[Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

giuseppe.calignano at finantix.com giuseppe.calignano at finantix.com
Tue Feb 9 15:26:26 UTC 2016


Hi, I desperately need your help/advice with our ipa update process.
Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7 
to a newer version, and I read that the way of doing it is to create a new 
replica with a newer version of IPA server.
Before writing this post, I browsed for similar issues (there are many of 
them with similar outcome) and tried to apply the suggested solutions but 
no luck. I also tried previous versions of Fedora (18 and 19) but again no 
luck.
It seems I'm stuck and I don't know how to proceed :(

Thank you in advance to anyone who will take the time to read my message 
:) Let's start!

Right now we have a single IPA server running on CentOS 6.7, and we are 
planning to create a replica on Fedora 20, which has IPA 3.3.

Here are the details of the master (ipaserver)
[root at ipaserver ~]# uname -a
Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 
UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

[root at ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
ipa-pki-ca-theme-9.0.3-7.el6.noarch
pki-ca-9.0.3-43.el6.noarch

And here are the details of the replica (ipaserver-ha2).
Replica server on Fedora 20:
[root at ipaserver-ha2 ~]# uname -a
Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 
17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root at ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
pki-ca-10.1.2-7.fc20.noarch
freeipa-server-3.3.5-1.fc20.x86_64

Here are the steps I took:
Before starting the replica, I updated the schema of the master with the 
copy-schema-to-ca.py script.
I prepared the replica certificates on the server ("ipa-replica-prepare 
ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and transferred them to 
the replica server, into the same folder.
Then I ran the replica install, and here's the output:
[root at ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns 
--no-forwarders --no-ntp 
/var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg 
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'ipaserver.it.fx.lan':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IT.FX.LAN password: 

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/34]: creating directory server user
  [2/34]: creating directory server instance
  [3/34]: adding default schema
  [4/34]: enabling memberof plugin
  [5/34]: enabling winsync plugin
  [6/34]: configuring replication version plugin
  [7/34]: enabling IPA enrollment plugin
  [8/34]: enabling ldapi
  [9/34]: configuring uniqueness plugin
  [10/34]: configuring uuid plugin
  [11/34]: configuring modrdn plugin
  [12/34]: configuring DNS plugin
  [13/34]: enabling entryUSN plugin
  [14/34]: configuring lockout plugin
  [15/34]: creating indices
  [16/34]: enabling referential integrity plugin
  [17/34]: configuring ssl for ds instance
  [18/34]: configuring certmap.conf
  [19/34]: configure autobind for root
  [20/34]: configure new location for managed entries
  [21/34]: configure dirsrv ccache
  [22/34]: enable SASL mapping fallback
  [23/34]: restarting directory server
  [24/34]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [25/34]: updating schema
  [26/34]: setting Auto Member configuration
  [27/34]: enabling S4U2Proxy delegation
  [28/34]: initializing group membership
  [29/34]: adding master entry
  [30/34]: configuring Posix uid/gid generation
  [31/34]: adding replication acis
  [32/34]: enabling compatibility plugin
  [33/34]: tuning directory server
  [34/34]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpoqFGBW' returned non-zero exit status 
1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


Here are the log files on the replica server:

On the master I extracted the access log of the http server:
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET 
/ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML 
HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login 
HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain 
HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET /ca/rest/account/login 
HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST /ca/admin/ca/getCookie 
HTTP/1.1" 200 4092
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getDomainXML 
HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getCertChain 
HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST 
/ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST 
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST 
/ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST 
/ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST 
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST 
/ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST 
/ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST 
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST 
/ca/ee/ca/updateNumberRange HTTP/1.0" 200 157
10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST 
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST 
/ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746
10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST 
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/profileSubmit 
HTTP/1.0" 200 1459
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/getDomainXML 
HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST 
/ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST 
/ca/agent/ca/updateDomainXML HTTP/1.0" 200 115



Best regards,

Giuseppe Calignano
IT Manager


Mobile: +39 335 7864 963 | Office: + 39 041 258 7618 | Email: 
giuseppe.calignano at finantix.com | skype: quasaro
Via della Pila, 13 | I-30175 Marghera | Venezia | Italy

CONFIDENTIALITY NOTICE - This message may contain privileged and 
confidential information intended only for the use of the addressee named 
above. If you are not the intended recipient of this message, you are 
hereby notified that any use, dissemination, distribution or reproduction 
of this message is prohibited. If you have received this message in error, 
please notify Finantix immediately via email to the sender.
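The access-log excerpt above is easier to read once the requests are grouped by CA interface and status. The following is an added example (not part of the original post or of FreeIPA) that parses Apache common log format lines and reports, per CA path prefix, how many distinct paths the replica (10.0.0.10) requested and which of them were only ever answered 404; the sample lines are a constructed subset of those quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the httpd access log lines quoted in the
# post (Apache common log format), embedded so the script runs offline.
SAMPLE_LOG = """\
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
"""

# Common log format: client ident user [timestamp] "METHOD path HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def ca_endpoint_summary(text, client=None):
    """(method, path) -> sorted status codes for /ca/ requests, optionally
    restricted to one client address (here: the replica being installed)."""
    seen = defaultdict(set)
    for rec in parse_access_log(text):
        if rec["path"].startswith("/ca/") and client in (None, rec["client"]):
            seen[(rec["method"], rec["path"])].add(int(rec["status"]))
    return {k: sorted(v) for k, v in seen.items()}

def missing_ca_interfaces(text, client=None):
    """Per CA interface prefix ('rest', 'admin', 'ee', ...): number of distinct
    paths requested and the ones that were only ever answered 404. A prefix
    whose every path is 404 is an interface the master does not expose at all."""
    total, never = defaultdict(int), defaultdict(list)
    for (method, path), statuses in ca_endpoint_summary(text, client).items():
        prefix = path.split("/")[2]          # '/ca/<prefix>/...'
        total[prefix] += 1
        if statuses == [404]:
            never[prefix].append(f"{method} {path}")
    return {p: (total[p], sorted(never[p])) for p in total}
```

Run against the full access log with the replica's address as `client`; a prefix such as `rest` where every requested path is listed as never served is one the master's CA does not provide, whereas a prefix with some 200 responses is missing only individual servlets.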
Attachments (scrubbed by the list archive):
- ipareplica-install.log (153830 bytes): http://listman.redhat.com/archives/freeipa-users/attachments/20160209/c5b3c51f/attachment.obj
- pki-ca-spawn.20160209153022.log (421105 bytes): http://listman.redhat.com/archives/freeipa-users/attachments/20160209/c5b3c51f/attachment-0001.obj
- debug (212597 bytes): http://listman.redhat.com/archives/freeipa-users/attachments/20160209/c5b3c51f/attachment-0002.obj