On 08/04/2014 08:46 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 08/04/2014 04:01 AM, Martin Kosek wrote:
>>> On 08/04/2014 04:45 AM, Erinn Looney-Triggs wrote:
>>>>> Whether related or not I am getting the following in my RHEL 6.5 IPA instance /var/log/dirsrv/slapd-PKI-CA/debug log:
>>>>>
>>>>> [26/Jul/2014:20:23:23 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>>> [26/Jul/2014:20:23:23 +0000] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipa2.example.com-pki-ca" (ipa2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
>>>>> [26/Jul/2014:20:23:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>>> [26/Jul/2014:20:23:48 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>>>
>>>>> And these errors just continue to be logged.
>>>>>
>>>>> When attempting to run ipa-ca-install -d on the RHEL 7 replica (all other services are on there running fine) I receive the following:
>>>>>
>>>>> ipa : CRITICAL failed to configure ca instance
>>>>> Command '/usr/sbin/pkispawn -vv -s CA -f /tmp/tmpqd0WwF' returned non-zero exit status 1
>>>>> ipa : DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>>>>>     return_value = main_function()
>>>>>
>>>>>   File "/usr/sbin/ipa-ca-install", line 179, in main
>>>>>     CA = cainstance.install_replica_ca(config, postinstall=True)
>>>>>
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1678, in install_replica_ca
>>>>>     subject_base=config.subject_base)
>>>>>
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
>>>>>     self.start_creation(runtime=210)
>>>>>
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>>>>>     method()
>>>>>
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
>>>>>     raise RuntimeError('Configuration of CA failed')
>>>>>
>>>>> ipa : DEBUG The ipa-ca-install command failed, exception: RuntimeError: Configuration of CA failed
>>>>>
>>>>> Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> Configuration of CA failed
>>>>>
>>>>> So this behavior changed after restarting the IPA service on the RHEL 6.5 system.
>>>>>
>>>>> So at this point I have a RHEL 6.5 system and a RHEL 7 replica of everything except the CA. The RHEL 6.5 system, when the IPA service is restarted, throws an error, perhaps from a schema change?
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> -Erinn
>>>>
>>>> I went in and debugged this a bit further by changing the verbosity for nsslapd-errorlog-level. It appears that the RHEL 6.5 system is attempting to connect to the RHEL 7 system on port 7389, and since the RHEL 7 system does not have the CA installed this would obviously fail. This leads me to believe that there is cruft in the directory that is pointing to the wrong place. I don't think this will fix my second group of errors, but how does one view the replication agreements specifically for the CA?
>>>>
>>>> As well, I omitted two lines from the ipa-ca-install error which are probably pertinent:
>>>>
>>>> ERROR: Unable to access directory server: Server is unwilling to perform
>>>>
>>>> ipa : DEBUG stderr=
>>>>
>>>> -Erinn
>>>
>>> This is strange. ipa-ca-install/ipa-replica-install --setup-ca should create the replication agreement pointing at port 389 on RHEL-7.0, given that the 2 originally separated DS databases were merged.
>>>
>>> It looks like this is some replication agreement left over from previous tests.
>>>
>>> Anyway, to list all hosts with PKI, try:
>>>
>>> # ipa-csreplica-manage list
>>> Directory Manager password:
>>>
>>> vm-089.idm.lab.bos.redhat.com: master
>>> vm-086.idm.lab.bos.redhat.com: master
>>>
>>> "master" means that this server has the PKI service installed. It will show a different value if there is no PKI service.
>>>
>>> To check PKI replication agreements for a specific hostname, run:
>>>
>>> # ipa-csreplica-manage list `hostname`
>>> Directory Manager password:
>>>
>>> vm-089.idm.lab.bos.redhat.com
>>>
>>> Check "man ipa-csreplica-manage" for advice on how to delete or create the PKI agreements.
>>>
>>> HTH,
>>> Martin
>>
>> Yeah, here is what I get:
>>
>> ipa-csreplica-manage list
>> Directory Manager password:
>>
>> ipa2.example.com: CA not configured
>> ipa.example.com: master
>>
>> ipa2 is my RHEL 7 instance, ipa is the RHEL 6.5 instance.
>>
>> ipa-csreplica-manage list ipa2.example.com
>> Directory Manager password:
>>
>> Can't contact LDAP server
>>
>> Which I guess makes sense, however:
>>
>> ipa-csreplica-manage list -v ipa.example.com
>> Directory Manager password:
>>
>> ipa2.example.com
>>   last init status: None
>>   last init ended: None
>>   last update status: -1 - LDAP error: Can't contact LDAP server
>>   last update ended: None
>> ipa2.example.com
>>   last init status: None
>>   last init ended: None
>>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>>   last update ended: 2014-08-04 14:43:48+00:00
>>
>> This seems odd to me, but I don't really know exactly what to expect. Why is ipa2 referenced twice? Why does one have replication succeeding and the other failing?
>>
>> It currently just feels like something is configured wrong, there is a wrong entry somewhere, but I can't figure it out just yet.
>
> As Directory Manager, look in cn=mapping tree,cn=config for the list of agreements. I'm guessing at least one of those has the wrong port.
>
> The IPA agreement CN takes the form of meTo<somewhere> and CA agreements' CN uses masterAgreement1-<hostname>-* (or cloneAgreement, depending on the side you're on).
>
> rob
Rob,

Thanks, looking in there I see two entries for my ipa2 instance for CA replication. However, none should exist as far as I know, because at this point there is no CA replica on ipa2. Are these safe to delete?

-Erinn
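Rob's advice (list the agreements under cn=mapping tree,cn=config and look for one with the wrong port) can be turned into a repeatable check before anything is deleted. The Python below is an added example for this thread, not code from FreeIPA or from any of the posters. It assumes the agreements have already been exported as LDIF (for instance with ldapsearch as Directory Manager against "cn=mapping tree,cn=config" filtered on objectClass=nsds5ReplicationAgreement), parses that LDIF, classifies each agreement by the CN conventions Rob describes (meTo* for IPA, masterAgreement1-/cloneAgreement1- for the CA), and flags CA agreements whose peer reports "CA not configured" in ipa-csreplica-manage or whose port does not match the peer's CA directory port (7389 for a RHEL 6 server with its separate PKI-CA instance, 389 where the databases were merged as Martin describes). The LDIF sample and host names are constructed to mirror the thread; the attribute names are the ones 389-ds uses for agreement entries.

```python
"""Audit 389-ds replication agreements for stale or mis-ported CA agreements.

Added example for the thread above (not FreeIPA code). Input is an LDIF
export of cn=mapping tree,cn=config, taken as Directory Manager.
"""
import re

# Constructed sample in the shape 389-ds returns; mirrors the thread, where
# ipa2 has no CA yet but a masterAgreement1-*-pki-ca entry still targets it.
SAMPLE_LDIF = r"""dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
cn: meToipa2.example.com
nsDS5ReplicaHost: ipa2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=example,dc=com
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
  update succeeded

dn: cn=masterAgreement1-ipa2.example.com-pki-ca,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
cn: masterAgreement1-ipa2.example.com-pki-ca
nsDS5ReplicaHost: ipa2.example.com
nsDS5ReplicaPort: 7389
nsDS5ReplicaRoot: o=ipaca
nsds5replicaLastUpdateStatus: -1 - LDAP error: Can't contact LDAP server
"""

# CA agreement CNs as Rob describes them: masterAgreement1-<host>-* or cloneAgreement1-<host>-*
CA_AGREEMENT = re.compile(r"^(masterAgreement|cloneAgreement)\d*-", re.IGNORECASE)


def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute(lower): [values]} dicts.

    Handles LDIF line folding (continuation lines start with one space).
    Base64 ("::") values are not needed for agreement entries and are not decoded.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def agreement_kind(cn):
    """Classify an agreement CN: 'ipa' (meTo*), 'ca' (master/cloneAgreement), or 'other'."""
    if cn.lower().startswith("meto"):
        return "ipa"
    if CA_AGREEMENT.match(cn):
        return "ca"
    return "other"


def find_stale_agreements(entries, ca_hosts):
    """Return (cn, host, port, reason) for each suspicious CA agreement.

    ca_hosts maps hostname -> port of that host's CA directory instance, built
    from the hosts ipa-csreplica-manage lists as "master". A CA agreement
    pointing at a host that is absent from ca_hosts is stale; one pointing at
    a known CA host on the wrong port is flagged too.
    """
    findings = []
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        cn = entry["cn"][0]
        if agreement_kind(cn) != "ca":
            continue
        host = entry["nsds5replicahost"][0]
        port = int(entry["nsds5replicaport"][0])
        if host not in ca_hosts:
            findings.append((cn, host, port, "peer has no CA configured"))
        elif port != ca_hosts[host]:
            findings.append((cn, host, port, f"expected port {ca_hosts[host]}"))
    return findings


if __name__ == "__main__":
    # Constructed: only ipa.example.com (RHEL 6.5, separate PKI-CA DS on 7389) has a CA.
    for cn, host, port, why in find_stale_agreements(parse_ldif(SAMPLE_LDIF),
                                                     {"ipa.example.com": 7389}):
        print(f"stale CA agreement {cn} -> {host}:{port} ({why})")
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents and building the ca_hosts mapping from the "master" lines of ipa-csreplica-manage list; an agreement it reports is a candidate for review with ipa-csreplica-manage, not something to remove blindly, since the same host can legitimately appear twice (once under the IPA suffix, once under o=ipaca).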