On 02/09/2015 11:36 AM, Martin Kosek wrote:
On 02/09/2015 05:16 PM, Chris Mohler wrote:
On 02/09/2015 10:18 AM, Martin Kosek wrote:
On 02/07/2015 12:27 AM, Chris Mohler wrote:
I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
6.6. It's currently the only master for my domain. I have about 4k user
accounts on here and it's a live system called "idm"

I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
(clients can't auth unless service sssd is restarted multiple times "10 (User
not known to the underlying authentication module") I think this is possibly
unrelated and the topic for another thread.

I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's called
"ipa"
Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.

on the master "idm" I ran "ipa-replica-prepare" and transferred the file to the
future replica "ipa" Then I ran the install replica script ipa-replica-install
--setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
Things went well until it failed

[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 133 seconds elapsed
Update in progress yet not in progress

Update in progress yet not in progress

Update in progress yet not in progress

[idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Please help I'm getting nowhere by myself.
Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

Maybe you will see messages like "ns-slapd: encoded packet size too big (xxxxxx
65536)" that are known to pop up more with CentOS 6.6.
Hi Martin,
Thanks for the reply and help I appreciate it.

Good. Also note that RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.
Good to know. I try to be distro agnostic. I've used Redhat 7.1 then went
Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess I'm equally
uncomfortable with either version.

That Said. Is there any reason that I could or should not have a replica on a
Fedora 21 server and 2nd replica on a Centos 7.1 later? My understanding is the
more the merrier.
It should just work. Just note that in case of Fedora Server, these are
upstream/Fedora bits which are only tested upstream. So if you for example
break something in Fedora 21 (not likely to happen though ;-) and then get the
change *replicated* to RHEL production instance, I do not think Red Hat support
would be happy with that.

Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
your production RHEL instance as it would upgrade all the data for 4.2 level -
which should get more downstream testing before Red Hat can rubber stamp it.

TLDR; if you are happy with the upstream level of support (this list/IRC/Trac),
knock yourself out :-)

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?
I tried to setup the replica again just now so I have some fresh logs.

From the Dirserv error log
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS requests
[08/Feb/2015:22:14:50 -0500] - Listening on /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"

To be fair and not duplicate efforts I have had the following error
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.

To which I have asked another question "how do I change the entry cache size"
https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
I now get additional errors which I would guess are possibly related.
IMO, this should not be related (should not break replication). I do not
see anything useful in the error log though. Did you also check
/var/log/messages for the errors log I sent?
I did some homework yesterday and noticed that starting in Fedora 20, /var/log/messages is no longer used; the preferred method of checking logs is to use the "journalctl" command.

The Journal actually has a few lines that reference slapd but I don't see any obvious lines in red that say error. Here is what I have
Feb 09 10:40:15 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:15 -0500] - SSL alert: Configured NSS Ciphers
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
Feb 09 10:40:22 ipa.cs.oberlin.edu systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessibl
Feb 09 10:40:23 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:23 -0500] - SSL alert: Configured NSS Ciphers
Feb 09 10:40:23 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:23 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:23 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:23 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2


I also took a look at the ipareplica-install.log
and there was some odd stuff at the bottom. Is any of this relevant?
2015-02-09T15:42:44Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 965, in setup_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2015-02-09T15:42:44Z DEBUG [error] RuntimeError: Failed to start replication
2015-02-09T15:42:44Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/sbin/ipa-replica-install", line 700, in main
    ds = install_replica_ds(config)

  File "/sbin/ipa-replica-install", line 195, in install_replica_ds
    ca_file=config.dir + "/ca.crt",

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 355, in create_replica
    self.start_creation(runtime=60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 965, in setup_replication
    raise RuntimeError("Failed to start replication")

2015-02-09T15:42:44Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication

-Chris
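
The log triage discussed in this thread, as an added example that is not part of the original messages: it scans directory-server errors-log and journal lines for replication failures, the "encoded packet size too big" message and the cache-size warning, and sets the informational cipher listing aside as an inventory. The function name `triage`, the rule tags and the regular expressions are assumptions made for this example; the sample lines are taken from the logs quoted in the thread.

```python
import re

# Sample input: entries copied from the logs quoted in this thread
# (mail line wrapping undone), embedded so the example runs offline.
SAMPLE = """\
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
"""

# A 389-DS entry starts with "[dd/Mon/yyyy:hh:mm:ss +zzzz] "; journalctl puts
# its own "Feb 09 ... ns-slapd[pid]: " prefix in front, so search, not match.
ENTRY = re.compile(r"\[(?P<ts>\d{2}/\w{3}/\d{4}:[\d:]+ [+-]\d{4})\] (?P<rest>.*)")
CIPHER = re.compile(r"SSL alert: (?P<suite>[A-Z0-9_]+): enabled\s*$")
TLS_RANGE = re.compile(r"SSL version range: min: (\S+), max: (\S+)")

# Hypothetical rule set for this example; first matching rule wins.
RULES = [
    ("repl_failure", re.compile(r"NSMMReplicationPlugin .*(failed|unable to)", re.I)),
    ("packet_size", re.compile(r"encoded packet size too big")),
    ("cache_warning", re.compile(r"entry cache size \d+B is less than db size")),
]

def triage(text):
    """Return (findings, enabled cipher suites, (min, max) TLS range)."""
    findings, ciphers, tls_range = [], set(), None
    for line in text.splitlines():
        m = ENTRY.search(line)
        # Syslog lines without a bracketed timestamp are still checked.
        ts, rest = (m.group("ts"), m.group("rest")) if m else (None, line)
        c = CIPHER.search(rest)
        if c:                      # "SSL alert: <suite>: enabled" is a listing
            ciphers.add(c.group("suite"))
            continue
        r = TLS_RANGE.search(rest)
        if r:
            tls_range = r.groups()
            continue
        for tag, rx in RULES:
            if rx.search(rest):
                findings.append((tag, ts, rest))
                break
    return findings, sorted(ciphers), tls_range

if __name__ == "__main__":
    found, suites, tls = triage(SAMPLE)
    for tag, ts, msg in found:
        print(tag, ts, msg[:70])
    print(len(suites), "cipher suites enabled; TLS range", tls)
```
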
