[Freeipa-users] IPA 4.4 replica installation failing

Baird, Josh jbaird at follett.com
Fri Nov 18 14:21:25 UTC 2016


Martin,

Yes, this is the exact scenario.  My lab started with a RHEL 7.2 master/replica with 'domain level' set to 0.  

I raised the 'domain level' to 1, and now I'm trying to introduce a new replica into the environment.

I will check on 'nsds5replicabinddn' and report back.

Thanks,

Josh

-----Original Message-----
From: Martin Babinsky [mailto:mbabinsk at redhat.com] 
Sent: Friday, November 18, 2016 3:17 AM
To: Baird, Josh <jbaird at follett.com>; 'freeipa-users at redhat.com' <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] IPA 4.4 replica installation failing

On 11/17/2016 03:51 PM, Baird, Josh wrote:
> Hi all,
>
> In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, and I seem to be hitting something similar to #5412 [1].
>
> The 'ipa-replica-install' is getting stuck on:
>
>   [4/26]: creating installation admin user
>
> Dirsrv error logs on the new replica:
>
> [17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
>
> Dirsrv access logs on existing master:
>
> [17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 
> tag=101 nentries=0 etime=0
>
> Dirsrv logs on the existing master:
>
> [17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - 
> conn=120 op=13 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
> [17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - 
> conn=123 op=5 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
> [17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - 
> conn=130 op=5 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
>
> Has anyone else experienced this issue?
>
> Thanks,
>
> Josh
>
> [1] https://fedorahosted.org/freeipa/ticket/5412
>
>
Hi Josh,

in the original ticket the issue was occurring when creating CA replica against 7.2 master upgraded to 7.3 with domain level raised to 1. Do you have the same scenario?

Also, during the stuck installation can you check for the presence of replica's LDAP principal in 'nsds5replicabinddn' attribute on master's 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?

I would also check for the reverse, i.e. if the master's LDAP principal is in the 'nsds5replicabinddn' attribute on replica's 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.

--
Martin^3 Babinsky
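
The 'nsds5replicabinddn' check suggested above can be scripted against saved ldapsearch output; this is an added example, not part of the original thread and not FreeIPA code. The host names, realm, the `krbprincipalname=ldap/...` DN layout in the sample and the function names are assumptions made for illustration.

```python
import base64
import re

# Entry named in the thread: replica configuration for the CA suffix o=ipaca.
REPLICA_ENTRY = r"cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config"

# Constructed sample of base-scope ldapsearch output for that entry (not from the thread).
# The krbprincipalname=ldap/... DN layout, hosts and realm are assumptions.
SAMPLE_LDIF = r"""dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
cn: replica
nsDS5ReplicaBindDN: krbprincipalname=ldap/replica1.example.test@EXAMPLE.TEST,cn=se
 rvices,cn=accounts,dc=example,dc=test
"""

def norm_dn(dn):
    """Loose DN normalisation: lowercase, no whitespace around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def bind_dns(ldif, entry_dn=REPLICA_ENTRY):
    """Return every nsds5replicabinddn value stored on entry_dn."""
    values, in_entry = [], False
    for line in unfold(ldif):
        if not line.strip():
            in_entry = False          # blank line ends an LDIF entry
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            in_entry = norm_dn(value) == norm_dn(entry_dn)
        elif in_entry and attr.lower() == "nsds5replicabinddn":
            values.append(value)
    return values

def peer_is_listed(ldif, peer_dn):
    """True if peer_dn appears among the entry's nsds5replicabinddn values."""
    return norm_dn(peer_dn) in {norm_dn(v) for v in bind_dns(ldif)}
```

Run it once on LDIF taken from the master with the replica's LDAP principal as `peer_dn`, and once on LDIF taken from the replica with the master's principal, to cover both directions of the check.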



