[Freeipa-users] ipa-replica-install fails because of IPv6?
Martin Basti
mbasti at redhat.com
Wed Oct 26 15:31:05 UTC 2016
On 26.10.2016 17:25, Jochen Demmer wrote:
>
>
> On 26.10.2016 at 16:48, Martin Basti wrote:
>>
>>
>>
>> On 26.10.2016 16:42, Jochen Demmer wrote:
>>>
>>>
>>> On 26.10.2016 at 16:27, Martin Basti wrote:
>>>>
>>>>
>>>>
>>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>>> Hi,
>>>>>
>>>>> my answers also inline.
>>>>>
>>>>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>>>>
>>>>>> Hi, comments inline
>>>>>>
>>>>>>
>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've been running and using a single FreeIPA server
>>>>>>> successfully, i.e.:
>>>>>>> Fedora 24
>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>> This server is only available via IPv6, because I can't get
>>>>>>> public IPv4 addresses any more.
>>>>>>>
>>>>>>> Now I want to set up a FreeIPA replica at another site also
>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>> ipa : ERROR Could not resolve hostname
>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function
>>>>>>> properly. Please check your DNS setup. (Note that this check
>>>>>>> queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>> LOG:
>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server
>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1',
>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in*
>>>>>>
>>>>>> Can you check with the dig or host command if the hostname is really
>>>>>> resolvable on that machine? Do you have a proper resolver in
>>>>>> /etc/resolv.conf?
>>>>> There is a resolver given in /etc/resolv.conf. When I do "host
>>>>> <<hostname.mydoma.in>>" I get the right IPv6 back.
>>>> That is weird because IPA is doing basically the same.
>>>>
>>>>>>
>>>>>>>
>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old
>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6
>>>>>>> address of course.
>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>
>>>>>>> I then get asked:
>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>
>>>>>>> When I enter the IPv6 address of the new replica host it doesn't
>>>>>>> accept it but infinitely asks this question instead.
>>>>>>
>>>>>> Have you pressed Enter twice? It should end the prompt and continue
>>>>>> with the installation.
>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot
>>>>> use IP network address 2a02:1:2:3::4
>>>>
>>>> How have you configured the IP address on your interface? Does it
>>>> have prefix /128?
>>> Yes, that's right. It's an IP being assigned statefully by a DHCPv6
>>> server.
>>> There is also another dynamic IP within the same prefix having /64.
>>> I don't want to use this one of course, because its IID changes.
>>>
>> Could you set (temporarily) the prefix for that address to /64 and re-run
>> the installer? IPA 4.3 has a check that prevents you from using a /128 prefix.
> Well now I don't even get asked for the IP. The setup wizard
> continues, but I now get this error:
>
> [27/43]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero
> exit status 1). See the installation log for details.
> [28/43]: setting up initial replication
> [error] error: [Errno 111] Connection refused
>
> LOG:
> 2016-10-26T15:14:46Z DEBUG Process finished, return code=1
> 2016-10-26T15:14:46Z DEBUG stdout=
> 2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service
> failed because the control process exited with error code. See
> "systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" for
> details.
> 2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server
> (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned
> non-zero exit status 1). See the installation log for details.
> 2016-10-26T15:14:46Z DEBUG duration: 1 seconds
> 2016-10-26T15:14:46Z DEBUG [28/43]: setting up initial replication
> 2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):
>
> When I try to restart manually with "/bin/systemctl restart
> dirsrv@MY-REALM.service",
> this is what systemd logs:
> https://paste.fedoraproject.org/461439/raw/
>
>
Could you please check /var/log/dirsrv/slapd-*/errors? There might be
more details.
Did you reuse an old IPA server for this installation?
Martin
>>
>>
>>>>
>>>>>>
>>>>>>>
>>>>>>> Honestly, I can't see what I might have done wrong.
>>>>>>> The old FreeIPA host's hostname is in sync in its forward and reverse records.
>>>>>>> The new FreeIPA host also has a hostname that resolves
>>>>>>> symmetrically, even though the hostname is using another second-level
>>>>>>> domain.
>>>>>>>
>>>>>>> Any hints?
>>>>>>> Jochen Demmer
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Martin
>>>>> Jochen
>>>>>
>>>>
>>>
>>
>
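Added example, not part of the original thread and not FreeIPA's own code: a pre-flight check for the "cannot use IP network address" rejection discussed above. It assumes the installer's check compares the address with the network address of its configured prefix (as the error text suggests); the `ip -o -6 addr show` sample is constructed around the address quoted in the thread.

```python
import ipaddress

# Constructed sample of `ip -o -6 addr show` output (lifetimes omitted).
SAMPLE = """\
2: eth0    inet6 2a02:1:2:3::4/128 scope global dynamic
2: eth0    inet6 2a02:1:2:3:5054:ff:fe12:3456/64 scope global mngtmpaddr dynamic
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""


def is_network_address(cidr):
    """True if the host part is all zeros, i.e. address == network address.

    With a /128 (or IPv4 /32) prefix there are no host bits, so every
    address is its own network address and fails this kind of check.
    """
    iface = ipaddress.ip_interface(cidr)
    return iface.ip == iface.network.network_address


def preflight(ip_output):
    """Return (interface, address/prefix, verdict) for non-link-local IPv6 addresses."""
    findings = []
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet6" not in fields:
            continue
        cidr = fields[fields.index("inet6") + 1]
        if ipaddress.ip_interface(cidr).ip.is_link_local:
            continue  # link-local addresses are not candidates for the replica
        verdict = "rejected" if is_network_address(cidr) else "usable"
        findings.append((fields[1], cidr, verdict))
    return findings


if __name__ == "__main__":
    for ifname, cidr, verdict in preflight(SAMPLE):
        print(f"{ifname:6} {cidr:40} {verdict}")
```
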