[Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server
giuseppe.calignano at finantix.com
Tue Feb 9 15:26:26 UTC 2016
Hi, I desperately need your help/advice with our ipa update process.
Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7
to a newer version, and I read that the way of doing it is to create a new
replica with a newer version of IPA server.
Before writing this post, I browsed for similar issues (there are many of
them with similar outcome) and tried to apply the suggested solutions but
no luck. I also tried previous versions of Fedora (18 and 19) but again no
luck.
It seems I'm stuck and I don't know how to proceed :(
Thank you in advance to anyone who will take the time to read my message :) Let's start!
Right now we have a single server running on CentOS 6.7, and we are planning to
create a replica with Fedora 20, which has IPA 3.3.
Here are the details of the master (ipaserver)
[root at ipaserver ~]# uname -a
Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[root at ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-ca-9.0.3-43.el6.noarch
And here are the details of the replica (ipaserver-ha2).
Replica server on Fedora 20:
[root at ipaserver-ha2 ~]# uname -a
Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root at ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
pki-ca-10.1.2-7.fc20.noarch
freeipa-server-3.3.5-1.fc20.x86_64
Here are the steps I took:
Before starting the replica I updated the schema of the master with the
copy-schema-to-ca.py script
I prepared the replica certificates on the server ("ipa-replica-prepare
ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and transferred them to the
replica server into the same folder.
Then I ran the replica install, and here's the output:
[root at ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipaserver.it.fx.lan':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IT.FX.LAN password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Connection check OK
Configuring directory server (dirsrv): Estimated time 1 minute
[1/34]: creating directory server user
[2/34]: creating directory server instance
[3/34]: adding default schema
[4/34]: enabling memberof plugin
[5/34]: enabling winsync plugin
[6/34]: configuring replication version plugin
[7/34]: enabling IPA enrollment plugin
[8/34]: enabling ldapi
[9/34]: configuring uniqueness plugin
[10/34]: configuring uuid plugin
[11/34]: configuring modrdn plugin
[12/34]: configuring DNS plugin
[13/34]: enabling entryUSN plugin
[14/34]: configuring lockout plugin
[15/34]: creating indices
[16/34]: enabling referential integrity plugin
[17/34]: configuring ssl for ds instance
[18/34]: configuring certmap.conf
[19/34]: configure autobind for root
[20/34]: configure new location for managed entries
[21/34]: configure dirsrv ccache
[22/34]: enable SASL mapping fallback
[23/34]: restarting directory server
[24/34]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[25/34]: updating schema
[26/34]: setting Auto Member configuration
[27/34]: enabling S4U2Proxy delegation
[28/34]: initializing group membership
[29/34]: adding master entry
[30/34]: configuring Posix uid/gid generation
[31/34]: adding replication acis
[32/34]: enabling compatibility plugin
[33/34]: tuning directory server
[34/34]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
[1/19]: creating certificate server user
[2/19]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpoqFGBW' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
Here are the log files on the replica server:
On the master I extracted the access log of the http server:
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4092
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 157
10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746
10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/profileSubmit HTTP/1.0" 200 1459
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
Best regards,
Giuseppe Calignano
IT Manager
Mobile: +39 335 7864 963 | Office: + 39 041 258 7618 | Email:
giuseppe.calignano at finantix.com | skype: quasaro
Via della Pila, 13 | I-30175 Marghera | Venezia | Italy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: application/octet-stream
Size: 153830 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160209/c5b3c51f/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-ca-spawn.20160209153022.log
Type: application/octet-stream
Size: 421105 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160209/c5b3c51f/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug
Type: application/octet-stream
Size: 212597 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160209/c5b3c51f/attachment-0002.obj>
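The access log quoted in the post shows the new replica's pkispawn probing the old master's CA with several endpoint variants, some of which return 404 while an older-style path for the same operation returns 200. As an added triage aid (not part of the post or of FreeIPA itself), the script below parses such httpd access-log lines, groups the /ca/ requests by endpoint name, and separates endpoints where a fallback path succeeded from those where every attempt failed; the embedded sample lines are constructed from the entries quoted above.

```python
import re
from collections import defaultdict

# httpd common-log line as seen in the master's access log quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: a subset of the master's access-log lines from the post.
SAMPLE_LOG = """\
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def ca_outcomes(lines):
    """Map each CA endpoint name (last path element) to {path: [statuses]}.
    Only requests under /ca/ are considered; unrelated traffic is ignored."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/ca/"):
            continue
        out[rec["path"].rsplit("/", 1)[-1]][rec["path"]].append(rec["status"])
    return {name: dict(paths) for name, paths in out.items()}

def triage(outcomes):
    """Return (fallback_ok, unmet): endpoints that saw a 404 but where some
    path variant answered 2xx, versus endpoints where every attempt failed."""
    fallback_ok, unmet = {}, {}
    for name, paths in outcomes.items():
        failed = sorted(p for p, st in paths.items() if 404 in st)
        ok = sorted(p for p, st in paths.items() if any(200 <= s < 300 for s in st))
        if failed:
            (fallback_ok if ok else unmet)[name] = (failed, ok)
    return fallback_ok, unmet

if __name__ == "__main__":
    fallback_ok, unmet = triage(ca_outcomes(SAMPLE_LOG.splitlines()))
    print("served by a fallback path:", fallback_ok)
    print("no working variant on master:", unmet)
```

Run against the full /var/log/httpd/access_log of the master during the replica install window; the "unmet" set is the list of calls the newer pkispawn makes that the old CA cannot answer at all.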