[Freeipa-users] Unable to Rebuild Replica

Sina Owolabi notify.sina at gmail.com
Fri Apr 24 09:11:29 UTC 2015


Hi!

I noticed that my IPA domain masters were out of sync, with users
having to login with different passwords depending on the IPA client
they were connected to. I noticed it was the replica that was the
problem, and I took it down, uninstalled IPA with a
"ipa-server-install --uninstall -U", deleted all the folders based on
Adam Young's blog
(http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/)
and tried to create the replica again. It repeatedly fails, and I am
hoping for some insight on how to fix this. Please can anyone help?
I'm running this on RHEL6.6 and I just updated the entire machine.

Installation logs:

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'services.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at EXAMPL.COM password:

Execute check on remote master
Check connection from master to remote replica 'services01.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
CalledProcessError: Command '/usr/bin/pkicreate -pki_instance_root
/var/lib -pki_instance_name pki-ca -subsystem_type ca
-agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445
-ee_secure_client_auth_port 9446 -unsecure_port 9180
-tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect
logs=/var/log/pki-ca -enable_proxy' returned non-zero exit status 255

From the ipa-replica-install.log:

2015-04-24T09:01:57Z DEBUG /usr/sbin/ipa-replica-install was invoked
with argument "/var/lib/ipa/replica-info-services01.qrios.com.gpg" and
options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True,
'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
'unattended': False, 'no_host_dns': False, 'ip_address': None,
'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
'setup_ca': True, 'forwarders': [CheckedIPAddress('8.8.8.8'),
CheckedIPAddress('8.8.4.4')], 'debug': False, 'conf_ntp': True,
'skip_conncheck': False}
2015-04-24T09:01:57Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-24T09:01:57Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2015-04-24T09:01:57Z DEBUG stdout=VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443         services01.qrios.com (/etc/httpd/conf.d/nss.conf:84)

2015-04-24T09:01:57Z DEBUG stderr=Syntax OK

2015-04-24T09:02:04Z DEBUG args=/usr/bin/gpg --batch --homedir
/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg --passphrase-fd 0 --yes --no-tty
-o /tmp/tmpo2Cx3jipa/files.tar -d
/var/lib/ipa/replica-info-services01.qrios.com.gpg
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=gpg: WARNING: unsafe permissions on
homedir `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg'
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2015-04-24T09:02:04Z DEBUG args=tar xf /tmp/tmpo2Cx3jipa/files.tar -C
/tmp/tmpo2Cx3jipa
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=
2015-04-24T09:02:04Z DEBUG Installing replica file with version 300 (0
means no version in prepared file).
2015-04-24T09:02:04Z DEBUG Check if services01.qrios.com is a primary
hostname for localhost
2015-04-24T09:02:04Z DEBUG Primary hostname for localhost: services01.qrios.com
2015-04-24T09:02:04Z DEBUG Search DNS for services01.qrios.com
2015-04-24T09:02:04Z DEBUG Check if services01.qrios.com. is not a CNAME
2015-04-24T09:02:04Z DEBUG Check reverse address of 192.168.2.40
2015-04-24T09:02:04Z DEBUG Found reverse name: services01.qrios.com
2015-04-24T09:02:18Z DEBUG args=/usr/sbin/ipa-replica-conncheck
--master services.qrios.com --auto-master-check --realm QRIOS.COM
--principal admin --hostname services01.qrios.com --check-ca
2015-04-24T09:02:18Z DEBUG args=/sbin/ip -family inet -oneline address show
...skipping...
          -unsecure_port=7988                \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-tps1       \
          -redirect logs=/var/log/pki-tps1   \
          -verbose

IMPORTANT:  Must be run as root!

2015-04-24T09:02:54Z DEBUG stderr=[error] An instance named pki-ca
already exists; please try again.

2015-04-24T09:02:54Z INFO   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 476, in main
    (CA, cs) = cainstance.install_replica_ca(config)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
line 1626, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
line 770, in create_instance
    ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 316, in run
    raise CalledProcessError(p.returncode, args)

2015-04-24T09:02:54Z INFO The ipa-replica-install command failed,
exception: CalledProcessError: Command '/usr/bin/pkicreate
-pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type
ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port
9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180
-tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect
logs=/var/log/pki-ca -enable_proxy' returned non-zero exit status 255
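A small log-triage helper, added here as an example and not part of the original post or of FreeIPA itself: it groups the wrapped `args=` / `stdout=` / `stderr=` records that ipa-replica-install writes, pulls out the command whose stderr carries the `[error]` marker together with the exit status from the final CalledProcessError line, and surfaces any gpg WARNING lines (the replica file above was decrypted without integrity protection, which a reviewer of the log would want flagged rather than buried). The record layout is assumed from the excerpt quoted above, and SAMPLE_LOG is constructed from that excerpt, not copied verbatim.

```python
import re

# Constructed sample modeled on the ipa-replica-install.log excerpt in the post
# (the elided middle of the real log is left out).
SAMPLE_LOG = """\
2015-04-24T09:02:04Z DEBUG args=/usr/bin/gpg --batch --homedir
/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg --passphrase-fd 0 --yes --no-tty
-o /tmp/tmpo2Cx3jipa/files.tar -d
/var/lib/ipa/replica-info-services01.qrios.com.gpg
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=gpg: WARNING: unsafe permissions on
homedir `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg'
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2015-04-24T09:02:04Z DEBUG args=tar xf /tmp/tmpo2Cx3jipa/files.tar -C
/tmp/tmpo2Cx3jipa
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=
2015-04-24T09:02:54Z DEBUG args=/usr/bin/pkicreate -pki_instance_root
/var/lib -pki_instance_name pki-ca -subsystem_type ca -redirect
conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy
2015-04-24T09:02:54Z DEBUG stdout=
IMPORTANT:  Must be run as root!

2015-04-24T09:02:54Z DEBUG stderr=[error] An instance named pki-ca
already exists; please try again.

2015-04-24T09:02:54Z INFO The ipa-replica-install command failed,
exception: CalledProcessError: Command '/usr/bin/pkicreate
-pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type
ca -enable_proxy' returned non-zero exit status 255
"""

# A record starts with an ISO timestamp and a level; wrapped lines have neither.
RECORD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (\w+) (.*)$")
EXIT_RE = re.compile(r"returned non-zero exit status (\d+)")


def parse_records(text):
    """Group wrapped log lines into (timestamp, level, message) records.
    A line without a leading timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records:
            records[-1][2] += "\n" + line
    return [tuple(r) for r in records]


def extract_commands(records):
    """Pair every args= record with the stdout=/stderr= records that follow it."""
    commands = []
    for ts, _level, msg in records:
        if msg.startswith("args="):
            # collapse the wrapped command line back into one string
            commands.append({"time": ts,
                             "args": " ".join(msg[len("args="):].split()),
                             "stdout": "", "stderr": ""})
        elif commands and msg.startswith("stdout="):
            commands[-1]["stdout"] = msg[len("stdout="):].strip()
        elif commands and msg.startswith("stderr="):
            commands[-1]["stderr"] = msg[len("stderr="):].strip()
    return commands


def find_failure(text):
    """Return the failing command, the reported exit status and any gpg/other
    WARNING lines seen on stderr anywhere in the run."""
    records = parse_records(text)
    commands = extract_commands(records)
    exit_status = None
    for _ts, _level, msg in records:
        m = EXIT_RE.search(msg)
        if m:
            exit_status = int(m.group(1))
    # the last command whose stderr carries an [error] marker is the culprit
    failed = next((c for c in reversed(commands) if "[error]" in c["stderr"]), None)
    warnings = [line for c in commands
                for line in c["stderr"].splitlines() if "WARNING" in line]
    return {"failed": failed, "exit_status": exit_status, "warnings": warnings}


if __name__ == "__main__":
    result = find_failure(SAMPLE_LOG)
    print("exit status:", result["exit_status"])
    if result["failed"]:
        print("failed command:", result["failed"]["args"])
        print("stderr:", result["failed"]["stderr"])
    for w in result["warnings"]:
        print("warning:", w)
```

Run it against a real /var/log/ipareplica-install.log by replacing SAMPLE_LOG with the file's contents; the point of the grouping step is that ipa-replica-install wraps long commands and multi-line stderr across several lines, so grepping for `stderr=` alone misses the continuation that names the leftover pki-ca instance.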
