[Freeipa-users] ipa-replica-install fails at [6/8]: enable GSSAPI for replication

Devin Acosta devin at pabstatencio.com
Mon May 9 15:25:18 UTC 2016


Attempting to create a replica fails during ipa-replica-install. I have 
attached below what I am seeing while attempting to add a replica into 
my environment. Currently there are (3) masters. When I try to add the 
(4th) it dies. The 4th node will only be able to talk to ipa01-aws and 
ipa02-aws; it will not be able to talk to ipa1-i2x. Will that create a 
problem? I generated the replica from the ipa01-aws instance.

ipa02-aws.rsinc.local: master
ipa01-aws.rsinc.local: master
ipa1-i2x.rsinc.local: master

[root@idm1-dev centos]# ipa-replica-install --setup-dns --forwarder=8.8.8.8 --mkhomedir replica-info-idm1-dev.rsinc.local.gpg
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password:

Existing BIND configuration detected, overwrite? [no]: yes
Checking DNS forwarders, please wait ...
Using reverse zone(s) 0.31.10.in-addr.arpa.
Run connection check to master
Check connection from replica to remote master 'ipa01-aws.rsinc.local':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
    Kerberos KDC: UDP (88): SKIPPED
    Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@RSINC.LOCAL password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'idm1-dev.rsinc.local':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
   [1/38]: creating directory server user
   [2/38]: creating directory server instance
   [3/38]: adding default schema
   [4/38]: enabling memberof plugin
   [5/38]: enabling winsync plugin
   [6/38]: configuring replication version plugin
   [7/38]: enabling IPA enrollment plugin
   [8/38]: enabling ldapi
   [9/38]: configuring uniqueness plugin
   [10/38]: configuring uuid plugin
   [11/38]: configuring modrdn plugin
   [12/38]: configuring DNS plugin
   [13/38]: enabling entryUSN plugin
   [14/38]: configuring lockout plugin
   [15/38]: creating indices
   [16/38]: enabling referential integrity plugin
   [17/38]: configuring ssl for ds instance
   [18/38]: configuring certmap.conf
   [19/38]: configure autobind for root
   [20/38]: configure new location for managed entries
   [21/38]: configure dirsrv ccache
   [22/38]: enable SASL mapping fallback
   [23/38]: restarting directory server
   [24/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

   [25/38]: updating schema
   [26/38]: setting Auto Member configuration
   [27/38]: enabling S4U2Proxy delegation
   [28/38]: importing CA certificates from LDAP
   [29/38]: initializing group membership
   [30/38]: adding master entry
   [31/38]: initializing domain level
   [32/38]: configuring Posix uid/gid generation
   [33/38]: adding replication acis
   [34/38]: enabling compatibility plugin
   [35/38]: activating sidgen plugin
   [36/38]: activating extdom plugin
   [37/38]: tuning directory server
   [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
   [1/8]: adding sasl mappings to the directory
   [2/8]: configuring KDC
   [3/8]: creating a keytab for the directory
   [4/8]: creating a keytab for the machine
   [5/8]: adding the password extension to the directory
   [6/8]: enable GSSAPI for replication
   [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica



2016-05-09T02:45:27Z DEBUG Backing up system configuration file '/etc/krb5.keytab'
2016-05-09T02:45:27Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-05-09T02:45:27Z DEBUG Starting external process
2016-05-09T02:45:27Z DEBUG args='kadmin.local' '-q' 'ktadd -k /etc/krb5.keytab host/idm1-dev.rsinc.local@RSINC.LOCAL' '-x' 'ipa-setup-override-restrictions'
2016-05-09T02:45:28Z DEBUG Process finished, return code=0
2016-05-09T02:45:28Z DEBUG stdout=Authenticating as principal root/admin@RSINC.LOCAL with password.
Entry for principal host/idm1-dev.rsinc.local@RSINC.LOCAL with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/idm1-dev.rsinc.local@RSINC.LOCAL with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/idm1-dev.rsinc.local@RSINC.LOCAL with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/idm1-dev.rsinc.local@RSINC.LOCAL with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/idm1-dev.rsinc.local@RSINC.LOCAL with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/idm1-dev.rsinc.local@RSINC.LOCAL with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.

2016-05-09T02:45:28Z DEBUG stderr=
2016-05-09T02:45:28Z DEBUG   duration: 0 seconds
2016-05-09T02:45:28Z DEBUG   [5/8]: adding the password extension to the directory
2016-05-09T02:45:28Z DEBUG Starting external process
2016-05-09T02:45:28Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpQOJQiQ' '-H' 'ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpsq8EV2'
2016-05-09T02:45:28Z DEBUG Process finished, return code=0
2016-05-09T02:45:28Z DEBUG stdout=add objectclass:
     top
     nsSlapdPlugin
     extensibleObject
add cn:
     ipa_pwd_extop
add nsslapd-pluginpath:
     libipa_pwd_extop
add nsslapd-plugininitfunc:
     ipapwd_init
add nsslapd-plugintype:
     extendedop
add nsslapd-pluginbetxn:
     on
add nsslapd-pluginenabled:
     on
add nsslapd-pluginid:
     ipa_pwd_extop
add nsslapd-pluginversion:
     1.0
add nsslapd-pluginvendor:
     RedHat
add nsslapd-plugindescription:
     Support saving passwords in multiple formats for different 
consumers (krb5, samba, freeradius, etc.)
add nsslapd-plugin-depends-on-type:
     database
add nsslapd-realmTree:
     dc=rsinc,dc=local
adding new entry "cn=ipa_pwd_extop,cn=plugins,cn=config"
modify complete


2016-05-09T02:45:28Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-RSINC-LOCAL.socket/??base )

2016-05-09T02:45:28Z DEBUG   duration: 0 seconds
2016-05-09T02:45:28Z DEBUG   [6/8]: enable GSSAPI for replication
2016-05-09T02:45:28Z DEBUG flushing ldaps://idm1-dev.rsinc.local:636 from SchemaCache
2016-05-09T02:45:28Z DEBUG retrieving schema for SchemaCache url=ldaps://idm1-dev.rsinc.local:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7453e18>
2016-05-09T02:45:28Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:29Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-05-09T02:45:30Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-05-09T02:45:30Z DEBUG flushing ldaps://ipa01-aws.rsinc.local:636 from SchemaCache
2016-05-09T02:45:30Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01-aws.rsinc.local:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x744db48>
2016-05-09T02:45:31Z INFO Setting agreement cn=meToidm1-dev.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:32Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToidm1-dev.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-05-09T02:45:33Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
2016-05-09T02:45:33Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-05-09T02:45:33Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-05-09T02:45:33Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:34Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-05-09T02:45:35Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-05-09T02:45:35Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-05-09T02:45:35Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-05-09T02:45:35Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-05-09T02:45:37Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-05-09T02:45:37Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-05-09T02:45:37Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-05-09T02:45:37Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:38Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-05-09T02:45:39Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-05-09T02:45:39Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-05-09T02:45:39Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-05-09T02:45:39Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:40Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-05-09T02:45:41Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-05-09T02:45:41Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)

Thanks.
Devin
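Added here as a worked example (this is not code from the post above and not FreeIPA's own tooling): a small Python triage script that reads the `Setting agreement`, `Replication Update in progress` and `Unable to find entry` lines of an ipareplica-install.log and reports which replication agreement never left a non-zero status and which Kerberos principal lookup keeps failing. The sample log is constructed from the excerpt in the post, re-joined to one line per entry with the archive's " at " restored to "@"; attributing each status line to the nearest preceding `Setting agreement` line is an assumption about log ordering taken from that excerpt.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the ipareplica-install.log excerpt in the
# post, re-joined onto single lines, with the mailing-list archive's " at "
# restored to "@" in the Kerberos principals.
SAMPLE_LOG = r"""
2016-05-09T02:45:28Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:29Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-05-09T02:45:30Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-05-09T02:45:31Z INFO Setting agreement cn=meToidm1-dev.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:33Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
2016-05-09T02:45:33Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-05-09T02:45:33Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-05-09T02:45:33Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-05-09T02:45:35Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-05-09T02:45:35Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
"""

# Only the cn=meTo<host> RDN of the agreement DN is needed to name the agreement.
AGREEMENT_RE = re.compile(r"Setting agreement cn=(meTo[^,]+),")
# "status: <code> <message>:" -- the message runs up to the next colon.
STATUS_RE = re.compile(r"Replication Update in progress: (?:TRUE|FALSE): status: (\d+) ([^:]+):")
MISSING_RE = re.compile(r"Unable to find entry for \(krbprincipalname=([^)]+)\) on (\S+)")


def parse_install_log(text):
    """Return per-agreement status history and a count of failed principal lookups.

    A 'Replication Update in progress' line carries no agreement name, so it is
    attributed to the most recent 'Setting agreement cn=meTo...' line (assumption:
    that is the order the installer logs them, as in the excerpt above).
    """
    agreements = defaultdict(list)  # agreement cn -> [(status_code, message), ...]
    missing = Counter()             # (principal, server) -> failed lookup count
    current = None
    for line in text.splitlines():
        m = AGREEMENT_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m and current is not None:
            agreements[current].append((int(m.group(1)), m.group(2).strip()))
            continue
        m = MISSING_RE.search(line)
        if m:
            missing[(m.group(1), m.group(2))] += 1
    return {"agreements": dict(agreements), "missing_principals": missing}


def diagnose(summary):
    """Turn the parsed summary into short findings, one string per problem."""
    findings = []
    for name, history in summary["agreements"].items():
        codes = [code for code, _ in history]
        # An agreement that never reached status 0 never acquired the replica.
        if codes and all(code != 0 for code in codes):
            last_msg = history[-1][1]
            findings.append(
                f"agreement {name}: {len(codes)} attempt(s), never status 0 (last: {last_msg})"
            )
    for (principal, server), n in summary["missing_principals"].items():
        findings.append(f"principal {principal} not found on {server} ({n} lookup(s))")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_install_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real log with `parse_install_log(open("/var/log/ipareplica-install.log").read())`; on the constructed sample it reports that the replica-to-master agreement (meToipa01-aws) stayed at status 1 "Can't acquire busy replica" on every attempt while the master-to-replica agreement succeeded once, and that the ldap/idm1-dev principal was looked up twice on ipa01-aws:636 without being found, which is exactly the pair of symptoms behind the "One of the ldap service principals is missing" error.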
