[Freeipa-users] CentOS 7 replica installation failing

Petr Vobornik pvoborni at redhat.com
Thu Apr 7 12:01:08 UTC 2016


On 04/07/2016 01:34 PM, John Williams wrote:
> 
> 
> --------------------------------------------------------------------------------
> *From:* Petr Vobornik <pvoborni at redhat.com>
> *To:* John Williams <john.1209 at yahoo.com>; "Freeipa-users at redhat.com" 
> <Freeipa-users at redhat.com>
> *Sent:* Thursday, April 7, 2016 7:11 AM
> *Subject:* Re: [Freeipa-users] CentOS 7 replica installation failing
> 
> On 04/07/2016 06:12 AM, John Williams wrote:
>  > I've set up an initial FreeIPA instance on a CentOS 7 host.  The install went
>  > without a hitch.  I can log in to the GUI with no problems.  However, I am not
>  > able to install the replica on another CentOS 7 host.  I get the following errors:
>  >
>  > [root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
>  > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
> 
> It was run with '--skip-conncheck'. Is there a reason? If you remove it,
> what does it complain about?
> 
> In general, using --skip-conncheck should be avoided because it may hide
> errors.
> 
> You could also check master server
> /var/log/dirsrv/slapd-your-instance/access and errors logs if there is
> some connection attempt from the replica visible.
> 
> And maybe /var/log/ipareplica-install.log contains more info.
> 
> I ran the skip connections, because when I ran it initially without the skip 
> connections, I got the following messages:
> 
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
> 
> Remote master check failed with following error message(s):
> Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of 
> known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 
> (TCP), 80 (TCP), 443 (TCP)
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck 
> parameter.
> 
> There is nothing blocking the connections, and the initial IPA server seems to 
> be working fine.
> 
> Here are some snippets from the log:
> 
> 
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
> line 525, in install_check
>      options.setup_ca, config.ca_ds_port, options.admin_password)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
> line 91, in replica_conn_check
>      "\nIf the check results are not valid it can be skipped with 
> --skip-conncheck parameter.")
> 
> 2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: 
> SystemExit: Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck 
> parameter.
> 2016-04-07T11:30:06Z ERROR Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck 
> parameter.
> 
> Here are some more logs:
> 
> [root at ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
> Could not chdir to home directory /home/admin: No such file or directory
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
> debug1: channel 0: free: client-session, nchannels 1
> debug1: fd 1 clearing O_NONBLOCK
> debug1: fd 2 clearing O_NONBLOCK
> Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
> Bytes per second: sent 131062.5, received 111697.1
> debug1: Exit status 0
> 
> 2016-04-07T11:30:02Z DEBUG Starting external process
> 2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o 
> UserKnownHostsFile=/tmp/tmpCbCb50' 'admin at ipa1.nrln.us' 
> '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
> 2016-04-07T11:30:05Z DEBUG Process finished, return code=1
> 2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica 
> 'ipa2.nrln.us':
>     Directory Service: Unsecure port (389): FAILED
>     Directory Service: Secure port (636): FAILED
>     Kerberos KDC: TCP (88): FAILED
>     Kerberos KDC: UDP (88): WARNING
>     Kerberos Kpasswd: TCP (464): FAILED
>     Kerberos Kpasswd: UDP (464): WARNING
>     HTTP Server: Unsecure port (80): FAILED
>     HTTP Server: Secure port (443): FAILED
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
> 
> 2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added 
> 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 
> (TCP), 80 (TCP), 443 (TCP)
> 
> These two hosts are on the same subnet, with no firewall or IPTables running.
> That's why the error message is confusing.
> 
> Any suggestions?

The error suggests that the master is not able to contact the replica on any port.

Is DNS ok?

What does `nmap ipa2.nrln.us` return?

> 
>  > WARNING: conflicting time&date synchronization service 'chronyd' will
>  > be disabled in favor of ntpd
>  >
>  > Directory Manager (existing master) password:
>  >
>  > Existing BIND configuration detected, overwrite? [no]: yes
>  > Using reverse zone(s) 1.168.192.in-addr.arpa.
>  > Configuring NTP daemon (ntpd)
>  >    [1/4]: stopping ntpd
>  >    [2/4]: writing configuration
>  >    [3/4]: configuring ntpd to start on boot
>  >    [4/4]: starting ntpd
>  > Done configuring NTP daemon (ntpd).
>  > Configuring directory server (dirsrv). Estimated time: 1 minute
>  >    [1/38]: creating directory server user
>  >    [2/38]: creating directory server instance
>  >    [3/38]: adding default schema
>  >    [4/38]: enabling memberof plugin
>  >    [5/38]: enabling winsync plugin
>  >    [6/38]: configuring replication version plugin
>  >    [7/38]: enabling IPA enrollment plugin
>  >    [8/38]: enabling ldapi
>  >    [9/38]: configuring uniqueness plugin
>  >    [10/38]: configuring uuid plugin
>  >    [11/38]: configuring modrdn plugin
>  >    [12/38]: configuring DNS plugin
>  >    [13/38]: enabling entryUSN plugin
>  >    [14/38]: configuring lockout plugin
>  >    [15/38]: creating indices
>  >    [16/38]: enabling referential integrity plugin
>  >    [17/38]: configuring ssl for ds instance
>  >    [18/38]: configuring certmap.conf
>  >    [19/38]: configure autobind for root
>  >    [20/38]: configure new location for managed entries
>  >    [21/38]: configure dirsrv ccache
>  >    [22/38]: enable SASL mapping fallback
>  >    [23/38]: restarting directory server
>  >    [24/38]: setting up initial replication
>  > Starting replication, please wait until this has completed.
>  >
>  > [ipa1.nrln.us] reports: Update failed! Status: [-1  - LDAP error: Can't contact
>  > LDAP server]
>  >
>  >    [error] RuntimeError: Failed to start replication
>  > Your system may be partly configured.
>  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>  >
>  > ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start
>  > replication
>  >
>  >
>  > The error message is misleading. The two hosts sit on the same subnet.  All
>  > firewalls are off.  Selinux is disabled.  Here is an nmap port scan from the
>  > replica to the master:
>  >
>  >
>  > [root at ipa2 ~]# nmap ipa1
>  >
>  > Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
>  > Nmap scan report for ipa1 (192.168.1.38)
>  > Host is up (0.000086s latency).
>  > rDNS record for 192.168.1.38: ipa1.nrln.us
>  > Not shown: 990 closed ports
>  > PORT    STATE SERVICE
>  > 22/tcp  open  ssh
>  > 80/tcp  open  http
>  > 88/tcp  open  kerberos-sec
>  > 389/tcp  open  ldap
>  > 443/tcp  open  https
>  > 464/tcp  open  kpasswd5
>  > 636/tcp  open  ldapssl
>  > 749/tcp  open  kerberos-adm
>  > 8080/tcp open  http-proxy
>  > 8443/tcp open  https-alt
>  > MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
>  >
>  > Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
>  > [root at ipa2 ~]#
>  >
>  >
>  > Why do I get this message?
>  >


-- 
Petr Vobornik
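The conncheck report quoted in this thread, worked through as an added example (this is not FreeIPA's code and not part of the original mail): it parses the per-port lines the master prints, separates the hard TCP failures from the UDP warnings that conncheck cannot verify, and gives a plain TCP probe plus a forward/reverse DNS consistency check for repeating the test by hand. The sample report is copied from the thread; the hostname argument, the function names and the "unreachable/partial/ok" verdict labels are my own choices.

```python
"""Triage helper for an ipa-replica-conncheck failure (added example, not FreeIPA code).

Parses the per-port report the master prints ('Directory Service: Unsecure
port (389): FAILED' lines), separates TCP failures from UDP warnings, and
provides a TCP probe and a DNS consistency check to repeat the test by hand.
"""
import re
import socket
import sys

# One line of the master -> replica report. The parenthesised label is either a
# protocol ("TCP"/"UDP") or the LDAP/HTTP wording ("Unsecure port"/"Secure port"),
# both of which are TCP services.
REPORT_LINE = re.compile(
    r"^\s*(?P<service>[^:]+): (?P<label>TCP|UDP|Unsecure port|Secure port) "
    r"\((?P<port>\d+)\): (?P<status>OK|FAILED|WARNING)\s*$"
)

# Constructed sample: the report lines quoted in this thread for ipa2.nrln.us.
SAMPLE_REPORT = """\
Check connection from master to remote replica 'ipa2.nrln.us':
    Directory Service: Unsecure port (389): FAILED
    Directory Service: Secure port (636): FAILED
    Kerberos KDC: TCP (88): FAILED
    Kerberos KDC: UDP (88): WARNING
    Kerberos Kpasswd: TCP (464): FAILED
    Kerberos Kpasswd: UDP (464): WARNING
    HTTP Server: Unsecure port (80): FAILED
    HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
"""


def parse_conncheck_report(text):
    """Return a list of (service, proto, port, status) tuples, one per report line."""
    results = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if not m:
            continue  # banner and trailing notes carry no per-port result
        proto = "UDP" if m.group("label") == "UDP" else "TCP"
        results.append((m.group("service"), proto, int(m.group("port")), m.group("status")))
    return results


def triage(results):
    """Summarise a parsed report.

    tcp_failed:     TCP ports the master could not connect to.
    udp_unverified: UDP ports conncheck could not verify (WARNING, not FAILED).
    verdict:        'unreachable' when every TCP probe failed, which points at name
                    resolution or routing rather than at one service; 'partial' when
                    only some services failed; 'ok' when no TCP failure was reported.
    """
    tcp = [r for r in results if r[1] == "TCP"]
    tcp_failed = sorted(r[2] for r in tcp if r[3] == "FAILED")
    udp_unverified = sorted(r[2] for r in results if r[1] == "UDP" and r[3] == "WARNING")
    if tcp and len(tcp_failed) == len(tcp):
        verdict = "unreachable"
    elif tcp_failed:
        verdict = "partial"
    else:
        verdict = "ok"
    return {"tcp_failed": tcp_failed, "udp_unverified": udp_unverified, "verdict": verdict}


def tcp_port_open(host, port, timeout=3.0):
    """Plain TCP connect, as conncheck does for the TCP ports. True on success."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolves_consistently(hostname):
    """Forward-resolve hostname, reverse-resolve the address, and compare.

    A mismatch is a common reason for a conncheck that fails on every port while
    a scan of the same IP shows them open. Returns (consistent, address).
    """
    try:
        addr = socket.gethostbyname(hostname)
        rev = socket.gethostbyaddr(addr)[0]
    except OSError:
        return False, None
    return rev.lower().rstrip(".") == hostname.lower().rstrip("."), addr


if __name__ == "__main__":
    summary = triage(parse_conncheck_report(SAMPLE_REPORT))
    print(summary)
    # Optional: repeat the TCP part of the check against a replica given on the command line.
    if len(sys.argv) > 1:
        replica = sys.argv[1]
        print("DNS forward/reverse consistent:", resolves_consistently(replica))
        for port in summary["tcp_failed"]:
            print(port, "open" if tcp_port_open(replica, port) else "closed/unreachable")
```

Run it with no arguments to see the triage of the quoted report (every TCP port failed, so the verdict is "unreachable"), or pass the replica hostname to repeat the probes from the master; an "unreachable" verdict with the replica's own nmap showing the ports open is exactly the pattern where the DNS check is worth running first.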



