[Freeipa-users] CentOS 7 replica installation failing

John Williams john.1209 at yahoo.com
Thu Apr 7 11:34:26 UTC 2016



From: Petr Vobornik <pvoborni at redhat.com>
To: John Williams <john.1209 at yahoo.com>; "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
Sent: Thursday, April 7, 2016 7:11 AM
Subject: Re: [Freeipa-users] CentOS 7 replica installation failing

On 04/07/2016 06:12 AM, John Williams wrote:
> I've setup an initial FreeIPA instance on a CentOS 7 host.  The install went 
> without a hitch.  I can login to the GUI with no problems.  However, I am not 
> able to install the replica on another CentOS 7 host.  I get the following errors:
> 
> [root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders 
> /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck

It was run with '--skip-conncheck'. Is there a reason? If you remove it,
what does it complain about?

In general, using --skip-conncheck should be avoided because it may hide
errors.

You could also check master server
/var/log/dirsrv/slapd-your-instance/access and errors logs if there is
some connection attempt from the replica visible.

And maybe /var/log/ipareplica-install.log contains more info.
I ran it with the skip-conncheck option, because when I ran it initially without it, I got the following messages:
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
Remote master check failed with following error message(s):
Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
There is nothing blocking the connections, and the initial IPA server seems to be working fine.
Here are some snippets from the log:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 525, in install_check
    options.setup_ca, config.ca_ds_port, options.admin_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 91, in replica_conn_check
    "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: SystemExit: Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
2016-04-07T11:30:06Z ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
Here are some more logs:
[root at ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
Could not chdir to home directory /home/admin: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
Bytes per second: sent 131062.5, received 111697.1
debug1: Exit status 0
2016-04-07T11:30:02Z DEBUG Starting external process
2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o UserKnownHostsFile=/tmp/tmpCbCb50' 'admin at ipa1.nrln.us' '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
2016-04-07T11:30:05Z DEBUG Process finished, return code=1
2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica 'ipa2.nrln.us':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): FAILED
   HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)
These two hosts are on the same subnet, with no firewall or iptables running.  That's why the error message is confusing.
Any suggestions?
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
> 
> Directory Manager (existing master) password:
> 
> Existing BIND configuration detected, overwrite? [no]: yes
> Using reverse zone(s) 1.168.192.in-addr.arpa.
> Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>    [1/38]: creating directory server user
>    [2/38]: creating directory server instance
>    [3/38]: adding default schema
>    [4/38]: enabling memberof plugin
>    [5/38]: enabling winsync plugin
>    [6/38]: configuring replication version plugin
>    [7/38]: enabling IPA enrollment plugin
>    [8/38]: enabling ldapi
>    [9/38]: configuring uniqueness plugin
>    [10/38]: configuring uuid plugin
>    [11/38]: configuring modrdn plugin
>    [12/38]: configuring DNS plugin
>    [13/38]: enabling entryUSN plugin
>    [14/38]: configuring lockout plugin
>    [15/38]: creating indices
>    [16/38]: enabling referential integrity plugin
>    [17/38]: configuring ssl for ds instance
>    [18/38]: configuring certmap.conf
>    [19/38]: configure autobind for root
>    [20/38]: configure new location for managed entries
>    [21/38]: configure dirsrv ccache
>    [22/38]: enable SASL mapping fallback
>    [23/38]: restarting directory server
>    [24/38]: setting up initial replication
> Starting replication, please wait until this has completed.
> 
> [ipa1.nrln.us] reports: Update failed! Status: [-1  - LDAP error: Can't contact 
> LDAP server]
> 
>    [error] RuntimeError: Failed to start replication
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start 
> replication
> 
> 
> The error message is misleading. The two hosts sit on the same subnet.  All 
> firewalls are off.  Selinux is disabled.  Here is an nmap port scan from the 
> replica to the master:
> 
> 
> [root at ipa2 ~]# nmap ipa1
> 
> Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
> Nmap scan report for ipa1 (192.168.1.38)
> Host is up (0.000086s latency).
> rDNS record for 192.168.1.38: ipa1.nrln.us
> Not shown: 990 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 80/tcp  open  http
> 88/tcp  open  kerberos-sec
> 389/tcp  open  ldap
> 443/tcp  open  https
> 464/tcp  open  kpasswd5
> 636/tcp  open  ldapssl
> 749/tcp  open  kerberos-adm
> 8080/tcp open  http-proxy
> 8443/tcp open  https-alt
> MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
> 
> Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
> [root at ipa2 ~]#
> 
> 
> Why do I get this message?
> 
> TIA!!
> 
> 
> 


-- 
Petr Vobornik
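The conncheck log above shows that the failing leg is the probe run on the master over ssh ("Check connection from master to remote replica 'ipa2.nrln.us'"), whereas the nmap scan was run from the replica toward the master. The following is an added example, not code from the FreeIPA project or from anyone in this thread, that reimplements the port test in a form that can be run by hand in either direction: start the responder half on the host being probed, run the checker from the other host. The port numbers and service labels are the ones printed by the installer above; the function names, the probe payload and the loopback demo are this example's own assumptions.

```python
import select
import socket
import threading

# Added example, not FreeIPA code. Ports and labels as printed by the
# installer output above.
IPA_TCP_PORTS = {389: "Directory Service: Unsecure port", 636: "Directory Service: Secure port",
                 88: "Kerberos KDC: TCP", 464: "Kerberos Kpasswd: TCP",
                 80: "HTTP Server: Unsecure port", 443: "HTTP Server: Secure port"}
# UDP ports can only be verified with a cooperating responder on the far side.
IPA_UDP_PORTS = {88: "Kerberos KDC: UDP", 464: "Kerberos Kpasswd: UDP"}
PROBE = b"conncheck-probe"  # assumed payload; the responder below echoes it


def tcp_port_open(host, port, timeout=2.0):
    """A completed handshake is enough: the kernel accepts into the listen
    backlog even if the service never calls accept()."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_port_responds(host, port, timeout=2.0):
    """UDP has no handshake, so an open-but-silent port looks closed; that is
    why the installer can only WARN on 88/464 without its own responder."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(PROBE, (host, port))
            data, _ = s.recvfrom(len(PROBE))
            return data == PROBE
        except OSError:  # timeout, or ICMP port-unreachable as ECONNREFUSED
            return False


def check_ports(host, tcp_ports, udp_ports):
    """Return (unreachable TCP ports, unverified UDP ports) for host."""
    tcp_failed = [p for p in tcp_ports if not tcp_port_open(host, p)]
    udp_unverified = [p for p in udp_ports if not udp_port_responds(host, p)]
    return tcp_failed, udp_unverified


def report(host, tcp_failed, udp_unverified,
           tcp_labels=IPA_TCP_PORTS, udp_labels=IPA_UDP_PORTS):
    """Lines in the shape of the installer's summary."""
    lines = ["Check connection to '%s':" % host]
    for p in tcp_failed:
        lines.append("   %s (%d): FAILED" % (tcp_labels.get(p, "TCP"), p))
    for p in udp_unverified:
        lines.append("   %s (%d): WARNING" % (udp_labels.get(p, "UDP"), p))
    if tcp_failed:
        lines.append("Port check failed! Inaccessible port(s): "
                     + ", ".join("%d (TCP)" % p for p in tcp_failed))
    return lines


def start_responder(host="127.0.0.1"):
    """Probed-host side: listen on one TCP and one UDP port (ephemeral, so no
    root needed for the demo) and echo UDP probes. Returns (tcp, udp, stop)."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((host, 0))
    tcp.listen(5)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, 0))
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            ready, _, _ = select.select([tcp, udp], [], [], 0.2)
            for s in ready:
                if s is tcp:
                    conn, _ = tcp.accept()
                    conn.close()
                else:
                    data, peer = udp.recvfrom(64)
                    udp.sendto(data, peer)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop_fn():
        stop.set()
        thread.join()
        tcp.close()
        udp.close()

    return tcp.getsockname()[1], udp.getsockname()[1], stop_fn


def _unused_port(kind, host="127.0.0.1"):
    """Pick a port that is (almost certainly) closed for this socket type."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Probe a loopback responder plus one closed port of each type, the way
    the master-side check probes the replica. Returns the findings."""
    tcp_port, udp_port, stop = start_responder()
    closed_tcp = _unused_port(socket.SOCK_STREAM)
    closed_udp = _unused_port(socket.SOCK_DGRAM)
    try:
        tcp_failed, udp_unverified = check_ports(
            "127.0.0.1", [tcp_port, closed_tcp], [udp_port, closed_udp])
    finally:
        stop()
    return {"closed_tcp": closed_tcp, "closed_udp": closed_udp,
            "tcp_failed": tcp_failed, "udp_unverified": udp_unverified,
            "report": report("127.0.0.1", tcp_failed, udp_unverified)}


if __name__ == "__main__":
    print("\n".join(demo()["report"]))
```

On a real pair of hosts the responder must bind the actual ports from IPA_TCP_PORTS and IPA_UDP_PORTS, which needs root and a stopped service on each of them; that is the same constraint the installer's "already bound to an application" warning above describes for UDP 88 and 464. Running the checker from the master with the replica's hostname reproduces the master-to-replica leg that failed in the log.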


  