[Freeipa-users] strange replica creation problem

Rob Crittenden rcritten at redhat.com
Mon Nov 17 18:22:18 UTC 2014


Janelle wrote:
> I did find that as the work-around - just trying to understand why it
> comes up sometimes...
> Did you find any issues with the workings of a replica if you had to
> resort to this method?

The conncheck is a reaction to a slew of problems people had setting up
replicas and because we don't have direct firewall integration. It
provides a way to detect errors that will eventually cause an
installation to fail. It isn't necessary to run, which is why we provided
the skip option.

As for why the ssh fails, you'd need to check the system logs on the IPA
master where it is failing. The ssh is only used so we can test the
reverse connection; it isn't used once the installation itself starts.

rob

> 
> Thanks.
> 
> ~J
> 
> On 11/17/14 10:57 AM, Craig White wrote:
>>
>> Janelle, this may not be that useful but I found it worthwhile to
>> resort to
>>
>> --skip-conncheck
>>
>> When setting up the replica – pretty much for the same reason.
>>
>> Craig White
>> System Administrator
>> O623-201-8179   M602-377-9752
>> SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032
>>
>> *From:*freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Janelle
>> *Sent:* Monday, November 17, 2014 7:43 AM
>> *To:* freeipa-users at redhat.com
>> *Subject:* [Freeipa-users] strange replica creation problem
>>
>> Happy Monday everyone,
>>
>> I have a strange issue I am seeing with replica creations, but it does
>> not seem to be consistent.  Sometimes, when trying to install the
>> replica I get errors trying to connect to the master via SSH:
>>
>> [root at ipa3 ~]# ipa-replica-install /var/lib/ipa/replica-info-ipa3.xyzzy.com.gpg
>> Directory Manager (existing master) password:
>>
>> Run connection check to master
>> Check connection from replica to remote master 'ipa2.xyzzy.com':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>    Kerberos KDC: UDP (88): SKIPPED
>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> admin at XYZZY.COM password:
>>
>> Check SSH connection to remote master
>> admin at ipa2.xyzzy.com's password:
>> admin at ipa2.xyzzy.com's password:
>> Could not SSH into remote host. Error output:
>>     OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
>>     debug1: Reading configuration data /etc/ssh/ssh_config
>>     debug1: /etc/ssh/ssh_config line 51: Applying options for *
>>
>>
>> ssh via root and all the hosts - using keys - works just fine. I don't
>> understand why this is happening on some hosts and not others.
>>
>>
>> Any ideas?
>> ~J
>>
> 
> 
> 
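
When a replica is installed with --skip-conncheck, the TCP part of the check shown in the quoted output can be repeated by hand in both directions: once on the replica against the master, and once on the master against the replica (the direction the ssh step exists to test). This is an added example, not part of the thread and not FreeIPA's own conncheck code; the function names are made up for the illustration and the port list is copied from the output quoted above.

```python
#!/usr/bin/env python3
"""Manual TCP reachability check between FreeIPA hosts (added example)."""
import socket
import sys

# TCP ports taken from the conncheck output quoted in this thread.
IPA_TCP_PORTS = {
    "Directory Service: Unsecure port": 389,
    "Directory Service: Secure port": 636,
    "Kerberos KDC: TCP": 88,
    "Kerberos Kpasswd: TCP": 464,
    "HTTP Server: Unsecure port": 80,
    "HTTP Server: Secure port": 443,
}


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def check_peer(host, ports=IPA_TCP_PORTS, timeout=3.0):
    """Return {service name: (port, reachable)} for every port in `ports`."""
    return {name: (port, tcp_port_open(host, port, timeout))
            for name, port in ports.items()}


def failed_services(results):
    """Names of services whose port could not be reached."""
    return sorted(name for name, (_, ok) in results.items() if not ok)


def main(argv):
    if len(argv) != 2:
        print("usage: %s <peer-hostname>" % argv[0], file=sys.stderr)
        return 2
    results = check_peer(argv[1])
    for name, (port, ok) in results.items():
        print("   %s (%d): %s" % (name, port, "OK" if ok else "FAILED"))
    # UDP 88 and 464 are not probed; the quoted output also leaves them manual.
    return 1 if failed_services(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A FAILED line in either direction usually points at a firewall rule between the two hosts, which is the class of problem the built-in check was added to catch before the installation fails.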