Bret Wortman via FreeIPA-users wrote:
> I'm trying to update our IPA servers to newer OSes and IPA versions. What
> I've done so far:
>
> 1. run "ipa-replica-prepare" on the original main server, ipa1.
> 2. Copied the resulting file to ipa1c7.
> 3. Tried to import that file via "ipa-replica-install
> replica-info-ipa2c7.our.net.gpg --skip-conncheck --setup-dns
> --auto-forwarders". This typically fails:
>
> ===========
>
> [root@ipa2c7 ~]# ipa-replica-install replica-info-ipa2c7.our.net.gpg
> --skip-conncheck --setup-dns --auto-forwarders
> Directory Manager (existing master) password:
>
> ipaserver.install.server.replicainstall: ERROR Could not resolve hostname
> ipa1.our.net using DNS. Clients may not function properly. Please check your
> DNS setup. (Note that this check queries IPA DNS directly and ignores
> /etc/hosts.)
> Continue? [no]: yes
> Checking DNS forwarders, please wait ...
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv).
> Estimated time: 30 seconds
> [1/42]: creating directory server instance
> [2/42]: enabling ldapi
> [3/42]: configure autobind for root
> [4/42]: stopping directory server
> [5/42]: updating configuration in dse.ldif
> [6/42]: starting directory server
> [7/42]: adding default schema
> [8/42]: enabling memberof plugin
> [9/42]: enabling winsync plugin
> [10/42]: configure password logging
> [11/42]: configuring replication version plugin
> [12/42]: enabling IPA enrollment plugin
> [13/42]: configuring uniqueness plugin
> [14/42]: configuring uuid plugin
> [15/42]: configuring modrdn plugin
> [16/42]: configuring DNS plugin
> [17/42]: enabling entryUSN plugin
> [18/42]: configuring lockout plugin
> [19/42]: configuring topology plugin
> [20/42]: creating indices
> [21/42]: enabling referential integrity plugin
> [22/42]: configuring certmap.conf
> [23/42]: configure new location for managed entries
> [24/42]: configure dirsrv ccache
> [25/42]: enabling SASL mapping fallback
> [26/42]: restarting directory server
> [27/42]: creating DS keytab
> [28/42]: ignore time skew for initial replication
> [29/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 3 seconds elapsed
> Update succeeded
>
> [30/42]: prevent time skew after initial replication
> [31/42]: adding sasl mappings to the directory
> [32/42]: updating schema
> [33/42]: setting Auto Member configuration
> [34/42]: enabling S4U2Proxy delegation
> [35/42]: initializing group membership
> [36/42]: adding master entry
> ipaserver.install.service: CRITICAL Failed to load master-entry.ldif: Command
> '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H
> ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero
> exit status 68
> [error] CalledProcessError: Command '/usr/bin/ldapmodify -v -f
> /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL'
> returned non-zero exit status 68
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipapython.admintool: ERROR Command '/usr/bin/ldapmodify -v -f
> /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL'
> returned non-zero exit status 68
> ipapython.admintool: ERROR The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
> [root@ipa2c7 ~]# host ipa1.our.net
> ipa1.our.net has address 192.168.2.61
>
> ===========
>
> So I'm not sure why the DNS query is failing but it appears to be
> intermittent at best.
>
> Also, after near-misses when the ldap error occurs, I often get informed that
> we have an existing replication agreement that needs to be removed. When I
> follow the indicated steps:
>
> ===========
>
> [root@ipa1 ~]# ipa-replica-manage del ipa2c7.our.net --force
> Directory Manager password:
>
> Connection to 'ipa2c7.our.net' failed:
> Forcing removal of ipa2c7.our.net
> Skipping calculation to determine if one or more masters would be orphaned.
> Deleting replication agreements between ipa2c7.our.net and ipa1.our.net,
> ipa2.our.net, ipa3.our.net
> Failed to get list of agreements from 'ipa2c7.our.net':
> Forcing removal on 'ipa1.our.net'
> Any DNA range on 'ipa2c7.our.net' will be lost
> Deleted replication agreement from 'ipa1.our.net' to 'ipa2c7.our.net'
> 'ipa2.our.net' has no replication agreement for 'ipa2c7.our.net'
> Unable to remove replication agreement for ipa2c7.our.net from ipa2.our.net.
> Failed to determine agreement type for 'ipa3.our.net':
> Unable to remove replication agreement for ipa2c7.our.net from ipa3.our.net.
> Background task created to clean replication data. This may take a while.
> This may be safely interrupted with Ctrl+C
> ^C
> Wait for task interrupted.
> It will continue to run in the background
> Failed to cleanup ipa2c7.our.net entries: Not allowed on non-leaf entry
> You may need to manually remove them from the tree
> Failed to cleanup ipa2c7.our.net DNS entries: no matching entry found
> You may need to manually remove them from the tree
> [root@ipa1 ~]#
>
> ===========
>
> Is there something obvious that I've missed?
>
The installation error 68 means Already Exists. I'd suggest digging through your existing server to find all references to this new host, both in dc=example,dc=test and cn=config.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
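Rob's advice is to hunt down every leftover reference to the new host before retrying. As an added example, not code from this thread or from FreeIPA itself, the Python script below does two things: it decodes the ldapmodify exit status (OpenLDAP's ldapmodify exits with the LDAP result code, so 68 is entryAlreadyExists, and the "Not allowed on non-leaf entry" message from the ipa-replica-manage run is result 66, notAllowedOnNonLeaf), and it scans LDIF dumps of the domain suffix and of cn=config for entries whose DN or attribute values mention the replica hostname, splitting the hits into the two places the reply names. The sample LDIF is constructed; the DNs in it (a cn=masters container entry, a meTo<host> replication agreement, a host entry under cn=computers) are assumptions about a typical FreeIPA layout rather than data from the thread, and the ldapsearch commands in the comments reuse the ldapi socket path and suffix visible in the installer output above. The function names (explain_exit_status, parse_ldif, find_host_references, group_by_backend) are the example's own.

```python
"""Find stale references to a replica hostname in LDIF dumps and explain the
ldapmodify exit status. Added example; not part of the FreeIPA project."""
import base64
import re

# Well-known LDAP result codes from RFC 4511. OpenLDAP's ldapmodify exits with
# the server's result code, which is why the installer reported status 68.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    65: "objectClassViolation",
    66: "notAllowedOnNonLeaf",
    68: "entryAlreadyExists",
}


def explain_exit_status(status):
    """Map an ldapmodify/ldapadd exit status to its LDAP result code name."""
    return LDAP_RESULT_CODES.get(status, "unknown result code %d" % status)


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, [(attr, value), ...]).
    Handles folded lines (continuation lines start with one space), base64
    values ("attr:: ...") and comments. Not a full RFC 2849 implementation."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # join a continuation line
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, []
    for line in unfolded + [""]:         # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        m = re.match(r"^([^:]+)(::?)\s?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr, value))
    return entries


def find_host_references(ldif_text, hostname):
    """Return {dn: [names of matching attributes]} for every entry whose DN or
    attribute values mention hostname (case-insensitive substring match)."""
    needle = hostname.lower().rstrip(".")
    hits = {}
    for dn, attrs in parse_ldif(ldif_text):
        matched = ["dn"] if needle in dn.lower() else []
        for attr, value in attrs:
            if needle in value.lower() and attr not in matched:
                matched.append(attr)
        if matched:
            hits[dn] = matched
    return hits


def group_by_backend(hits):
    """Split hits into the cn=config tree (replication agreements) and the
    domain suffix (master entry, host entry, DNS records), the two places
    the reply says to check."""
    out = {"config": [], "domain": []}
    for dn in hits:
        key = "config" if dn.lower().endswith("cn=config") else "domain"
        out[key].append(dn)
    return out


# Constructed sample dump, not real data: the kind of leftovers a failed
# ipa-replica-install can leave behind. DN layout is an assumption.
SAMPLE_LDIF = """\
dn: cn=ipa2c7.our.net,cn=masters,cn=ipa,cn=etc,dc=our,dc=net
objectClass: top
objectClass: nsContainer
cn: ipa2c7.our.net

dn: fqdn=ipa2c7.our.net,cn=computers,cn=accounts,dc=our,dc=net
objectClass: ipaHost
fqdn: ipa2c7.our.net
description:: aXBhMmM3Lm91ci5uZXQ=

dn: cn=meToipa2c7.our.net,cn=replica,cn=dc\\3Dour\\2Cdc\\3Dnet,cn=mapping tree,
 cn=config
objectClass: nsDS5ReplicationAgreement
cn: meToipa2c7.our.net
nsDS5ReplicaHost: ipa2c7.our.net

dn: fqdn=ipa3.our.net,cn=computers,cn=accounts,dc=our,dc=net
objectClass: ipaHost
fqdn: ipa3.our.net
"""

if __name__ == "__main__":
    # On a real master, dump both trees first (socket path and suffix taken
    # from the installer output in the thread; adjust to your deployment):
    #   ldapsearch -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket \
    #       -b dc=our,dc=net '(|(cn=*ipa2c7*)(fqdn=ipa2c7.our.net))' > domain.ldif
    #   ldapsearch -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket \
    #       -b cn=config '(nsDS5ReplicaHost=ipa2c7.our.net)' > config.ldif
    print("exit status 68 =", explain_exit_status(68))
    hits = find_host_references(SAMPLE_LDIF, "ipa2c7.our.net")
    for backend, dns in group_by_backend(hits).items():
        for dn in dns:
            print("%-6s %s -> %s" % (backend, dn, ", ".join(hits[dn])))
```

Feed the script the real dumps instead of SAMPLE_LDIF and every DN it prints is a candidate for manual cleanup before the replica is installed again; the entry in cn=masters is the one the "adding master entry" step tries to add, so it is the first place a status 68 points to.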