Hi, on auth01 I see the following error just before installation fails:

[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.

Greets
Kilian

________________________________________
From: [email protected] <[email protected]> on behalf of Ludwig Krispenz <[email protected]>
Sent: Thursday, 14 April 2016 16:46
To: [email protected]
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

On 04/14/2016 04:19 PM, Kilian Ries wrote:
> Hello Rob,
>
> thanks for your explanations. I followed your hints and did a complete
> uninstall and started over with a fresh installation. I ended up with exactly
> the same error as the first time...
>
> I did the following steps:
>
> auth01$ ipa-replica-manage del auth02
>
> auth02$ ipa-server-install --uninstall
>
> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
>
> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40
> /root/replica-info-auth02.intern.eu.gpg
>
> Are there other logfiles I can check for more specific errors?

You should have a look at the DS error logs in /var/log/dirsrv on both instances.

>
> Greets
> Kilian
>
> ________________________________________
> From: Rob Crittenden <[email protected]>
> Sent: Wednesday, 13 April 2016 16:18
> To: Kilian Ries; [email protected]
> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service
> principals is missing. Replication agreement cannot be converted
>
> Kilian Ries wrote:
>> Does nobody have an idea what's the problem here?
> TL;DR you are best off deleting this failed replica install and trying
> again.
>
> Initial replication is done over TLS. When replication is completed both
> sides of the agreement are converted to using GSSAPI and both ldap
> principals are needed to do this. Given that replication just completed
> both principals should be available but rarely one is not (hence the
> vague-ish error message).
>
> In this case the new ldap principal for the new replica wasn't found on
> the remote master so things blew up.
>
> There is no continuing the installation after this type of failure so
> you'll need to remove the failed install as a master on auth01
> (ipa-replica-manage del auth02...) and then run ipa-server-install
> --uninstall on auth02 and try again.
>
> rob
>
>>
>> Thanks
>>
>> Kilian
>>
>> ------------------------------------------------------------------------
>> *From:* [email protected]
>> <[email protected]> on behalf of Kilian Ries
>> <[email protected]>
>> *Sent:* Wednesday, 6 April 2016 10:41
>> *To:* [email protected]
>> *Subject:* [Freeipa-users] Error setting up Replication: ldap service
>> principals is missing. Replication agreement cannot be converted
>>
>> Hello,
>>
>> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
>> trying to add a replication partner.
>>
>> During the installation I got the following error:
>>
>> ###
>> Restarting the directory and certificate servers
>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>> [1/8]: adding sasl mappings to the directory
>> [2/8]: configuring KDC
>> [3/8]: creating a keytab for the directory
>> [4/8]: creating a keytab for the machine
>> [5/8]: adding the password extension to the directory
>> [6/8]: enable GSSAPI for replication
>> [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
>>
>> ###
>>
>> The installation log shows the following:
>>
>> ###
>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/[email protected]) and (krbprincipalname=ldap/[email protected])
>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/[email protected]) on auth01.intern.eu:636
>> 2016-04-06T08:22:34Z INFO Setting agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config
>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
>>     r_bindpw=self.dm_password)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
>>     self.gssapi_update_agreements(self.conn, r_conn)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
>>     self.setup_krb_princs_as_replica_binddns(a, b)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
>>     (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
>>     raise RuntimeError(error)
>> RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>>
>> 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>> 2016-04-06T08:22:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>     for nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>     executor.next()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>     for nothing in self._installer(self.parent):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>     install(self)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>     func(installer)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 586, in install
>>     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 93, in install_krb
>>     setup_pkinit, pkcs12_info)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 214, in create_replica
>>     self.start_creation(runtime=30)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
>>     r_bindpw=self.dm_password)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
>>     self.gssapi_update_agreements(self.conn, r_conn)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
>>     self.setup_krb_princs_as_replica_binddns(a, b)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
>>     (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
>>     raise RuntimeError(error)
>>
>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
>> ###
>>
>> Can anybody help me?
>>
>> Thanks
>>
>> Greets
>>
>> Kilian
>>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
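
A triage sketch for the Directory Server errors quoted at the top of this thread, added here as an example and not part of any poster's message or of FreeIPA or 389-ds code: it pairs each entryrdn "Same DN ... different ID" conflict with the id2entry read failures and failed index adds for the same IDs. The sample log is constructed in the format of the quoted lines with a placeholder host and realm; `triage` and its field names are hypothetical.

```python
import re

# Constructed sample in the format of the 389-ds error log quoted above
# (host, realm and suffix are placeholders, not values from the thread).
SAMPLE_LOG = """\
[14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
[14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
[14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test) is already in the entryrdn file with different ID 252. Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
[14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
"""

NULL_ENTRY = re.compile(r"id2entry - str2entry returned NULL for id (\d+)")
RDN_CONFLICT = re.compile(
    r"_entryrdn_insert_key: Same DN \(dn: (?P<dn>.+?)\) is already in the "
    r"entryrdn file with different ID (?P<old>\d+)\. Expected ID is (?P<new>\d+)\."
)
INDEX_FAIL = re.compile(r"add: attempt to index (\d+) failed; rc=-?\d+")


def triage(log_text):
    """Correlate entryrdn conflicts with id2entry read failures.

    Returns one dict per conflicting DN. 'stale' is True when the ID that
    entryrdn still holds for the DN is one id2entry could not read back;
    'add_failed' is True when indexing the new entry ID was reported failed.
    """
    unreadable, failed_adds, conflicts = set(), set(), {}
    for line in log_text.splitlines():
        if (m := NULL_ENTRY.search(line)):
            unreadable.add(int(m.group(1)))
        elif (m := RDN_CONFLICT.search(line)):
            conflicts[m["dn"]] = (int(m["old"]), int(m["new"]))
        elif (m := INDEX_FAIL.search(line)):
            failed_adds.add(int(m.group(1)))
    return [
        {"dn": dn, "indexed_id": old, "rejected_id": new,
         "stale": old in unreadable, "add_failed": new in failed_adds}
        for dn, (old, new) in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the files under /var/log/dirsrv on each server, a finding with `stale` set marks a principal DN whose index entry survived while the entry itself is unreadable.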
