[Freeipa-users] IPA 4.4 replica installation failing

thierry bordaz tbordaz at redhat.com
Fri Nov 18 10:08:23 UTC 2016



On 11/18/2016 09:16 AM, Martin Babinsky wrote:
> On 11/17/2016 03:51 PM, Baird, Josh wrote:
>> Hi all,
>>
>> In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new 
>> replica, and I seem to be hitting something similar to #5412 [1].
>>
>> The 'ipa-replica-install' is getting stuck on:
>>
>>   [4/26]: creating installation admin user
>>
>> Dirsrv error logs on the new replica:
>>
>> [17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - 
>> agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): 
>> Unable to acquire replica: permission denied. The bind dn "" does not 
>> have permission to supply replication updates to the replica. Will 
>> retry later.
>>
>> Dirsrv access logs on existing master:
>>
>> [17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 
>> tag=101 nentries=0 etime=0
>> [17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
>> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
>> scope=0 filter="(objectClass=*)" attrs=ALL
>> [17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 
>> tag=101 nentries=0 etime=0
>> [17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
>> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
>> scope=0 filter="(objectClass=*)" attrs=ALL
>> [17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 
>> tag=101 nentries=0 etime=0
>> [17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
>> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
>> scope=0 filter="(objectClass=*)" attrs=ALL
>> [17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 
>> tag=101 nentries=0 etime=0
>> [17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
>> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
>> scope=0 filter="(objectClass=*)" attrs=ALL
>> [17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 
>> tag=101 nentries=0 etime=0
>>
>> Dirsrv logs on the existing master:
>>
>> [17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - 
>> conn=120 op=13 replica="o=ipaca": Unable to acquire replica: error: 
>> permission denied
>> [17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - 
>> conn=123 op=5 replica="o=ipaca": Unable to acquire replica: error: 
>> permission denied
>> [17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - 
>> conn=130 op=5 replica="o=ipaca": Unable to acquire replica: error: 
>> permission denied
>>
>> Has anyone else experienced this issue?
>>
>> Thanks,
>>
>> Josh
>>
>> [1] https://fedorahosted.org/freeipa/ticket/5412
>>
>>
> Hi Josh,
>
> in the original ticket the issue was occurring when creating CA replica 
> against 7.2 master upgraded to 7.3 with domain level raised to 1. Do 
> you have the same scenario?
>
> Also, during the stuck installation can you check for the presence of 
> replica's LDAP principal in 'nsds5replicabinddn' attribute on master's 
> 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?
>
> I would also check for the reverse, i.e. if the master's LDAP 
> principal is in the 'nsds5replicabinddn' attribute on replica's 
> 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.
>
Hi Josh,

Replica agreements in both directions should use GSSAPI authentication with 
accounts in 'cn=replication managers,cn=sysaccounts,cn=etc,<suffix>'.
Would you check the members (on master and replica) of this entry and 
see if it contains the expected principals?

regards
thierry
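
The checks suggested in this thread can be scripted; the following is an added example, not part of the original messages or of FreeIPA's own code. It assumes LDIF text as printed by `ldapsearch -LLL`, and the host names, realm, DNs and function names are constructed for illustration.

```python
import base64

# Constructed sample DNs; real ones come from your own realm and suffix.
MASTER = ("krbprincipalname=ldap/master.example.test@EXAMPLE.TEST,"
          "cn=services,cn=accounts,dc=example,dc=test")
REPLICA = ("krbprincipalname=ldap/replica.example.test@EXAMPLE.TEST,"
           "cn=services,cn=accounts,dc=example,dc=test")

# Constructed `ldapsearch -LLL -s base` output for the master's o=ipaca replica
# entry: only the master's own principal is listed, and the value is folded.
SAMPLE_MASTER_ENTRY = r"""dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/master.example.test@EXAMPLE.TEST,cn=s
 ervices,cn=accounts,dc=example,dc=test
"""

def ldif_values(ldif_text, attr):
    """Return every value of attr in LDIF text, unfolding wrapped lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # continuation of previous line
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):              # "attr:: <base64 value>"
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def norm_dn(dn):
    """Comparison key: lower-case, no spaces around RDN separators.
    Assumes no escaped commas, which holds for these service DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def missing_principals(ldif_text, attr, expected):
    """Return the expected DNs that do not appear as values of attr."""
    present = {norm_dn(v) for v in ldif_values(ldif_text, attr)}
    return [dn for dn in expected if norm_dn(dn) not in present]

if __name__ == "__main__":
    for dn in missing_principals(SAMPLE_MASTER_ENTRY, "nsds5replicabinddn",
                                 [MASTER, REPLICA]):
        print("missing from nsds5replicabinddn:", dn)
```

The same function covers the group check by passing the LDIF of 'cn=replication managers,cn=sysaccounts,cn=etc,<suffix>' with `member` as the attribute.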



