[Freeipa-users] ipa replica installation help

Petr Vobornik pvoborni at redhat.com
Thu Jan 5 08:12:03 UTC 2017


On 01/05/2017 07:10 AM, Ben .T.George wrote:
> Hi,
> 
> Yes, I did the same and the port is still not listening.
> 
> [root@zkwipamstr01 ~]# cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
> 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> 
> 
> Regards
> Ben

Also, the IPv6 stack needs to be enabled.

> 
> On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> 
>     On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
>     > Hi,
>     >
>     > Port 8009 is not listening on the master server,
>     >
>     > and I added ::1         localhost localhost.localdomain localhost6
>     > localhost6.localdomain6 to the hosts file.
>     >
> 
>     Did you add this to the host file on the master (then `systemctl
>     restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
>     8009)?  Or just the client you are trying to promote?
> 
>     It is needed on the master.  Won't hurt to make this change to
>     /etc/hosts on both machines, though.
> 
>     HTH,
>     Fraser
> 
>      > still getting same error
>      >
>      >  [28/44]: restarting directory server
>      > ipa         : CRITICAL Failed to restart the directory server (Command
>      > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
>      > exit status 1). See the installation log for details.
>      >   [29/44]: setting up initial replication
>      >   [error] error: [Errno 111] Connection refused
>      > Your system may be partly configured.
>      > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>      >
>      > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111]
>      > Connection refused
>      > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>      > ipa-replica-install command failed. See /var/log/ipareplica-install.log for
>      > more information
>      >
>      >
>      > Also, IPv6 is disabled on both nodes.
>      >
>      > Regards,
>      > Ben
>      >
>      > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
>      >
>      > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
>      > > > Hi,
>      > > >
>      > > > I tried the method mentioned in that document and it ended up with the
>      > > > error below. My DNS is managed by an external box and I don't want to
>      > > > create any DNS records on these servers.
>      > > >
>      > > > The command which I tried is (non client server):
>      > > >
>      > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
>      > > > kw.example.com --server zkwipamstr01.kw.example.com
>      > > >
>      > > >
>      > > >
>      > > > ipa         : CRITICAL Failed to restart the directory server (Command
>      > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit
>      > > > status 1). See the installation log for details.
>      > > >    [29/44]: setting up initial replication
>      > > >    [error] error: [Errno 111] Connection refused
>      > > > Your system may be partly configured.
>      > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>      > > >
>      > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection
>      > > > refused
>      > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>      > > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
>      > > > information
>      > >
>      > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>      > >
>      > > To verify that, could you check whether the master server internally listens on
>      > > port 8009, or whether ipareplica-install.log contains the CA_UNREACHABLE string
>      > > near step 27?
>      > >
>      > > The usual fix is to add the following line to /etc/hosts:
>      > >   ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>      > >
>      > >
>      > > > [root@zkwiparepa01 ~]# /bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service
>      > > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control process exited
>      > > > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service" and
>      > > > "journalctl -xe" for details.
>      > > >
>      > > > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
>      > > > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
>      > > >     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>      > > >     Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46 AST; 13s ago
>      > > >    Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
>      > > >    Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>      > > >   Main PID: 14893 (code=exited, status=1/FAILURE)
>      > > >
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error: betxnpostoperation plu...arted
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object plugin Roles Pl...arted
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error: preoperation plugin su...arted
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object plugin USN is n...arted
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object plugin Views is...arted
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981 +0300] Error: extendedop plugin whoa...arted
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: dirsrv@KW-EXAMPLE-COM.service: main process exited, code=exited, status=1/FAILURE
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Failed to start 389 Directory Server KW-EXAMPLE-COM..
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Unit dirsrv@KW-EXAMPLE-COM.service entered failed state.
>      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: dirsrv@KW-EXAMPLE-COM.service failed.
>      > > > Hint: Some lines were ellipsized, use -l to show in full.
>      > > >
>      > > >
>      > > >
>      > > > Regards,
>      > > > Ben
>      > > >
>      > > >
>      > > > On Wed, Jan 4, 2017 at 11:19 AM, Martin Babinsky <mbabinsk at redhat.com> wrote:
>      > > >
>      > > >     On 01/04/2017 07:21 AM, Ben .T.George wrote:
>      > > >
>      > > >         Hi,
>      > > >
>      > > >         While trying to create an IPA replica, I am getting the error below:
>      > > >
>      > > >         Replica creation using 'ipa-replica-prepare' to generate replica file
>      > > >         is supported only in 0-level IPA domain.
>      > > >
>      > > >         The current IPA domain level is 1 and thus the replica must
>      > > >         be created by promoting an existing IPA client.
>      > > >
>      > > >         To set up a replica use the following procedure:
>      > > >              1.) set up a client on the host using 'ipa-client-install'
>      > > >              2.) promote the client to replica running 'ipa-replica-install'
>      > > >                  *without* replica file specified
>      > > >
>      > > >         'ipa-replica-prepare' is allowed only in domain level 0
>      > > >         The ipa-replica-prepare command failed.
>      > > >
>      > > >
>      > > >         I have an IPA master server without AD integration, and DNS is managed by
>      > > >         3rd party appliances.
>      > > >
>      > > >
>      > > >
>      > > >         Regards,
>      > > >         Ben
>      > > >
>      > > >
>      > > >
>      > > >     Hi Ben,
>      > > >
>      > > >     If you installed IPA 4.4 server then domain level 1 is the default. This
>      > > >     domain level uses a different mechanism to stand up replicas. See the latest
>      > > >     IdM documentation[1] for more details.
>      > > >
>      > > >     [1]
>      > > >     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
>      > > >
>      > > >     --
>      > > >     Martin^3 Babinsky
>      > > >
>      > > >
>      > > >
>      > > >
>      > >
>      > >
>      > > --
>      > > Petr Vobornik
>      > >
> 
> 
> 


-- 
Petr Vobornik
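
The checks named in this thread (the `::1 localhost` entry in /etc/hosts, an enabled IPv6 stack, a listener on port 8009, and the CA_UNREACHABLE string in ipareplica-install.log), collected into one script as an added example that is not part of the original messages. The function names are hypothetical, file paths are parameters with the thread's paths as defaults, and `ss` from iproute2 is assumed to be installed.

```shell
#!/bin/sh
# Added example: checks for the symptoms discussed in this thread.
# Function names are hypothetical; file paths are parameters so the
# checks can also be run against copies of the files.

# Succeeds if the hosts file maps ::1 to "localhost" (comments ignored).
hosts_has_ipv6_localhost() {
    awk '{ sub(/#.*/, "") }
         $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
         END { exit !found }' "${1:-/etc/hosts}"
}

# Succeeds if the IPv6 stack is enabled. The sysctl file is missing
# entirely when IPv6 is disabled at boot, which also counts as disabled.
ipv6_stack_enabled() {
    f="${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Succeeds if the replica install log contains CA_UNREACHABLE.
log_has_ca_unreachable() {
    grep -q 'CA_UNREACHABLE' "${1:-/var/log/ipareplica-install.log}" 2>/dev/null
}

# Succeeds if a TCP listener exists on the port (default 8009).
# Assumes ss from iproute2 is installed.
port_listening() {
    ss -tln 2>/dev/null |
        awk -v p=":${1:-8009}" '$4 ~ (p "$") { found = 1 } END { exit !found }'
}

# Print one line per check and return the number of failed checks.
master_preflight() {
    fails=0
    for check in hosts_has_ipv6_localhost ipv6_stack_enabled port_listening; do
        if "$check"; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
    done
    return "$fails"
}
```

Source the file and run `master_preflight` on the master; `log_has_ca_unreachable` is meant for the host where ipa-replica-install was run.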



