[Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

Bjarne Blichfeldt BJB at jndata.dk
Thu Jul 14 05:18:28 UTC 2016 

Well, I just had the same problem, but in my case I also tried to install a ca:
“ipa-replica-install --setup-ca …..”

Without “--set-up”  the installation succeeded.

Regards,
Bjarne



From: Devin Acosta [mailto:linuxguru.co at gmail.com]
Sent: 12. juli 2016 21:35
To: freeipa-users at redhat.com
Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

I am trying to add a 4th replica to my FreeIPA installation. I am running the latest CentOS 7.2 (full updates) and i have tried multiple times and fails every time in same location. When it fails I remove the replication agreements and try again and keeps failing in same location.


[root at ipa03-aws centos]# ipa-replica-install replica-info-ipa03-aws.rsinc.local.gpg
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa01-aws.rsinc.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at RSINC.LOCAL<mailto:admin at RSINC.LOCAL> password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa03-aws.rsinc.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: configure dirsrv ccache
  [22/38]: enable SASL mapping fallback
  [23/38]: restarting directory server
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [25/38]: updating schema
  [26/38]: setting Auto Member configuration
  [27/38]: enabling S4U2Proxy delegation
  [28/38]: importing CA certificates from LDAP
  [29/38]: initializing group membership
  [30/38]: adding master entry
  [31/38]: initializing domain level
  [32/38]: configuring Posix uid/gid generation
  [33/38]: adding replication acis
  [34/38]: enabling compatibility plugin
  [35/38]: activating sidgen plugin
  [36/38]: activating extdom plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica

Please see attached file for the full log file.

Any help would be appreciated!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160714/06213a08/attachment.htm>

More information about the Freeipa-users mailing list