[Freeipa-devel] Proxy/Port work status

Adam Young adam at younglogic.com
Thu Aug 25 02:29:01 UTC 2011


Had some success earlier today, but I seem to be unable to replicate 
it.  I've been working with the "full" proxy.conf file lately, and even 
that seems to be preventing a replica.  It is quite possible that the 
problem is something on one of the two systems, as I've found that 
install/uninstall often leaves some of the files being owned by 
non-existent users.   At this point, I'm not sure if the patch I've 
submitted will work on a vanilla system.  Testing it has proven to be a 
pretty time consuming endeavour.


Here's what I've gotten it down to:

On one machine, run

ipa-server-install -U -r `hostname | tr '[:lower:]' '[:upper:]'` -p freeipa4all -a freeipa4all --setup-dns --no-forwarders


Once that succeeds, I have to reset /etc/resolv.conf as the lab DNS 
server gets removed:

cp ~/resolve.conf /etc

then

ipa-replica-prepare $REPLICA

scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:

On the replica:

ipa-replica-install  --setup-ca  replica-info-$HOSTNAME.gpg

I have firewall off on master and replica


At one point I had a replica install that worked with the Proxy, so I 
know it is possible, but for the last couple of hours this last command 
has been failing with:

creation of replica failed: Configuration of CA failed



pkisilent reports the failure in the debug log, but not the URL it is 
trying to reach.  I'm going to modify it to give some more information 
in the morning.


I'm not seeing anything in /var/log/httpd/error|access.log  on the 
master, which is weird.


I see this in /var/log/ipareplica-conncheck.log.   We should not be 
trying to do anything in /home/admin


2011-08-24 21:52:18,544 DEBUG stderr=
2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o 
StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null 
admin at vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck 
--replica vm-116.idm.lab.bos.redhat.com --check-ca
2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to 
remote replica 'vm-116.idm.lab.bos.redhat.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos (88): OK
    PKI-CA: Directory Service port (7389): OK
    PKI-CA: Agent secure port (9443): OK
    PKI-CA: EE secure port (9444): OK
    PKI-CA: Admin secure port (9445): OK
    PKI-CA: EE secure client auth port (9446): OK
    PKI-CA: Unsecure port (9180): OK

Connection from master to replica is OK.

2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory 
/home/admin: No such file or directory



Ade Lee noticed that the replica install is failing before it ever 
attempts to talk to the Master,  which corresponds with what I am 
seeing.  I see in the PKI install log that

[2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad 
restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED]
Starting pki-ca: [  OK  ]^M"


Running this command by hand gets the same output.

In  less /var/log/pki-ca/catalina.out

  /var/lib/pki-ca/logs/catalina.out: Permission denied
/var/log/pki-ca/catalina.out (END)


So it looks like another cleanup issue.
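
Added example, not part of the original post: a Python check (Python being the language of the IPA installers) that lists files whose owning UID or GID no longer resolves, which is the leftover state the post describes after install/uninstall. The two default directories are taken from the paths quoted in the post; find_orphans and its parameters are hypothetical names.

```python
import grp
import os
import pwd

# Directories named in the post; assumed here to be where a pki-ca
# uninstall may leave files behind.
DEFAULT_ROOTS = ("/var/lib/pki-ca", "/var/log/pki-ca")


def _uid_exists(uid):
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def _gid_exists(gid):
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def find_orphans(roots=DEFAULT_ROOTS, uid_exists=_uid_exists, gid_exists=_gid_exists):
    """Return sorted (path, uid, gid) tuples whose owner or group is unknown."""
    orphans = []
    for root in roots:
        if not os.path.lexists(root):
            continue  # nothing left behind under this root
        paths = [root]
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
            paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
        for path in paths:
            try:
                st = os.lstat(path)  # lstat: report the symlink, not its target
            except OSError:
                continue  # vanished or unreadable; run as root for full coverage
            if not (uid_exists(st.st_uid) and gid_exists(st.st_gid)):
                orphans.append((path, st.st_uid, st.st_gid))
    return sorted(orphans)


if __name__ == "__main__":
    for path, uid, gid in find_orphans():
        print(f"{uid}:{gid}\t{path}")
```

Run as root before a reinstall; any path printed is owned by an account that was removed and may end up unreadable to the recreated service user.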




