[Freeipa-users] Replica creation problem - IPv6?

Dimitris Tsompanidis dimitris.tsompanidis at comeon.com
Thu Mar 15 14:47:39 UTC 2012


On 15/03/2012 16:20, Kelvin Edmison wrote:
>
>
> On 12-03-15 8:36 AM, "Dimitris Tsompanidis"
> <dimitris.tsompanidis at comeon.com>  wrote:
>
>> Hi all,
>>
>> I'm trying to set up a FreeIPA replica on a new Fedora 16 VM.
>> The process fails when ipa-replica-install starts checking for connectivity
>> from the master server side towards the new replica.
>>
>>
>> # ipa-replica-install -N /var/lib/ipa/replica-info-ldaps01.example.com.gpg
>>   [... lines of output ...]
>>   Execute check on remote master
>>
>>   Remote master check failed with following error message(s):
>>
>>   Connection check failed!
>>   Please fix your network settings according to error messages above.
>>   If the check results are not valid it can be skipped with --skip-conncheck parameter.
>>
>>
>> Running the connectivity check on its own from the server gives me the following output:
>>
>> Check connection from master to remote replica 'ldaps01.example.com':
>>      Directory Service: Unsecure port (389): FAILED
>>      Directory Service: Secure port (636): FAILED
>>      Kerberos KDC: TCP (88): FAILED
>>      Kerberos KDC: UDP (88): OK
>>      Kerberos Kpasswd: TCP (464): FAILED
>>      Kerberos Kpasswd: UDP (464): OK
>>      HTTP Server: Unsecure port (80): FAILED
>>      HTTP Server: Secure port (443): FAILED
>>   Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443
>>
>>
>> To actually see what's going on, I run 'netstat -tuan' to see what ports are open
>> while ipa-replica-install waits for me to type my admin password (just before the
>> remote master check):
>>
>> [root at ldaps01 ~]# netstat -tuan
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address               Foreign Address             State
>> tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
>> tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
>> tcp        0      0 192.168.98.10:22            192.168.10.128:12548        ESTABLISHED
>> tcp        0     48 192.168.98.10:22            192.168.10.128:12597        ESTABLISHED
>> tcp        0      0 :::80                       :::*                        LISTEN
>> tcp        0      0 :::464                      :::*                        LISTEN
>> tcp        0      0 :::88                       :::*                        LISTEN
>> tcp        0      0 :::443                      :::*                        LISTEN
>> tcp        0      0 :::636                      :::*                        LISTEN
>> tcp        0      0 :::389                      :::*                        LISTEN
>> udp        0      0 192.168.98.10:123           0.0.0.0:*
>> udp        0      0 127.0.0.1:123               0.0.0.0:*
>> udp        0      0 0.0.0.0:123                 0.0.0.0:*
>> udp        0      0 :::464                      :::*
>> udp        0      0 :::88                       :::*
>> udp        0      0 :::123                      :::*
>>
>> It seems that the replica procedure automatically binds to IPv6 addresses
>> (although I've disabled IPv6 on eth0 and on loopback, and removed IPv6 entries from
>> /etc/hosts and /etc/resolv.conf).
>>
>> NTP listens on both IPv4 and IPv6 localhost, but that's because I chose to
>> handle it as a separate service on its own.
>>
>>   FreeIPA server is 2.1.4-5 on both ldap (master) and ldaps01 (slave).
>>
>>   Regards,
>>   Dimitris
>>
> The problem may be your firewall rules.  Run
> sudo /sbin/service iptables status
> to see the list of active firewall rules.
>
> Make sure that the list of open ports includes those in this ticket
> https://fedorahosted.org/freeipa/ticket/2110
>
> Regards,
>    Kelvin
Firewalls on both machines are disabled and the firewall in between is 
wide open, especially in the master->slave direction where I allow 
everything.

Dimitris
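The netstat listing and the port check quoted above show the services bound to the IPv6 wildcard (`:::80`, `:::389`, ...) while the master's TCP checks fail. Whether an IPv4 client can reach a socket bound to `::` depends on the IPV6_V6ONLY socket option (on Linux its system-wide default is net.ipv6.bindv6only). The following Python script is an added example written for this page, not code from the thread or from FreeIPA: it parses a constructed netstat-style listing modelled on the one quoted above, reports the ports that have only an IPv6 wildcard listener, and then binds a throwaway listener on `::` locally with IPV6_V6ONLY off and on, connecting to each over IPv4 loopback so the reader can see which behaviour their own host exhibits. The sample text, function names and port choices are assumptions made for the example.

```python
"""Added example (not from the thread): find listeners bound only to the IPv6
wildcard in a netstat listing, and probe the host's dual-stack behaviour."""
import re
import socket

# Constructed sample, modelled on the 'netstat -tuan' output quoted in the
# thread (State column re-joined onto each line).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 192.168.98.10:22            192.168.10.128:12548        ESTABLISHED
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::389                      :::*                        LISTEN
tcp        0      0 :::636                      :::*                        LISTEN
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 :::88                       :::*
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, optional state.
# The local address is matched greedily, so ':::80' splits into '::' and '80'.
LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+(?:\s+(\S+))?$"
)


def parse_listeners(text):
    """Return {(proto, port): {bind addresses}} for listening sockets.

    TCP rows count only in LISTEN state; UDP rows carry no state in netstat
    output and are treated as listeners. Header and established rows are skipped.
    """
    listeners = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        proto, addr, port, state = match.groups()
        if port == "*" or (proto == "tcp" and state != "LISTEN"):
            continue
        listeners.setdefault((proto, int(port)), set()).add(addr)
    return listeners


def ipv6_only_wildcards(listeners):
    """(proto, port) pairs whose only listener is the IPv6 wildcard '::'.

    These are reachable over IPv4 only if the socket was opened with
    IPV6_V6ONLY off; a separate 0.0.0.0 listener would make the question moot.
    """
    return {key for key, addrs in listeners.items() if addrs == {"::"}}


def probe_dual_stack(v6only):
    """Bind a TCP listener on '::' with IPV6_V6ONLY as given, then connect to it
    over IPv4 loopback. Returns True if the IPv4 connection is accepted, False
    if it is refused, and None when the host offers no usable IPv6 socket."""
    opt = getattr(socket, "IPV6_V6ONLY", None)
    if opt is None:
        return None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        srv.setsockopt(socket.IPPROTO_IPV6, opt, 1 if v6only else 0)
        try:
            srv.bind(("::", 0))  # port 0: let the kernel pick a free port
        except OSError:
            return None
        srv.listen(1)
        port = srv.getsockname()[1]
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(2)
        try:
            cli.connect(("127.0.0.1", port))
            return True
        except OSError:
            return False
        finally:
            cli.close()


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for proto, port in sorted(ipv6_only_wildcards(found)):
        print(f"{proto}/{port}: listens on :: only (no IPv4 listener)")
    print("IPv4 client reaches '::' listener with IPV6_V6ONLY=0:", probe_dual_stack(False))
    print("IPv4 client reaches '::' listener with IPV6_V6ONLY=1:", probe_dual_stack(True))
```

Run as-is on the replica (or feed it real `netstat -tuan` output instead of the sample) to see whether the `:::389`-style listeners are the dual-stack kind; if the probe with IPV6_V6ONLY=0 succeeds on the host, an IPv6 wildcard bind by itself does not explain refused IPv4 TCP connections, and the name resolution used by the master's check becomes the next thing to look at.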
