[Freeipa-users] Upgrade from 3x to 4x cant create first replica.

Chris Mohler cmohler at oberlin.edu
Mon Feb 9 16:16:22 UTC 2015


On 02/09/2015 10:18 AM, Martin Kosek wrote:
> On 02/07/2015 12:27 AM, Chris Mohler wrote:
>> I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
>> 6.6. It's currently the only master for my domain. I have about 4k user
>> accounts on here and it's a live system called "idm"
>>
>> I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
>> (clients can't auth unless service sssd is restarted multiple times "10 (User
>> not known to the underlying authentication module") I think this is possibly
>> unrelated and the topic for another thread.
>>
>> I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's called
>> "ipa"
> Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
> in, so you can also use that platform if you are used to it.
>
>> on the master "idm" I ran "ipa-replica-prepare" and transferred the file to the
>> future replica "ipa" Then I ran the install replica script ipa-replica-install
>> --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
>> Things went well until it failed
>>
>> [24/35]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 133 seconds elapsed
>> Update in progress yet not in progress
>>
>> Update in progress yet not in progress
>>
>> Update in progress yet not in progress
>>
>> [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
>> abortedLDAP error: Referral]
>>
>> [error] RuntimeError: Failed to start replication
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Please help I'm getting nowhere by myself.
> Can you please look on the master you are replicating from and look for errors
> in /var/log/messages or DS errors log?
>
> Maybe you will see messages like "ns-slapd: encoded packet size too big (xxxxxx > 65536)"
> that are known to pop up more with CentOS 6.6.

Hi Martin,
Thanks for the reply and help, I appreciate it.

> Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
> in, so you can also use that platform if you are used to it.
Good to know. I try to be distro agnostic. I've used Redhat 7.1 then 
went Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess 
I'm equally uncomfortable with either version.

That said, is there any reason that I could or should not have a replica 
on a Fedora 21 server and 2nd replica on a Centos 7.1 later? My 
understanding is the more the merrier.

> Can you please look on the master you are replicating from and look for errors
> in /var/log/messages or DS errors log?

I tried to set up the replica again just now so I have some fresh logs.

From the Dirserv error log
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS requests
[08/Feb/2015:22:14:50 -0500] - Listening on /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"

To be fair and not duplicate efforts I have had the following error
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.

To which I have asked another question "how do I change the entry cache 
size"
https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
I now get additional errors which I would guess are possibly related.
> [06/Feb/2015:10:07:35 -0500] - slapd stopped.
> [06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
> [06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
> [06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
> [06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
> [06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS requests

Thanks again for having a look at my problem,
-Chris
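
An added example, not part of the original message and not FreeIPA or 389-DS tooling: a small triage script for the errors-log format quoted above. It rejoins mail-wrapped records and flags the messages raised in this thread; the rule labels and function names are made up for illustration.

```python
import re

# Start of a 389-DS errors-log record, e.g. "[09/Feb/2015:10:40:30 -0500] "
STAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] ")

# Message fragments quoted in this thread; the labels are made up for this example.
RULES = [
    ("schema-replication-refused", re.compile(r"Schema replication update failed: (.+)")),
    ("entry-cache-too-small", re.compile(r"entry cache size (\d+)B is less than db size (\d+)B")),
    ("packet-size-limit", re.compile(r"encoded packet size too big \((\d+) > \d+\)")),
    ("schema-syntax-mismatch", re.compile(r"attr_syntax_create - Error: .* for the attribute \[(\w+)\]")),
]

def records(text):
    """Rejoin hard-wrapped lines: a record runs until the next timestamp."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if STAMP.match(line):
            out.append(line)
        elif line and out:
            out[-1] += " " + line
    return out

def triage(text):
    """Return (timestamp, label, detail) for every record that matches a rule."""
    findings = []
    for rec in records(text):
        stamp = STAMP.match(rec).group(1)
        for label, pattern in RULES:
            m = pattern.search(rec)
            if m:
                detail = m.group(1)
                if label == "entry-cache-too-small":
                    detail = f"cache is {int(m.group(2)) - int(m.group(1))} bytes smaller than the database"
                findings.append((stamp, label, detail))
    return findings

# Sample input: two records from the post, hard-wrapped as the mail client left them.
SAMPLE = """\
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update
failed: Server is unwilling to perform
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size
10485760B is less than db size 12115968B; We recommend to increase the
entry cache size nsslapd-cachememsize.
"""
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
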