Re: [Freeipa-users] IPA Replica Install Failing with "UnboundLocalError: local variable 'replman' referenced before assignment"
Choudhury, Suhail wrote:
> Okay tried that Petr, but yes still getting the LDAP connection error:
>
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-replica-install", line 431, in main
>     tls_cacertfile=CACERT)
>
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
>     self.handle_errors(e)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
>     error=u'LDAP Server Down')
>
> ipa : INFO The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa01.domain.com': LDAP Server Down
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Unexpected error - see /var/log/ipareplica-install.log for details:
> NetworkError: cannot connect to 'ldaps://ipa01.domain.com': LDAP Server Down

What command-line are you using?

> Running the LDAP query directly is successful:
>
> [root@recsds3 ~]# ldapsearch -x -s one -b cn=schema -h ipa01.domain.com

This isn't exactly the same thing. Try this:

# ldapsearch -x -H ldaps://ipa01.domain.com -s one -b cn=schema

You may also want to look at the 389-ds access log on ipa01 to see if the connection was rejected.

> Is there an exhaustive list of ports (TCP/UDP) required for IPA replica setup?
> I just successfully created an IPA replica by connecting to another IPA
> master so perhaps it is a specific port that is required that is not
> apparent?

It depends very much on what version of IPA you are installing with what features. Generally though the list is TCP 389, 636, 88, 464, 80 and 443, UDP 88, 464. Older versions may require more.

ipa-replica-conncheck, which is run as part of the replica install unless you've disabled it, should confirm that the required ports are open.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA Replica Install Failing with "UnboundLocalError: local variable 'replman' referenced before assignment"
Okay tried that Petr, but yes still getting the LDAP connection error:

    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 431, in main
    tls_cacertfile=CACERT)

  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')

ipa : INFO The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa01.domain.com': LDAP Server Down

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
NetworkError: cannot connect to 'ldaps://ipa01.domain.com': LDAP Server Down

Running the LDAP query directly is successful:

    [root@recsds3 ~]# ldapsearch -x -s one -b cn=schema -h ipa01.domain.com
    # extended LDIF
    #
    # LDAPv3
    # base with scope oneLevel
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

Is there an exhaustive list of ports (TCP/UDP) required for IPA replica setup?
I just successfully created an IPA replica by connecting to another IPA master so perhaps it is a specific port that is required that is not apparent?

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB
Re: [Freeipa-users] IPA Replica Install Failing with "UnboundLocalError: local variable 'replman' referenced before assignment"
On 07/15/2014 04:25 PM, Choudhury, Suhail wrote:
> Hi Petr,
>
> Yes definitely using IPA 3.0 packages as per the package details provided
> earlier.

Ah, I see. This was reverted in a patch for EL6. Sorry for doubting you.

To get rid of the error, since you're not afraid to modify code, you can follow the instruction inline:

> The following code is present in the replica installer script:
>
>     # Try out the password
>     ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)

Here, insert the line:

    replman = None

>     try:
>         conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
>         conn.connect(bind_dn=DN(('cn', 'directory manager')),
>                      bind_pw=config.dirman_password,
>                      tls_cacertfile=CACERT)
>         replman = ReplicationManager(config.realm_name,
>                                      config.master_host_name,
>                                      config.dirman_password)
>         found = False
>         try:
>             entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'],
>                                       DN(api.env.container_host, api.env.basedn))
>             print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % host
>             print "%% ipa host-del %s" % host
>             found = True
>         except errors.NotFound:
>             pass
>         try:
>             (agreement_cn, agreement_dn) = replman.agreement_dn(host)
>             entry = conn.get_entry(agreement_dn, ['*'])
>             print "A replication agreement for this host already exists. It needs to be removed. Run this on the master that generated the info file:"
>             print "%% ipa-replica-manage del %s --force" % host
>             found = True
>         except errors.NotFound:
>             pass
>         if found:
>             sys.exit(3)
>     except errors.ACIError:
>         sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
>     except errors.LDAPError:
>         sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
>     finally:
>         if conn and conn.isconnected():
>             conn.disconnect()
>         if replman and replman.conn:
>             replman.conn.unbind_s()
>
> The background to this problem is that we have 6 x IPA servers, 2 each in 3 x DCs.
> In one DC we had a problem with storage which messed up the 2 IPAs, 1 of
> which was the master from which replicas were originally taken.
>
> After promoting a good IPA box in another DC (as per
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html)
> I cannot now create new replicas to replace the two which were messed up.
>
> But when trying to install them I am getting the error "UnboundLocalError:
> local variable 'replman' referenced before assignment".

Fixing the UnboundLocalError will reveal the real problem.

If you get "LDAP server on ipabox1.domain.com is not responding." again, please check if the server is really unreachable, using:

    ldapsearch -x -s one -b cn=schema -h ipabox1.domain.com

> Regards,
> Suhail Choudhury.
> DevOps | Recommendations Team | BSkyB
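The masking effect described in the message above ("Fixing the UnboundLocalError will reveal the real problem"), as an added example that is not part of the thread or of the FreeIPA code. It is written for Python 3 with constructed stand-in classes (`FakeLdap2`, `FakeReplicationManager`, `NetworkError`, `LDAPError` are hypothetical); Python 3 records the displaced exception in `__context__`, whereas the Python 2.6 installer in the thread reports only the UnboundLocalError.

```python
# Added illustration: constructed stand-ins, not FreeIPA code.

class NetworkError(Exception):
    """Stand-in for the NetworkError seen in the thread's traceback."""

class LDAPError(Exception):
    """Stand-in for errors.LDAPError. The thread's traceback shows
    NetworkError passing both except clauses, so the two are unrelated here."""

class FakeLdap2:
    """Hypothetical connection object whose connect() always fails."""
    def connect(self):
        raise NetworkError("cannot connect: LDAP Server Down")
    def isconnected(self):
        return False
    def disconnect(self):
        pass

class FakeReplicationManager:
    """Hypothetical stand-in; only the .conn attribute matters here."""
    conn = None

def check_unpatched():
    """Same shape as the quoted installer code: names are bound inside try."""
    try:
        conn = FakeLdap2()
        conn.connect()                      # raises; the next line never runs
        replman = FakeReplicationManager()
    except LDAPError:
        raise SystemExit("Unable to connect to LDAP server")
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:        # replman is unbound at this point
            replman.conn.unbind_s()

def check_patched():
    """With 'replman = None' placed before the try, as advised in the thread."""
    conn = None     # extra guard, not in the thread: same hazard if the constructor raises
    replman = None
    try:
        conn = FakeLdap2()
        conn.connect()
        replman = FakeReplicationManager()
    except LDAPError:
        raise SystemExit("Unable to connect to LDAP server")
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:
            replman.conn.unbind_s()

def outcome(func):
    """Return (exception type reaching the caller, exception it displaced)."""
    try:
        func()
    except BaseException as exc:
        ctx = exc.__context__
        return type(exc).__name__, (type(ctx).__name__ if ctx else None)
    return None, None

if __name__ == "__main__":
    print("unpatched:", outcome(check_unpatched))
    print("patched:  ", outcome(check_patched))
```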
Re: [Freeipa-users] IPA Replica Install Failing with "UnboundLocalError: local variable 'replman' referenced before assignment"
Hi Petr,

Yes definitely using IPA 3.0 packages as per the package details provided earlier.

The following code is present in the replica installer script:

    # Try out the password
    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
    try:
        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
        conn.connect(bind_dn=DN(('cn', 'directory manager')),
                     bind_pw=config.dirman_password,
                     tls_cacertfile=CACERT)
        replman = ReplicationManager(config.realm_name,
                                     config.master_host_name,
                                     config.dirman_password)
        found = False
        try:
            entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'],
                                      DN(api.env.container_host, api.env.basedn))
            print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % host
            print "%% ipa host-del %s" % host
            found = True
        except errors.NotFound:
            pass
        try:
            (agreement_cn, agreement_dn) = replman.agreement_dn(host)
            entry = conn.get_entry(agreement_dn, ['*'])
            print "A replication agreement for this host already exists. It needs to be removed. Run this on the master that generated the info file:"
            print "%% ipa-replica-manage del %s --force" % host
            found = True
        except errors.NotFound:
            pass
        if found:
            sys.exit(3)
    except errors.ACIError:
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:
            replman.conn.unbind_s()

The background to this problem is that we have 6 x IPA servers, 2 each in 3 x DCs.
In one DC we had a problem with storage which messed up the 2 IPAs, 1 of which was the master from which replicas were originally taken.

After promoting a good IPA box in another DC (as per http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html) I cannot now create new replicas to replace the two which were messed up.

But when trying to install them I am getting the error "UnboundLocalError: local variable 'replman' referenced before assignment".

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB
Re: [Freeipa-users] IPA Replica Install Failing with "UnboundLocalError: local variable 'replman' referenced before assignment"
You say you are using the IPA 3.0 packages. Are you sure?
The "UnboundLocalError" should have been fixed in IPA 3.0.0 (as a side effect of fixing https://fedorahosted.org/freeipa/ticket/2845 )
I checked the CentOS 3.5 srpm, and the fix is there. Yet it is missing from the source you quote below.

On 07/15/2014 03:25 PM, Choudhury, Suhail wrote:
> FYI,
>
> These are IPA replicas being re-added.
>
> I removing these replman lines in the installer script:

What do you mean by "Removing the replman lines"? Is this quote from before or after you removed them?

>     # Try out the password
>     ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
>     try:
>         conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
>         conn.connect(bind_dn=DN(('cn', 'directory manager')),
>                      bind_pw=config.dirman_password,
>                      tls_cacertfile=CACERT)
>         replman = ReplicationManager(config.realm_name,
>                                      config.master_host_name,
>                                      config.dirman_password)
>         found = False
>         try:
>             entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'],
>                                       DN(api.env.container_host, api.env.basedn))
>             print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % host
>             print "%% ipa host-del %s" % host
>             found = True
>         except errors.NotFound:
>             pass
>         try:
>             (agreement_cn, agreement_dn) = replman.agreement_dn(host)
>             entry = conn.get_entry(agreement_dn, ['*'])
>             print "A replication agreement for this host already exists. It needs to be removed. Run this on the master that generated the info file:"
>             print "%% ipa-replica-manage del %s --force" % host
>             found = True
>         except errors.NotFound:
>             pass
>         if found:
>             sys.exit(3)
>     except errors.ACIError:
>         sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
>     except errors.LDAPError:
>         sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
>     finally:
>         if conn and conn.isconnected():
>             conn.disconnect()
>         if replman and replman.conn:
>             replman.conn.unbind_s()
>
> and then ran the install again but it is now failing on:
>
> ipa : DEBUG stderr=
> ipa : DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 120
> ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-replica-install", line 433, in main
>     install_dns_records(config, options)
>
>   File "/usr/sbin/ipa-replica-install", line 251, in install_dns_records
>     dm_password=config.dirman_password):
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 192, in dns_container_exists
>     raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
>
> ipa : INFO The ipa-replica-install command failed, exception: RuntimeError: LDAP server on ipabox1.domain.com is not responding. Is IPA installed?
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> LDAP server on ipabox1.domain.com is not responding. Is IPA installed?
>
> However LDAP ports on the IPA master are working and accessible (checked using telnet and ldapsearch).
>
> Regards,
> Suhail Choudhury.
> DevOps | Recommendations Team | BSkyB
Re: [Freeipa-users] IPA Replica Install Failing with "UnboundLocalError: local variable 'replman' referenced before assignment"
FYI,

These are IPA replicas being re-added.

I removing these replman lines in the installer script:

    # Try out the password
    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
    try:
        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
        conn.connect(bind_dn=DN(('cn', 'directory manager')),
                     bind_pw=config.dirman_password,
                     tls_cacertfile=CACERT)
        replman = ReplicationManager(config.realm_name,
                                     config.master_host_name,
                                     config.dirman_password)
        found = False
        try:
            entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'],
                                      DN(api.env.container_host, api.env.basedn))
            print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % host
            print "%% ipa host-del %s" % host
            found = True
        except errors.NotFound:
            pass
        try:
            (agreement_cn, agreement_dn) = replman.agreement_dn(host)
            entry = conn.get_entry(agreement_dn, ['*'])
            print "A replication agreement for this host already exists. It needs to be removed. Run this on the master that generated the info file:"
            print "%% ipa-replica-manage del %s --force" % host
            found = True
        except errors.NotFound:
            pass
        if found:
            sys.exit(3)
    except errors.ACIError:
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:
            replman.conn.unbind_s()

and then ran the install again but it is now failing on:

ipa : DEBUG stderr=
ipa : DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 120
ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 433, in main
    install_dns_records(config, options)

  File "/usr/sbin/ipa-replica-install", line 251, in install_dns_records
    dm_password=config.dirman_password):

  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 192, in dns_container_exists
    raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)

ipa : INFO The ipa-replica-install command failed, exception: RuntimeError: LDAP server on ipabox1.domain.com is not responding. Is IPA installed?

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

LDAP server on ipabox1.domain.com is not responding. Is IPA installed?

However LDAP ports on the IPA master are working and accessible (checked using telnet and ldapsearch).

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB
[Freeipa-users] IPA Replica Install Failing with "UnboundLocalError: local variable 'replman' referenced before assignment"
Hi,

I'm trying to install some new IPA replicas but getting this installation error:

--
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/rename_managed.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_anonymous_aci.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_services.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/updateclient.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/upload_cacrt.py'
ipa : DEBUG ds group dirsrv exists
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 458, in main
    if replman and replman.conn:

ipa : INFO The ipa-replica-install command failed, exception: UnboundLocalError: local variable 'replman' referenced before assignment

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
UnboundLocalError: local variable 'replman' referenced before assignment
--

These are the relevant lines in "ipa-replica-install":

--
        except errors.NotFound:
            pass
        if found:
            sys.exit(3)
    except errors.ACIError:
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:
            replman.conn.unbind_s()
--

This is on a freshly installed and updated CentOS release 6.5 (Final) box running "2.6.32-431.20.3.el6.x86_64" kernel, SELinux disabled and with the following IPA packages:

    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-python-3.0.0-37.el6.x86_64
    ipa-client-3.0.0-37.el6.x86_64
    ipa-admintools-3.0.0-37.el6.x86_64
    ipa-server-selinux-3.0.0-37.el6.x86_64
    libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    libipa_hbac-1.9.2-129.el6_5.4.x86_64
    ipa-server-3.0.0-37.el6.x86_64
    python-iniparse-0.3.1-2.1.el6.noarch

Any help/ideas much appreciated.

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB