Hi,

replica installation failures are often related to either a wrong DNS configuration or firewall preventing the communication. Did you run ipa-replica-installation with or without the option --skip-conncheck? Without the option you may have some hints if the issue is related to the firewall. You can find more info in Host name and DNS requirements for IdM [1] and Opening the ports required by IdM [2].

The timestamp for replica installation is 2023-05-24T*10:15:04Z* but the master logs don't match (24/May/2023:*11:47:29.382502138 +0200*). Difficult to draw any conclusion with that, do you have the master logs from the same time?

flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#host-name-and-dns-requirements-for-ipa_preparing-the-system-for-ipa-server-installation
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#opening-the-ports-required-by-idm_preparing-the-system-for-ipa-server-installation

On Wed, May 24, 2023 at 12:34 PM Jakub Werwiński via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi, I have a problem with freeipa replica installation log:
>
> Starting replication, please wait until this has completed.
> Update in progress, 12 seconds elapsed
> [ldap://freeipa.mydomain.com:389] reports: Update failed! Status: [Error
> (-11) connection error: Unknown connection error (-11) - Total update
> aborted]
>
> [error] RuntimeError: Failed to start replication
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Failed to start replication
> The ipa-replica-install command failed.
> See
> /var/log/ipareplica-install.log for more information
>
> ---------------------------------------- var/log/ipareplica-install.log
> -------------------------------------------------------
>
> 2023-05-24T10:14:50Z DEBUG Waiting up to 300 seconds for replication
> (ldapi://%2Frun%2Fslapd-MY-DOMAIN.COM.socket)
> cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-poland\,dc\=com\,dc\=pl,cn=mapping
> tree,cn=config (objectclass=*)
> 2023-05-24T10:14:50Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=
> meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-com\,dc\=com\,dc\=pl,cn=mapping
> tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'],
> 'cn': [b'meTofreeipa.mydomain.com'], 'nsDS5ReplicaHost': [b'
> freeipa.mydomain.com'], 'nsDS5ReplicaPort': [b'389'],
> 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot':
> [b'dc=mydomain,dc=com,dc=pl'], 'description': [b'me to
> freeipa.mydomain.com'], 'nsDS5ReplicatedAttributeList':
> [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
> krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'],
> 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs':
> [b'modifiersName modifyTimestamp internalModifiersName
> internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal':
> [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth
> krblastfailedauth krbloginfailedcount passwordgraceusertime'],
> 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart':
> [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
> 'nsds5replicaChangesSentSinceStartup': [b''],
> 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions
> started since server startup'], 'nsds5replicaLastUpdateStatusJSON':
> [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc":
> "0", "repl_rc_text": "replica acquired", "date": "2023-05-24T10:14:50Z",
> "message": "Error (0) No replication
> sessions started since server
> startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'],
> 'nsds5replicaLastInitStart': [b'19700101000000Z'],
> 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
> 2023-05-24T10:15:04Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 672, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py",
> line 430, in __setup_replica
> repl.setup_promote_replication(
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line
> 1930, in setup_promote_replication
> raise RuntimeError("Failed to start replication")
> RuntimeError: Failed to start replication
>
> 2023-05-24T10:15:04Z DEBUG [error] RuntimeError: Failed to start
> replication
> 2023-05-24T10:15:04Z DEBUG Destroyed connection
> context.ldap2_140645096151696
> 2023-05-24T10:15:04Z DEBUG Backing up system configuration file
> '/etc/ipa/default.conf'
> 2023-05-24T10:15:04Z DEBUG Saving Index File to
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2023-05-24T10:15:04Z DEBUG Writing configuration file /etc/ipa/default.conf
> 2023-05-24T10:15:04Z DEBUG [global]
> basedn = dc=mydomain,dc=com,dc=pl
> host = freeipa-replica.mydomain.com
> realm = My.REALM.COM
> domain = mydomain.com
> xmlrpc_uri = https://freeipa-replica.mydomain.com/ipa/xml
> ldap_uri = ldapi://%2Frun%2Fslapd-MY-DOMAIN-COM.socket
> mode = production
> enable_ra = True
> ra_plugin = dogtag
> dogtag_version = 10
> ca_host = freeipa.mydomain.com
>
> 2023-05-24T10:15:04Z DEBUG File
> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in
> execute
> return_value = self.run()
> File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line
> 344, in run
> return cfgr.run()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 360, in run
> return self.execute()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 386, in execute
> for rval in self._executor():
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 421, in __runner
> step()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
> 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
> 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 655, in _configure
> next(executor)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 518, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py",
> line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 515, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 421, in __runner
> step()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
> 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
> 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
> 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.9/site-packages/ipapython/install/common.py",
> line 65, in _install
> for unused in self._installer(self.parent):
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py",
> line 599, in main
> replica_install(self)
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
> line 401, in decorated
> func(installer)
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
> line 1267, in install
> ds = install_replica_ds(config, options, ca_enabled,
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
> line 100, in install_replica_ds
> ds.create_replica(
> File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py",
> line 398, in create_replica
> self.start_creation(runtime=30)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 672, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py",
> line 430, in __setup_replica
> repl.setup_promote_replication(
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line
> 1930, in setup_promote_replication
> raise RuntimeError("Failed to start replication")
>
> 2023-05-24T10:15:04Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: Failed to start replication
> 2023-05-24T10:15:04Z ERROR Failed to start replication
> 2023-05-24T10:15:04Z ERROR The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> ---------------------------------------- master: /var/log/dirsrv/slapd-MY-DOMAIN.COM/error -------------------------------------------------------
>
> [24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> [24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> [24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
> [24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)".
> [24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
> [24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server)
> [24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
> [24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
>
> ---------------------------------------- About system -------------------------------------------------------
> Master and Replica:
> Os: Rocky Linux 9.2
> IPA: 4.10.1
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
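Added example, not part of the original message and not FreeIPA code: the reply above compares a UTC timestamp from ipareplica-install.log with a local-time (+0200) timestamp from the master's dirsrv error log. The sketch below normalises both formats to UTC and reports whether any master entry falls near the replica failure; the sample lines are constructed (shortened) from the formats quoted in the thread, and the function names and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, shortened sample lines in the two timestamp formats from the thread.
REPLICA_LOG = """\
2023-05-24T10:14:50Z DEBUG Waiting up to 300 seconds for replication
2023-05-24T10:15:04Z DEBUG [error] RuntimeError: Failed to start replication
"""
MASTER_LOG = """\
[24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - GSSAPI auth failed
[24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed, error (-11)
"""

INSTALL_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")
DIRSRV_TS = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})\]")


def parse_install_ts(line):
    """ipareplica-install.log: ISO 8601 with a trailing Z, already UTC."""
    m = INSTALL_TS.match(line)
    if not m:
        return None  # wrapped continuation line without a timestamp
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_dirsrv_ts(line):
    """dirsrv error log: local time, nanoseconds, numeric UTC offset."""
    m = DIRSRV_TS.match(line)
    if not m:
        return None
    # %f accepts at most 6 digits, so nanoseconds are truncated; %b assumes English month names.
    stamp = f"{m.group(1)}.{m.group(2)[:6]} {m.group(3)}"
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S.%f %z").astimezone(timezone.utc)


def correlate(replica_log, master_log, window=timedelta(minutes=5)):
    """Return (failure time in UTC, master lines inside the window, gap to the closest master line)."""
    failure = next(t for t in (parse_install_ts(l) for l in replica_log.splitlines()
                               if "Failed to start replication" in l) if t)
    stamped = [(parse_dirsrv_ts(l), l) for l in master_log.splitlines()]
    stamped = [(t, l) for t, l in stamped if t]
    nearby = [l for t, l in stamped if abs(t - failure) <= window]
    gap = min((abs(t - failure) for t, _ in stamped), default=None)
    return failure, nearby, gap


if __name__ == "__main__":
    failure, nearby, gap = correlate(REPLICA_LOG, MASTER_LOG)
    print(f"replica failure (UTC): {failure.isoformat()}")
    print(f"master entries within 5 min: {len(nearby)}; closest entry is {gap} away")
```

With these sample lines the closest master entry is about 27 minutes before the replica failure, so no master entry falls inside the window.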