[Pki-devel] [Freeipa-devel] Proxy/Port work status

Rob Crittenden rcritten at redhat.com
Thu Aug 25 11:41:50 UTC 2011


Adam Young wrote:
> Had some success earlier today, but I seem to be unable to replicate it.
> I've been working with the "full" proxy.conf file lately, and even that
> seems to be preventing a replica. It is quite possible that the problem
> is something on one of the two systems, as I've found that
> install/uninstall often leaves some of the files being owned by
> non-existent users. At this point, I'm not sure if the patch I've
> submitted will work on a vanilla system. Testing it has proven to be a
> pretty time consuming endeavour.
>
>
> Here's what I've gotten it down to:
>
> On one machine, run
>
> ipa-server-install -U -r ` hostname | tr '[:lower:]' '[:upper:]'` -p
> freeipa4all -a freeipa4all --setup-dns --no-forwarders
>
>
> once that succeeds, I have to reset /etc/resolv.conf as the lab DNS
> server gets removed:
>
> cp ~/resolve.conf /etc

You could also not use --setup-dns on the master.

>
> then
>
> ipa-replica-prepare $REPLICA
>
> scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:
>
> On the replica:
>
> ipa-replica-install --setup-ca replica-info-$HOSTNAME.gpg
>
> I have firewall off on master and replica
>
>
> At one point I had a replica install that worked with the Proxy, so I
> know it is possible, but for the last couple of hours this last command
> has been failing with:
>
> creation of replica failed: Configuration of CA failed
>
>
>
> pkisilent reports the failure in the debug log, but not the URL it is
> trying to reach. I'm going to modify it to give some more information in
> the morning.
>
>
> I'm not seeing anything in /var/log/httpd/error|access.log on the
> master, which is weird.
>
>
> I see this in /var/log/ipareplica-conncheck.log. We should not be trying
> to do anything in /home/admin
>
>
> 2011-08-24 21:52:18,544 DEBUG stderr=
> 2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o
> StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null
> admin at vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck
> --replica vm-116.idm.lab.bos.redhat.com --check-ca
> 2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to
> remote replica 'vm-116.idm.lab.bos.redhat.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos (88): OK
> PKI-CA: Directory Service port (7389): OK
> PKI-CA: Agent secure port (9443): OK
> PKI-CA: EE secure port (9444): OK
> PKI-CA: Admin secure port (9445): OK
> PKI-CA: EE secure client auth port (9446): OK
> PKI-CA: Unsecure port (9180): OK
>
> Connection from master to replica is OK.
>
> 2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory
> /home/admin: No such file or directory

We ssh to the remote machine so we can be sure that the firewall is open 
in both directions. This is just a side-effect of authenticating as admin.

>
>
> Ade Lee noticed that the replica install is failing before it ever
> attempts to talk to the Master, which corresponds with what I am seeing.
> I see in the PKI install log that
>
> [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad
> restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED]
> Starting pki-ca: [ OK ]^M"
>
>
> Running this command by hand gets the same output.
>
> In less /var/log/pki-ca/catalina.out
>
> /var/lib/pki-ca/logs/catalina.out: Permission denied
> /var/log/pki-ca/catalina.out (END)
>
>
> So it looks like another cleanup issue.

I don't think so. pkiremove removes all pki-ca directories including logs.

You might try strace on it to see what is going on.

rob
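The ipareplica-conncheck.log excerpt quoted above lists one line per service port with an OK status; when a replica install fails it is the per-port lines, not the summary sentence, that say which port could not be reached. The following is an added example (not code from the thread, FreeIPA or Dogtag) that parses those per-port lines into structured records and reports the ports whose status is not "OK". It assumes the line shape quoted in the log, `<name> (<port>): <status>`, and the sample input is constructed here, modelled on the quoted log; the status word "FAILED" used for the failing case is an assumption, not the tool's verified wording.

```python
import re

# Constructed sample modelled on the ipareplica-conncheck.log lines quoted
# in the thread (all ports OK), with the leading log-record prefix kept on
# the first line as it appears in the log file.
SAMPLE_OK = """\
2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to remote replica 'replica.example.test':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos (88): OK
PKI-CA: Directory Service port (7389): OK
PKI-CA: Agent secure port (9443): OK
PKI-CA: EE secure port (9444): OK
PKI-CA: Admin secure port (9445): OK
PKI-CA: EE secure client auth port (9446): OK
PKI-CA: Unsecure port (9180): OK

Connection from master to replica is OK.
"""

# Constructed failing case (assumption: a non-OK port is reported with a
# status word other than "OK"; "FAILED" is a placeholder for that word).
SAMPLE_FAILED = """\
Check connection from master to remote replica 'replica.example.test':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos (88): OK
PKI-CA: Directory Service port (7389): OK
PKI-CA: Agent secure port (9443): OK
PKI-CA: EE secure port (9444): FAILED
PKI-CA: Admin secure port (9445): OK
PKI-CA: EE secure client auth port (9446): OK
PKI-CA: Unsecure port (9180): OK
"""

# One per-port check line: a free-text name, the port in parentheses, then
# the status word. Lines without "(<digits>):" (headers, summaries, log
# prefixes) deliberately do not match.
LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s*\((?P<port>\d+)\):\s*(?P<status>\S+)\s*$")


def parse_conncheck(text):
    """Return a list of {'name', 'port', 'status'} dicts, one per port line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append({
                "name": m.group("name"),
                "port": int(m.group("port")),
                "status": m.group("status"),
            })
    return results


def failed_ports(text):
    """Ports whose status is anything other than OK, in log order."""
    return [r["port"] for r in parse_conncheck(text) if r["status"] != "OK"]


def all_ports_ok(text):
    """True only if at least one port line was found and none failed."""
    parsed = parse_conncheck(text)
    return bool(parsed) and not failed_ports(text)


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("failed", SAMPLE_FAILED)):
        print(label, "all ok:", all_ports_ok(sample), "failed ports:", failed_ports(sample))
```

Feeding the real log file through `parse_conncheck` gives a list that can be compared against the set of ports the CA is expected to expose, which is a quicker check than scanning the log by eye when the install aborts with a generic "Configuration of CA failed".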