[Freeipa-users] CentOS 7 replica installation failing

Petr Vobornik pvoborni at redhat.com
Thu Apr 7 11:11:26 UTC 2016


On 04/07/2016 06:12 AM, John Williams wrote:
> I've set up an initial FreeIPA instance on a CentOS 7 host.  The install went 
> without a hitch.  I can log in to the GUI with no problems.  However, I am not 
> able to install the replica on another CentOS 7 host.  I get the following errors:
> 
> [root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders 
> /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck

It was run with '--skip-conncheck'. Is there a reason? If you remove it,
what does it complain about?

In general, using --skip-conncheck should be avoided because it may hide
errors.

You could also check the master server's
/var/log/dirsrv/slapd-your-instance/access and errors logs to see if any
connection attempt from the replica is visible.

And maybe /var/log/ipareplica-install.log contains more info.


> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
> 
> Directory Manager (existing master) password:
> 
> Existing BIND configuration detected, overwrite? [no]: yes
> Using reverse zone(s) 1.168.192.in-addr.arpa.
> Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>    [1/38]: creating directory server user
>    [2/38]: creating directory server instance
>    [3/38]: adding default schema
>    [4/38]: enabling memberof plugin
>    [5/38]: enabling winsync plugin
>    [6/38]: configuring replication version plugin
>    [7/38]: enabling IPA enrollment plugin
>    [8/38]: enabling ldapi
>    [9/38]: configuring uniqueness plugin
>    [10/38]: configuring uuid plugin
>    [11/38]: configuring modrdn plugin
>    [12/38]: configuring DNS plugin
>    [13/38]: enabling entryUSN plugin
>    [14/38]: configuring lockout plugin
>    [15/38]: creating indices
>    [16/38]: enabling referential integrity plugin
>    [17/38]: configuring ssl for ds instance
>    [18/38]: configuring certmap.conf
>    [19/38]: configure autobind for root
>    [20/38]: configure new location for managed entries
>    [21/38]: configure dirsrv ccache
>    [22/38]: enable SASL mapping fallback
>    [23/38]: restarting directory server
>    [24/38]: setting up initial replication
> Starting replication, please wait until this has completed.
> 
> [ipa1.nrln.us] reports: Update failed! Status: [-1  - LDAP error: Can't contact 
> LDAP server]
> 
>    [error] RuntimeError: Failed to start replication
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start 
> replication
> 
> 
> The error message is misleading. The two hosts sit on the same subnet.  All 
> firewalls are off.  SELinux is disabled.  Here is an nmap port scan from the 
> replica to the master:
> 
> 
> [root at ipa2 ~]# nmap ipa1
> 
> Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
> Nmap scan report for ipa1 (192.168.1.38)
> Host is up (0.000086s latency).
> rDNS record for 192.168.1.38: ipa1.nrln.us
> Not shown: 990 closed ports
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 80/tcp   open  http
> 88/tcp   open  kerberos-sec
> 389/tcp  open  ldap
> 443/tcp  open  https
> 464/tcp  open  kpasswd5
> 636/tcp  open  ldapssl
> 749/tcp  open  kerberos-adm
> 8080/tcp open  http-proxy
> 8443/tcp open  https-alt
> MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
> 
> Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
> [root at ipa2 ~]#
> 
> 
> Why do I get this message?
> 
> TIA!!
> 
> 
> 


-- 
Petr Vobornik
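
Added example, not part of the original message: one way to do the access-log check suggested above, by correlating conn= records in the master's 389 Directory Server access log with a client address. The function names, the replica address 192.168.1.39 and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise what one client did on the master, from a dirsrv access log.
# usage: replica_conns /var/log/dirsrv/slapd-your-instance/access <replica-ip>
replica_conns() {
    awk -v ip="$2" '
        # A "connection from <client> to <server>" line opens a conn=N record.
        / connection from / {
            c = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) c = $i
                if ($i == "from") src = $(i + 1)
            }
            if (src == ip) { seen[c] = 1; n++ }
            next
        }
        # Later lines carry only conn=N, so map them back to the client.
        {
            c = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) { c = $i; break }
            if (!(c in seen)) next
            for (i = 1; i <= NF; i++) {
                if ($i == "BIND") binds++
                if ($i ~ /^err=/ && $i != "err=0") errs++
            }
        }
        END { printf "connections=%d binds=%d errors=%d\n", n, binds, errs }
    ' "$1"
}

# Constructed sample lines in the access-log format (not taken from the thread).
sample_log() {
    cat <<'EOF'
[07/Apr/2016:00:10:01 -0400] conn=5 fd=64 slot=64 connection from 192.168.1.39 to 192.168.1.38
[07/Apr/2016:00:10:01 -0400] conn=5 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/Apr/2016:00:10:01 -0400] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Apr/2016:00:10:02 -0400] conn=6 fd=65 slot=65 connection from 192.168.1.50 to 192.168.1.38
[07/Apr/2016:00:10:02 -0400] conn=6 op=0 BIND dn="uid=demo,dc=example,dc=test" method=128 version=3
[07/Apr/2016:00:10:02 -0400] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[07/Apr/2016:00:10:03 -0400] conn=5 op=1 UNBIND
EOF
}

log=$(mktemp)
sample_log > "$log"
replica_conns "$log" 192.168.1.39
rm -f "$log"
```

A result of connections=0 for the replica's address means the master's directory server never logged a connection from it; a non-zero errors count points to the RESULT lines for those conn= ids in the same log.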
