[Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) matthew.joseph at lmco.com
Wed Apr 10 11:55:05 UTC 2013


Hey,

I'm still trying to figure out this error but I am getting nothing.
Anyone have any suggestions or ideas on why this is failing?

Matt

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Monday, April 08, 2013 12:30 PM
To: Nathan Kinder
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Hey,

Yup, the client side says the following;

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Matt

From: Nathan Kinder [mailto:nkinder at redhat.com]
Sent: Monday, April 08, 2013 12:28 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users at redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> So on the IPA server under the access logs I am getting the following error.
>
> Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)
>
> Any ideas?
Does the access log on the receiving side show a connection attempt from the master at the same time?  The access log will be located at /var/log/dirsrv/slapd-<DOMAIN>/access.

-NGK

> Matt

From: Nathan Kinder [mailto:nkinder at redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.
>
> Here are the steps I ran (from the Red Hat 6.3 IdM Administration Guide):
> ------------------------
> IPA_Server:
> ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
> scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>
> IPA_Replica:
> ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
> ------------------------------
>
> Below is the error I am getting when running ipa-replica-install:
>
>
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'IPA_Server.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at domain.ca password:
>
> Execute check on remote master
> Check connection from master to remote replica 'IPA_Replica.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/13]: creating certificate server user
>   [2/13]: creating pki-ca instance
>   [3/13]: configuring certificate server instance
>   [4/13]: disabling nonces
>   [5/13]: creating RA agent certificate database
>   [6/13]: importing CA chain to RA certificate database
>   [7/13]: fixing RA database permissions
>   [8/13]: setting up signing cert profile
>   [9/13]: set up CRL publishing
>   [10/13]: set certificate subject base
>   [11/13]: enabling Subject Key Identifier
>   [12/13]: configuring certificate server to start on boot
>   [13/13]: Configure HTTP to proxy connections
> done configuring pki-cad.
> Restarting the directory and certificate servers
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
>   [17/30]: configuring certmap.conf
>   [18/30]: configure autobind for root
>   [19/30]: configure new location for managed entries
>   [20/30]: restarting directory server
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [IPA_Server.domain.ca] reports: Update failed! Status: [-11  - System error]
> creation of replica failed: Failed to start replication
>
> Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error:
>
> NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.
This is probably just fallout from the replica initialization failure.  If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

>
> Any thoughts or ideas on this issue? Searching Google I don't see anyone getting the "Status: -11 - System Error".
There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error".  The -11 is a connection error.  Here is how it is defined in /usr/include/ldap.h:

    #define LDAP_CONNECT_ERROR                              (-11)

It sounds like this connection error is occurring when it tries to initialize the replica.  It might help to enable replication level logging on the master, then try to run ipa-replica-install again.  The errors in the 389 DS errors log might point to the problem.  To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

> Thanks,
>
> Matt
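The thread above ends on two concrete checks: turning replication-level logging on (and back off) on the master with the LDIF Nathan posted, and the access-log line "Peer does not recognize and trust the CA that issued your certificate", which points at the TLS trust store rather than at replication itself. The script below is an added example, not code from the thread or from the FreeIPA project. It wraps the LDIF in a shell helper that applies it with ldapmodify, and adds a parser for `certutil -L` output that reports whether a given CA nickname carries the C (trusted CA for SSL) flag in an NSS database. The instance directory /etc/dirsrv/slapd-DOMAIN, the nickname "EXAMPLE.COM IPA CA", and the certutil output used as sample input are all assumptions or constructed data, labelled as such in the comments.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers for the situation discussed:
#  1. errorlog_ldif / set_errorlog_level: the nsslapd-errorlog-level change
#     from Nathan's reply (8192 = replication logging, 0 = back to default),
#  2. ca_trusted_for_ssl: parse `certutil -L -d <nssdb>` output and check that
#     a CA nickname is trusted for SSL, the usual first check when the access
#     log says the peer does not recognize and trust the issuing CA.
# Assumptions: the 389-ds NSS database lives in /etc/dirsrv/slapd-DOMAIN and the
# IPA CA is stored under nickname "EXAMPLE.COM IPA CA" (both hypothetical here).

# Print an LDIF that sets nsslapd-errorlog-level to $1.
errorlog_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-errorlog-level\nnsslapd-errorlog-level: %s\n' "$1"
}

# Apply the LDIF as Directory Manager over plain LDAP on localhost. Only runs
# when ldapmodify is installed; -W prompts for the password instead of putting
# it on the command line where it would show up in `ps` and shell history.
set_errorlog_level() {
    command -v ldapmodify >/dev/null 2>&1 || { echo "ldapmodify not installed" >&2; return 2; }
    errorlog_ldif "$1" | ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W
}

# Read `certutil -L` output on stdin; return 0 if the certificate named in $1 is
# present and its SSL trust flags (first of the three comma-separated groups)
# contain C, i.e. it is a trusted CA for server authentication. Nicknames may
# contain spaces, so the flags are taken as the last whitespace-separated field
# and the nickname is whatever precedes them.
ca_trusted_for_ssl() {
    awk -v nick="$1" '
        {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+$/, "", line)   # drop the trailing trust-flags field
            if (line == nick) {
                split(flags, f, ",")
                if (f[1] ~ /C/) { found = 1 } else { found = 2 }
            }
        }
        END { if (found == 1) exit 0; else exit 1 }'
}

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-DOMAIN` output (not
# captured from a real system). "u,u,u" marks the server's own key; "CT,C,C" is
# a trusted CA; ",," is a certificate present but not trusted for anything.
sample_certutil_output() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
Some Other CA                                                ,,
EOF
}

# Demonstration on the constructed sample; no certutil or ldapmodify needed.
errorlog_ldif 8192
if sample_certutil_output | ca_trusted_for_ssl "EXAMPLE.COM IPA CA"; then
    echo "EXAMPLE.COM IPA CA: trusted for SSL in the sample database"
fi
if ! sample_certutil_output | ca_trusted_for_ssl "Some Other CA"; then
    echo "Some Other CA: present but NOT trusted for SSL (would trigger the peer-trust error)"
fi
```

On a real host you would replace the sample with `certutil -L -d /etc/dirsrv/slapd-DOMAIN | ca_trusted_for_ssl "EXAMPLE.COM IPA CA"` on each side of the agreement, since the replica rejecting the master's certificate is exactly what the client-side access log in this thread reports; and remember to run `set_errorlog_level 0` once the replication debugging is done.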




_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

