[Freeipa-users] Replica creation problem - IPv6?
Dimitris Tsompanidis
dimitris.tsompanidis at comeon.com
Thu Mar 15 14:47:39 UTC 2012
On 15/03/2012 16:20, Kelvin Edmison wrote:
>
>
> On 12-03-15 8:36 AM, "Dimitris Tsompanidis"
> <dimitris.tsompanidis at comeon.com> wrote:
>
>> Hi all,
>>
>> I'm trying to set up a FreeIPA replica on a new Fedora 16 VM.
>> The process fails when ipa-replica-install starts checking for connectivity
>> from the master server side towards the new replica.
>>
>>
>> # ipa-replica-install -N /var/lib/ipa/replica-info-ldaps01.example.com.gpg
>> [... lines of output ...]
>> Execute check on remote master
>>
>> Remote master check failed with following error message(s):
>>
>> Connection check failed!
>> Please fix your network settings according to error messages above.
>> If the check results are not valid it can be skipped with --skip-conncheck
>> parameter.
>>
>>
>> Running the connectivity check on its own from the server gives me the
>> following output:
>>
>> Check connection from master to remote replica 'ldaps01.example.com':
>> Directory Service: Unsecure port (389): FAILED
>> Directory Service: Secure port (636): FAILED
>> Kerberos KDC: TCP (88): FAILED
>> Kerberos KDC: UDP (88): OK
>> Kerberos Kpasswd: TCP (464): FAILED
>> Kerberos Kpasswd: UDP (464): OK
>> HTTP Server: Unsecure port (80): FAILED
>> HTTP Server: Secure port (443): FAILED
>> Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443
>>
>>
>> To actually see what's going on, I run 'netstat -tuan' to see what ports are
>> open while ipa-replica-install waits for me to type my admin password (just
>> before the remote master check):
>>
>> [root at ldaps01 ~]# netstat -tuan
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address Foreign Address
>> State
>> tcp 0 0 0.0.0.0:22 0.0.0.0:*
>> LISTEN
>> tcp 0 0 127.0.0.1:25 0.0.0.0:*
>> LISTEN
>> tcp 0 0 192.168.98.10:22 192.168.10.128:12548
>> ESTABLISHED
>> tcp 0 48 192.168.98.10:22 192.168.10.128:12597
>> ESTABLISHED
>> tcp 0 0 :::80 :::*
>> LISTEN
>> tcp 0 0 :::464 :::*
>> LISTEN
>> tcp 0 0 :::88 :::*
>> LISTEN
>> tcp 0 0 :::443 :::*
>> LISTEN
>> tcp 0 0 :::636 :::*
>> LISTEN
>> tcp 0 0 :::389 :::*
>> LISTEN
>> udp 0 0 192.168.98.10:123 0.0.0.0:*
>> udp 0 0 127.0.0.1:123 0.0.0.0:*
>> udp 0 0 0.0.0.0:123 0.0.0.0:*
>> udp 0 0 :::464 :::*
>> udp 0 0 :::88 :::*
>> udp 0 0 :::123 :::*
>>
>> It seems that the replica procedure automatically binds to IPv6 addresses
>> (although I've disabled IPv6 on eth0 and on loopback, remove IPv6 entries from
>> /etc/hosts and /etc/resolve.conf).
>>
>> NTP listens on both ipv4 and ipv6 locahost but that's because I choose to
>> handle it a separate service on its own.
>>
>> FreeIPA server is 2.1.4-5 on both ldap (master) and ldaps01 (slave).
>>
>> Regards,
>> Dimitris
>>
> The problem may be your firewall rules. run
> sudo /sbin/service iptables status
> to see the list of active firewall rules.
>
> Make sure that the list of open ports includes those in this ticket
> https://fedorahosted.org/freeipa/ticket/2110
>
> Regards,
> Kelvin
Firewalls on both machines are disabled and the firewall in between is
wide open, especially in the master->slave direction where I allow
everything.
Dimitris
More information about the Freeipa-users
mailing list