[Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Rob Crittenden rcritten at redhat.com
Fri Apr 15 14:50:57 UTC 2016


Kilian Ries wrote:
> I'm not quite familiar with the db2index.pl script ... what am I doing wrong?
>
> db2index.pl -n userRoot -D cn=admin -w
> ldap_bind: No such object (32)
> Failed to search the server for indexes, error (32)
>
>
> db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn
> ldap_bind: No such object (32)
> Failed to add task entry "cn=db2index_2016_4_15_16_44_19, cn=index, cn=tasks, cn=config" error (32)

Use 'cn=Directory Manager' instead of cn=admin

rob

>
> ________________________________________
> From: Ludwig Krispenz <lkrispen at redhat.com>
> Sent: Friday, 15 April 2016 12:31
> To: Kilian Ries
> Cc: freeipa-users at redhat.com
> Subject: Re: AW: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>
> On 04/15/2016 10:14 AM, Kilian Ries wrote:
>> Hi,
>>
>> on auth01 I see the following error just before installation fails:
>>
>>
>> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
>> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
>> [14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
>> [14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
>> [14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
>> [14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252.  Expected ID is 625.
>> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
>> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
>> [14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
>> [14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
>> [14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn
> this looks like a database/index corruption. There are traces for the
> ldap principal for auth02 in the database, but the index and the database
> are inconsistent. You can try to reindex the database and see if this helps:
> db2index.pl -D ... -w .. -Z <instance> -t entryrdn  #only this index
> or
> db2index.pl -D ... -w .. -Z <instance> # full reindex
>>
>>
>> [14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.
>>
>>
>> Greets
>> Kilian
>>
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Ludwig Krispenz <lkrispen at redhat.com>
>> Sent: Thursday, 14 April 2016 16:46
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>>
>> On 04/14/2016 04:19 PM, Kilian Ries wrote:
>>> Hello Rob,
>>>
>>> thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...
>>>
>>> I did the following steps:
>>>
>>>
>>> auth01$ ipa-replica-manage del auth02
>>>
>>> auth02$ ipa-server-install --uninstall
>>>
>>> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
>>>
>>> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg
>>>
>>>
>>> Are there other logfiles I can check for more specific errors?
>> you should have a look at the DS error logs in /var/log/dirsrv on both
>> instances
>>> Greets
>>> Kilian
>>>
>>> ________________________________________
>>> From: Rob Crittenden <rcritten at redhat.com>
>>> Sent: Wednesday, 13 April 2016 16:18
>>> To: Kilian Ries; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>>>
>>> Kilian Ries wrote:
>>>> Does nobody have an idea what's the problem here?
>>> TL;DR you are best off deleting this failed replica install and trying
>>> again.
>>>
>>> Initial replication is done over TLS. When replication is completed both
>>> sides of the agreement are converted to using GSSAPI and both ldap
>>> principals are needed to do this. Given that replication just completed
>>> both principals should be available but rarely one is not (hence the
>>> vague-ish error message).
>>>
>>> In this case the new ldap principal for the new replica wasn't found on
>>> the remote master so things blew up.
>>>
>>> There is no continuing the installation after this type of failure so
>>> you'll need to remove the failed install as a master on auth01
>>> (ipa-replica-manage del auth02...) and then run ipa-server-install
>>> --uninstall on auth02 and try again.
>>>
>>> rob
>>>
>>>> Thanks
>>>>
>>>> Kilian
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* freeipa-users-bounces at redhat.com
>>>> <freeipa-users-bounces at redhat.com> on behalf of Kilian Ries
>>>> <mail at kilian-ries.de>
>>>> *Sent:* Wednesday, 6 April 2016 10:41
>>>> *To:* freeipa-users at redhat.com
>>>> *Subject:* [Freeipa-users] Error setting up Replication: ldap service
>>>> principals is missing. Replication agreement cannot be converted
>>>>
>>>> Hello,
>>>>
>>>>
>>>> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
>>>> trying to add a replication partner.
>>>>
>>>>
>>>> During the installation I got the following error:
>>>>
>>>>
>>>> ###
>>>>
>>>> Restarting the directory and certificate servers
>>>>
>>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>>
>>>>       [1/8]: adding sasl mappings to the directory
>>>>
>>>>       [2/8]: configuring KDC
>>>>
>>>>       [3/8]: creating a keytab for the directory
>>>>
>>>>       [4/8]: creating a keytab for the machine
>>>>
>>>>       [5/8]: adding the password extension to the directory
>>>>
>>>>       [6/8]: enable GSSAPI for replication
>>>>
>>>>       [error] RuntimeError: One of the ldap service principals is missing.
>>>> Replication agreement cannot be converted.
>>>>
>>>> Your system may be partly configured.
>>>>
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the
>>>> ldap service principals is missing. Replication agreement cannot be
>>>> converted.
>>>>
>>>> ###
>>>>
>>>>
>>>>
>>>> The installation Log shows the following:
>>>>
>>>>
>>>>
>>>> ###
>>>>
>>>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for
>>>> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and
>>>> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU)
>>>>
>>>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for
>>>> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636
>>>>
>>>> 2016-04-06T08:22:34Z INFO Setting agreement
>>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>>>> tree,cn=config schedule to 2358-2359 0 to force synch
>>>>
>>>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
>>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>>>> tree,cn=config
>>>>
>>>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
>>>> 0 Replica acquired successfully: Incremental update succeeded: start: 0:
>>>> end: 0
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 418, in start_creation
>>>>
>>>>         run_step(full_msg, method)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 408, in run_step
>>>>
>>>>         method()
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>>>> line 438, in __convert_to_gssapi_replication
>>>>
>>>>         r_bindpw=self.dm_password)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 1104, in convert_to_gssapi_replication
>>>>
>>>>         self.gssapi_update_agreements(self.conn, r_conn)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 797, in gssapi_update_agreements
>>>>
>>>>         self.setup_krb_princs_as_replica_binddns(a, b)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 767, in setup_krb_princs_as_replica_binddns
>>>>
>>>>         (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 751, in get_replica_principal_dns
>>>>
>>>>         raise RuntimeError(error)
>>>>
>>>> RuntimeError: One of the ldap service principals is missing. Replication
>>>> agreement cannot be converted.
>>>>
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap
>>>> service principals is missing. Replication agreement cannot be converted.
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG   File
>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>>> execute
>>>>
>>>>         return_value = self.run()
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
>>>> line 311, in run
>>>>
>>>>         cfgr.run()
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 281, in run
>>>>
>>>>         self.execute()
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 303, in execute
>>>>
>>>>         for nothing in self._executor():
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 343, in __runner
>>>>
>>>>         self._handle_exception(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>>         util.raise_exc_info(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 333, in __runner
>>>>
>>>>         step()
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 87, in run_generator_with_yield_from
>>>>
>>>>         raise_exc_info(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 65, in run_generator_with_yield_from
>>>>
>>>>         value = gen.send(prev_value)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 524, in _configure
>>>>
>>>>         executor.next()
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 343, in __runner
>>>>
>>>>         self._handle_exception(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 421, in _handle_exception
>>>>
>>>>         self.__parent._handle_exception(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>>         util.raise_exc_info(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 418, in _handle_exception
>>>>
>>>>         super(ComponentBase, self)._handle_exception(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>>         util.raise_exc_info(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 333, in __runner
>>>>
>>>>         step()
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 87, in run_generator_with_yield_from
>>>>
>>>>         raise_exc_info(exc_info)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 65, in run_generator_with_yield_from
>>>>
>>>>         value = gen.send(prev_value)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>>>> line 63, in _install
>>>>
>>>>         for nothing in self._installer(self.parent):
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 879, in main
>>>>
>>>>         install(self)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 295, in decorated
>>>>
>>>>         func(installer)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 586, in install
>>>>
>>>>         krb = install_krb(config, setup_pkinit=not options.no_pkinit)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 93, in install_krb
>>>>
>>>>         setup_pkinit, pkcs12_info)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>>>> line 214, in create_replica
>>>>
>>>>         self.start_creation(runtime=30)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 418, in start_creation
>>>>
>>>>         run_step(full_msg, method)
>>>>
>>>>       File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 408, in run_step
>>>>
>>>>         method()
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py",
>>>> line 438, in __convert_to_gssapi_replication
>>>>
>>>>         r_bindpw=self.dm_password)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 1104, in convert_to_gssapi_replication
>>>>
>>>>         self.gssapi_update_agreements(self.conn, r_conn)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 797, in gssapi_update_agreements
>>>>
>>>>         self.setup_krb_princs_as_replica_binddns(a, b)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 767, in setup_krb_princs_as_replica_binddns
>>>>
>>>>         (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>>>
>>>>       File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 751, in get_replica_principal_dns
>>>>
>>>>         raise RuntimeError(error)
>>>>
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed,
>>>> exception: RuntimeError: One of the ldap service principals is missing.
>>>> Replication agreement cannot be converted.
>>>>
>>>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is
>>>> missing. Replication agreement cannot be converted.
>>>>
>>>> ###
>>>>
>>>>
>>>>
>>>> Can anybody help me?
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Greets
>>>>
>>>> Kilian
>>>>
>>>>
>>>>
>
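
Added example, not part of the original thread and not FreeIPA or 389-ds code: a Python scan of a Directory Server error log for the entryrdn/id2entry inconsistencies quoted above, correlating the stale entry ID with the empty id2entry reads and naming the backend to reindex. The sample log is constructed (host, realm and suffix are placeholders) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the error-log lines quoted in the thread;
# the host, realm and suffix are placeholders.
DN = ("krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,"
      "cn=services,cn=accounts,dc=example,dc=test")
SAMPLE_LOG = f'''\
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "{DN}" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: {DN}) is already in the entryrdn file with different ID 252.  Expected ID is 625.
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://replica.example.test:389/o%3Dipaca) failed.
'''

ORPHAN = re.compile(r'dn2entry_ext: the dn "(?P<dn>[^"]+)" was in the entryrdn index, '
                    r'but it did not exist in id2entry of instance (?P<inst>\w+)')
MISMATCH = re.compile(r'_entryrdn_insert_key: Same DN \(dn: (?P<dn>.+?)\) is already in the '
                      r'entryrdn file with different ID (?P<old>\d+)\.\s+Expected ID is (?P<new>\d+)')
NULL_ID = re.compile(r'str2entry returned NULL for id (?P<id>\d+)')


def scan_error_log(text):
    """Collect entryrdn/id2entry inconsistencies from a dirsrv error log."""
    orphans, conflicts, null_ids = {}, {}, Counter()
    for line in text.splitlines():
        if m := ORPHAN.search(line):
            # DN is present in the entryrdn index but has no id2entry record.
            orphans.setdefault(m["inst"], set()).add(m["dn"])
        elif m := MISMATCH.search(line):
            # The index already maps this DN to a different entry ID.
            conflicts[m["dn"]] = (int(m["old"]), int(m["new"]))
        elif m := NULL_ID.search(line):
            null_ids[int(m["id"])] += 1
    return {"orphans": orphans, "conflicts": conflicts, "null_ids": null_ids}


def stale_ids(report):
    """IDs the index still points at although id2entry returns nothing."""
    return {old for old, _ in report["conflicts"].values() if old in report["null_ids"]}


def backends_to_reindex(report):
    """Backend instances for which the log shows an entryrdn inconsistency."""
    return sorted(report["orphans"])


if __name__ == "__main__":
    rep = scan_error_log(SAMPLE_LOG)
    for backend in backends_to_reindex(rep):
        print(f"{backend}: reindex entryrdn; stale IDs {sorted(stale_ids(rep))}")
```
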
