[Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

Devin Acosta linuxguru.co at gmail.com
Thu Jul 14 20:16:13 UTC 2016


When I tried to create the replica from another server, it fails, giving me
this:

[root at ipa02-aws ~]# ipa-replica-prepare ipa03-aws.rsinc.local --ip-address
10.40.x.x
Directory Manager (existing master) password:

If you installed IPA with your own certificates using PKCS#12 files you
must provide PKCS#12 files for any replicas you create as well.
The replica must be created on the primary IPA server.

On Thu, Jul 14, 2016 at 8:22 AM, Petr Vobornik <pvoborni at redhat.com> wrote:

> On 07/14/2016 07:18 AM, Bjarne Blichfeldt wrote:
> > Well, I just had the same problem, but in my case I also tried to
> install a ca:
> >
> > “ipa-replica-install --setup-ca …..”
> >
> > Without “--set-up”  the installation succeeded.
> >
> > Regards,
> >
> > Bjarne
> >
>
> The error below is not related to CA.
>
> It tries to check that new replica's ldap service principal was replicated
> to master server. The principal is not replicated there and after 60
> attempts it fails.
>
> What is your replication topology? Could it be that other replicas are
> keeping this master busy?
>
> Does installation against other replica work?
>
> Could you provide dirsrv error log of the master from the time of
> installation?
>
> >
> >
> > *From:*Devin Acosta [mailto:linuxguru.co at gmail.com]
> > *Sent:* 12 July 2016 21:35
> > *To:* freeipa-users at redhat.com
> > *Subject:* [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)
> >
> > I am trying to add a 4th replica to my FreeIPA installation. I am
> running the
> > latest CentOS 7.2 (full updates) and I have tried multiple times and it
> fails every
> > time in the same location. When it fails I remove the replication agreements
> and try
> > again, and it keeps failing in the same location.
> >
> > [root at ipa03-aws centos]# ipa-replica-install
> replica-info-ipa03-aws.rsinc.local.gpg
> >
> > WARNING: conflicting time&date synchronization service 'chronyd' will
> >
> > be disabled in favor of ntpd
> >
> > Directory Manager (existing master) password:
> >
> > Run connection check to master
> >
> > Check connection from replica to remote master 'ipa01-aws.rsinc.local':
> >
> >     Directory Service: Unsecure port (389): OK
> >
> >     Directory Service: Secure port (636): OK
> >
> >     Kerberos KDC: TCP (88): OK
> >
> >     Kerberos Kpasswd: TCP (464): OK
> >
> >     HTTP Server: Unsecure port (80): OK
> >
> >     HTTP Server: Secure port (443): OK
> >
> > The following list of ports use UDP protocol and would need to be
> >
> > checked manually:
> >
> >     Kerberos KDC: UDP (88): SKIPPED
> >
> >     Kerberos Kpasswd: UDP (464): SKIPPED
> >
> > Connection from replica to master is OK.
> >
> > Start listening on required ports for remote master check
> >
> > Get credentials to log in to remote master
> >
> > admin at RSINC.LOCAL <mailto:admin at RSINC.LOCAL> password:
> >
> > Check SSH connection to remote master
> >
> > Execute check on remote master
> >
> > Check connection from master to remote replica 'ipa03-aws.rsinc.local':
> >
> >     Directory Service: Unsecure port (389): OK
> >
> >     Directory Service: Secure port (636): OK
> >
> >     Kerberos KDC: TCP (88): OK
> >
> >     Kerberos KDC: UDP (88): OK
> >
> >     Kerberos Kpasswd: TCP (464): OK
> >
> >     Kerberos Kpasswd: UDP (464): OK
> >
> >     HTTP Server: Unsecure port (80): OK
> >
> >     HTTP Server: Secure port (443): OK
> >
> > Connection from master to replica is OK.
> >
> > Connection check OK
> >
> > Configuring NTP daemon (ntpd)
> >
> >    [1/4]: stopping ntpd
> >
> >    [2/4]: writing configuration
> >
> >    [3/4]: configuring ntpd to start on boot
> >
> >    [4/4]: starting ntpd
> >
> > Done configuring NTP daemon (ntpd).
> >
> > Configuring directory server (dirsrv). Estimated time: 1 minute
> >
> >    [1/38]: creating directory server user
> >
> >    [2/38]: creating directory server instance
> >
> >    [3/38]: adding default schema
> >
> >    [4/38]: enabling memberof plugin
> >
> >    [5/38]: enabling winsync plugin
> >
> >    [6/38]: configuring replication version plugin
> >
> >    [7/38]: enabling IPA enrollment plugin
> >
> >    [8/38]: enabling ldapi
> >
> >    [9/38]: configuring uniqueness plugin
> >
> >    [10/38]: configuring uuid plugin
> >
> >    [11/38]: configuring modrdn plugin
> >
> >    [12/38]: configuring DNS plugin
> >
> >    [13/38]: enabling entryUSN plugin
> >
> >    [14/38]: configuring lockout plugin
> >
> >    [15/38]: creating indices
> >
> >    [16/38]: enabling referential integrity plugin
> >
> >    [17/38]: configuring ssl for ds instance
> >
> >    [18/38]: configuring certmap.conf
> >
> >    [19/38]: configure autobind for root
> >
> >    [20/38]: configure new location for managed entries
> >
> >    [21/38]: configure dirsrv ccache
> >
> >    [22/38]: enable SASL mapping fallback
> >
> >    [23/38]: restarting directory server
> >
> >    [24/38]: setting up initial replication
> >
> > Starting replication, please wait until this has completed.
> >
> > Update in progress, 4 seconds elapsed
> >
> > Update succeeded
> >
> >    [25/38]: updating schema
> >
> >    [26/38]: setting Auto Member configuration
> >
> >    [27/38]: enabling S4U2Proxy delegation
> >
> >    [28/38]: importing CA certificates from LDAP
> >
> >    [29/38]: initializing group membership
> >
> >    [30/38]: adding master entry
> >
> >    [31/38]: initializing domain level
> >
> >    [32/38]: configuring Posix uid/gid generation
> >
> >    [33/38]: adding replication acis
> >
> >    [34/38]: enabling compatibility plugin
> >
> >    [35/38]: activating sidgen plugin
> >
> >    [36/38]: activating extdom plugin
> >
> >    [37/38]: tuning directory server
> >
> >    [38/38]: configuring directory to start on boot
> >
> > Done configuring directory server (dirsrv).
> >
> > Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
> >
> >    [1/8]: adding sasl mappings to the directory
> >
> >    [2/8]: configuring KDC
> >
> >    [3/8]: creating a keytab for the directory
> >
> >    [4/8]: creating a keytab for the machine
> >
> >    [5/8]: adding the password extension to the directory
> >
> >    [6/8]: enable GSSAPI for replication
> >
> >    [error] RuntimeError: One of the ldap service principals is missing.
> > Replication agreement cannot be converted.
> >
> > Replication error message: Can't acquire busy replica
> >
> > Your system may be partly configured.
> >
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the ldap
> > service principals is missing. Replication agreement cannot be converted.
> >
> > Replication error message: Can't acquire busy replica
> >
> > Please see attached file for the full log file.
> >
> > Any help would be appreciated!
> >
> >
> >
>
>
> --
> Petr Vobornik
>
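Petr's explanation above is that the installer polls the master for the new replica's ldap service principal and gives up after 60 attempts, and that a master kept busy by its other replication peers is a likely reason the principal never arrives. The following script is an added example (not code from the thread or from FreeIPA) that reproduces that check from the outside and summarises replication-agreement errors from the master's dirsrv error log, so you can confirm the "busy replica" theory before touching the topology. The host names and realm are taken from the thread, the `BASE_DN`, the `ldapsearch` invocation, and the sample log lines are assumptions and constructed data, and the error-log line format is assumed to match 389-ds.

```python
"""Check that a new replica's ldap service principal has reached the master,
and list replication-agreement errors from the master's dirsrv error log.

Added example for the thread above; not part of FreeIPA itself.
"""
import re
import subprocess
import time
from typing import Callable, Dict, Iterable, List

# Values from the thread; BASE_DN is an assumption derived from the realm.
MASTER = "ipa01-aws.rsinc.local"
REPLICA = "ipa03-aws.rsinc.local"
REALM = "RSINC.LOCAL"
BASE_DN = "dc=rsinc,dc=local"


def principal_filter(replica_fqdn: str, realm: str) -> str:
    """LDAP filter for the replica's directory-server service principal."""
    return f"(krbprincipalname=ldap/{replica_fqdn}@{realm})"


def ldap_principal_present(replica_fqdn: str = REPLICA, master: str = MASTER,
                           realm: str = REALM, base_dn: str = BASE_DN) -> bool:
    """Real lookup: GSSAPI-authenticated ldapsearch against the master.
    Needs a valid admin ticket (kinit admin) on the host running this."""
    cmd = [
        "ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldaps://{master}",
        "-b", f"cn=services,cn=accounts,{base_dn}",
        principal_filter(replica_fqdn, realm), "dn",
    ]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return "dn:" in result.stdout


def wait_for_principal(lookup: Callable[[], bool], attempts: int = 60,
                       delay: float = 1.0,
                       sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll `lookup` the way the installer does (per Petr's description):
    up to `attempts` tries, `delay` seconds apart.  Returns the attempt
    number on which the principal appeared, or raises RuntimeError."""
    for attempt in range(1, attempts + 1):
        if lookup():
            return attempt
        sleep(delay)
    raise RuntimeError(
        f"ldap service principal not replicated after {attempts} attempts")


# Assumed 389-ds error-log shape: '... NSMMReplicationPlugin - agmt="cn=..." (peer:port): message'
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<msg>.*)')
# Substrings that indicate the master could not obtain its peer's replica lock.
BUSY_MARKERS = ("Unable to acquire replica", "being updated by another supplier")


def replication_problems(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map agreement name -> list of 'busy'/acquire failures seen in the log."""
    problems: Dict[str, List[str]] = {}
    for line in lines:
        m = AGMT_RE.search(line)
        if m and any(marker in m.group("msg") for marker in BUSY_MARKERS):
            problems.setdefault(m.group("agmt"), []).append(m.group("msg").strip())
    return problems


# Constructed sample of /var/log/dirsrv/slapd-<INSTANCE>/errors on the master.
SAMPLE_ERRORS_LOG = """\
[14/Jul/2016:08:20:01 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-aws.rsinc.local" (ipa02-aws:389): Unable to acquire replica: the replica is currently being updated by another supplier.
[14/Jul/2016:08:20:02 +0000] NSMMReplicationPlugin - agmt="cn=meToipa03-aws.rsinc.local" (ipa03-aws:389): Replication bind with GSSAPI auth resumed
[14/Jul/2016:08:20:05 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-aws.rsinc.local" (ipa02-aws:389): Unable to acquire replica: the replica is currently being updated by another supplier.
[14/Jul/2016:08:20:09 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""


if __name__ == "__main__":
    # Offline demonstration with the constructed log; swap in
    # ldap_principal_present for a live check against the master.
    for agmt, msgs in replication_problems(SAMPLE_ERRORS_LOG.splitlines()).items():
        print(f"{agmt}: {len(msgs)} acquire failure(s)")
    calls = iter([False, False, True])
    print("principal seen on attempt", wait_for_principal(lambda: next(calls), sleep=lambda _: None))
```

Run it on the master with a fresh admin ticket and replace the fake lookup with `ldap_principal_present`; if the principal never shows up while the error log is full of acquire failures against the same agreement, the peer named in that agreement is what is keeping the master busy, which answers Petr's topology question.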

