[Freeipa-users] ipa replica install fails

Rajnesh Kumar Siwal rajnesh.siwal at gmail.com
Tue Feb 5 13:18:50 UTC 2013


We are trying to set up the IPA replication but it says "Connection
check failed!".
We disabled the firewall and found the same result.

-----------------------------------------------------------------------------------------------------------------------
[root@ipa2 /]# ipa-replica-install -d --setup-ca --setup-dns
--forwarder 64.71.0.60 /var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
ipa         : DEBUG    /usr/sbin/ipa-replica-install was invoked with
argument "/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg" and options:
{'no_forwarders': False, 'conf_ssh': False, 'conf_sshd': False,
'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False,
'unattended': False, 'no_host_dns': False, 'ip_address': None,
'no_reverse': False, 'setup_dns': True, 'create_sshfp': True,
'setup_ca': True, 'forwarders': [CheckedIPAddress('64.71.0.60')],
'debug': True, 'conf_ntp': True, 'skip_conncheck': False}
ipa         : DEBUG    Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa         : DEBUG    Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipa         : DEBUG    Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
Directory Manager (existing master) password:

ipa         : DEBUG    args=/usr/bin/gpg --batch --homedir
/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg --passphrase-fd 0 --yes --no-tty
-o /tmp/tmpRGaqDpipa/files.tar -d
/var/lib/ipa/replica-info-ipa2.xyz.dmz.gpg
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=gpg: WARNING: unsafe permissions on
homedir `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg'
gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpRGaqDpipa/ipa-A3XOq7/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

ipa         : DEBUG    args=tar xf /tmp/tmpRGaqDpipa/files.tar -C
/tmp/tmpRGaqDpipa
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
Run connection check to master
Check connection from replica to remote master 'ipa1.xyz.dmz':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@XYZ.DMZ password:

Execute check on remote master
admin@ipa1.xyz.dmz's password:

Remote master check failed with following error message(s):

ipa         : DEBUG    args=/usr/sbin/ipa-replica-conncheck --master
ipa1.xyz.dmz --auto-master-check --realm XYZ.DMZ --principal admin
--hostname ipa2.xyz.dmz --check-ca
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Please suggest



