[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Tue Feb 18 18:29:46 UTC 2014


Rob
I am giving it a fresh start and I notice similar issues.

1) I wasn't able to use the "--setup-ca" option while running ipa-replica-install on the replica. It stopped the install after the ntpd step; see below.

Done configuring NTP daemon (ntpd).
A CA is already configured on this system.


2) So I tried my install command again without the --setup-ca option. It went further, and although it completed, it showed one error; see below.

 MY COMMAND: --> ipa-replica-install /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
The --skip-conncheck option was needed to complete the install. Connection checks were done manually.

  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
ipa         : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-MYDOMAIN.COM -n Server-Cert -p /etc/dirsrv/slapd-MYDOMAIN.COM/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv MYDOMAIN.COM' returned non-zero exit status 1
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
.........................................

3) The replica installed fine; I can access the same database from the replica's website.

4) I cannot add new clients.
MY COMMAND: --> ipa-client-install --domain=mydomain.com --server=ldap2.mydomain.com --hostname=test500.mydomain.com -d 

ldap.mydomain.com = master
ldap2.mydomain.com = replica


Shreeraj 
---------------------------------------------------------------------------------------- 

Change is the only Constant !



On Friday, February 14, 2014 11:40 AM, Rob Crittenden <rcritten at redhat.com> wrote:
 
Shree wrote:
> 1) 7839 TCP is open between the master and replica, do I need 7389 udp
> also?  What about clients and replica?
> I have the following ports opened and tested between master and replica.
> --> 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP), 7389
> (TCP)
> and  88 (UDP)  464 (UDP)
> Do I need any more ports opened? I have to work with another team to get
> this done, so it will help having all the information.

No, this list is enough. Still, it can't connect to it. Seeing the 
failure output from the connection check might be useful, or at least 
confirm the same.

> 2) I see you skip the connection check, what was failing? :-- Yes my
> replica install fails unless I use --skip connection check. I have
> tested the connection with the ports mentioned during the install.

I don't know what to say, the logs pretty clearly indicate that it can't 
connect on port 7389.

> 3) In the ipareplica-install log this is reported:
>
> Failed to setup the replication for cloning. :--- Yes but what is the
> solution?

Fix the firewall.

>
> 4) And in the debug log:
>
> :- Also what is the solution for the Java.io error?

Same thing. One failure cascades to another.

rob
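
An added example, not part of the original thread and not FreeIPA code: a TCP reachability check for the ports listed above, which separates "refused" (path clear, nothing listening) from "filtered" (no reply, typically a firewall drop). The function names, the 3-second timeout and the default hostname (the thread's placeholder for the master) are assumptions.

```python
import socket
import sys

# TCP ports listed in the thread as opened between master and replica.
# UDP 88 and 464 are not probed: a silent UDP port proves nothing.
IPA_TCP_PORTS = (389, 636, 88, 464, 80, 443, 7389)


def check_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # RST came back: the path is clear but no service is listening.
        return "refused"
    except socket.timeout:
        # No reply at all: typically a firewall silently dropping packets.
        return "filtered"
    except OSError as exc:
        # e.g. name resolution failure, or an ICMP reject from a firewall.
        return "error: %s" % (exc.strerror or exc)


def check_ports(host, ports=IPA_TCP_PORTS, timeout=3.0):
    """Return {port: state} for every port in `ports`."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def not_open(results):
    """Ports that did not accept a connection, sorted."""
    return sorted(p for p, state in results.items() if state != "open")


if __name__ == "__main__":
    # Hostname is the thread's placeholder for the master; pass your own.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.mydomain.com"
    results = check_ports(host)
    for port, state in sorted(results.items()):
        print("%-5d %s" % (port, state))
    sys.exit(1 if not_open(results) else 0)
```

Run it on the replica with the master's hostname as the argument, then on the master against the replica; a port that is "filtered" in either direction is one to raise with the firewall team.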