Hi all
I have two CentOS 8 servers. One is installed and configured as master and AD trust controller. The second one I'm trying to configure as a replica, but whatever I do, the replica server fails to start.
Environment:
OS: CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
Replica install is started with:
# ipa-replica-install -v --principal admin -p XXXXX --domain ipamaster01.example.com --server ipamaster01.example.com --setup-ca --setup-adtrust
The client install goes well, but the server stops at :
Starting replication, please wait until this has completed. Update in progress, 15 seconds elapsed [ldap://ipamaster01.example.com:389] reports: Update failed! Status: [Error (-2) - LDAP error: Local error - no response received]
On the ipareplica-install.log, last entries are:
2020-04-14T08:29:13Z DEBUG Created connection context.ldap2_139862275887680
2020-04-14T08:29:13Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-04-14T08:29:13Z DEBUG retrieving schema for SchemaCache url=ldap://ipamaster01.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f34367c7080>
2020-04-14T08:29:13Z DEBUG Successfully updated nsDS5ReplicaId.
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc=ipamaster01,dc=example,dc=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Added replica config cn=replica,cn=dc=ipamaster01,dc=example,dc=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc=ipamaster01,dc=example,dc=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG No update to cn=replica,cn=dc=ipamaster01,dc=example,dc=com,cn=mapping tree,cn=config necessary
2020-04-14T08:29:13Z DEBUG Waiting for replication (ldapi://%2Fvar%2Frun%2Fslapd-IPAMASTER01-EXAMPLE-COM.socket) cn=meToipamaster01.example.com,cn=replica,cn=dc=ipamaster01,dc=example,dc=com,cn=mapping tree,cn=config (objectclass=*)
2020-04-14T08:29:13Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToipamaster01.example.com,cn=replica,cn=dc=ipamaster01,dc=example,dc=com,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meToipamaster01.example.com'], 'nsDS5ReplicaHost': [b'ipamaster01.example.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=ipamaster01,dc=example,dc=com'], 'description': [b'me to ipamaster01.example.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2020-04-14T08:29:13Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
2020-04-14T08:29:29Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 427, in __setup_replica
    cacert=self.ca_file
  File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 1860, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
I can query both ldap servers on the master and replica with :
ldapsearch -h ldap://ipamaster01.example.com -p 389 -Y GSSAPI -b "" -s base -W
ldapsearch -h ldap://ipareplica01.example.com -p 389 -Y GSSAPI -b "" -s base -W
At this point, I've really run out of options. Could someone tell me what I'm doing wrong?
Cheers Alex
On 4/14/20 6:04 AM, Alexandru David via FreeIPA-users wrote:
Hi all
I have two CentOS 8 servers. One is installed and configured as master and AD trust controller. The second one I'm trying to configure as a replica, but whatever I do, the replica server fails to start.
Environment:
OS: CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
Replica install is started with:
# ipa-replica-install -v --principal admin -p XXXXX --domain ipamaster01.example.com --server ipamaster01.example.com --setup-ca --setup-adtrust
The client install goes well, but the server stops at :
Starting replication, please wait until this has completed. Update in progress, 15 seconds elapsed [ldap://ipamaster01.example.com:389] reports: Update failed! Status: [Error (-2) - LDAP error: Local error - no response received]
Can you provide clips from the Directory Server access and errors logs from this time? /var/log/dirsrv/slapd-YOUR_INSTANCE/
Start by looking in the access log for "err=82", this is the "local" error code. Please provide an access log clip from this time. Then provide an errors log clip from the exact same time. There should be a corresponding message in the errors log that explains the "local error". I suspect it's coming from a bind (SSL client auth issue), but we'll see...
Thanks,
Mark
Cheers
Alex
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
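Mark's procedure above (find the err=82 RESULT in the 389-ds access log, then read the errors-log lines from the same instant) is mechanical enough to script. The following is an added example written for this thread; it is not code from the 389-ds or FreeIPA projects. The access-log lines in it are constructed to look like a failed SASL/GSSAPI bind; the errors-log lines are the ones Alex posted from the master later in the thread. It assumes both logs use the default 389-ds timestamp format and share a clock, so a window of two seconds is enough to pair them.

```python
"""Correlate 389-ds access-log RESULT lines carrying err=82 (LDAP "Local error")
with the BIND they answer and with errors-log entries from the same moment.

Added example for this thread, not code from FreeIPA or 389-ds. ACCESS_SAMPLE is
constructed; ERRORS_SAMPLE is the master's errors log as posted in the thread.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# [14/Apr/2020:11:21:00.257655895 +0000] ...  (fraction is 6 or 9 digits)
TS_RE = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-])(\d{2})(\d{2})\]")
# access-log operations: "conn=27 op=0 BIND ..." / "conn=27 op=0 RESULT err=82 ..."
OP_RE = re.compile(r"conn=(\d+) op=(-?\d+) ([A-Z]+)(.*)$")

Event = namedtuple("Event", "ts conn op kind rest")


def parse_ts(line):
    """Return the line's timestamp as a naive UTC datetime, or None."""
    m = TS_RE.match(line)
    if m is None:
        return None
    base = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    micros = int(m.group(2)[:6].ljust(6, "0"))          # ns -> us
    offset = timedelta(hours=int(m.group(4)), minutes=int(m.group(5)))
    if m.group(3) == "-":
        offset = -offset
    return base + timedelta(microseconds=micros) - offset   # local -> UTC


def parse_access(lines):
    """Yield an Event for every access-log line that carries conn/op fields."""
    for line in lines:
        ts = parse_ts(line)
        m = OP_RE.search(line)
        if ts is None or m is None:
            continue
        yield Event(ts, int(m.group(1)), int(m.group(2)), m.group(3), m.group(4).strip())


def find_local_errors(access_lines, errors_lines, window=timedelta(seconds=2)):
    """Pair each RESULT err=82 with its BIND (same conn/op) and with the
    errors-log lines that fall within +/- window of the RESULT timestamp."""
    binds, hits = {}, []
    for ev in parse_access(access_lines):
        if ev.kind == "BIND":
            binds[(ev.conn, ev.op)] = ev
        elif ev.kind == "RESULT" and re.search(r"\berr=82\b", ev.rest):
            bind = binds.get((ev.conn, ev.op))
            related = [line for line in errors_lines
                       if parse_ts(line) is not None
                       and abs(parse_ts(line) - ev.ts) <= window]
            hits.append({"when": ev.ts, "conn": ev.conn, "op": ev.op,
                         "bind": bind.rest if bind else None, "errors": related})
    return hits


# Constructed access-log excerpt (not from the thread): one GSSAPI bind that
# fails with err=82 and one that succeeds.
ACCESS_SAMPLE = """\
[14/Apr/2020:11:21:00.251002 +0000] conn=27 fd=64 slot=64 connection from 192.168.200.107 to 192.168.200.108
[14/Apr/2020:11:21:00.252118 +0000] conn=27 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Apr/2020:11:21:00.257900 +0000] conn=27 op=0 RESULT err=82 tag=97 nentries=0 etime=0.005782
[14/Apr/2020:11:21:00.258310 +0000] conn=27 op=1 UNBIND
[14/Apr/2020:11:21:00.258402 +0000] conn=27 op=1 fd=64 closed - U1
[14/Apr/2020:11:21:05.100000 +0000] conn=28 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Apr/2020:11:21:05.100500 +0000] conn=28 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000500 dn="uid=admin,cn=users,cn=accounts,dc=ipamaster01,dc=example,dc=com"
"""

# Errors-log lines as posted from the master in this thread.
ERRORS_SAMPLE = """\
[14/Apr/2020:11:21:00.257655895 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:21.285497624 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:37.327494957 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 1 seconds.
"""

if __name__ == "__main__":
    for hit in find_local_errors(ACCESS_SAMPLE.splitlines(), ERRORS_SAMPLE.splitlines()):
        print(f"{hit['when']:%H:%M:%S} conn={hit['conn']} op={hit['op']} bind: {hit['bind']}")
        for line in hit["errors"]:
            print("   ", line)
```

Run it against the real files with `find_local_errors(open(access).readlines(), open(errors).readlines())`; the bind line tells you which mechanism and identity failed, and the errors-log line within the window is the one Mark asks for. Widen the window if the two logs are rotated or buffered differently.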
Hi Mark
This is what I have on the master error log during replica install:
[14/Apr/2020:11:21:00.257655895 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:21.285497624 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:27.293626669 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[14/Apr/2020:11:21:37.327494957 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 1 seconds.
[14/Apr/2020:11:21:38.385987336 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 2 seconds.
[14/Apr/2020:11:21:40.398179033 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 3 seconds.
[14/Apr/2020:11:21:43.407848477 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 4 seconds.
[14/Apr/2020:11:21:47.419790763 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 5 seconds.
on the replica error log there are no ERR logs only INFO and WARN and the logs ends with :
[14/Apr/2020:11:21:34.981330893 +0000] - INFO - main - 389-Directory/1.4.1.3 B2019.323.229 starting up
[14/Apr/2020:11:21:35.022977416 +0000] - INFO - main - Setting the maximum file descriptor limit to: 4096
[14/Apr/2020:11:21:35.803769888 +0000] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[14/Apr/2020:11:21:35.874697893 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[14/Apr/2020:11:21:35.927003711 +0000] - NOTICE - ldbm_back_start - found 12128704k physical memory
[14/Apr/2020:11:21:36.006415484 +0000] - NOTICE - ldbm_back_start - found 11445168k available
[14/Apr/2020:11:21:36.048090360 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 303217k
[14/Apr/2020:11:21:36.123061153 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (1 total): 851968k
[14/Apr/2020:11:21:36.350166036 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (1 total): 131072k
[14/Apr/2020:11:21:36.599188174 +0000] - NOTICE - ldbm_back_start - total cache size: 1255028817 B;
[14/Apr/2020:11:21:36.745618576 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[14/Apr/2020:11:21:36.781112735 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[14/Apr/2020:11:21:36.806422732 +0000] - INFO - slapd_daemon - Listening on /var/run/slapd-IPAMASTER01-EXAMPLE-COM.socket for LDAPI requests
[14/Apr/2020:11:21:37.309999728 +0000] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meToipamaster01.example.com" (ipamaster01:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
But the interesting part is on master :
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -h ipareplica01.example.com -b "" -s base
SASL/GSSAPI authentication started
[14335] 1586874293.284426: ccselect can't find appropriate cache for server principal ldap/ipareplica01.example.com@EXAMPLE.COM
[14335] 1586874293.284427: Getting credentials admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@EXAMPLE.COM using ccache KCM:0
[14335] 1586874293.284428: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284429: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284430: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM from KCM:0 with result: 0/Success
[14335] 1586874293.284431: Starting with TGT for client realm: admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284432: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284433: Requesting TGT krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM using TGT krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284434: Generated subkey for TGS request: aes256-cts/8B0E
[14335] 1586874293.284435: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14335] 1586874293.284437: Encoding request body and padata into FAST request
[14335] 1586874293.284438: Sending request (1569 bytes) to IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284439: Initiating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284440: Sending TCP request to stream 192.168.200.107:88
[14335] 1586874293.284441: Received answer (461 bytes) from stream 192.168.200.107:88
[14335] 1586874293.284442: Terminating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284443: Response was from master KDC
[14335] 1586874293.284444: Decoding FAST response
[14335] 1586874293.284445: TGS request result: -1765328377/Server krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM not found in Kerberos database
[14335] 1586874293.284446: Trying next closer realm in path: EXAMPLE.COM
[14335] 1586874293.284447: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KCM:0 with result: -1765328243/Matching credential not found
[14335] 1586874293.284448: Requesting TGT krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM using TGT krbtgt/IPAMASTER01.EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284449: Generated subkey for TGS request: aes256-cts/E193
[14335] 1586874293.284450: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14335] 1586874293.284452: Encoding request body and padata into FAST request
[14335] 1586874293.284453: Sending request (1569 bytes) to IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284454: Initiating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284455: Sending TCP request to stream 192.168.200.107:88
[14335] 1586874293.284456: Received answer (461 bytes) from stream 192.168.200.107:88
[14335] 1586874293.284457: Terminating TCP connection to stream 192.168.200.107:88
[14335] 1586874293.284458: Response was from master KDC
[14335] 1586874293.284459: Decoding FAST response
[14335] 1586874293.284460: TGS request result: -1765328377/Server krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM not found in Kerberos database
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM not found in Kerberos database)
and on replica:
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -h ipareplica01.example.com -b "" -s base
SASL/GSSAPI authentication started
[6124] 1586874420.464854: ccselect module realm chose cache KCM:0 with client principal admin@IPAMASTER01.EXAMPLE.COM for server principal ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM
[6124] 1586874420.464855: Getting credentials admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM using ccache KCM:0
[6124] 1586874420.464856: Retrieving admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM from KCM:0 with result: 0/Success
[6124] 1586874420.464858: Creating authenticator for admin@IPAMASTER01.EXAMPLE.COM -> ldap/ipareplica01.example.com@IPAMASTER01.EXAMPLE.COM, seqnum 602124589, subkey aes256-cts/EDE8, session key aes256-cts/8C19
[6124] 1586874420.464863: Read AP-REP, time 1586874420.464859, subkey aes256-cts/57FE, seqnum 837693153
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Best Alex
On Tue, 14 Apr 2020, Alexandru David via FreeIPA-users wrote:
Hi all
I have two CentOS 8 servers. One is installed and configured as master and AD trust controller. The second one I'm trying to configure as a replica, but whatever I do, the replica server fails to start.
Environment:
OS: CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
Replica install is started with:
# ipa-replica-install -v --principal admin -p XXXXX --domain ipamaster01.example.com --server ipamaster01.example.com --setup-ca --setup-adtrust
Let's stop here. Why are you using ipamaster01.example.com as a domain?
Your domain (and realm) would be example.com and EXAMPLE.COM correspondingly.
On Tue, 14 Apr 2020, Alexandru David via FreeIPA-users wrote:
Let's stop here. Why are you using ipamaster01.example.com as a domain?
The server was installed with:
# ipa-server-install -a XXXXXXXXXXXXX -p YYYYYYYYYYY --domain=ipamaster01.example.com --realm=IPAMASTER01.EXAMPLE.COM -U
Your domain (and realm) would be example.com and EXAMPLE.COM correspondingly.
On Tue, 14 Apr 2020, Alexandru David via FreeIPA-users wrote:
On Tue, 14 Apr 2020, Alexandru David via FreeIPA-users wrote:
Let's stop here. Why are you using ipamaster01.example.com as a domain?
the server was installed with
#ipa-server-install -a XXXXXXXXXXXXX -p YYYYYYYYYYY --domain=ipamaster01.example.com --realm=IPAMASTER01.EXAMPLE.COM -U
So, any particular reason why you chose that realm/domain?
This is important. The realm is fixed forever, and the primary domain is fixed to be the same as the realm. In your replica deployment and the other logs provided, somehow your realm is EXAMPLE.COM while the original realm is IPAMASTER01.EXAMPLE.COM.
Why are you using the first master's machine's hostname as a domain and realm here?
Is there any particular reason you want this configuration?
Your domain (and realm) would be example.com and EXAMPLE.COM correspondingly.
On Tue, 14 Apr 2020, Alexandru David via FreeIPA-users wrote:
So, any particular reason why you chose that realm/domain?
this is important. The realm is fixed forever, and primary domain is fixed to be the same as the realm. In your replica deployment and other logs provided somehow your realm is EXAMPLE.COM while original realm is IPAMASTER01.EXAMPLE.COM.
Why are you using the first master's machine's hostname as a domain and realm here?
Because both IPA and AD are deployed in same domain.
Is there any particular reason you want this configuration?
On Wed, 15 Apr 2020, Alexandru David via FreeIPA-users wrote:
On Tue, 14 Apr 2020, Alexandru David via FreeIPA-users wrote:
So, any particular reason why you chose that realm/domain?
this is important. The realm is fixed forever, and primary domain is fixed to be the same as the realm. In your replica deployment and other logs provided somehow your realm is EXAMPLE.COM while original realm is IPAMASTER01.EXAMPLE.COM.
Why are you using the first master's machine's hostname as a domain and realm here?
Because both IPA and AD are deployed in same domain.
This is not supported.
Either you move IPA into a subdomain of the AD DNS zone, or it is not really doable without hacks that would break you horribly going forward.
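The KRB5_TRACE output from the master and the replica, together with the point made above that the realm and the primary domain are fixed to each other, can be reproduced with two small pieces of client-side Kerberos logic: how a service hostname is mapped to a realm, and which cross-realm path the client walks when the realm it picked is not its own. The script below is an added example written for this thread, not FreeIPA or MIT krb5 code. It re-implements, in plain Python, the MIT [domain_realm] longest-suffix lookup with its fallback to the upper-cased parent DNS domain, and the hierarchical cross-realm path used when no [capaths] is configured. The [domain_realm] tables in it are assumptions about what ipa-client-install left in the two hosts' krb5.conf (the thread does not show those files), and whether the master's EXAMPLE.COM came from an explicit entry or from the fallback heuristic cannot be told from the trace; with either, the outcome is the request seen in the trace.

```python
"""Why the master asked its own KDC for krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM.

Added example for this thread; not FreeIPA or MIT krb5 code. Re-implements:
  1. service host -> realm: [domain_realm] longest-suffix match, falling back to
     the upper-cased parent DNS domain when nothing matches and DNS lookup is off;
  2. the hierarchical cross-realm path MIT krb5 walks with no [capaths].
The [domain_realm] tables below are assumptions, not the thread's krb5.conf files.
"""


def host_realm(hostname, domain_realm, fallback=True):
    """Return the realm for a service host.

    The full hostname is looked up first, then each parent domain with and
    without its leading dot (".example.com", "example.com", ".com", "com").
    With no match, the fallback is the upper-cased parent domain."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in domain_realm:
                return domain_realm[key]
    if fallback and len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return None


def hierarchical_path(client_realm, server_realm):
    """Realm chain from client_realm to server_realm without [capaths]:
    climb from the client realm to the closest common domain suffix, then
    descend to the server realm. Each adjacent pair is one cross-realm TGT."""
    if client_realm.upper() == server_realm.upper():
        return [client_realm]
    c, s = client_realm.split("."), server_realm.split(".")
    n = 0                                    # length of the common suffix
    while n < min(len(c), len(s)) and c[-1 - n].upper() == s[-1 - n].upper():
        n += 1
    up = [".".join(c[i:]) for i in range(0, len(c) - n + (1 if n else 0))]
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, -1, -1)]
    return up + down


def explain_bind(client_realm, service_host, domain_realm):
    """What a GSSAPI bind from client_realm to ldap/service_host will try:
    the realm chosen for the service principal, the direct cross-realm TGT
    asked for first (krbtgt/SERVER_REALM@CLIENT_REALM, the request in the
    trace), and the hierarchical path walked hop by hop if that fails."""
    server_realm = host_realm(service_host, domain_realm)
    return {
        "service_principal": f"ldap/{service_host}@{server_realm}",
        "direct_tgt": f"krbtgt/{server_realm}@{client_realm}",
        "path": hierarchical_path(client_realm, server_realm),
        "cross_realm": server_realm.upper() != client_realm.upper(),
    }


# Assumed krb5.conf [domain_realm] tables (not the thread's files).
# ipa-client-install writes entries for the IPA domain it was given, here
# ipamaster01.example.com, so the parent zone example.com stays unmapped.
MASTER_DOMAIN_REALM = {
    ".ipamaster01.example.com": "IPAMASTER01.EXAMPLE.COM",
    "ipamaster01.example.com": "IPAMASTER01.EXAMPLE.COM",
}
# The replica's trace shows the right realm being chosen for its own name;
# an explicit entry for its hostname is assumed to be the reason.
REPLICA_DOMAIN_REALM = dict(MASTER_DOMAIN_REALM,
                            **{"ipareplica01.example.com": "IPAMASTER01.EXAMPLE.COM"})
# The recommended layout: IPA in its own subdomain, realm equal to the DNS domain.
FIXED_DOMAIN_REALM = {
    ".linux.example.com": "LINUX.EXAMPLE.COM",
    "linux.example.com": "LINUX.EXAMPLE.COM",
}

if __name__ == "__main__":
    for label, table in (("master ", MASTER_DOMAIN_REALM), ("replica", REPLICA_DOMAIN_REALM)):
        print(label, explain_bind("IPAMASTER01.EXAMPLE.COM", "ipareplica01.example.com", table))
    print("fixed  ", explain_bind("LINUX.EXAMPLE.COM", "ipareplica01.linux.example.com", FIXED_DOMAIN_REALM))
    # with the realm equal to the DNS domain, even an empty table gives the right answer
    print("fixed, no [domain_realm]:", host_realm("ipareplica01.linux.example.com", {}))
```

On the master, ldap/ipareplica01.example.com resolves to EXAMPLE.COM, a realm that is not the client's, so the client asks IPAMASTER01.EXAMPLE.COM's KDC for krbtgt/EXAMPLE.COM@IPAMASTER01.EXAMPLE.COM, which does not exist; the hierarchical path has EXAMPLE.COM as its next hop, so the retry in the trace is the same principal again. In the subdomain layout the upper-cased parent domain of every IPA host is the realm itself, so the fallback heuristic and the explicit mapping agree and no cross-realm request is ever generated.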
Hi
I have rebuilt the entire setup into a subdomain of the AD (e.g. linux.example.com) and I now have ipamaster01.linux.example.com and ipareplica01.example.com. I was able to establish the trust on the master, install the replica and add the replica as a trust agent on the master. But there is still one thing I don't understand:
- if I run #id <user> on the master I get a lot of information about that user (including all AD groups the user is in):
[root@ipamaster01 ~]# id alexc@example.com
uid=748601137(alexc@example.com) gid=748601137(alexc@example.com) groups=748601137(alexc@example.com),748601193(s-infra@example.com),748601182(sqs-all@example.com),748601183(admins@example.com),748600513(domain users@example.com)
- same command, on the replica returns a limited set of information :
[root@ipareplica01 ~]# id alexc@example.com
uid=748601137(alexc@example.com) gid=748601137(alexc@example.com) groups=748601137(alexc@example.com),748600513
is this the intended behavior ?