[Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

Quasar quasar7 at gmail.com
Thu Feb 11 09:46:39 UTC 2016


Hi, I desperately need your help/advice with our ipa update process.
Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7
to a newer version, and I read that the way of doing it is to create a new
replica with a newer version of IPA server.
Before writing this post, I browsed for similar issues (there are many of
them with similar outcome) and tried to apply the suggested solutions but
no luck. I also tried previous versions of Fedora (18 and 19) but again no
luck.
It seems I'm stuck and I don't know how to proceed :(

Thank you in advance to anyone who will take the time to read my message :)
Let's start!

Right now we have a single master running on CentOS 6.7, and we are planning to
create a replica with Fedora 20, which has IPA 3.3.

Here are the details of the master (CentOS 6.7, hostname ipaserver)
[root at ipaserver ~]# uname -a
Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

[root at ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-ca-9.0.3-43.el6.noarch

And here are the details of the replica (Fedora 20, hostname ipaserver-ha2)
[root at ipaserver-ha2 ~]# uname -a
Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root at ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
pki-ca-10.1.2-7.fc20.noarch
freeipa-server-3.3.5-1.fc20.x86_64

Here are the steps I took:
Before starting the replica install, I updated the schema of the master with the
copy-schema-to-ca.py script.
I prepared the replica file on the master ("ipa-replica-prepare
ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and transferred it to the
replica server, into the same folder.
Then I ran the replica install, and here's the output:
[root at ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipaserver.it.fx.lan':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IT.FX.LAN password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/34]: creating directory server user
  [2/34]: creating directory server instance
  [3/34]: adding default schema
  [4/34]: enabling memberof plugin
  [5/34]: enabling winsync plugin
  [6/34]: configuring replication version plugin
  [7/34]: enabling IPA enrollment plugin
  [8/34]: enabling ldapi
  [9/34]: configuring uniqueness plugin
  [10/34]: configuring uuid plugin
  [11/34]: configuring modrdn plugin
  [12/34]: configuring DNS plugin
  [13/34]: enabling entryUSN plugin
  [14/34]: configuring lockout plugin
  [15/34]: creating indices
  [16/34]: enabling referential integrity plugin
  [17/34]: configuring ssl for ds instance
  [18/34]: configuring certmap.conf
  [19/34]: configure autobind for root
  [20/34]: configure new location for managed entries
  [21/34]: configure dirsrv ccache
  [22/34]: enable SASL mapping fallback
  [23/34]: restarting directory server
  [24/34]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [25/34]: updating schema
  [26/34]: setting Auto Member configuration
  [27/34]: enabling S4U2Proxy delegation
  [28/34]: initializing group membership
  [29/34]: adding master entry
  [30/34]: configuring Posix uid/gid generation
  [31/34]: adding replication acis
  [32/34]: enabling compatibility plugin
  [33/34]: tuning directory server
  [34/34]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpoqFGBW' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


Log files on the replica server are attached.


On the master I extracted the access log of the HTTP server:
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4092
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 157
10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746
10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/profileSubmit HTTP/1.0" 200 1459
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115


-- 
Giuseppe Calignano
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug
Type: application/octet-stream
Size: 212597 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160211/41c0f6fb/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: text/x-log
Size: 153830 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160211/41c0f6fb/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-ca-spawn.20160209153022.log
Type: text/x-log
Size: 421105 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160211/41c0f6fb/attachment-0001.bin>
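A small triage script for access logs like the one quoted in the post, added here as an example and not part of the post or of FreeIPA. It parses the common log format, groups every /ca/ path by the status codes the master returned, and separates paths the master never served (all the /ca/rest/ requests and the /ca/admin/ca/update* requests) from operations the installer retried under a second path after a 404. The sample log is constructed from the lines quoted above.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the master's access log quoted in the post (not the attached log)
SAMPLE_LOG = """\
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
"""

# Common log format: client ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def parse_access_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    out = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        d = m.groupdict()
        d["status"] = int(d["status"])
        out.append(d)
    return out

def endpoint_status(entries, prefix="/ca/"):
    """Map each CA path to the set of HTTP status codes the master returned for it."""
    seen = defaultdict(set)
    for e in entries:
        if e["path"].startswith(prefix):
            seen[e["path"]].add(e["status"])
    return dict(seen)

def never_served(summary):
    """Paths that only ever answered 404: URLs the replica asks for but the master does not serve."""
    return sorted(p for p, codes in summary.items() if codes == {404})

def fallbacks(summary):
    """Operations retried under another path after a 404 (e.g. /ca/admin/... 404 -> /ca/ee/... 200)."""
    by_op = defaultdict(dict)
    for path, codes in summary.items():
        by_op[path.rsplit("/", 1)[-1]][path] = codes
    pairs = []
    for op, paths in sorted(by_op.items()):
        failed = [p for p, c in sorted(paths.items()) if c == {404}]
        worked = [p for p, c in sorted(paths.items()) if 200 in c]
        if failed and worked:
            pairs.append((op, failed[0], worked[0]))
    return pairs
```

Run it against the full access log from the master to see at a glance which requests from the replica the master's CA cannot answer at all, versus which ones succeeded on a retry.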