [2/4]: writing configuration
>>>    [3/4]: configuring ntpd to start on boot
>>>    [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>>    [1/3]: creating directory server user
>>>    [2/3]: creating directory server instance
>>> ipa         : CRITICAL failed to create ds instance Command
>>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
>>> returned non-zero exit status 1
>>>    [3/3]: restarting directory server
>>> ipa         : CRITICAL Failed to restart the directory server. See the
>>> installation log for details.
>>> Done configuring directory server for the CA (pkids).
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> Can't contact LDAP server
>>>
>>>
>>> I check the log file and this is what I get
>>>
>>> 2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
>>> 2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
>>> --logfile - -f /tmp/tmpo9ROF3
>>> 2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
>>> createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
>>> Netscape Portable Runtime error -5966 (Access Denied.)
>>> [11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
>>> Interfaces port 7389 failed: Netscape Portable Runtime error -5966
>>> (Access Denied.)
>>> [14/02/11:14:57:53] - [Setup] Info Could not start the directory
>>> server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
>>> The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
>>> prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
>>> Netscape Portable Runtime error -5966 (Access Denied.)
>>> '.  Error: Unknown error 256
>>> Could not start the directory server using command
>>> '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
>>> error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
>>> PR_Bind() on All
>>> Interfaces port 7389 failed: Netscape Portable Runtime error -5966
>>> (Access Denied.)
>>> '.  Error: Unknown error 256
>>> [14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
>>> server instance 'PKI-IPA'.
>>> Error: Could not create directory server instance 'PKI-IPA'.
>>> [14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
>>> Log file is '-'
>>>
>>> Exiting . . .
>>> Log file is '-'
>>>
>>> Please help
>>
>> Bind failed. This usually happens when the system has an identity crisis
>> and tries to bind to the interface that is not there.
>
> Access Denied is a bit unexpected though it may have to do with the AWS
> network config. Any SELinux errors or anything in /var/log/messages?
>
> Running IPA in AWS is a bit strange because of the dynamic nature of
> AWS. Have you seen
> http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html
>
> rob
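Added here as an illustration and not code from the thread or from FreeIPA: a pre-flight script that turns the three hypotheses raised above into checks an admin can run on the EC2 host before retrying ipa-replica-install. It covers Dmitri's "identity crisis" (the host's FQDN resolving to an address that is not configured on any local interface, as happens with EC2 public names), Rob's SELinux question for the PKI-CA instance's tcp/7389 bind (plus 389 and 636 from the connection check output), and Petr's version guess (ipa-server at or past ipa-3.0.0-22.el6). The parsing helpers take command output as a string so they can be exercised offline on the constructed samples embedded below; the samples are not captured from the poster's hosts, and the 7389 -> ldap_port_t mapping in them is an assumption to be checked against your own `semanage port -l`.

```shell
#!/bin/sh
# Pre-flight checks before ipa-replica-install (illustration for the thread,
# not part of FreeIPA). Helpers parse command output passed as a string so
# they can be tested on constructed samples; preflight feeds them live output.

# 0 if ADDR is configured on some interface in `ip -4 -o addr` output.
addr_is_local() {
    local addr="$1" ip_output="$2"
    printf '%s\n' "$ip_output" | awk -v a="$addr" '
        { for (i = 1; i < NF; i++) if ($i == "inet") { split($(i + 1), p, "/"); if (p[1] == a) found = 1 } }
        END { if (!found) exit 1 }'
}

# 0 if something already listens on tcp/PORT in `ss -ltn` / `netstat -ltn` output.
port_in_use() {
    local port="$1" sock_output="$2"
    printf '%s\n' "$sock_output" | awk -v p="$port" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { if (!found) exit 1 }'
}

# Print the SELinux port type covering tcp/PORT in `semanage port -l` output
# (single ports and ranges such as 32768-61000); status 1 if none matches.
port_label() {
    local port="$1" semanage_output="$2"
    printf '%s\n' "$semanage_output" | awk -v p="$port" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                if (split(r, b, "-") == 2) hit = (p + 0 >= b[1] + 0 && p + 0 <= b[2] + 0)
                else hit = (r + 0 == p + 0)
                if (hit) { print $1; found = 1; exit }
            }
        }
        END { if (!found) exit 1 }'
}

# Dotted-numeric version compare: prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = na > nb ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0 }'
}

# 0 if VERSION-RELEASE (e.g. 3.0.0-37.el6 from rpm -q --qf '%{VERSION}-%{RELEASE}')
# is at least MIN. The release is compared on its leading number only, which is
# enough for this single-branch case; use rpmdev-vercmp for anything fancier.
release_at_least() {
    local have="$1" want="$2" hr wr
    hr=${have#*-}; wr=${want#*-}
    case $(vercmp "${have%%-*}" "${want%%-*}") in
        1) return 0 ;;
        -1) return 1 ;;
    esac
    [ "${hr%%.*}" -ge "${wr%%.*}" ]
}

# Constructed sample outputs (not from the poster's hosts). The 7389 ->
# ldap_port_t mapping is an assumption; check your own `semanage port -l`.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.31.20.5/20 brd 172.31.31.255 scope global eth0'
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    :::389               :::*'
SAMPLE_SEMANAGE='ephemeral_port_t               tcp      32768-61000
ldap_port_t                    tcp      389, 636, 3268, 7389
ssh_port_t                     tcp      22'

# Live run on this host; each WARN is one of the thread's hypotheses to chase.
preflight() {
    local fqdn addr port label have
    fqdn=$(hostname -f)
    addr=$(getent ahostsv4 "$fqdn" | awk 'NR == 1 { print $1 }')
    if addr_is_local "$addr" "$(ip -4 -o addr)"; then
        echo "OK   $fqdn -> $addr is configured on a local interface"
    else
        echo "WARN $fqdn -> $addr is not on any local interface (EC2 public/elastic IP?)"
    fi
    for port in 389 636 7389; do
        if port_in_use "$port" "$(ss -ltn)"; then echo "WARN tcp/$port already has a listener"; fi
        if label=$(port_label "$port" "$(semanage port -l)"); then
            echo "OK   tcp/$port is labeled $label (confirm dirsrv_t may name_bind it with sesearch)"
        else
            echo "WARN tcp/$port has no SELinux port label; check ausearch -m avc -ts recent"
        fi
    done
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' ipa-server 2>/dev/null) || have=""
    if [ -n "$have" ] && release_at_least "$have" 3.0.0-22.el6; then
        echo "OK   ipa-server $have is at or past ipa-3.0.0-22.el6 (bz 894131 fix, per Petr)"
    else
        echo "WARN ipa-server ${have:-not installed}; bz 894131 was fixed in ipa-3.0.0-22.el6"
    fi
}

# Run the live checks only when asked, so the helpers can be sourced or tested alone.
if [ "${1:-}" = "--live" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --live` on the replica before the install. A label on tcp/7389 is necessary but not sufficient: the type has to be one the dirsrv domain may bind, so a generic type on the port still deserves a look at the AVC log and at the policy with sesearch. The version check only encodes what Petr states above; it does not decide whether bz 894131 is the actual cause.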