On Fri, Nov 7, 2014 at 7:22 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 7.11.2014 17:20, Traiano Welcome wrote:
>> Hi Petr
>>
>> On Fri, Nov 7, 2014 at 6:19 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>> On 7.11.2014 14:08, Traiano Welcome wrote:
>>>> Hi List
>>>>
>>>> I'm trying to configure a replica for a primary freeipa IdM server
>>>> (both CentOS 7, AD trusts configured on primary), but "ipa-replica-install"
>>>> fails with the following error:
>>>> --
>>>> ipa-replica-install -d --setup-ca --setup-dns --no-forwarders
>>>> /var/lib/ipa/replica-info-lolpr-idm-slve.idm.local.gpg
>>>> .
>>>> .
>>>> Invalid IP Address 172.16.100.222 for lolpr-idm-slve.idm.local: cannot use
>>>> IP network address
>>>> .
>>>> .
>>>> --
>>>>
>>>> For context, here is the full output from the replica-install command (I've
>>>> attached the full debug output):
>>>>
>>>> ---
>>>> [root@lolpr-idm-slve ipa]# ipa-replica-install --setup-ca --setup-dns
>>>> --no-forwarders /var/lib/ipa/replica-info-lolpr-idm-slve.idm.local.gpg
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>> be disabled in favor of ntpd
>>>>
>>>> Directory Manager (existing master) password:
>>>>
>>>> Run connection check to master
>>>> Check connection from replica to remote master 'lolpr-idm-mstr.idm.local':
>>>>    Directory Service: Unsecure port (389): OK
>>>>    Directory Service: Secure port (636): OK
>>>>    Kerberos KDC: TCP (88): OK
>>>>    Kerberos Kpasswd: TCP (464): OK
>>>>    HTTP Server: Unsecure port (80): OK
>>>>    HTTP Server: Secure port (443): OK
>>>>
>>>> The following list of ports use UDP protocol and would need to be
>>>> checked manually:
>>>>    Kerberos KDC: UDP (88): SKIPPED
>>>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>>>
>>>> Connection from replica to master is OK.
>>>> Start listening on required ports for remote master check
>>>> Get credentials to log in to remote master
>>>> admin@IDM.LOCAL password:
>>>>
>>>> Check SSH connection to remote master
>>>> Execute check on remote master
>>>> Check connection from master to remote replica 'lolpr-idm-slve.idm.local':
>>>>    Directory Service: Unsecure port (389): OK
>>>>    Directory Service: Secure port (636): OK
>>>>    Kerberos KDC: TCP (88): OK
>>>>    Kerberos KDC: UDP (88): OK
>>>>    Kerberos Kpasswd: TCP (464): OK
>>>>    Kerberos Kpasswd: UDP (464): OK
>>>>    HTTP Server: Unsecure port (80): OK
>>>>    HTTP Server: Secure port (443): OK
>>>>
>>>> Connection from master to replica is OK.
>>>>
>>>> Connection check OK
>>>> Invalid IP Address 172.16.100.222 for lolpr-idm-slve.idm.local: cannot use
>>>> IP network address
>>>> [root@lolpr-idm-slve ipa]#
>>>>
>>>> ---
>>>>
>>>> Some things I've tested:
>>>>
>>>> 1. disable selinux (followed by reboot) - no change
>>>> 2. disable IPv6 (followed by reboot) - no change
>>>>
>>>> DNS resolution and IP checks seem fine:
>>>> ---
>>>>
>>>> [root@lolpr-idm-slve install]# hostname
>>>> lolpr-idm-slve.idm.local
>>>>
>>>>
>>>> [root@lolpr-idm-slve install]# ifconfig
>>>> ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>>>         inet 172.16.100.222  netmask 255.255.255.255  broadcast
>>>> 172.16.100.222
>>>
>>> This is the cause: IP address on ens192 interface is 172.16.100.222/32.
>>>
>>> What is your environment? Is it some kind of weird container?
>>>
>>> Is it even valid configuration? :-) I don't recall any use case for 32-bit
>>> netmask. As far as I remember 31-bit netmask is allowed by RFC 3021 for
>>> point to point links.
>>>
>>
>> AFAIK, a /32 netmask designates a single address. Should be valid,
>> although I'm not sure how IPA's installutils.py handles that. ipcalc
>> says:
>>
>> ----
>> root@lol-dev:/opt/automation# ipcalc 172.16.100.222/32
>> Address:   172.16.100.222       10101100.00010000.01100100.11011110
>> Netmask:   255.255.255.255 = 32 11111111.11111111.11111111.11111111
>> Wildcard:  0.0.0.0              00000000.00000000.00000000.00000000
>> =>
>> Hostroute: 172.16.100.222       10101100.00010000.01100100.11011110
>> Hosts/Net: 1                     Class B, Private Internet
>> ----
>>
>> Nice reference, seems to confirm this is a single host:
>> http://www.oav.net/mirrors/cidr.html
>
> Sure, but how you can communicate using this address? You need to assign an
> address to the other end too :-)

Doh! Thanks a ton, Petr. Time for me to lay off the coffee :-)

>
> It is still unclear to me what is your use case.
>

Simply to have a replica IdM server for clients to fail over to should the
primary IdM server be unreachable. Which is working wonderfully now ...

> Petr^2 Spacek
>
>>>
>>>>         ether 00:50:56:9c:1e:60  txqueuelen 1000  (Ethernet)
>>>>         RX packets 17964  bytes 1705674 (1.6 MiB)
>>>>         RX errors 0  dropped 10  overruns 0  frame 0
>>>>         TX packets 3772  bytes 595134 (581.1 KiB)
>>>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>>> --
>>>>
>>>> /etc/hosts looks like this:
>>>>
>>>> --
>>>> 127.0.0.1   localhost localhost.localdomain localhost4
>>>> localhost4.localdomain4
>>>> 172.16.100.68   lolpr-idm-mstr.idm.local lolpr-idm-mstr
>>>> 172.16.100.222  lolpr-idm-slve.idm.local lolpr-idm-slve
>>>> 172.16.104.231  loltestdc001.loltestdc.com loltestdc001
>>>> --
>>>>
>>>> Host naming, forward and reverse resolution seems fine:
>>>>
>>>> ---
>>>> [root@lolpr-idm-slve install]#
>>>> [root@lolpr-idm-slve install]# host `hostname`
>>>> lolpr-idm-slve.idm.local has address 172.16.100.222
>>>> [root@lolpr-idm-slve install]#
>>>> [root@lolpr-idm-slve install]# host `hostname`^C
>>>> [root@lolpr-idm-slve install]# host `hostname`| cut -d " " -f 4| xargs
>>>> -Iname host name
>>>> 222.100.16.172.in-addr.arpa domain name pointer lolpr-idm-slve.idm.local.
>>>> [root@lolpr-idm-slve install]#
>>>> ---
>>>>
>>>> I'd be thankful if anyone could shed a light on why this error is happening
>>>> and point me in the direction of a fix.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
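The check that tripped here is easy to reproduce outside the installer. The following is an added example written for this page, not FreeIPA's own installutils code: a small reimplementation of the kind of host-address sanity check the error message "cannot use IP network address" implies, using only the standard-library ipaddress module. With a /32 netmask the interface's "network" is the single address itself, so the host address equals the network address and is rejected; the /31 exemption follows RFC 3021 as Petr mentions. The second function shows Petr's other point: with /32 the master at 172.16.100.68 is not on-link from the replica at all. The rejection strings, function names and the /31 handling are this example's assumptions, not FreeIPA's.

```python
"""
Added example (not FreeIPA code): why 172.16.100.222/32 is rejected as a
host address, and why a /32 interface has no on-link peers.
"""
import ipaddress


def check_host_address(addr_with_prefix: str) -> str:
    """Return "ok" if the address is usable as a host address on its
    prefix, otherwise a short reason for rejecting it.

    Assumption for this example: the reasons mirror the wording of the
    installer error on the page; the /31 exemption is RFC 3021.
    """
    iface = ipaddress.ip_interface(addr_with_prefix)
    addr, net = iface.ip, iface.network

    # RFC 3021: a /31 point-to-point link has no network or broadcast
    # address, both addresses are hosts.
    if addr.version == 4 and net.prefixlen == 31:
        return "ok"

    # For a /32 (or IPv6 /128) the network consists of the address
    # itself, so the address IS the network address. This is exactly
    # the replica's situation (ens192: 172.16.100.222/32).
    if addr == net.network_address:
        return "cannot use IP network address"

    # IPv4 only: the all-ones host part is the directed broadcast.
    if addr.version == 4 and addr == net.broadcast_address:
        return "cannot use broadcast IP address"

    return "ok"


def peer_on_link(addr_with_prefix: str, peer: str) -> bool:
    """True if `peer` lies inside the interface's subnet, i.e. the host
    would treat it as directly reachable instead of needing a route via
    a gateway. A /32 contains nothing but the interface's own address."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return ipaddress.ip_address(peer) in iface.network


if __name__ == "__main__":
    # Values taken from the thread: the replica's ens192 address and
    # the master from /etc/hosts.
    replica = "172.16.100.222"
    master = "172.16.100.68"
    for prefix in (32, 31, 24):
        cidr = f"{replica}/{prefix}"
        print(f"{cidr:>20}: {check_host_address(cidr):<32} "
              f"master on-link: {peer_on_link(cidr, master)}")
```

Running it prints one line per netmask: only the /32 case is rejected as the network address, and only the /24 (a netmask this example assumes for illustration, the thread never states the correct one) puts the master on the same link, which is the configuration the replica ended up working with.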