[Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Kilian Ries mail at kilian-ries.de
Fri Apr 15 08:14:32 UTC 2016


Hi,

On auth01 I see the following error just before installation fails:


[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252.  Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn


[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.


Greets
Kilian


________________________________________
From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Ludwig Krispenz <lkrispen at redhat.com>
Sent: Thursday, 14 April 2016 16:46
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

On 04/14/2016 04:19 PM, Kilian Ries wrote:
> Hello Rob,
>
> thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...
>
> I did the following steps:
>
>
> auth01$ ipa-replica-manage del auth02
>
> auth02$ ipa-server-install --uninstall
>
> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
>
> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg
>
>
> Are there other logfiles I can check for more specific errors?
You should have a look at the DS error logs in /var/log/dirsrv on both
instances.
>
> Greets
> Kilian
>
> ________________________________________
> From: Rob Crittenden <rcritten at redhat.com>
> Sent: Wednesday, 13 April 2016 16:18
> To: Kilian Ries; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>
> Kilian Ries wrote:
>> Does nobody have an idea what's the problem here?
> TL;DR you are best off deleting this failed replica install and trying
> again.
>
> Initial replication is done over TLS. When replication is completed both
> sides of the agreement are converted to using GSSAPI and both ldap
> principals are needed to do this. Given that replication just completed
> both principals should be available but rarely one is not (hence the
> vague-ish error message).
>
> In this case the new ldap principal for the new replica wasn't found on
> the remote master so things blew up.
>
> There is no continuing the installation after this type of failure so
> you'll need to remove the failed install as a master on auth01
> (ipa-replica-manage del auth02...) and then run ipa-server-install
> --uninstall on auth02 and try again.
>
> rob
>
>>
>> Thanks
>>
>> Kilian
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* freeipa-users-bounces at redhat.com
>> <freeipa-users-bounces at redhat.com> on behalf of Kilian Ries
>> <mail at kilian-ries.de>
>> *Sent:* Wednesday, 6 April 2016 10:41
>> *To:* freeipa-users at redhat.com
>> *Subject:* [Freeipa-users] Error setting up Replication: ldap service
>> principals is missing. Replication agreement cannot be converted
>>
>> Hello,
>>
>>
>> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
>> trying to add a replication partner.
>>
>>
>> During the installation I got the following error:
>>
>>
>> ###
>>
>> Restarting the directory and certificate servers
>>
>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>
>>     [1/8]: adding sasl mappings to the directory
>>
>>     [2/8]: configuring KDC
>>
>>     [3/8]: creating a keytab for the directory
>>
>>     [4/8]: creating a keytab for the machine
>>
>>     [5/8]: adding the password extension to the directory
>>
>>     [6/8]: enable GSSAPI for replication
>>
>>     [error] RuntimeError: One of the ldap service principals is missing.
>> Replication agreement cannot be converted.
>>
>> Your system may be partly configured.
>>
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the
>> ldap service principals is missing. Replication agreement cannot be
>> converted.
>>
>> ###
>>
>>
>>
>> The installation log shows the following:
>>
>>
>>
>> ###
>>
>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for
>> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and
>> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU)
>>
>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for
>> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636
>>
>> 2016-04-06T08:22:34Z INFO Setting agreement
>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>> tree,cn=config schedule to 2358-2359 0 to force synch
>>
>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>> tree,cn=config
>>
>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
>> 0 Replica acquired successfully: Incremental update succeeded: start: 0:
>> end: 0
>>
>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
>>
>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 418, in start_creation
>>
>>       run_step(full_msg, method)
>>
>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 408, in run_step
>>
>>       method()
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>> line 438, in __convert_to_gssapi_replication
>>
>>       r_bindpw=self.dm_password)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 1104, in convert_to_gssapi_replication
>>
>>       self.gssapi_update_agreements(self.conn, r_conn)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 797, in gssapi_update_agreements
>>
>>       self.setup_krb_princs_as_replica_binddns(a, b)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 767, in setup_krb_princs_as_replica_binddns
>>
>>       (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 751, in get_replica_principal_dns
>>
>>       raise RuntimeError(error)
>>
>> RuntimeError: One of the ldap service principals is missing. Replication
>> agreement cannot be converted.
>>
>>
>> 2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap
>> service principals is missing. Replication agreement cannot be converted.
>>
>> 2016-04-06T08:22:36Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>> execute
>>
>>       return_value = self.run()
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
>> line 311, in run
>>
>>       cfgr.run()
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 281, in run
>>
>>       self.execute()
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 303, in execute
>>
>>       for nothing in self._executor():
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 343, in __runner
>>
>>       self._handle_exception(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 365, in _handle_exception
>>
>>       util.raise_exc_info(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 333, in __runner
>>
>>       step()
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 87, in run_generator_with_yield_from
>>
>>       raise_exc_info(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 65, in run_generator_with_yield_from
>>
>>       value = gen.send(prev_value)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 524, in _configure
>>
>>       executor.next()
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 343, in __runner
>>
>>       self._handle_exception(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in _handle_exception
>>
>>       self.__parent._handle_exception(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 365, in _handle_exception
>>
>>       util.raise_exc_info(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 418, in _handle_exception
>>
>>       super(ComponentBase, self)._handle_exception(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 365, in _handle_exception
>>
>>       util.raise_exc_info(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 333, in __runner
>>
>>       step()
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 87, in run_generator_with_yield_from
>>
>>       raise_exc_info(exc_info)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 65, in run_generator_with_yield_from
>>
>>       value = gen.send(prev_value)
>>
>>     File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>> line 63, in _install
>>
>>       for nothing in self._installer(self.parent):
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 879, in main
>>
>>       install(self)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 295, in decorated
>>
>>       func(installer)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 586, in install
>>
>>       krb = install_krb(config, setup_pkinit=not options.no_pkinit)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 93, in install_krb
>>
>>       setup_pkinit, pkcs12_info)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>> line 214, in create_replica
>>
>>       self.start_creation(runtime=30)
>>
>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 418, in start_creation
>>
>>       run_step(full_msg, method)
>>
>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 408, in run_step
>>
>>       method()
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>> line 438, in __convert_to_gssapi_replication
>>
>>       r_bindpw=self.dm_password)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 1104, in convert_to_gssapi_replication
>>
>>       self.gssapi_update_agreements(self.conn, r_conn)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 797, in gssapi_update_agreements
>>
>>       self.setup_krb_princs_as_replica_binddns(a, b)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 767, in setup_krb_princs_as_replica_binddns
>>
>>       (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>
>>     File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 751, in get_replica_principal_dns
>>
>>       raise RuntimeError(error)
>>
>>
>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed,
>> exception: RuntimeError: One of the ldap service principals is missing.
>> Replication agreement cannot be converted.
>>
>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is
>> missing. Replication agreement cannot be converted.
>>
>> ###
>>
>>
>>
>> Can anybody help me?
>>
>>
>> Thanks
>>
>> Greets
>>
>> Kilian
>>
>>
>>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
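
A triage helper for the directory server error log lines quoted at the top of this message, added here as an example (it is not FreeIPA or 389-ds code and not from anyone in the thread): it collects the DNs that the entryrdn index and id2entry disagree about and marks those that are ldap service principals, the entries the GSSAPI conversion step searches for. The function name and the sample lines (constructed, with placeholder host names and realm) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the 389-ds error log format quoted in this thread;
# host names and realm are placeholders, not values from the thread.
SAMPLE_LOG = '''\
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/replica2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/replica2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test) is already in the entryrdn file with different ID 252.  Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:58:00 +0200] - dn2entry_ext: the dn "uid=alice,cn=users,cn=accounts,dc=example,dc=test" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
'''

# Message patterns taken from the log lines quoted in the thread.
ORPHAN_RE = re.compile(r'dn2entry_ext: the dn "(?P<dn>[^"]+)" was in the entryrdn index, '
                       r'but it did not exist in id2entry of instance (?P<inst>\S+?)\.?\s*$')
CLASH_RE = re.compile(r'_entryrdn_insert_key: Same DN \(dn: (?P<dn>.+?)\) is already in the '
                      r'entryrdn file with different ID (?P<old>\d+)\.\s+Expected ID is (?P<new>\d+)')
NULL_RE = re.compile(r'str2entry returned NULL for id (?P<id>\d+)')
LDAP_PRINC_RE = re.compile(r'^krbprincipalname=ldap/', re.IGNORECASE)


def find_index_inconsistencies(log_text):
    """Return {dn: finding} for DNs where entryrdn and id2entry disagree."""
    findings = defaultdict(lambda: {"orphaned_in": None, "stale_id": None,
                                    "expected_id": None, "null_reads": 0})
    null_reads = defaultdict(int)  # entry id -> number of NULL reads from id2entry
    for line in log_text.splitlines():
        if (m := ORPHAN_RE.search(line)):
            findings[m["dn"]]["orphaned_in"] = m["inst"]
        elif (m := CLASH_RE.search(line)):
            f = findings[m["dn"]]
            f["stale_id"], f["expected_id"] = int(m["old"]), int(m["new"])
        elif (m := NULL_RE.search(line)):
            null_reads[int(m["id"])] += 1
    for dn, f in findings.items():
        # Tie NULL reads back to the DN through the stale ID the index still holds.
        f["null_reads"] = null_reads.get(f["stale_id"], 0)
        f["is_ldap_principal"] = bool(LDAP_PRINC_RE.match(dn))
    return dict(findings)


if __name__ == "__main__":
    for dn, f in find_index_inconsistencies(SAMPLE_LOG).items():
        print("LDAP-PRINCIPAL" if f["is_ldap_principal"] else "other", dn, f)
```

Run it over the error log under /var/log/dirsrv from each server and compare which DNs are reported on which side.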
