[Freeipa-users] ipa replica installation help

Ben .T.George bentech4you at gmail.com
Mon Jan 9 12:27:37 UTC 2017


Hi List,

Has anyone faced/fixed this issue?

Regards,
Ben

On Sun, Jan 8, 2017 at 7:03 AM, Ben .T.George <bentech4you at gmail.com> wrote:

> Hi List,
>
> How can I solve this? Is this a bug, normal behavior, or any missing
> configuration from my end?
>
> Till now I didn't get any clue on this.
>
> Regards
> Ben
>
> On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale <ftweedal at redhat.com>
> wrote:
>
>> On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
>> > Hi
>> >
>> > There is no firewall running on both servers,
>> >
>> > [root@zkwipamstr01 ~]# systemctl status firewalld
>> > ● firewalld.service - firewalld - dynamic firewall daemon
>> >    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>> >    Active: inactive (dead)
>> >      Docs: man:firewalld(1)
>> >
>> > [root@zkwipamstr01 ~]# sestatus
>> > SELinux status:                 disabled
>> >
>> OK, very well.  And actually, forget about my idea about connecting
>> to port 8009 from client - that is not what happens at all.  It is
>> the end of day for me and my brain checked out :/
>>
>> I shall continue analysis of your problem tomorrow.
>>
>> Thanks,
>> Fraser
>>
>> >
>> > On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
>> >
>> > > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
>> > > > Hi,
>> > > >
>> > > > On master server and replica server, I have enabled IPv6.
>> > > >
>> > > > Below on master server:
>> > > >
>> > > > [root@zkwipamstr01 ~]# ip addr | grep inet6
>> > > >
>> > > >     inet6 fe80::250:56ff:fea0:3857/64 scope link
>> > > >
>> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
>> > > > tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
>> > > >
>> > > >
>> > > > After that, 8009 is listening on master server.
>> > > >
>> > > > On replica side, uninstalled IPA and tried to enroll again. Do I need to
>> > > > enable any service on the replica side?
>> > > >
>> > > > [28/44]: restarting directory server
>> > > > ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit status 1). See the installation log for details.
>> > > >   [29/44]: setting up initial replication
>> > > >   [error] error: [Errno 111] Connection refused
>> > > > Your system may be partly configured.
>> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > >
>> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
>> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>> > > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
>> > > >
>> > > > Still same error.
>> > > >
>> > > > Is this service restart pki-tomcatd@pki-tomcat only applicable on master
>> > > > server?
>> > > >
>> > > Yes, because no CA has been created on replica (yet).
>> > >
>> > > Can you confirm that your firewall (if any/enabled) on master is
>> > > letting the traffic from client/replica through to :8009?
>> > > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
>> > > suffices to check.
>> > >
>> > > Thanks,
>> > > Fraser
>> > >
>> > > > Regards,
>> > > > Ben
>> > > >
>> > > >
>> > > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>> > > >
>> > > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
>> > > > > > Hi
>> > > > > >
>> > > > > > Yes, I did the same and still port is not listening.
>> > > > > >
>> > > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
>> > > > > > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> > > > > > ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>> > > > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
>> > > > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
>> > > > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
>> > > > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
>> > > > > >
>> > > > > >
>> > > > > > Regards
>> > > > > > Ben
>> > > > >
>> > > > > Also IPv6 stack needs to be enabled.
>> > > > >
>> > > > > >
>> > > > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftweedal at redhat.com> wrote:
>> > > > > >
>> > > > > >     On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
>> > > > > >     > Hi
>> > > > > >     >
>> > > > > >     > Port 8009 is not listening on master server
>> > > > > >     >
>> > > > > >     > and I added ::1         localhost localhost.localdomain localhost6
>> > > > > >     > localhost6.localdomain6 in hosts file.
>> > > > > >     >
>> > > > > >
>> > > > > >     Did you add this to the host file on the master (then `systemctl
>> > > > > >     restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
>> > > > > >     8009)?  Or just the client you are trying to promote?
>> > > > > >
>> > > > > >     It is needed on the master.  Won't hurt to make this change to
>> > > > > >     /etc/hosts on both machines, though.
>> > > > > >
>> > > > > >     HTH,
>> > > > > >     Fraser
>> > > > > >
>> > > > > >      > Still getting same error
>> > > > > >      >
>> > > > > >      >  [28/44]: restarting directory server
>> > > > > >      > ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit status 1). See the installation log for details.
>> > > > > >      >   [29/44]: setting up initial replication
>> > > > > >      >   [error] error: [Errno 111] Connection refused
>> > > > > >      > Your system may be partly configured.
>> > > > > >      > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > > > >      >
>> > > > > >      > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
>> > > > > >      > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>> > > > > >      >
>> > > > > >      >
>> > > > > >      > Also IPv6 is disabled on both nodes
>> > > > > >      >
>> > > > > >      > Regards,
>> > > > > >      > Ben
>> > > > > >      >
>> > > > > >      > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
>> > > > > >      >
>> > > > > >      > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
>> > > > > >      > > > Hi
>> > > > > >      > > >
>> > > > > >      > > > I tried the method mentioned in that document and it ended up with the below
>> > > > > >      > > > error. My DNS is managed by an external box and I don't want to create any
>> > > > > >      > > > DNS record on these servers.
>> > > > > >      > > >
>> > > > > >      > > > And the command which I tried is (non client server):
>> > > > > >      > > >
>> > > > > >      > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain kw.example.com --server zkwipamstr01.kw.example.com
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > > ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit status 1). See the installation log for details.
>> > > > > >      > > >    [29/44]: setting up initial replication
>> > > > > >      > > >    [error] error: [Errno 111] Connection refused
>> > > > > >      > > > Your system may be partly configured.
>> > > > > >      > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > > > > >      > > >
>> > > > > >      > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
>> > > > > >      > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>> > > > > >      > >
>> > > > > >      > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>> > > > > >      > >
>> > > > > >      > > To verify that, could you check if master server internally listens on
>> > > > > >      > > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
>> > > > > >      > > near  step 27.
>> > > > > >      > >
>> > > > > >      > > Usual fix is to add following line to /etc/hosts
>> > > > > >      > >   ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>> > > > > >      > >
>> > > > > >      > >
>> > > > > >      > > > [root@zkwiparepa01 ~]# /bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service
>> > > > > >      > > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control process exited with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service" and "journalctl -xe" for details.
>> > > > > >      > > >
>> > > > > >      > > > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
>> > > > > >      > > > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
>> > > > > >      > > >     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>> > > > > >      > > >     Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46 AST; 13s ago
>> > > > > >      > > >    Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
>> > > > > >      > > >    Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>> > > > > >      > > >   Main PID: 14893 (code=exited, status=1/FAILURE)
>> > > > > >      > > >
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error: betxnpostoperation plu...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object plugin Roles Pl...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error: preoperation plugin su...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object plugin USN is n...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object plugin Views is...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.182094981 +0300] Error: extendedop plugin whoa...arted
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: dirsrv@KW-EXAMPLE-COM.service: main process exited, code=exited, status=1/FAILURE
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Failed to start 389 Directory Server KW-EXAMPLE-COM..
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: Unit dirsrv@KW-EXAMPLE-COM.service entered failed state.
>> > > > > >      > > > Jan 04 12:54:46 zkwiparepa01.kw.example.com systemd[1]: dirsrv@KW-EXAMPLE-COM.service failed.
>> > > > > >      > > > Hint: Some lines were ellipsized, use -l to show in full.
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > > Regards,
>> > > > > >      > > > Ben
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > > On Wed, Jan 4, 2017 at 11:19 AM, Martin Babinsky <mbabinsk at redhat.com> wrote:
>> > > > > >      > > >
>> > > > > >      > > >     On 01/04/2017 07:21 AM, Ben .T.George wrote:
>> > > > > >      > > >
>> > > > > >      > > >         Hi
>> > > > > >      > > >
>> > > > > >      > > >         While trying to create IPA replica, I am getting below error,
>> > > > > >      > > >
>> > > > > >      > > >         Replica creation using 'ipa-replica-prepare' to generate replica file
>> > > > > >      > > >         is supported only in 0-level IPA domain.
>> > > > > >      > > >
>> > > > > >      > > >         The current IPA domain level is 1 and thus the replica must
>> > > > > >      > > >         be created by promoting an existing IPA client.
>> > > > > >      > > >
>> > > > > >      > > >         To set up a replica use the following procedure:
>> > > > > >      > > >              1.) set up a client on the host using 'ipa-client-install'
>> > > > > >      > > >              2.) promote the client to replica running 'ipa-replica-install'
>> > > > > >      > > >                  *without* replica file specified
>> > > > > >      > > >
>> > > > > >      > > >         'ipa-replica-prepare' is allowed only in domain level 0
>> > > > > >      > > >         The ipa-replica-prepare command failed.
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >         I have IPA master server without AD integration and DNS is managed by
>> > > > > >      > > >         3rd party appliances.
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >         Regards,
>> > > > > >      > > >         Ben
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >     Hi Ben,
>> > > > > >      > > >
>> > > > > >      > > >     If you installed IPA 4.4 server then domain level 1 is the default. This
>> > > > > >      > > >     domain level uses different mechanism to stand up replicas. See the latest
>> > > > > >      > > >     IdM documentation[1] for more details.
>> > > > > >      > > >
>> > > > > >      > > >     [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
>> > > > > >      > > >
>> > > > > >      > > >     --
>> > > > > >      > > >     Martin^3 Babinsky
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > > >
>> > > > > >      > >
>> > > > > >      > >
>> > > > > >      > > --
>> > > > > >      > > Petr Vobornik
>> > > > > >      > >
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > > Petr Vobornik
>> > > > >
>> > >
>>
>
>
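
The checks suggested in the thread above (IPv6 enabled on loopback, a `::1 localhost` line in /etc/hosts, a listener on port 8009 on the master, and the CA_UNREACHABLE string in the replica install log), collected as an added shell example that is not part of the original messages. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the symptoms discussed in this thread.
# Function names and all sample data are constructed for illustration.

# Succeeds if hosts file $1 maps ::1 to the name "localhost".
hosts_has_v6_localhost() {
    awk '{ sub(/#.*/, "") }    # ignore comments
         $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") ok = 1 }
         END { exit !ok }' "$1"
}

# Succeeds if file $1 (saved `netstat -tunap` output) shows a TCP listener on 8009.
ajp_listening() {
    awk '$1 ~ /^tcp/ && $4 ~ /:8009$/ && $6 == "LISTEN" { ok = 1 }
         END { exit !ok }' "$1"
}

# Succeeds if flag file $1 (on a live host: /proc/sys/net/ipv6/conf/lo/disable_ipv6)
# exists and contains 0, meaning IPv6 is enabled on loopback.
ipv6_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# Succeeds if replica install log $1 contains the CA_UNREACHABLE marker.
log_has_ca_unreachable() {
    grep -q 'CA_UNREACHABLE' "$1"
}

# Master-side checks: prints one line per check, returns the number that failed.
preflight() {   # usage: preflight HOSTS_FILE NETSTAT_OUTPUT IPV6_FLAG_FILE
    fails=0
    if ipv6_enabled "$3"; then echo "ok    IPv6 enabled on lo"
    else echo "FAIL  IPv6 disabled on lo"; fails=$((fails + 1)); fi
    if hosts_has_v6_localhost "$1"; then echo "ok    ::1 localhost present"
    else echo "FAIL  no '::1 localhost' line in hosts file"; fails=$((fails + 1)); fi
    if ajp_listening "$2"; then echo "ok    listener on tcp/8009"
    else echo "FAIL  nothing listening on tcp/8009"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample input modelled on the output quoted in the thread.
d=$(mktemp -d)
printf '127.0.0.1   localhost localhost.localdomain\n' > "$d/hosts.before"
printf '127.0.0.1   localhost\n::1         localhost localhost6\n' > "$d/hosts.after"
: > "$d/netstat.before"
echo 'tcp6  0  0 ::1:8009  :::*  LISTEN  12692/java' > "$d/netstat.after"
echo 1 > "$d/ipv6.before"
echo 0 > "$d/ipv6.after"

echo "== before the fix =="
preflight "$d/hosts.before" "$d/netstat.before" "$d/ipv6.before" || echo "failed checks: $?"
echo "== after the fix =="
preflight "$d/hosts.after" "$d/netstat.after" "$d/ipv6.after" && echo "all checks passed"
rm -rf "$d"
```

On a live master, the same functions take `/etc/hosts`, a file holding `netstat -tunap` output, and `/proc/sys/net/ipv6/conf/lo/disable_ipv6` as their arguments.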