[Freeipa-users] ipa-replica-install errors

2013-04-04 Thread Joseph, Matthew (EXP)
Hello,

I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and 
the Replica Server.

Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide);

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
--

Below is the error I am getting when running ipa-replica-install;


Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:

Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[IPA_Server.domain.ca] reports: Update failed! Status: [-11  - System error]
creation of replica failed: Failed to start replication

Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following 
error;

NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389): 
Replica has a different generation ID than the local data.


Any thoughts or ideas on this issue? Searching google I don't see anyone 
getting the Status:-11 - System Error.

Thanks,

Matt
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa-replica-install errors

2013-04-04 Thread Nathan Kinder

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:


> Hello,
>
> I'm trying to set up a replica server with ipa-2.2.0-16 on both the
> Server and the Replica Server.
>
> Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide);
>
> *IPA_Server:*
> ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
> scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>
> *IPA_Replica:*
> ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
> --
>
> Below is the error I am getting when running ipa-replica-install;
>
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'IPA_Server.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@domain.ca password:
>
> Execute check on remote master
> Check connection from master to remote replica 'IPA_Replica.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/13]: creating certificate server user
>   [2/13]: creating pki-ca instance
>   [3/13]: configuring certificate server instance
>   [4/13]: disabling nonces
>   [5/13]: creating RA agent certificate database
>   [6/13]: importing CA chain to RA certificate database
>   [7/13]: fixing RA database permissions
>   [8/13]: setting up signing cert profile
>   [9/13]: set up CRL publishing
>   [10/13]: set certificate subject base
>   [11/13]: enabling Subject Key Identifier
>   [12/13]: configuring certificate server to start on boot
>   [13/13]: Configure HTTP to proxy connections
> done configuring pki-cad.
> Restarting the directory and certificate servers
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
>   [17/30]: configuring certmap.conf
>   [18/30]: configure autobind for root
>   [19/30]: configure new location for managed entries
>   [20/30]: restarting directory server
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [IPA_Server.domain.ca] reports: Update failed! Status: [-11  - System error]
> creation of replica failed: Failed to start replication
>
> Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the
> following error;
>
> NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389):
> Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure.
If a replica is never initialized, it will get a generation ID mismatch
error when the master contacts it.

> Any thoughts or ideas on this issue? Searching google I don't see
> anyone getting the Status:-11 - System Error.


There was a bug in 389-ds-base that was fixed a while back where 
negative LDAP error codes were all printed as System Error.  The -11 
is a connection error.  Here is how it is defined in /usr/include/ldap.h:


#define LDAP_CONNECT_ERROR  (-11)

It sounds like this connection error is occurring
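
Added example (not part of either post, and not FreeIPA or 389-ds-base code): a log triage helper that applies the two points made in the reply above, decoding the numeric status instead of trusting the printed "System error" text, and treating a generation ID mismatch as likely fallout when an initialization failure is also present. The function and field names are hypothetical; the code table follows the client-side result codes in OpenLDAP's ldap.h.

```python
import re

# Client-side (negative) API result codes, as defined in OpenLDAP's ldap.h.
LDAP_API_ERRORS = {
    -1: "LDAP_SERVER_DOWN", -2: "LDAP_LOCAL_ERROR", -3: "LDAP_ENCODING_ERROR",
    -4: "LDAP_DECODING_ERROR", -5: "LDAP_TIMEOUT", -6: "LDAP_AUTH_UNKNOWN",
    -7: "LDAP_FILTER_ERROR", -8: "LDAP_USER_CANCELLED", -9: "LDAP_PARAM_ERROR",
    -10: "LDAP_NO_MEMORY", -11: "LDAP_CONNECT_ERROR", -12: "LDAP_NOT_SUPPORTED",
    -13: "LDAP_CONTROL_NOT_FOUND", -14: "LDAP_NO_RESULTS_RETURNED",
    -15: "LDAP_MORE_RESULTS_TO_RETURN", -16: "LDAP_CLIENT_LOOP",
    -17: "LDAP_REFERRAL_LIMIT_EXCEEDED",
}

# Installer line: "[host] reports: Update failed! Status: [<code> - <text>]"
STATUS_RE = re.compile(r"\[(?P<host>[^\]]+)\] reports: Update failed! "
                       r"Status: \[(?P<code>-?\d+)\s+-\s+[^\]]*\]")
# errors-log line: "agmt=<name> (<peer>): Replica has a different generation ID ..."
GENID_RE = re.compile(r"agmt=(?P<agmt>\S+) \((?P<peer>[^)]+)\): "
                      r"Replica has a different generation ID")

def triage(lines):
    """Separate replica-initialization failures from generation ID mismatches."""
    init_failures, genid_mismatches = [], []
    for line in lines:
        m = STATUS_RE.search(line)
        if m:
            code = int(m.group("code"))
            # Ignore the printed text: affected builds say "System error" for
            # every negative code, so decode the number instead.
            name = LDAP_API_ERRORS.get(code, "not a known client-side code")
            init_failures.append((m.group("host"), code, name))
            continue
        m = GENID_RE.search(line)
        if m:
            genid_mismatches.append((m.group("agmt"), m.group("peer")))
    return {
        "init_failures": init_failures,
        "genid_mismatches": genid_mismatches,
        # With a failed initialization present, the mismatch is likely fallout.
        "genid_is_fallout": bool(init_failures and genid_mismatches),
    }

# Sample input: error lines quoted in the thread, unwrapped to one line each.
SAMPLE = [
    "  [21/30]: setting up initial replication",
    "[IPA_Server.domain.ca] reports: Update failed! Status: [-11  - System error]",
    "NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389): "
    "Replica has a different generation ID than the local data.",
]
```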