[Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

Quasar quasar7 at gmail.com
Thu Feb 11 13:57:04 UTC 2016


Please disregard this email, as it was duplicated.

Sorry for the inconvenience.

On Tue, Feb 9, 2016 at 4:26 PM, <giuseppe.calignano at finantix.com> wrote:

> Hi, I desperately need your help/advice with our ipa update process.
> Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7
> to a newer version, and I read that the way of doing it is to create a new
> replica with a newer version of IPA server.
> Before writing this post, I browsed for similar issues (there are many of
> them with similar outcome) and tried to apply the suggested solutions but
> no luck. I also tried previous versions of Fedora (18 and 19) but again no
> luck.
> It seems I'm stuck and I don't know how to proceed :(
>
> Thank you in advance to anyone who will take the time to read my message
> :) Let's start!
>
> Right now we have a single IPA master running on CentOS 6.7, and we are planning to
> create a replica on Fedora 20, which has IPA 3.3.
>
> Here are the details of the master (ipaserver)
> [root at ipaserver ~]# uname -a
> Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> [root at ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-ca-9.0.3-43.el6.noarch
>
> And here are the details of the replica (ipaserver-ha2), a replica server on Fedora 20:
> [root at ipaserver-ha2 ~]# uname -a
> Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> [root at ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> pki-ca-10.1.2-7.fc20.noarch
> freeipa-server-3.3.5-1.fc20.x86_64
>
> Here are the steps I made:
>
>    - Before starting the replica I updated the schema of the master with
>    the copy-schema-to-ca.py script
>    - I prepared the replica certificates on the server
>    ("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and
>    transferred them to the replica server, into the same folder
>    - Then I ran the replica install, and here's the output:
>
> [root at ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipaserver.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at IT.FX.LAN password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/34]: creating directory server user
>   [2/34]: creating directory server instance
>   [3/34]: adding default schema
>   [4/34]: enabling memberof plugin
>   [5/34]: enabling winsync plugin
>   [6/34]: configuring replication version plugin
>   [7/34]: enabling IPA enrollment plugin
>   [8/34]: enabling ldapi
>   [9/34]: configuring uniqueness plugin
>   [10/34]: configuring uuid plugin
>   [11/34]: configuring modrdn plugin
>   [12/34]: configuring DNS plugin
>   [13/34]: enabling entryUSN plugin
>   [14/34]: configuring lockout plugin
>   [15/34]: creating indices
>   [16/34]: enabling referential integrity plugin
>   [17/34]: configuring ssl for ds instance
>   [18/34]: configuring certmap.conf
>   [19/34]: configure autobind for root
>   [20/34]: configure new location for managed entries
>   [21/34]: configure dirsrv ccache
>   [22/34]: enable SASL mapping fallback
>   [23/34]: restarting directory server
>   [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 3 seconds elapsed
> Update succeeded
>
>   [25/34]: updating schema
>   [26/34]: setting Auto Member configuration
>   [27/34]: enabling S4U2Proxy delegation
>   [28/34]: initializing group membership
>   [29/34]: adding master entry
>   [30/34]: configuring Posix uid/gid generation
>   [31/34]: adding replication acis
>   [32/34]: enabling compatibility plugin
>   [33/34]: tuning directory server
>   [34/34]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/19]: creating certificate server user
>   [2/19]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpoqFGBW' returned non-zero exit status 1
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
>
> Here are the log files on the replica server:
>
>
>
>
>
> On the master I extracted the access log of the http server:
> 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
> 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
> 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
> 10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
> 10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
> 10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4092
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
> 10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
> 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
> 10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
> 10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
> 10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 157
> 10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746
> 10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
> 10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/profileSubmit HTTP/1.0" 200 1459
> 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
> 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
> 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
>
>
>
> Best regards,
>
> *Giuseppe Calignano*
> IT Manager
>
>
> Mobile: +39 335 7864 963 | Office: + 39 041 258 7618 | Email:
> giuseppe.calignano at finantix.com | skype: quasaro
> Via della Pila, 13 | I-30175 Marghera | Venezia | Italy
>
> CONFIDENTIALITY NOTICE - This message may contain privileged and
> confidential information intended only for the use of the addressee named
> above. If you are not the intended recipient of this message, you are
> hereby notified that any use, dissemination, distribution or reproduction
> of this message is prohibited. If you have received this message in error,
> please notify Finantix immediately via email to the sender.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>



-- 
Giuseppe Calignano
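As an added example that is not part of the thread, and not FreeIPA or Dogtag code: a small Python script that scans the master's Apache access log for requests under /ca/ answered with 404 and, for each one, reports the next successful request the same client made within a few seconds. In the access log quoted above, each 404 (the /ca/rest/... probes, /ca/admin/ca/updateNumberRange, /ca/admin/ca/updateDomainXML) is followed by a 200 on a different path, and the script makes that pairing explicit, marking whether the follow-up is the same operation on another path or an unrelated request, and listing any 404 with no follow-up at all. Those are the requests worth lining up against the pkispawn log on the replica. The sample log is a subset of the quoted lines re-joined one per request; the five-second window is an assumed tuning value, not anything the thread states.

```python
"""Pair CA requests that got a 404 on the IPA master with the client's next
successful request, to see which calls the master did not serve."""
import re
from datetime import datetime, timedelta

# Apache common-log format, as in the quoted access log.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Subset of the access log quoted in the thread, re-joined one line per request.
SAMPLE_LOG = """\
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
"""

# Assumed window: how long after a 404 a follow-up request still counts.
DEFAULT_WINDOW = timedelta(seconds=5)


def parse_log(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def _operation(path):
    """Last path segment, e.g. 'updateNumberRange' for /ca/ee/ca/updateNumberRange."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def fallback_for(records, idx, window=DEFAULT_WINDOW):
    """First 2xx request from the same client logged after records[idx] and
    timestamped within `window`. The log is not assumed to be time-sorted
    (the quoted log has a 15:30:47 line after a 15:30:48 one), so out-of-window
    lines are skipped rather than used as a stop condition."""
    failed = records[idx]
    for later in records[idx + 1:]:
        delta = later["ts"] - failed["ts"]
        if not (timedelta(0) <= delta <= window):
            continue
        if later["client"] == failed["client"] and 200 <= later["status"] < 300:
            return later
    return None


def ca_404_report(records, window=DEFAULT_WINDOW):
    """For every 404 under /ca/, return (path, fallback_path_or_None, same_operation)."""
    report = []
    for i, rec in enumerate(records):
        if rec["status"] != 404 or not rec["path"].startswith("/ca/"):
            continue
        fb = fallback_for(records, i, window)
        if fb is None:
            report.append((rec["path"], None, False))
        else:
            same = _operation(fb["path"]) == _operation(rec["path"])
            report.append((rec["path"], fb["path"], same))
    return report


def unresolved_404s(records, window=DEFAULT_WINDOW):
    """Paths that returned 404 with no successful follow-up from the same client."""
    return [path for path, fb, _ in ca_404_report(records, window) if fb is None]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path, fb, same in ca_404_report(recs):
        if fb is None:
            print(f"404 {path}  -> no follow-up within {DEFAULT_WINDOW.seconds}s")
        else:
            kind = "same operation" if same else "different request"
            print(f"404 {path}  -> 2xx {fb} ({kind})")
    print("unresolved:", unresolved_404s(recs))
```

Run it against the real log with `parse_log(open("/var/log/httpd/access_log").read())`; a 404 that shows up as unresolved, or whose only follow-up is a different operation, is the request to search for in the replica's pkispawn output.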