[Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)
Bjarne Blichfeldt
BJB at jndata.dk
Thu Jul 14 05:18:28 UTC 2016
Well, I just had the same problem, but in my case I also tried to install a CA:
“ipa-replica-install --setup-ca …..”
Without “--set-up” the installation succeeded.
Regards,
Bjarne
From: Devin Acosta [mailto:linuxguru.co at gmail.com]
Sent: 12 July 2016 21:35
To: freeipa-users at redhat.com
Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)
I am trying to add a 4th replica to my FreeIPA installation. I am running the latest CentOS 7.2 (full updates) and I have tried multiple times, and it fails every time in the same location. When it fails, I remove the replication agreements and try again, and it keeps failing in the same location.
[root at ipa03-aws centos]# ipa-replica-install replica-info-ipa03-aws.rsinc.local.gpg
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipa01-aws.rsinc.local':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at RSINC.LOCAL password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa03-aws.rsinc.local':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/38]: creating directory server user
[2/38]: creating directory server instance
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configuring replication version plugin
[7/38]: enabling IPA enrollment plugin
[8/38]: enabling ldapi
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: creating indices
[16/38]: enabling referential integrity plugin
[17/38]: configuring ssl for ds instance
[18/38]: configuring certmap.conf
[19/38]: configure autobind for root
[20/38]: configure new location for managed entries
[21/38]: configure dirsrv ccache
[22/38]: enable SASL mapping fallback
[23/38]: restarting directory server
[24/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
[25/38]: updating schema
[26/38]: setting Auto Member configuration
[27/38]: enabling S4U2Proxy delegation
[28/38]: importing CA certificates from LDAP
[29/38]: initializing group membership
[30/38]: adding master entry
[31/38]: initializing domain level
[32/38]: configuring Posix uid/gid generation
[33/38]: adding replication acis
[34/38]: enabling compatibility plugin
[35/38]: activating sidgen plugin
[36/38]: activating extdom plugin
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/8]: adding sasl mappings to the directory
[2/8]: configuring KDC
[3/8]: creating a keytab for the directory
[4/8]: creating a keytab for the machine
[5/8]: adding the password extension to the directory
[6/8]: enable GSSAPI for replication
[error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica
Please see attached file for the full log file.
Any help would be appreciated!