[Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

Dmitri Pal dpal at redhat.com
Tue Mar 10 00:22:30 UTC 2015


On 03/09/2015 05:35 PM, Steven Jones wrote:
>
> Any idea what is going on here please?
>
>
> ==========
>
> [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg  --skip-conncheck


Why are you skipping the connection check?
The check will find issues like this ahead of time.
I suspect either there is something wrong with the DNS entries for LDAP
server records, or the LDAP or Kerberos port is not open between the new
replica and the master.
At least I would try with the connection check on and see if it gives some
hints.

> Checking forwarders, please wait ...
> WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
> Please fix forwarder configuration to enable DNSSEC support.
> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> WARNING: DNSSEC validation will be disabled
> Directory Manager (existing master) password:
>
> Adding [10.100.32.50 vuwunicoipam004.ods.vuw.ac.nz] to your /etc/hosts file
> Using reverse zone(s) 32.100.10.in-addr.arpa.
> Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>    [1/35]: creating directory server user
>    [2/35]: creating directory server instance
>    [3/35]: adding default schema
>    [4/35]: enabling memberof plugin
>    [5/35]: enabling winsync plugin
>    [6/35]: configuring replication version plugin
>    [7/35]: enabling IPA enrollment plugin
>    [8/35]: enabling ldapi
>    [9/35]: configuring uniqueness plugin
>    [10/35]: configuring uuid plugin
>    [11/35]: configuring modrdn plugin
>    [12/35]: configuring DNS plugin
>    [13/35]: enabling entryUSN plugin
>    [14/35]: configuring lockout plugin
>    [15/35]: creating indices
>    [16/35]: enabling referential integrity plugin
>    [17/35]: configuring ssl for ds instance
>    [18/35]: configuring certmap.conf
>    [19/35]: configure autobind for root
>    [20/35]: configure new location for managed entries
>    [21/35]: configure dirsrv ccache
>    [22/35]: enable SASL mapping fallback
>    [23/35]: restarting directory server
>    [24/35]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 128 seconds elapsed
> [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>
>    [error] RuntimeError: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Failed to start replication
> [root@vuwunicoipam004 ipa-certs]#
> ========
>
> No firewalls are active and the network is a simple vyos virtual router.
>
>
> =====
>
> [root@vuwunicoipam002 etc]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> [root@vuwunicoipam002 etc]#
> =====
>
> =====
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> [root@vuwunicoipam004 ipa-certs]#
> =====
>
>
>
>
> regards
>
> Steven
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
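
The two things the reply above suspects (DNS entries for the LDAP server records, and LDAP or Kerberos ports between the new replica and the master) can be checked by hand from the replica before re-running the installer. The sketch below is an added example, not part of the original thread and not FreeIPA's own connection check. The port numbers and SRV labels are assumed standard LDAP/Kerberos defaults, and `dig` is assumed to be installed for the SRV lookup.

```python
"""Pre-flight checks for a new replica: python3 <script> MASTER_FQDN DOMAIN"""
import shutil
import socket
import subprocess
import sys

# Assumed default service ports and SRV labels; neither is listed in the thread.
PORTS = {"ldap": 389, "ldaps": 636, "kerberos": 88, "kpasswd": 464}
SRV_LABELS = ("_ldap._tcp", "_kerberos._tcp")


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def srv_names(domain):
    """Build the SRV record names a replica looks up for the given domain."""
    return ["%s.%s" % (label, domain.strip(".")) for label in SRV_LABELS]


def srv_targets(name):
    """Return the SRV target hosts for name via dig, or None if dig is missing."""
    if shutil.which("dig") is None:
        return None
    out = subprocess.run(["dig", "+short", "+time=3", "+tries=1", "SRV", name],
                         capture_output=True, text=True, timeout=15).stdout
    # Each answer line has four fields: priority weight port target
    return [f[3].rstrip(".").lower() for f in map(str.split, out.splitlines()) if len(f) == 4]


def main(master, domain):
    failed = False
    for name in srv_names(domain):
        targets = srv_targets(name)
        print("SRV %-30s %s" % (name, targets))
        failed |= targets is not None and master.lower() not in targets
    for service, port in PORTS.items():
        ok = tcp_open(master, port)
        print("TCP %-8s %-5d %s" % (service, port, "open" if ok else "UNREACHABLE"))
        failed |= not ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

A non-zero exit status means either the master is missing from an SRV answer or one of the ports could not be reached from the replica.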
