[Freeipa-users] Unable to create a new replica

Francoeur, Louis Louis.Francoeur at esignlive.com
Thu May 5 14:03:22 UTC 2016


I'm trying to create a new replica and I receive the following message:


Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica


I have done this multiple times:


ipa-replica-manage del new-ipa.domain.local --force --cleanup


I have validated that my ports are open:

nmap -Pn -p53,80,88,443,389,464,636 existing-ipa

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:46 UTC
Nmap scan report for existing-ipa (xxx.xxx.xxx.xxx)
Host is up (0.29s latency).
rDNS record for xxx.xxx.xxx.xxx: existing-ipa.domain.local
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds


nmap -Pn -p53,80,88,443,389,464,636 xxx.xxx.xxx.xxx (this is after the failed install - closed means nothing is listening)

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:50 UTC
Nmap scan report for new-ipa.domain.local (xxx.xxx.xxx.xxx)
Host is up (0.21s latency).
PORT    STATE  SERVICE
53/tcp  closed domain
80/tcp  closed http
88/tcp  closed kerberos-sec
389/tcp open   ldap
443/tcp closed https
464/tcp closed kpasswd5
636/tcp open   ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds


I am running on CentOS 7 with:


ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-ipa-1.13.0-40.el7_2.2.x86_64
libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64

The other strange thing I notice at the beginning of the install is:

ipa         : ERROR    Could not resolve hostname new-ipa.domain.local using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)


But I can find it from the command line with dig/nslookup.


With more debug info, I find it is trying to reach another IPA that it has no access to (geo is too far and ports are closed instead of using resolv.conf).


What am I missing here?


BTW I have multiple replicas installed already.


Thanks

Louis
