It's still running.
Here's the error log from slapd during that run:
[01/May/2018:19:22:24.567650453 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=42 op=5
replica="dc=company,dc=internal": Unable to acquire replica: error:
permission denied
[01/May/2018:19:22:24.613143629 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=43 op=5
replica="dc=company,dc=internal": Unable to acquire replica: error:
permission denied
[01/May/2018:19:22:31.445153171 -0500] - INFO - NSMMReplicationPlugin -
repl5_tot_run - Beginning total update of replica
"agmt="cn=meToipa-11.company.internal" (ipa-11:389)".
[01/May/2018:19:22:31.672485209 -0500] - NOTICE - NSMMReplicationPlugin -
replica_subentry_check - Need to create replication keep alive entry
<cn=repl keep alive 7,dc=company,dc=internal>
[01/May/2018:19:22:31.674922201 -0500] - INFO - NSMMReplicationPlugin -
replica_subentry_create - add dn: cn=repl keep alive
7,dc=company,dc=internal
objectclass: top
objectclass: ldapsubentry
objectclass: extensibleObject
cn: repl keep alive 7
[01/May/2018:19:22:36.125109819 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=44 op=5
replica="dc=company,dc=internal": Unable to acquire replica: error:
permission denied
[01/May/2018:19:22:36.598178749 -0500] - INFO - NSMMReplicationPlugin -
repl5_tot_run - Finished total update of replica
"agmt="cn=meToipa-11.company.internal" (ipa-11:389)". Sent 503 entries.
[01/May/2018:19:27:40.482836683 -0500] - ERR - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipa-11.company.internal" (ipa-11:389) -
Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP
server) ()
ipa-11 is the Pi I'm trying to set up replication on. Looks like there was
a problem setting up replication due to permissions? But the other replica
started up just fine ...
On Thu, May 3, 2018 at 3:13 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jonathan Vaughn wrote:
>
>> Here's the output from ipa-replica-install :
>>
>> # ipa-replica-install
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Password for admin@COMPANY.INTERNAL:
>> Run connection check to master
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv). Estimated time: 30 seconds
>> [1/41]: creating directory server instance
>> [2/41]: enabling ldapi
>> [3/41]: configure autobind for root
>> [4/41]: stopping directory server
>> [5/41]: updating configuration in dse.ldif
>> [6/41]: starting directory server
>> [7/41]: adding default schema
>> [8/41]: enabling memberof plugin
>> [9/41]: enabling winsync plugin
>> [10/41]: configuring replication version plugin
>> [11/41]: enabling IPA enrollment plugin
>> [12/41]: configuring uniqueness plugin
>> [13/41]: configuring uuid plugin
>> [14/41]: configuring modrdn plugin
>> [15/41]: configuring DNS plugin
>> [16/41]: enabling entryUSN plugin
>> [17/41]: configuring lockout plugin
>> [18/41]: configuring topology plugin
>> [19/41]: creating indices
>> [20/41]: enabling referential integrity plugin
>> [21/41]: configuring certmap.conf
>> [22/41]: configure new location for managed entries
>> [23/41]: configure dirsrv ccache
>> [24/41]: enabling SASL mapping fallback
>> [25/41]: restarting directory server
>> [26/41]: creating DS keytab
>> [27/41]: ignore time skew for initial replication
>> [28/41]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 11 seconds elapsed
>> Update succeeded
>>
>> [29/41]: prevent time skew after initial replication
>> [30/41]: adding sasl mappings to the directory
>> [31/41]: updating schema
>> [32/41]: setting Auto Member configuration
>> [33/41]: enabling S4U2Proxy delegation
>> [error] NetworkError: cannot connect to 'ldapi://%2Fvar%2Frun%2Fslapd-
>> COMPANY-INTERNAL.socket':
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipapython.admintool: ERROR cannot connect to
>> 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket':
>> ipapython.admintool: ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> And here's the /var/log/ipareplica-install.log from just before it fails
>> to the failure:
>>
>> 2018-05-02T00:22:44Z DEBUG [32/41]: setting Auto Member configuration
>> 2018-05-02T00:22:44Z DEBUG Starting external process
>> 2018-05-02T00:22:44Z DEBUG args=/usr/bin/ldapmodify -v -f
>> /tmp/tmpt7bxf4x1 -H ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket
>> -Y EXTERNAL
>> 2018-05-02T00:22:45Z DEBUG Process finished, return code=0
>> 2018-05-02T00:22:45Z DEBUG stdout=add nsslapd-pluginConfigArea:
>> cn=automember,cn=etc,dc=company,dc=internal
>> modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config"
>> modify complete
>>
>>
>> 2018-05-02T00:22:45Z DEBUG stderr=ldap_initialize(
>> ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket/??base )
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>>
>> 2018-05-02T00:22:45Z DEBUG duration: 0 seconds
>> 2018-05-02T00:22:45Z DEBUG [33/41]: enabling S4U2Proxy delegation
>> 2018-05-02T00:22:45Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line
>> 979, in error_handler
>> yield
>> File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line
>> 1572, in update_entry
>> self.conn.modify_s(str(entry.dn), modlist)
>> File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 600,
>> in modify_s
>> return self.modify_ext_s(dn,modlist,None,None)
>> File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 573,
>> in modify_ext_s
>> resp_type, resp_data, resp_msgid, resp_ctrls =
>> self.result3(msgid,all=1,timeout=self.timeout)
>> File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 714,
>> in result3
>> resp_ctrl_classes=resp_ctrl_classes
>> File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 721,
>> in result4
>> ldap_result = self._ldap_call(self._l.result
>> 4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
>> File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 294,
>> in _ldap_call
>> result = func(*args,**kwargs)
>> ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}
>>
>> During handling of the above exception, another exception occurred:
>>
>> Traceback (most recent call last):
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 506, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 496, in run_step
>> method()
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py",
>> line 977, in __setup_s4u2proxy
>> __add_principal('ipa-http-delegation', 'HTTP', self)
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py",
>> line 973, in __add_principal
>> api.Backend.ldap2.update_entry(entry)
>> File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line
>> 1572, in update_entry
>> self.conn.modify_s(str(entry.dn), modlist)
>> File "/usr/lib/python3.6/contextlib.py", line 99, in __exit__
>> self.gen.throw(type, value, traceback)
>> File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line
>> 1028, in error_handler
>> error=info)
>> ipalib.errors.NetworkError: cannot connect to
>> 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket':
>>
>> 2018-05-02T00:22:45Z DEBUG [error] NetworkError: cannot connect to
>> 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket':
>> 2018-05-02T00:22:45Z DEBUG Destroyed connection context.ldap2_2991558640
>> 2018-05-02T00:22:45Z DEBUG Backing up system configuration file
>> '/etc/ipa/default.conf'
>> 2018-05-02T00:22:45Z DEBUG Saving Index File to
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2018-05-02T00:22:45Z DEBUG File
>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py",
>> line 174, in execute
>> return_value = self.run()
>> File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py",
>> line 319, in run
>> cfgr.run()
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 364, in run
>> self.execute()
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 388, in execute
>> for _nothing in self._executor():
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 430, in __runner
>> exc_handler(exc_info)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 459, in _handle_execute_exception
>> self._handle_exception(exc_info)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 449, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
>> raise value
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 420, in __runner
>> step()
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 417, in <lambda>
>> step = lambda: next(self.__gen)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
>> raise value
>> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 654, in _configure
>> next(executor)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 430, in __runner
>> exc_handler(exc_info)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 459, in _handle_execute_exception
>> self._handle_exception(exc_info)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 517, in _handle_exception
>> self.__parent._handle_exception(exc_info)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 449, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
>> raise value
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 514, in _handle_exception
>> super(ComponentBase, self)._handle_exception(exc_info)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 449, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
>> raise value
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 420, in __runner
>> step()
>> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py",
>> line 417, in <lambda>
>> step = lambda: next(self.__gen)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
>> raise value
>> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python3.6/site-packages/ipapython/install/common.py",
>> line 66, in _install
>> for unused in self._installer(self.parent):
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py",
>> line 622, in main
>> replica_install(self)
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py",
>> line 388, in decorated
>> func(installer)
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py",
>> line 1407, in install
>> pkcs12_info=dirsrv_pkcs12_info)
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py",
>> line 110, in install_replica_ds
>> setup_pkinit=not options.no_pkinit,
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py",
>> line 419, in create_replica
>> self.start_creation(runtime=30)
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 506, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 496, in run_step
>> method()
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py",
>> line 977, in __setup_s4u2proxy
>> __add_principal('ipa-http-delegation', 'HTTP', self)
>> File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py",
>> line 973, in __add_principal
>> api.Backend.ldap2.update_entry(entry)
>> File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line
>> 1572, in update_entry
>> self.conn.modify_s(str(entry.dn), modlist)
>> File "/usr/lib/python3.6/contextlib.py", line 99, in __exit__
>> self.gen.throw(type, value, traceback)
>> File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line
>> 1028, in error_handler
>> error=info)
>>
>> 2018-05-02T00:22:45Z DEBUG The ipa-replica-install command failed,
>> exception: NetworkError: cannot connect to 'ldapi://%2Fvar%2Frun%2Fslapd-
>> COMPANY-INTERNAL.socket':
>> 2018-05-02T00:22:45Z ERROR cannot connect to
>> 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket':
>> 2018-05-02T00:22:45Z ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> Maybe it just is trying to soon and it hasn't fully started yet? Because
>> now I see that the previous step ALSO shows the URL encoded socket path,
>> and it worked fine - but it looks like the previous step used ldapmodify,
>> but the failing step was accessing LDAP from Python? Perhaps it works fine
>> one way and not the other ?
>>
>
> I won't rule it out but I doubt it. Is ns-slapd still running at this
> point? This could happen, for example, if ns-slapd crashed after enabling
> the automember plugin. The DS error log might have something to say as well.
>
> rob
>
>
>> On Wed, May 2, 2018 at 3:29 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>> Jonathan Vaughn via FreeIPA-users wrote:
>>
>> Yes, I know, not recommended etc, low performance. I'm not going
>> to run the CA on it. I just want to have a backup LDAP/Kerberos
>> server.
>>
>> Right now I'm just trying to test things out. I've got a master
>> and a replica (so you could say two masters I suppose) running
>> in Virtualbox VMs, and I'm trying to set up a 3rd replica on a
>> Pi. All are Fedors 27. I had to downgrade httpd due to
>> https://pagure.io/freeipa/issue/7493
>> <https://pagure.io/freeipa/issue/7493> to even set up the first
>> VM replica, but this issue is separate.
>>
>> Currently, the problem is it can't connect to it's own LDAP
>> instance due to some kind of error ... ipa-replica-install
>> worked fine on the x86_64 VM but on the armv71 Pi 3B when it
>> tries to connect to LDAPI instead of
>> using 'ldapi:///var/run//slapd-COMPANY-INTERNAL.socket' it
>> uses 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket'.
>>
>> So it seems there is yet another ARM (or non-x86_64) bug ...
>> similar to the problem with httpd and passing the KRB5CCNAME
>> properly https://pagure.io/freeipa/issue/7337
>> <https://pagure.io/freeipa/issue/7337>
>>
>> Any ideas on where to look to patch in a fix to this so it uses
>> the correct filename? The socket file is there ... and (at the
>> time it tries) LDAP is running.
>>
>>
>> What makes you think the ldapi URI is the problem?
>>
>> Can you share the logs?
>>
>> rob
>>
>>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
