[Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Kilian Ries mail at kilian-ries.de
Thu Apr 14 14:19:07 UTC 2016


Hello Rob,

thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...

I did the following steps:


auth01$ ipa-replica-manage del auth02

auth02$ ipa-server-install --uninstall

auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu

auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg


Are there other logfiles I can check for more specific errors?

Greets
Kilian

________________________________________
From: Rob Crittenden <rcritten at redhat.com>
Sent: Wednesday, 13 April 2016 16:18
To: Kilian Ries; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:
> Does nobody have an idea what's the problem here?

TL;DR you are best off deleting this failed replica install and trying
again.

Initial replication is done over TLS. When replication is completed both
sides of the agreement are converted to using GSSAPI and both ldap
principals are needed to do this. Given that replication just completed
both principals should be available but rarely one is not (hence the
vague-ish error message).

In this case the new ldap principal for the new replica wasn't found on
the remote master so things blew up.

There is no continuing the installation after this type of failure so
you'll need to remove the failed install as a master on auth01
(ipa-replica-manage del auth02...) and then run ipa-server-install
--uninstall on auth02 and try again.

rob

>
>
> Thanks
>
> Kilian
>
>
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com
> <freeipa-users-bounces at redhat.com> on behalf of Kilian Ries
> <mail at kilian-ries.de>
> *Sent:* Wednesday, 6 April 2016 10:41
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] Error setting up Replication: ldap service
> principals is missing. Replication agreement cannot be converted
>
> Hello,
>
>
> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
> trying to add a replication partner.
>
>
> During the installation I got the following error:
>
>
> ###
>
> Restarting the directory and certificate servers
>
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>
>    [1/8]: adding sasl mappings to the directory
>
>    [2/8]: configuring KDC
>
>    [3/8]: creating a keytab for the directory
>
>    [4/8]: creating a keytab for the machine
>
>    [5/8]: adding the password extension to the directory
>
>    [6/8]: enable GSSAPI for replication
>
>    [error] RuntimeError: One of the ldap service principals is missing.
> Replication agreement cannot be converted.
>
> Your system may be partly configured.
>
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the
> ldap service principals is missing. Replication agreement cannot be
> converted.
>
> ###
>
>
>
> The installation log shows the following:
>
>
>
> ###
>
> 2016-04-06T08:22:34Z INFO Getting ldap service principals for
> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and
> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU)
>
> 2016-04-06T08:22:34Z DEBUG Unable to find entry for
> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636
>
> 2016-04-06T08:22:34Z INFO Setting agreement
> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
> tree,cn=config schedule to 2358-2359 0 to force synch
>
> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
> tree,cn=config
>
> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
> 0 Replica acquired successfully: Incremental update succeeded: start: 0:
> end: 0
>
> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>
>      run_step(full_msg, method)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>
>      method()
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
> line 438, in __convert_to_gssapi_replication
>
>      r_bindpw=self.dm_password)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 1104, in convert_to_gssapi_replication
>
>      self.gssapi_update_agreements(self.conn, r_conn)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 797, in gssapi_update_agreements
>
>      self.setup_krb_princs_as_replica_binddns(a, b)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 767, in setup_krb_princs_as_replica_binddns
>
>      (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 751, in get_replica_principal_dns
>
>      raise RuntimeError(error)
>
> RuntimeError: One of the ldap service principals is missing. Replication
> agreement cannot be converted.
>
>
> 2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap
> service principals is missing. Replication agreement cannot be converted.
>
> 2016-04-06T08:22:36Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
>
>      return_value = self.run()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
> line 311, in run
>
>      cfgr.run()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 281, in run
>
>      self.execute()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 303, in execute
>
>      for nothing in self._executor():
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 343, in __runner
>
>      self._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
>
>      util.raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 333, in __runner
>
>      step()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 87, in run_generator_with_yield_from
>
>      raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 65, in run_generator_with_yield_from
>
>      value = gen.send(prev_value)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 524, in _configure
>
>      executor.next()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 343, in __runner
>
>      self._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in _handle_exception
>
>      self.__parent._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
>
>      util.raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 418, in _handle_exception
>
>      super(ComponentBase, self)._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
>
>      util.raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 333, in __runner
>
>      step()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 87, in run_generator_with_yield_from
>
>      raise_exc_info(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 65, in run_generator_with_yield_from
>
>      value = gen.send(prev_value)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
> line 63, in _install
>
>      for nothing in self._installer(self.parent):
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 879, in main
>
>      install(self)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 295, in decorated
>
>      func(installer)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 586, in install
>
>      krb = install_krb(config, setup_pkinit=not options.no_pkinit)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 93, in install_krb
>
>      setup_pkinit, pkcs12_info)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
> line 214, in create_replica
>
>      self.start_creation(runtime=30)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>
>      run_step(full_msg, method)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>
>      method()
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
> line 438, in __convert_to_gssapi_replication
>
>      r_bindpw=self.dm_password)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 1104, in convert_to_gssapi_replication
>
>      self.gssapi_update_agreements(self.conn, r_conn)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 797, in gssapi_update_agreements
>
>      self.setup_krb_princs_as_replica_binddns(a, b)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 767, in setup_krb_princs_as_replica_binddns
>
>      (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 751, in get_replica_principal_dns
>
>      raise RuntimeError(error)
>
>
> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: One of the ldap service principals is missing.
> Replication agreement cannot be converted.
>
> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is
> missing. Replication agreement cannot be converted.
>
> ###
>
>
>
> Can anybody help me?
>
>
> Thanks
>
> Greets
>
> Kilian
>
>
>
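
Added example, not part of the thread and not FreeIPA code: a small triage script that reads a replica install log like the one quoted above and reports which ldap service principal could not be found, and on which server, when the TLS-to-GSSAPI conversion step fails. The helper names and the sample log (constructed from the quoted excerpt) are assumptions.

```python
import re

# Constructed sample modelled on the log excerpt quoted in this thread
# (lines unwrapped, the archive's " at " written back as "@").
SAMPLE_LOG = """\
2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/auth02.intern.eu@INTERN.EU) and (krbprincipalname=ldap/auth01.intern.eu@INTERN.EU)
2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/auth02.intern.eu@INTERN.EU) on auth01.intern.eu:636
2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
2016-04-06T08:22:36Z ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
"""

# Hypothetical helper names; the patterns follow the messages quoted above.
PRINC = r"\(krbprincipalname=(ldap/[^)@\s]+(?:@| at )[^)\s]+)\)"
WANTED = re.compile("Getting ldap service principals for conversion: "
                    + PRINC + " and " + PRINC)
MISSING = re.compile(r"Unable to find entry for " + PRINC + r" on (\S+:\d+)")
FATAL = "Replication agreement cannot be converted"


def triage(log_text):
    """Report which ldap principal lookup failed, and on which server."""
    report = {"expected": [], "missing": {}, "failed": False}
    for line in log_text.splitlines():
        m = WANTED.search(line)
        if m:
            report["expected"] = [p.replace(" at ", "@") for p in m.groups()]
        m = MISSING.search(line)
        if m:
            key = (m.group(1).replace(" at ", "@"), m.group(2))
            report["missing"][key] = report["missing"].get(key, 0) + 1
        if FATAL in line:
            report["failed"] = True
    return report


def summary(report):
    """One line per failed lookup, naming the server that lacked the entry."""
    lines = []
    for (principal, server), count in sorted(report["missing"].items()):
        role = "expected" if principal in report["expected"] else "unexpected"
        lines.append("%s not found on %s (%d lookup(s), %s principal)"
                     % (principal, server, count, role))
    if report["failed"] and not lines:
        lines.append("conversion failed but no failed lookup was logged")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(triage(SAMPLE_LOG))))
```

The server named in the output is the side where the principal entry was absent at conversion time, which is the directory to inspect before removing the failed replica and retrying.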



