Hey Rob,

Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 10, 2013 10:47 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different IPA installation? I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.

rob

> Matt
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Joseph, Matthew (EXP)
> *Sent:* Monday, April 08, 2013 12:30 PM
> *To:* Nathan Kinder
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt
>
> *From:* Nathan Kinder [mailto:nkin...@redhat.com]
> *Sent:* Monday, April 08, 2013 12:28 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>
> On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
> > Hey,
> >
> > So on the IPA server under the access logs I am getting the following error.
> >
> > Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)
> >
> > Any ideas?
>
> Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-<DOMAIN>/access.
>
> -NGK
>
> > Matt
> >
> > *From:* Nathan Kinder [mailto:nkin...@redhat.com]
> > *Sent:* Thursday, April 04, 2013 6:00 PM
> > *To:* Joseph, Matthew (EXP)
> > *Cc:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
> > *Subject:* EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
> >
> > On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
> > > Hello,
> > >
> > > I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.
> > >
> > > Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide);
> > >
> > > ------------------------
> > >
> > > *IPA_Server:*
> > >
> > > ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
> > >
> > > scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
> > >
> > > *IPA_Replica:*
> > >
> > > ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
> > >
> > > ------------------------------
> > >
> > > Below is the error I am getting when running ipa-replica-install;
> > >
> > > Directory Manager (existing master) password:
> > >
> > > Run connection check to master
> > > Check connection from replica to remote master 'IPA_Server.domain.ca':
> > >    Directory Service: Unsecure port (389): OK
> > >    Directory Service: Secure port (636): OK
> > >    Kerberos KDC: TCP (88): OK
> > >    Kerberos Kpasswd: TCP (464): OK
> > >    HTTP Server: Unsecure port (80): OK
> > >    HTTP Server: Secure port (443): OK
> > >    PKI-CA: Directory Service port (7389): OK
> > >
> > > The following list of ports use UDP protocol and would need to be checked manually:
> > >    Kerberos KDC: UDP (88): SKIPPED
> > >    Kerberos Kpasswd: UDP (464): SKIPPED
> > >
> > > Connection from replica to master is OK.
> > > Start listening on required ports for remote master check
> > > Get credentials to log in to remote master
> > > ad...@domain.ca <mailto:ad...@domain.ca> password:
> > > Execute check on remote master
> > > Check connection from master to remote replica 'IPA_Replica.domain.ca':
> > >    Directory Service: Unsecure port (389): OK
> > >    Directory Service: Secure port (636): OK
> > >    Kerberos KDC: TCP (88): OK
> > >    Kerberos KDC: UDP (88): OK
> > >    Kerberos Kpasswd: TCP (464): OK
> > >    Kerberos Kpasswd: UDP (464): OK
> > >    HTTP Server: Unsecure port (80): OK
> > >    HTTP Server: Secure port (443): OK
> > >    PKI-CA: Directory Service port (7389): OK
> > >
> > > Connection from master to replica is OK.
> > >
> > > Connection check OK
> > > Configuring ntpd
> > >   [1/4]: stopping ntpd
> > >   [2/4]: writing configuration
> > >   [3/4]: configuring ntpd to start on boot
> > >   [4/4]: starting ntpd
> > > done configuring ntpd.
> > > Configuring directory server for the CA: Estimated time 30 seconds
> > >   [1/3]: creating directory server user
> > >   [2/3]: creating directory server instance
> > >   [3/3]: restarting directory server
> > > done configuring pkids.
> > > Configuring certificate server: Estimated time 3 minutes 30 seconds
> > >   [1/13]: creating certificate server user
> > >   [2/13]: creating pki-ca instance
> > >   [3/13]: configuring certificate server instance
> > >   [4/13]: disabling nonces
> > >   [5/13]: creating RA agent certificate database
> > >   [6/13]: importing CA chain to RA certificate database
> > >   [7/13]: fixing RA database permissions
> > >   [8/13]: setting up signing cert profile
> > >   [9/13]: set up CRL publishing
> > >   [10/13]: set certificate subject base
> > >   [11/13]: enabling Subject Key Identifier
> > >   [12/13]: configuring certificate server to start on boot
> > >   [13/13]: Configure HTTP to proxy connections
> > > done configuring pki-cad.
> > > Restarting the directory and certificate servers
> > > Configuring directory server: Estimated time 1 minute
> > >   [1/30]: creating directory server user
> > >   [2/30]: creating directory server instance
> > >   [3/30]: adding default schema
> > >   [4/30]: enabling memberof plugin
> > >   [5/30]: enabling referential integrity plugin
> > >   [6/30]: enabling winsync plugin
> > >   [7/30]: configuring replication version plugin
> > >   [8/30]: enabling IPA enrollment plugin
> > >   [9/30]: enabling ldapi
> > >   [10/30]: configuring uniqueness plugin
> > >   [11/30]: configuring uuid plugin
> > >   [12/30]: configuring modrdn plugin
> > >   [13/30]: enabling entryUSN plugin
> > >   [14/30]: configuring lockout plugin
> > >   [15/30]: creating indices
> > >   [16/30]: configuring ssl for ds instance
> > >   [17/30]: configuring certmap.conf
> > >   [18/30]: configure autobind for root
> > >   [19/30]: configure new location for managed entries
> > >   [20/30]: restarting directory server
> > >   [21/30]: setting up initial replication
> > > Starting replication, please wait until this has completed.
> > > [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
> > > creation of replica failed: Failed to start replication
> > >
> > > Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error;
> > >
> > > NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.
> >
> > This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.
> >
> > > Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 - System Error.
> >
> > There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:
> >
> > #define LDAP_CONNECT_ERROR (-11)
> >
> > It sounds like this connection error is occurring when it tries to initialize the replica. It might help to enable replication level logging on the master, then trying to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":
> >
> > ------------------------------------------
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-errorlog-level
> > nsslapd-errorlog-level: 8192
> > ------------------------------------------
> >
> > When you are finished debugging the issue, don't forget to change the log level back to "0".
> >
> > -NGK
> >
> > > Thanks,
> > >
> > > Matt
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
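An added example, not code from anyone in this thread: a small POSIX shell helper that scripts the diagnostic steps discussed above on the master side, namely toggling the 389-ds replication log level Nathan describes, triaging an errors log for the three messages seen in the thread (connect error -11, generation ID mismatch, untrusted CA), and fingerprinting a CA cert in an NSS database so the replica's copy can be compared with the master's. LDAP_URI, DM_PW, the NSS database path and cert nickname are placeholders for your own deployment; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: LDAP_URI, DM_PW,
# NSS db dir and cert nickname are assumptions for your own deployment.

# LDIF that sets nsslapd-errorlog-level (8192 = replication, 0 = default).
errorlog_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-errorlog-level\nnsslapd-errorlog-level: %s\n' "$1"
}

# Apply it as cn=Directory Manager on the master; set it back to 0 when done.
set_errorlog_level() {
    errorlog_ldif "$1" | ldapmodify -x -H "${LDAP_URI:-ldap://localhost}" \
        -D "cn=Directory Manager" -w "${DM_PW:?set DM_PW}"
}

# Map one errors-log line to the failure modes discussed in the thread.
classify_error() {
    case "$1" in
        *"Peer does not recognize and trust the CA"*) echo ca-trust ;;
        *"could not send startTLS"*|*"Error -11"*)   echo connect-error ;;
        *"different generation ID"*)                 echo generation-id ;;
        *)                                           echo other ;;
    esac
}

# Read an errors log on stdin and print "<count> <class>" per failure mode.
# A ca-trust hit means the LDAP_CONNECT_ERROR is a TLS trust problem, so
# compare CA fingerprints next rather than chasing the generation ID.
triage_log() {
    while IFS= read -r line; do classify_error "$line"; done | sort | uniq -c
}

# SHA-1 fingerprint of a cert in an NSS database (e.g. /etc/dirsrv/slapd-<DOMAIN>);
# run on master and replica and the two values must match.
ca_fingerprint() {   # $1 = NSS db dir, $2 = cert nickname
    certutil -L -d "$1" -n "$2" -a | openssl x509 -noout -fingerprint -sha1
}

# Constructed sample lines in 389-ds errors-log format, mirroring the thread.
SAMPLE_LOG='[10/Apr/2013:10:47:00 -0300] - Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)
[10/Apr/2013:10:47:01 -0300] NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.
[10/Apr/2013:10:47:02 -0300] conn=12 Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.'

# On a real master: set_errorlog_level 8192; rerun ipa-replica-install;
# triage_log < /var/log/dirsrv/slapd-<DOMAIN>/errors; set_errorlog_level 0
```

Running `printf '%s\n' "$SAMPLE_LOG" | triage_log` on the constructed sample yields one hit each for connect-error, generation-id and ca-trust.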