[Freeipa-users] Upgrade from 3x to 4x cant create first replica.

Chris Mohler cmohler at oberlin.edu
Mon Feb 9 17:12:28 UTC 2015


On 02/09/2015 11:36 AM, Martin Kosek wrote:
> On 02/09/2015 05:16 PM, Chris Mohler wrote:
>> On 02/09/2015 10:18 AM, Martin Kosek wrote:
>>> On 02/07/2015 12:27 AM, Chris Mohler wrote:
>>>> I'm having some troubles. I have an older IPA install, version 3.0.0, on CentOS
>>>> 6.6. It's currently the only master for my domain. I have about 4k user
>>>> accounts on here and it's a live system called "idm".
>>>>
>>>> I'm trying to upgrade to v4.x as I am hoping to fix some issues I am having
>>>> (clients can't auth unless service sssd is restarted multiple times: "10 (User
>>>> not known to the underlying authentication module)"). I think this is possibly
>>>> unrelated and the topic for another thread.
>>>>
>>>> I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2; it's called
>>>> "ipa".
>>> Good. Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked
>>> in, so you can also use that platform if you are used to it.
>>>
>>>> On the master "idm" I ran "ipa-replica-prepare" and transferred the file to the
>>>> future replica "ipa". Then I ran the replica install script: ipa-replica-install
>>>> --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
>>>> Things went well until it failed:
>>>>
>>>> [24/35]: setting up initial replication
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress, 133 seconds elapsed
>>>> Update in progress yet not in progress
>>>>
>>>> Update in progress yet not in progress
>>>>
>>>> Update in progress yet not in progress
>>>>
>>>> [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
>>>> abortedLDAP error: Referral]
>>>>
>>>> [error] RuntimeError: Failed to start replication
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Please help I'm getting nowhere by myself.
>>> Can you please look on the master you are replicating from and look for errors
>>> in /var/log/messages or DS errors log?
>>>
>>> Maybe you will see messages like "ns-slapd: encoded packet size too big (xxxxxx
>>> > 65536)" that are known to pop up more with CentOS 6.6.
>> Hi Martin,
>> Thanks for the reply and help I appreciate it.
>>
>>> Good. Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked
>>> in, so you can also use that platform if you are used to it.
>> Good to know. I try to be distro agnostic. I've used Red Hat 7.1, then went to
>> Solaris, then Ubuntu. Now I'm back to CentOS and Fedora. I guess I'm equally
>> uncomfortable with either version.
>>
>> That said, is there any reason that I could or should not have a replica on a
>> Fedora 21 server and a 2nd replica on CentOS 7.1 later? My understanding is the
>> more the merrier.
> It should just work. Just note that in case of Fedora Server, these are
> upstream/Fedora bits which are only tested upstream. So if you for example
> break something in Fedora 21 (not likely to happen though ;-) and then get the
> change *replicated* to RHEL production instance, I do not think Red Hat support
> would be happy with that.
>
> Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
> your production RHEL instance, as it would upgrade all the data to the 4.2 level -
> which should get more downstream testing before Red Hat can rubber stamp it.
>
> TLDR; if you are happy with the upstream level of support (this list/IRC/Trac),
> knock yourself out :-)
>
>>> Can you please look on the master you are replicating from and look for errors
>>> in /var/log/messages or DS errors log?
>> I tried to setup the replica again just now so I have some fresh logs.
>>
>>  From the Dirserv error log
>> [08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
>> [08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up
>> under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
>> [08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port
>> 389 for LDAP requests
>> [08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS
>> requests
>> [08/Feb/2015:22:14:50 -0500] - Listening on
>> /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
>> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
>> agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed:
>> Server is unwilling to perform
>> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to
>> replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total
>> update session.
>> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of
>> replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"
>>
>> To be fair and not duplicate efforts I have had the following error
>> [08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is
>> less than db size 12115968B; We recommend to increase the
>> entry cache size nsslapd-cachememsize.
>>
>> To which I have asked another question "how do I change the entry cache size"
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
>> I now get additional errors which I would guess are possibly related.
> IMO, this should not be related (should not break replication). I do not
> see anything useful in the error log though. Did you also check
> /var/log/messages for the error log message I sent?
/var/log/messages on the CentOS master only has one entry from today.

Feb  9 05:50:00 idm rngd: failed fips test (An error about the rngd package)

Do I need to increase the verbosity over the default settings to get
replication errors? Or is there a config file that needs a debug option
in FreeIPA?

/var/log/messages on the client Fedora system isn't much more interesting:

Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] - SSL alert:         TLS_RSA_WITH_SEED_CBC_SHA: enabled
Feb  9 10:40:25 ipa ns-slapd: [09/Feb/2015:10:40:25 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
Feb  9 10:55:25 ipa ntpd[1011]: 0.0.0.0 c612 02 freq_set ntpd -5.531 PPM
Feb  9 10:55:25 ipa ntpd[1011]: 0.0.0.0 c615 05 clock_sync
Feb  9 11:01:02 ipa systemd: Starting Paths.
Feb  9 11:01:02 ipa systemd: Reached target Paths.
Feb  9 11:01:02 ipa systemd: Starting Timers.
Feb  9 11:01:02 ipa systemd: Reached target Timers.
Feb  9 11:01:02 ipa systemd: Starting Sockets.
Feb  9 11:01:02 ipa systemd: Reached target Sockets.
Feb  9 11:01:02 ipa systemd: Starting Basic System.
Feb  9 11:01:02 ipa systemd: Reached target Basic System.
Feb  9 11:01:02 ipa systemd: Starting Default.
Feb  9 11:01:02 ipa systemd: Reached target Default.
Feb  9 11:01:02 ipa systemd: Startup finished in 7ms.

I searched /var/log/messages and the archived message logs on the master
CentOS server for "encoded packet size too big", "encoded packet",
"slapd", and "encoded" and did not find any results.

Thanks,
-Chris
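A small triage script for the kind of log search discussed in this thread, added here as an example and not part of the original message or of FreeIPA/389-ds: it scans a 389-ds errors log (or a syslog file carrying ns-slapd lines) and reports, per timestamp and replication agreement, the replication symptoms named above (the "encoded packet size too big" message, schema replication failures, aborted total updates and the entry-cache warning). The sample log is constructed from lines quoted in the thread plus one made-up "packet too big" line; the function and category names are the author's own.

```shell
#!/bin/sh
# Constructed sample log: the first four lines are modelled on the DS errors log
# quoted in the thread, the last one is a made-up syslog-form "packet too big" line.
SAMPLE_LOG="${TMPDIR:-/tmp}/ds-errors-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"
Feb  9 10:42:51 idm ns-slapd: [09/Feb/2015:10:42:51 -0500] - encoded packet size too big (70001 > 65536)
EOF

# scan_repl_log FILE
# Prints "<ds-timestamp> <category> <agreement>" for every line that matches one
# of the replication symptoms; informational lines are skipped. Works on both the
# bare DS errors log and on /var/log/messages lines prefixed with a syslog header.
scan_repl_log() {
    awk '
    {
        cat = ""
        if ($0 ~ /encoded packet size too big/)                 cat = "packet-too-big"
        else if ($0 ~ /Schema replication update failed/)       cat = "schema-failed"
        else if ($0 ~ /Total update aborted/ || $0 ~ /LDAP error: Referral/)
                                                                cat = "total-update-aborted"
        else if ($0 ~ /entry cache size .* less than db size/)  cat = "cache-undersized"
        if (cat == "") next
        # 389-ds timestamp, e.g. [09/Feb/2015:10:40:30 -0500], wherever it sits on the line
        ts = "-"
        if (match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9:]+ [-+][0-9]+\]/))
            ts = substr($0, RSTART, RLENGTH)
        # replication agreement name from agmt="cn=..." when present
        agmt = "-"
        if (match($0, /agmt="[^"]*"/))
            agmt = substr($0, RSTART + 6, RLENGTH - 7)
        print ts, cat, agmt
    }' "$1"
}

# count_repl_problems FILE [CATEGORY]: number of flagged lines, optionally of one category.
count_repl_problems() {
    scan_repl_log "$1" | awk -v c="$2" 'c == "" || $3 == c { n++ } END { print n + 0 }'
}

scan_repl_log "$SAMPLE_LOG"
```

Run it against the master's DS errors log (and, as the thread suggests, against /var/log/messages) to get a compact list of replication-related events instead of grepping for one string at a time. Note that the output field order is timestamp, zone, category, agreement, since the timestamp contains a space.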
