[Freeipa-users] ipa-replica-install command failed

2016-12-20 Thread Gady Notrica
Hello,

I need some help installing a FreeIPA replica on CentOS 7. My networking is
running, DNS is up on the master IPA, and all ports are open. But I can't
isolate the problem. Any help?

-- Error:
The ipa-replica-install command failed, exception: SystemExit: Connection check 
failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck 
parameter.

-- Command

# ipa-replica-install --setup-dns --setup-ca --no-forwarder --ip-address=172.20.10.100 /var/lib/ipa/replica-info-sys-sec-repl.ipa.domain.com.gpg
Directory Manager (existing master) password:

Run connection check to master
ad...@ipa.domain.com password:
ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


- LOG at /var/log/ipareplica-install.log

2016-12-20T19:14:50Z DEBUG stdout=Check connection from replica to remote 
master ' sys-pri-repl.ipa.domain.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master

Check RPC connection to remote master
Retrying using SSH...
Check SSH connection to remote master
Could not SSH into remote host. Error output:
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to sys-pri-repl.ipa.domain.com [172.20.10.99] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x0400
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 
6r:0e:15:55:dk:17:86:27:53:02:02:89:c7:98:20:11
Warning: Permanently added 'sys-pri-repl.ipa.domain.com,172.20.10.99' 
(ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
Connection closed by 172.20.10.99

2016-12-20T19:14:50Z DEBUG stderr=Could not SSH to remote host.

2016-12-20T19:14:50Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, 
in run
cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, 
in run
self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, 
in validate
for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, 
in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, 
in _handle_exception
six.reraise(*exc_info)
  File 
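
The log excerpt in the post above can be reduced to the stage at which the connection check stopped. This is an added example, not part of the original post and not FreeIPA code; the function name `summarize_conncheck` and the embedded sample (lines from the excerpt with the e-mail wrapping undone) are assumptions made for illustration.

```python
import re

# Constructed sample: lines taken from the log excerpt in the post above,
# with the e-mail line wrapping undone and repetitive lines left out.
SAMPLE_LOG = """\
   Directory Service: Unsecure port (389): OK
   Kerberos KDC: TCP (88): OK
   HTTP Server: Secure port (443): OK
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Check RPC connection to remote master
Retrying using SSH...
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
Connection closed by 172.20.10.99
"""

PORT_RE = re.compile(r"^\s*(.+?): (.+?) \((\d+)\): (\w+)\s*$")
OFFERED_RE = re.compile(r"Authentications that can continue: (\S+)")
NEXT_RE = re.compile(r"Next authentication method: (\S+)")
CLOSED_RE = re.compile(r"^Connection closed by (\S+)")


def summarize_conncheck(text):
    """Report port results and how far the SSH fallback got before it ended."""
    ports, offered, tried, closed_by = [], [], [], None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            ports.append((m[1], m[2], int(m[3]), m[4]))
        elif m := OFFERED_RE.search(line):
            offered = m[1].split(",")      # server's list; last one seen wins
        elif m := NEXT_RE.search(line):
            tried.append(m[1])
        elif m := CLOSED_RE.match(line):
            closed_by = m[1]
    return {
        "not_ok": [p for p in ports if p[3] != "OK"],   # includes SKIPPED UDP
        "tried": tried,
        "never_tried": [a for a in offered if a not in tried],
        # The method in progress when the peer closed the connection, if any.
        "failed_during": tried[-1] if closed_by and tried else None,
        "closed_by": closed_by,
    }


if __name__ == "__main__":
    for key, value in summarize_conncheck(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, every TCP check is OK, the two UDP checks are SKIPPED, and the master closed the SSH session while `gssapi-with-mic` was in progress, before `publickey` or `password` were attempted.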

Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Martin Kosek
On 02/26/2013 09:01 AM, Umarzuki Mochlis wrote:
 hi,
 
 I tried to create a FreeIPA replica on Fedora 18 with
 freeipa-server-3.1.2-1.fc18.x86_64
 
 below is last few lines of /var/log/ipareplica-install.log
 
 2013-02-25T16:16:33Z DEBUG retrieving schema for SchemaCache
 url=ldap://ipa.domain.com:389 conn=ldap.ldapobject.SimpleLDAPObject
 instance at 0x3b77758
 2013-02-25T16:18:42Z INFO   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 617, in run_script
 return_value = main_function()
 
   File /usr/sbin/ipa-replica-install, line 633, in main
 ds = install_replica_ds(config)
 
   File /usr/sbin/ipa-replica-install, line 161, in install_replica_ds
 pkcs12_info)
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py,
 line 303, in create_replica
 self.start_creation(runtime=60)
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 358, in start_creation
 method()
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py,
 line 316, in __setup_replica
 r_bindpw=self.dm_password)
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py,
 line 864, in setup_replication
 raise RuntimeError(Failed to start replication)
 
 2013-02-25T16:18:42Z INFO The ipa-replica-install command failed,
 exception: RuntimeError: Failed to start replication
 
 is this a known issue/bug or simply errors on my part?
 

Hello Umarzuki,

I am not aware of this bug. Can you please check 389-ds-base logs on the
replica and see if there is any bug? The log should be in
/var/log/dirsrv/slapd-YOUR-IPA-INSTANCE/errors.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Umarzuki Mochlis
2013/2/26 Martin Kosek mko...@redhat.com:

Hi Martin,

I found the following in the errors file:

[26/Feb/2013:00:16:14 +0800] - 389-Directory/1.3.0.3 B2013.045.10 starting up
[26/Feb/2013:00:16:14 +0800] - Db home directory is not set. Possibly
nsslapd-directory (optionally nsslapd-db-home-directory) is missing
in the config file.
.
.
[26/Feb/2013:00:16:32 +0800] - 389-Directory/1.3.0.3 B2013.045.10 starting up
[26/Feb/2013:00:16:32 +0800] ipaenrollment_start - [file
ipa_enrollment.c, line 390]: Failed to get default realm?!
.
.
[26/Feb/2013:00:16:33 +0800] NSMMReplicationPlugin -
agmt=cn=meToipa.domain.com (ipa:389): Replica has a different
generation ID than the local data.
[26/Feb/2013:00:16:33 +0800] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=domain,dc=com is going
offline; disabling replication

 Hello Umarzuki,

 I am not aware of this bug. Can you please check 389-ds-base logs on the
 replica and see if there is any bug? The log should be in
 /var/log/dirsrv/slapd-YOUR-IPA-INSTANCE/errors.

 Martin



-- 
Regards,

Umarzuki Mochlis
http://debmal.my
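
The two logs quoted in this thread use different clocks: ipareplica-install.log stamps lines in UTC (`Z`), while the 389-ds errors log uses local time with an offset (`+0800`), so 2013-02-25T16:16:33Z and 26/Feb/2013:00:16:33 +0800 are the same instant. The following added example (not part of the thread and not FreeIPA code; the function names and the embedded samples, unwrapped from the quoted lines, are assumptions) merges both logs into one UTC timeline.

```python
import re
from datetime import datetime, timezone

# Constructed samples: lines from the two logs quoted in the thread, with the
# e-mail line wrapping undone and the elided parts left out.
INSTALL_LOG = """\
2013-02-25T16:16:33Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.domain.com:389
2013-02-25T16:18:42Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
"""
ERRORS_LOG = """\
[26/Feb/2013:00:16:14 +0800] - 389-Directory/1.3.0.3 B2013.045.10 starting up
[26/Feb/2013:00:16:32 +0800] ipaenrollment_start - [file ipa_enrollment.c, line 390]: Failed to get default realm?!
[26/Feb/2013:00:16:33 +0800] NSMMReplicationPlugin - agmt=cn=meToipa.domain.com (ipa:389): Replica has a different generation ID than the local data.
[26/Feb/2013:00:16:33 +0800] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=domain,dc=com is going offline; disabling replication
"""

INSTALL_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (.*)$")
ERRORS_RE = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\] (.*)$")


def parse(text, source, regex, fmt):
    """Return [utc_time, source, message] rows; untimestamped lines join the previous row."""
    entries = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            ts = datetime.strptime(m[1], fmt)
            if ts.tzinfo is None:          # install log: trailing 'Z' means UTC
                ts = ts.replace(tzinfo=timezone.utc)
            entries.append([ts.astimezone(timezone.utc), source, m[2]])
        elif entries and line.strip():     # traceback or wrapped continuation
            entries[-1][2] += " " + line.strip()
    return entries


def merged_timeline(install_text, errors_text):
    rows = parse(install_text, "install", INSTALL_RE, "%Y-%m-%dT%H:%M:%SZ")
    rows += parse(errors_text, "dirsrv", ERRORS_RE, "%d/%b/%Y:%H:%M:%S %z")
    return sorted(rows, key=lambda r: r[0])   # stable: ties keep source order


if __name__ == "__main__":
    for ts, source, msg in merged_timeline(INSTALL_LOG, ERRORS_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z  {source:7}  {msg[:90]}")
```

On the samples, the replication plugin messages land in the same second as the installer's schema retrieval, a little over two minutes before the installer reports the failure.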



Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Martin Kosek
Hm, all these are usually benign, when we are just setting up a replication.
Can you please send me the whole ipareplica-install.log and dirsrv's errors log
so I can see these errors in a broader context? You can do it in private
message if you want.

Btw I assume that you are running on the current Fedora 18 389-ds-base version
(389-ds-base-0:1.3.0.2-1.fc18)

Thanks,
Martin

On 02/26/2013 09:36 AM, Umarzuki Mochlis wrote:
 2013/2/26 Martin Kosek mko...@redhat.com:
 
 Hi Martin,
 
 I found the following in the errors file:
 
 [26/Feb/2013:00:16:14 +0800] - 389-Directory/1.3.0.3 B2013.045.10 starting up
 [26/Feb/2013:00:16:14 +0800] - Db home directory is not set. Possibly
 nsslapd-directory (optionally nsslapd-db-home-directory) is missing
 in the config file.
 .
 .
 [26/Feb/2013:00:16:32 +0800] - 389-Directory/1.3.0.3 B2013.045.10 starting up
 [26/Feb/2013:00:16:32 +0800] ipaenrollment_start - [file
 ipa_enrollment.c, line 390]: Failed to get default realm?!
 .
 .
 [26/Feb/2013:00:16:33 +0800] NSMMReplicationPlugin -
 agmt=cn=meToipa.domain.com (ipa:389): Replica has a different
 generation ID than the local data.
 [26/Feb/2013:00:16:33 +0800] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=domain,dc=com is going
 offline; disabling replication
 
 Hello Umarzuki,

 I am not aware of this bug. Can you please check 389-ds-base logs on the
 replica and see if there is any bug? The log should be in
 /var/log/dirsrv/slapd-YOUR-IPA-INSTANCE/errors.

 Martin
 
 
 
