repl conflict which is not there - ?
by lejeczek
Hi guys.
for what 'ipa-healthcheck' complains of:
{
  "source": "ipahealthcheck.ds.replication",
  "check": "ReplicationCheck",
  "result": "WARNING",
  "uuid": "720d7af6-5a11-486f-a610-f6f06ec4d9e2",
  "when": "20230526202306Z",
  "duration": "0.054683",
  "kw": {
    "key": "DSREPLLE0002",
    "items": [
      "Replication",
      "Conflict Entries"
    ],
    "msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"."
  }
},
and the old trick finds no culprit:
-> $ ldapsearch -LLL -H ldaps://$(hostname) -Y GSSAPI -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
SASL/GSSAPI authentication started
SASL username: admin(a)MINE.PRIV
SASL SSF: 256
SASL data security layer installed.
where is it hiding?
many thanks, L.
1 day, 16 hours
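As an added example (not from the post and not part of ipa-healthcheck itself), a small parser for the JSON report quoted above: it keeps only the non-SUCCESS results and pulls the suffix and entry count out of the DSREPLLE0002 message, which is what a per-suffix conflict search would need. It assumes the report is a JSON array of result objects shaped like the quoted one; the second, passing entry is constructed.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample: the WARNING quoted in the thread plus one passing check,
# in the JSON-array form assumed for ipa-healthcheck's JSON output.
SAMPLE_REPORT = json.dumps([
    {
        "source": "ipahealthcheck.ds.replication",
        "check": "ReplicationCheck",
        "result": "WARNING",
        "uuid": "720d7af6-5a11-486f-a610-f6f06ec4d9e2",
        "when": "20230526202306Z",
        "duration": "0.054683",
        "kw": {
            "key": "DSREPLLE0002",
            "items": ["Replication", "Conflict Entries"],
            "msg": "There were 1 conflict entries found under the "
                   "replication suffix \"o=ipaca\".",
        },
    },
    {   # constructed passing entry; uuid is a placeholder
        "source": "ipahealthcheck.ds.replication",
        "check": "ReplicationCheck",
        "result": "SUCCESS",
        "uuid": "00000000-0000-0000-0000-000000000000",
        "when": "20230526202306Z",
        "duration": "0.001000",
        "kw": {},
    },
])

# Severity ranking used to decide whether a report is clean.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Message format of the DSREPLLE0002 check as quoted in the thread.
CONFLICT_MSG = re.compile(
    r"There were (?P<count>\d+) conflict entr(?:y|ies) found under the "
    r"replication suffix \"(?P<suffix>[^\"]+)\"\."
)


def load_results(report_json: str) -> List[Dict[str, Any]]:
    """Parse a JSON report and return only the non-SUCCESS results."""
    results = json.loads(report_json)
    if not isinstance(results, list):
        raise ValueError("expected a JSON array of healthcheck results")
    return [r for r in results if r.get("result", "SUCCESS") != "SUCCESS"]


def conflict_findings(report_json: str) -> List[Dict[str, Any]]:
    """Extract suffix and count from every DSREPLLE0002 (conflict entries) result."""
    findings = []
    for r in load_results(report_json):
        kw = r.get("kw", {})
        if kw.get("key") != "DSREPLLE0002":
            continue
        m = CONFLICT_MSG.search(kw.get("msg", ""))
        if not m:
            continue  # message text changed; do not guess at the suffix
        findings.append({
            "suffix": m.group("suffix"),
            "count": int(m.group("count")),
            "result": r["result"],
            "when": r.get("when"),
        })
    return findings


def worst_result(report_json: str) -> str:
    """Return the most severe result level in the report (SUCCESS when clean)."""
    results = json.loads(report_json)
    return max((r.get("result", "SUCCESS") for r in results),
               key=lambda s: SEVERITY.get(s, 99), default="SUCCESS")
```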
Can't add CA to replica - invalid 'cn': must be
by Nicholas Cross
We are in the process of adding a new CA replica.
We install in the following fashion:
1. ipa-replica-install
2. ipa-dns-install
3. ipa-ca-install
All goes well until step 3, ipa-ca-install, where we get the error:
2023-05-22T16:51:30Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa011.ad.company.fm"
If we do --skip-conn-check (not recommended) at step 3 we get a complete install, but it does not allow kinit to work on that server.
Any thoughts on how to diagnose and/or fix?
Thanks
Nick.
1 day, 21 hours
container IPA fine but only until host's reboot
by lejeczek
Hi guys.
I have a replica in a container which deploys and works seemingly
okay; a container reboot is not detrimental to IPA, yet a host
reboot seems to break LDAP.
Both container and host are up-to-date CentOS 9; it's a
rootful container.
So far (several times) it reproduces each time: I can
remove the "broken" container, re-create it anew, it works, then
the host reboots and ... a bummer.
Anybody seen this or similar issues? Log snippets:
-> $ ipactl restart
Starting Directory Service
Failed to start Directory Service:
CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv(a)MINE-PRIV.service'] returned non-zero exit status 1)
Starting 389 Directory Server MINE-PRIV....
dirsrv(a)MINE-PRIV.service: ProtectHostname=yes is configured,
but UTS namespace setup is prohibited (container manager?),
ignoring namespace setup.
dirsrv(a)MINE-PRIV.service: ProtectHostname=yes is configured,
but UTS namespace setup is prohibited (container manager?),
ignoring namespace setup.
dirsrv(a)MINE-PRIV.service: ProtectHostname=yes is configured,
but UTS namespace setup is prohibited (container manager?),
ignoring namespace setup.
[25/May/2023:20:38:08.747319489 +0000] - CRIT - Security
Initialization - warn_if_no_cert_file - Certificate DB file
cert8.db nor cert9.db exists in
[/etc/dirsrv/slapd-MINE-PRIV] - SSL initialization will
likely fail
[25/May/2023:20:38:08.752730373 +0000] - CRIT - Security
Initialization - warn_if_no_key_file - Key DB file key3.db
nor key4.db exists in [/etc/dirsrv/slapd-MINE-PRIV] - SSL
initialization will likely fail
[25/May/2023:20:38:08.768566520 +0000] - ERR - Security
Initialization - SSL failure: NSS initialization failed
(Netscape Portable Runtime error -8174 - security library:
bad database.): certdir: /etc/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.770531395 +0000] - ERR -
force_to_disable_security - ERROR: NSS Initialization
Failed. Disabling NSS.
[25/May/2023:20:38:08.772440575 +0000] - ERR -
set_workingdir - detach: failed to chdir to
/var/log/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.774326540 +0000] - ERR -
set_workingdir - detach: set workingdir failed with "Working
directory "/" is not writeable."
[25/May/2023:20:38:08.776402306 +0000] - INFO - main -
389-Directory/2.2.4 B2022.347.0000 starting up
[25/May/2023:20:38:08.778279795 +0000] - INFO - main -
Setting the maximum file descriptor limit to: 1024
[25/May/2023:20:38:08.780257034 +0000] - ERR -
fedse_create_startOK - Cannot copy DSE file
"/etc/dirsrv/slapd-MINE-PRIV/dse.ldif" to
"/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.startOK" OS error 13
(Permission denied)
[25/May/2023:20:38:08.782222230 +0000] - ERR -
dse_write_file_nolock - Cannot open temporary DSE file
"/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.tmp" for update: OS
error 13 (Permission denied)
[25/May/2023:20:38:08.787607325 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.789526243 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.791436584 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.793404806 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.795305449 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.797253522 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.799164114 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.801065298 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.803027158 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.804938281 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.806866727 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.808871438 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.810796257 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.812761433 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.814675903 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.816595692 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.818568974 +0000] - INFO -
PBKDF2_SHA256 - Based on CPU performance, chose 12000 rounds
[25/May/2023:20:38:08.822101547 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal
value 512000
[25/May/2023:20:38:08.824226177 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr aci
[25/May/2023:20:38:08.826218264 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-cachesize
[25/May/2023:20:38:08.828147422 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-cachememsize
[25/May/2023:20:38:08.830689678 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-readonly
[25/May/2023:20:38:08.832725468 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-require-index
[25/May/2023:20:38:08.834666098 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-require-internalop-index
[25/May/2023:20:38:08.836658115 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-dncachememsize
[25/May/2023:20:38:08.838859671 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-directory
[25/May/2023:20:38:08.843583015 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal
value 512000
[25/May/2023:20:38:08.845746619 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-cachesize
[25/May/2023:20:38:08.847696185 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-cachememsize
[25/May/2023:20:38:08.850034512 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr nsslapd-readonly
[25/May/2023:20:38:08.852052299 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-require-index
[25/May/2023:20:38:08.854005963 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-require-internalop-index
[25/May/2023:20:38:08.855960008 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-dncachememsize
[25/May/2023:20:38:08.858087924 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-directory
[25/May/2023:20:38:08.862288731 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal
value 512000
[25/May/2023:20:38:08.864482192 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-cachesize
[25/May/2023:20:38:08.866449653 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-cachememsize
[25/May/2023:20:38:08.868618397 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-readonly
[25/May/2023:20:38:08.870625282 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-require-index
[25/May/2023:20:38:08.872589927 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-require-internalop-index
[25/May/2023:20:38:08.874549833 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-dncachememsize
[25/May/2023:20:38:08.876699000 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-directory
[25/May/2023:20:38:08.880669548 +0000] - NOTICE -
bdb_start_autotune - found 32506232k physical memory
[25/May/2023:20:38:08.882702473 +0000] - NOTICE -
bdb_start_autotune - found 28174216k available
[25/May/2023:20:38:08.884678500 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: db cache: 1572864k
[25/May/2023:20:38:08.886641071 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: userRoot entry cache
(3 total): 2031616k
[25/May/2023:20:38:08.889062407 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: userRoot dn cache (3
total): 262144k
[25/May/2023:20:38:08.891234948 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: ipaca entry cache (3
total): 2031616k
[25/May/2023:20:38:08.893482262 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: ipaca dn cache (3
total): 262144k
[25/May/2023:20:38:08.895602163 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: changelog entry cache
(3 total): 2031616k
[25/May/2023:20:38:08.897693539 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: changelog dn cache (3
total): 262144k
[25/May/2023:20:38:08.899736183 +0000] - NOTICE -
bdb_start_autotune - total cache size: 8657043456 B;
[25/May/2023:20:38:08.901810216 +0000] - ERR -
bdb_version_write - Could not open file
"/var/lib/dirsrv/slapd-MINE-PRIV/db/DBVERSION" for writing
Netscape Portable Runtime -5966 (Access Denied.)
[25/May/2023:20:38:08.903797254 +0000] - ERR - mkdir_p -
/var/lib/dirsrv: error -5943 (Cannot create or rename a
filename that already exists.)
[25/May/2023:20:38:08.905887528 +0000] - CRIT - bdb_start -
Can't start because the database directory
"/var/lib/dirsrv/slapd-MINE-PRIV/db" either doesn't exist,
or is not accessible
[25/May/2023:20:38:08.907883443 +0000] - ERR -
ldbm_back_start - Failed to init database, err=-1 Unexpected
dbimpl error code
[25/May/2023:20:38:08.909873536 +0000] - ERR -
plugin_dependency_startall - Failed to start database plugin
ldbm database
[25/May/2023:20:38:08.912185504 +0000] - ERR -
schema-compat-plugin - scheduled schema-compat-plugin tree
scan in about 5 seconds after the server startup!
[25/May/2023:20:38:08.914588354 +0000] - CRIT -
dblayer_setup - dblayer_init failed
[25/May/2023:20:38:08.916582074 +0000] - ERR -
ldbm_back_start - Failed to setup dblayer
[25/May/2023:20:38:08.918659775 +0000] - ERR -
plugin_dependency_startall - Failed to start database plugin
ldbm database
[25/May/2023:20:38:08.920651491 +0000] - ERR -
plugin_dependency_startall - Failed to resolve plugin
dependencies
[25/May/2023:20:38:08.922769498 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin 7-bit
check is not started
[25/May/2023:20:38:08.924779700 +0000] - ERR -
plugin_dependency_startall - preoperation plugin Account
Usability Plugin is not started
[25/May/2023:20:38:08.926780244 +0000] - ERR -
plugin_dependency_startall - accesscontrol plugin ACL Plugin
is not started
[25/May/2023:20:38:08.928838868 +0000] - ERR -
plugin_dependency_startall - preoperation plugin ACL
preoperation is not started
[25/May/2023:20:38:08.930855532 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin Auto
Membership Plugin is not started
[25/May/2023:20:38:08.932879861 +0000] - ERR -
plugin_dependency_startall - preoperation plugin caacl name
uniqueness is not started
[25/May/2023:20:38:08.934954846 +0000] - ERR -
plugin_dependency_startall - preoperation plugin certificate
store issuer/serial uniqueness is not started
[25/May/2023:20:38:08.936969697 +0000] - ERR -
plugin_dependency_startall - preoperation plugin certificate
store subject uniqueness is not started
[25/May/2023:20:38:08.939096711 +0000] - ERR -
plugin_dependency_startall - object plugin Class of Service
is not started
[25/May/2023:20:38:08.941113295 +0000] - ERR -
plugin_dependency_startall - object plugin Content
Synchronization is not started
[25/May/2023:20:38:08.943127434 +0000] - ERR -
plugin_dependency_startall - preoperation plugin deref is
not started
[25/May/2023:20:38:08.945181109 +0000] - ERR -
plugin_dependency_startall - bepreoperation plugin
Distributed Numeric Assignment Plugin is not started
[25/May/2023:20:38:08.947196180 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA DNS is
not started
[25/May/2023:20:38:08.949205500 +0000] - ERR -
plugin_dependency_startall - object plugin IPA Graceperiod
is not started
[25/May/2023:20:38:08.951276348 +0000] - ERR -
plugin_dependency_startall - object plugin IPA Lockout is
not started
[25/May/2023:20:38:08.953303542 +0000] - ERR -
plugin_dependency_startall - betxnpostoperation plugin IPA
MODRDN is not started
[25/May/2023:20:38:08.955319695 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA OTP
Counter is not started
[25/May/2023:20:38:08.957401373 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA OTP
Last Token is not started
[25/May/2023:20:38:08.959428697 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA
Range-Check is not started
[25/May/2023:20:38:08.961479948 +0000] - ERR -
plugin_dependency_startall - postoperation plugin IPA SIDGEN
is not started
[25/May/2023:20:38:08.963520437 +0000] - ERR -
plugin_dependency_startall - object plugin IPA Topology
Configuration is not started
[25/May/2023:20:38:08.965548823 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA UUID is
not started
[25/May/2023:20:38:08.967588822 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA Version
Replication is not started
[25/May/2023:20:38:08.969640553 +0000] - ERR -
plugin_dependency_startall - preoperation plugin ipa-winsync
is not started
[25/May/2023:20:38:08.971679109 +0000] - ERR -
plugin_dependency_startall - extendedop plugin
ipa_enrollment_extop is not started
[25/May/2023:20:38:08.973720600 +0000] - ERR -
plugin_dependency_startall - extendedop plugin
ipa_extdom_extop is not started
[25/May/2023:20:38:08.975765037 +0000] - ERR -
plugin_dependency_startall - extendedop plugin ipa_pwd_extop
is not started
[25/May/2023:20:38:08.977817560 +0000] - ERR -
plugin_dependency_startall - preoperation plugin
ipaSubordinateIdEntry ipaOwner uniqueness is not started
[25/May/2023:20:38:08.979867658 +0000] - ERR -
plugin_dependency_startall - preoperation plugin ipaUniqueID
uniqueness is not started
[25/May/2023:20:38:08.981913688 +0000] - ERR -
plugin_dependency_startall - preoperation plugin
krbCanonicalName uniqueness is not started
[25/May/2023:20:38:08.983974386 +0000] - ERR -
plugin_dependency_startall - preoperation plugin
krbPrincipalName uniqueness is not started
[25/May/2023:20:38:08.986051896 +0000] - ERR -
plugin_dependency_startall - database plugin ldbm database
is not started
[25/May/2023:20:38:08.988109989 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin Linked
Attributes is not started
[25/May/2023:20:38:08.990170186 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin
Managed Entries is not started
[25/May/2023:20:38:08.992227157 +0000] - ERR -
plugin_dependency_startall - betxnpostoperation plugin
MemberOf Plugin is not started
[25/May/2023:20:38:08.994270532 +0000] - ERR -
plugin_dependency_startall - object plugin Multisupplier
Replication Plugin is not started
[25/May/2023:20:38:08.996345598 +0000] - ERR -
plugin_dependency_startall - preoperation plugin netgroup
uniqueness is not started
[25/May/2023:20:38:08.998405354 +0000] - ERR -
plugin_dependency_startall - betxnpostoperation plugin
referential integrity postoperation is not started
[25/May/2023:20:38:09.000484848 +0000] - ERR -
plugin_dependency_startall - object plugin Retro Changelog
Plugin is not started
[25/May/2023:20:38:09.002615038 +0000] - ERR -
plugin_dependency_startall - object plugin Roles Plugin is
not started
[25/May/2023:20:38:09.004668452 +0000] - ERR -
plugin_dependency_startall - preoperation plugin sudorule
name uniqueness is not started
[25/May/2023:20:38:09.006728329 +0000] - ERR -
plugin_dependency_startall - preoperation plugin uid
uniqueness is not started
[25/May/2023:20:38:09.008808835 +0000] - ERR -
plugin_dependency_startall - object plugin USN is not started
[25/May/2023:20:38:09.010895272 +0000] - ERR -
plugin_dependency_startall - object plugin Views is not started
[25/May/2023:20:38:09.012962683 +0000] - ERR -
plugin_dependency_startall - extendedop plugin whoami is not
started
dirsrv(a)MINE-PRIV.service: Main process exited, code=exited,
status=1/FAILURE
dirsrv(a)MINE-PRIV.service: Failed with result 'exit-code'.
Failed to start 389 Directory Server MINE-PRIV..
2 days
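Added example, not from the thread and not part of 389-ds: the log above fails on four concrete conditions (neither cert8.db/key3.db nor cert9.db/key4.db present, Permission denied on dse.ldif.startOK and dse.ldif.tmp, DBVERSION not writable, and the working directory not writable), so this preflight checks an instance's config, database and log directories for exactly those before ipactl is run. Paths follow the slapd-<INSTANCE> layout visible in the log; the `root` argument and the self_check() helper exist only to run it offline against a constructed tree.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Layout of a 389-ds instance as it appears in the thread's log:
#   /etc/dirsrv/slapd-<INST>          dse.ldif plus the NSS DB
#   /var/lib/dirsrv/slapd-<INST>/db   database directory (DBVERSION lives here)
#   /var/log/dirsrv/slapd-<INST>      working/log directory the server chdirs into
NSS_PAIRS = (("cert9.db", "key4.db"), ("cert8.db", "key3.db"))


def instance_paths(instance: str, root: str = "/") -> Tuple[str, str, str]:
    """Return (config_dir, db_dir, log_dir) for an instance. `root` lets the
    self-test point at a constructed tree instead of the real filesystem."""
    name = f"slapd-{instance}"
    return (os.path.join(root, "etc/dirsrv", name),
            os.path.join(root, "var/lib/dirsrv", name, "db"),
            os.path.join(root, "var/log/dirsrv", name))


def _writable_dir(path: str) -> bool:
    # os.access answers for the current user; run as root on a real host,
    # since the directories are owned by the dirsrv user.
    return os.path.isdir(path) and os.access(path, os.W_OK)


def check_instance(config_dir: str, db_dir: str, log_dir: str) -> List[str]:
    """Return finding codes; an empty list means the layout looks sane.
    Each code maps to one failure line in the thread's log."""
    findings = []
    if not os.path.isfile(os.path.join(config_dir, "dse.ldif")):
        findings.append("dse-ldif-missing")           # no config to read at all
    elif not _writable_dir(config_dir):
        findings.append("config-dir-not-writable")    # dse.ldif.startOK/.tmp EACCES
    if not any(os.path.isfile(os.path.join(config_dir, c)) and
               os.path.isfile(os.path.join(config_dir, k)) for c, k in NSS_PAIRS):
        findings.append("nss-db-missing")             # warn_if_no_cert_file/key_file
    if not os.path.isdir(db_dir):
        findings.append("db-dir-missing")             # bdb_start: dir doesn't exist
    elif not _writable_dir(db_dir):
        findings.append("db-dir-not-writable")        # DBVERSION open for writing
    if not _writable_dir(log_dir):
        findings.append("log-dir-not-writable")       # set_workingdir chdir failed
    return findings


def build_fake_instance(root: str, instance: str, with_nss: bool = True,
                        with_db: bool = True) -> Tuple[str, str, str]:
    """Construct a minimal instance tree under `root` for offline testing."""
    config_dir, db_dir, log_dir = instance_paths(instance, root)
    Path(config_dir).mkdir(parents=True, exist_ok=True)
    Path(log_dir).mkdir(parents=True, exist_ok=True)
    Path(config_dir, "dse.ldif").touch()
    if with_nss:
        for name in NSS_PAIRS[0]:
            Path(config_dir, name).touch()
    if with_db:
        Path(db_dir).mkdir(parents=True, exist_ok=True)
        Path(db_dir, "DBVERSION").touch()
    return config_dir, db_dir, log_dir


def self_check() -> Dict[str, List[str]]:
    """Run the checker against a healthy and a broken constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        good = check_instance(*build_fake_instance(root, "GOOD"))
        bad = check_instance(*build_fake_instance(root, "BAD",
                                                  with_nss=False, with_db=False))
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    # Real-host usage for the instance named in the thread's log.
    for code in check_instance(*instance_paths("MINE-PRIV")):
        print("FINDING:", code)
```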
Fwd: Problem with replica installation 4.10.1
by Jakub Werwiński
I tried with the --skip-conncheck option; however, the same error (-11)
occurs every time. The firewall was disabled and also tested.
Error on the replica in /var/log/dirsrv/slapd-MY.DOMAIN.COM/error:
[25/May/2023:15:18:45.460057564 +0200] - ERR - NSMMReplicationPlugin -
update_consumer_schema - [S] Schema agmt="cn=
meTofreeipa-replica.mydomain.com" (freeipa-replica:389) must not be
overwritten (set replication log for additional info)
[25/May/2023:15:18:46.104681271 +0200] - INFO - NSMMReplicationPlugin -
repl5_tot_run - Beginning total update of replica
"agmt="cn=meTofreeipa-mydomain.com" (freeipa-replica:389)".
[25/May/2023:15:18:58.638287655 +0200] - ERR - NSMMReplicationPlugin -
repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com"
(freeipa-replica:389): Received error -1 (Can't contact LDAP server): for
total update operation [25/May/2023:15:18:58.640550244 +0200] - ERR -
NSMMReplicationPlugin - release_replica - agmt="cn=
meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send
endReplication extended operation (Can't contact LDAP server)
[25/May/2023:15:18:58.642048003 +0200] - ERR - NSMMReplicationPlugin -
repl5_tot_run - Total update failed for replica "agmt="cn=
meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
[25/May/2023:15:18:58.659305226 +0200] - INFO - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com"
(freeipa-replica:389): Replication bind with GSSAPI auth resumed
[25/May/2023:15:18:59.607038328 +0200] - WARN - NSMMReplicationPlugin -
repl5_inc_run - agmt="cn=meTofreeipa-replica.mydomain.com"
(freeipa-replica:389): The remote replica has a different database
generation ID than the local database. You may have to reinitialize the
remote replica, or the local replica. [25/May/2023:15:19:02.995509460
+0200] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=
meTofreeipa-replica.mydomain.com" (freeipa-replica:389): The remote replica
has a different database generation ID than the local database. You may
have to reinitialize the remote replica, or the local replica.
Thu, 25 May 2023 at 09:46 Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> Hi,
>
> replica installation failures are often related to either a wrong DNS
> configuration or firewall preventing the communication.
> Did you run ipa-replica-installation with or without the option
> --skip-conncheck? Without the option you may have some hints if the issue
> is related to the firewall.
> You can find more info in Host name and DNS requirements for IdM [1] and
> Opening the ports required by IdM [2].
>
> The timestamp for replica installation is 2023-05-24T*10:15:04Z* but the
> master logs don't match (24/May/2023:*11:47:29.382502138 +0200*).
> Difficult to draw any conclusion with that, do you have the master logs
> from the same time?
>
> flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
> [2]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
>
>
> On Wed, May 24, 2023 at 12:34 PM Jakub Werwiński via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Hi, I have a problem with freeipa replica installation. Log:
>>
>> Starting replication, please wait until this has completed.
>> Update in progress, 12 seconds elapsed
>> [ldap://freeipa.mydomain.com:389] reports: Update failed! Status: [Error
>> (-11) connection error: Unknown connection error (-11) - Total update
>> aborted]
>>
>> [error] RuntimeError: Failed to start replication
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Failed to start replication
>> The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>>
>>
>> ---------------------------------------- var/log/ipareplica-install.log
>> -------------------------------------------------------
>>
>> 2023-05-24T10:14:50Z DEBUG Waiting up to 300 seconds for replication
>> (ldapi://%2Frun%2Fslapd-MY-DOMAIN.COM.socket) cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-poland\,dc\=com\,dc\=pl,cn=mapping
>> tree,cn=config (objectclass=*)
>> 2023-05-24T10:14:50Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=
>> meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-com\,dc\=com\,dc\=pl,cn=mapping
>> tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'],
>> 'cn': [b'meTofreeipa.mydomain.com'], 'nsDS5ReplicaHost': [b'
>> freeipa.mydomain.com'], 'nsDS5ReplicaPort': [b'389'],
>> 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot':
>> [b'dc=mydomain,dc=com,dc=pl'], 'description': [b'me to
>> freeipa.mydomain.com'], 'nsDS5ReplicatedAttributeList':
>> [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
>> krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>> passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'],
>> 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs':
>> [b'modifiersName modifyTimestamp internalModifiersName
>> internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal':
>> [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth
>> krblastfailedauth krbloginfailedcount passwordgraceusertime'],
>> 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart':
>> [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
>> 'nsds5replicaChangesSentSinceStartup': [b''],
>> 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions
>> started since server startup'], 'nsds5replicaLastUpdateStatusJSON':
>> [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc":
>> "0", "repl_rc_text": "replica acquired", "date": "2023-05-24T10:14:50Z",
>> "message": "Error (0) No replication sessions started since server
>> startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'],
>> 'nsds5replicaLastInitStart': [b'19700101000000Z'],
>> 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
>> 2023-05-24T10:15:04Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 686, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 672, in run_step
>> method()
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line
>> 430, in __setup_replica
>> repl.setup_promote_replication(
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line
>> 1930, in setup_promote_replication
>> raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>> 2023-05-24T10:15:04Z DEBUG [error] RuntimeError: Failed to start
>> replication
>> 2023-05-24T10:15:04Z DEBUG Destroyed connection
>> context.ldap2_140645096151696
>> 2023-05-24T10:15:04Z DEBUG Backing up system configuration file
>> '/etc/ipa/default.conf'
>> 2023-05-24T10:15:04Z DEBUG Saving Index File to
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2023-05-24T10:15:04Z DEBUG Writing configuration file
>> /etc/ipa/default.conf
>> 2023-05-24T10:15:04Z DEBUG [global]
>> basedn = dc=mydomain,dc=com,dc=pl
>> host = freeipa-replica.mydomain.com
>> realm = My.REALM.COM
>> domain = mydomain.com
>> xmlrpc_uri = https://freeipa-replica.mydomain.com/ipa/xml
>> ldap_uri = ldapi://%2Frun%2Fslapd-MY-DOMAIN-COM.socket
>> mode = production
>> enable_ra = True
>> ra_plugin = dogtag
>> dogtag_version = 10
>> ca_host = freeipa.mydomain.com
>>
>>
>>
>> 2023-05-24T10:15:04Z DEBUG File
>> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in
>> execute
>> return_value = self.run()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line
>> 344, in run
>> return cfgr.run()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 360, in run
>> return self.execute()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 386, in execute
>> for rval in self._executor():
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 431, in __runner
>> exc_handler(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 460, in _handle_execute_exception
>> self._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 450, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 421, in __runner
>> step()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 418, in <lambda>
>> step = lambda: next(self.__gen)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 81, in run_generator_with_yield_from
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 59, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 655, in _configure
>> next(executor)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 431, in __runner
>> exc_handler(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 460, in _handle_execute_exception
>> self._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 518, in _handle_exception
>> self.__parent._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 450, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 515, in _handle_exception
>> super(ComponentBase, self)._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 450, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 421, in __runner
>> step()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 418, in <lambda>
>> step = lambda: next(self.__gen)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 81, in run_generator_with_yield_from
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 59, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/common.py",
>> line 65, in _install
>> for unused in self._installer(self.parent):
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py",
>> line 599, in main
>> replica_install(self)
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
>> line 401, in decorated
>> func(installer)
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
>> line 1267, in install
>> ds = install_replica_ds(config, options, ca_enabled,
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
>> line 100, in install_replica_ds
>> ds.create_replica(
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line
>> 398, in create_replica
>> self.start_creation(runtime=30)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 686, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 672, in run_step
>> method()
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line
>> 430, in __setup_replica
>> repl.setup_promote_replication(
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line
>> 1930, in setup_promote_replication
>> raise RuntimeError("Failed to start replication")
>>
>> 2023-05-24T10:15:04Z DEBUG The ipa-replica-install command failed,
>> exception: RuntimeError: Failed to start replication
>> 2023-05-24T10:15:04Z ERROR Failed to start replication
>> 2023-05-24T10:15:04Z ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> ---------------------------------------- master: /var/log/dirsrv/slapd-MY-DOMAIN.COM/error -------------------------------------------------------
>>
>> [24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
>> [24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
>> [24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
>> [24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)".
>> [24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
>> [24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server)
>> [24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
>> [24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
>>
>>
>> ---------------------------------------- About system
>> -------------------------------------------------------
>> Master and Replica:
>> Os: Rocky Linux 9.2
>> IPA: 4.10.1
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
2 days, 6 hours
'del' removes replica/tion but keeps all DNS record in - ?
by lejeczek
Hi guys.
With a forceful removal of a replica with
'ipa-replica-manage' such replica/tion gets removed but all
DNS records - of which 'ipa-healthcheck' complains - remain
intact.
Is that normal & expected?
many thanks, L.
2 days, 17 hours
ipa: ERROR: No valid Negotiate header - from/in container replica
by lejeczek
Hi guys.
This is my first trial/test of replicas in container - here
I added a replica to already existing, bare-metal IPA
domain, which otherwise works a okey - so numerous issues
are possible.
In container, only in this replica, I get:
bash-5.1# ipa dnszone-find
ipa: ERROR: No valid Negotiate header in server response
What that is, might be, a symptom of? Where to go with
troubleshooting?
All thoughts shared are much appreciated.
many thanks, L.
3 days, 2 hours
Re: Can't add CA to replica - invalid 'cn': must be
by Nicholas Cross
Replying to myself here and asking additional questions.
Knowing that the original issues were that 1. I could not conn-check
successfully and 2. kinit. The kinit issue was fixed with the SID/PAC fix.
I ran `ipa-ca-install --debug --skip-conncheck` just for the heck of it and
it tells me it installed successfully. :tada:
So my questions are,
- Can we ignore the connection check failure, as we know it worked before
any of the installs?
- What issues might this cause in the future?
- Is there any way I could debug the connection check?
- Should I just ignore all of this and take the win?
Thanks everyone for your input.
Nick
3 days, 4 hours
Problem with replica installation 4.10.1
by Jakub Werwiński
Hi, I have a problem with a FreeIPA replica installation. Log:
Starting replication, please wait until this has completed.
Update in progress, 12 seconds elapsed
[ldap://freeipa.mydomain.com:389] reports: Update failed! Status: [Error (-11) connection error: Unknown connection error (-11) - Total update aborted]
[error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Failed to start replication
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
---------------------------------------- /var/log/ipareplica-install.log -------------------------------------------------------
2023-05-24T10:14:50Z DEBUG Waiting up to 300 seconds for replication (ldapi://%2Frun%2Fslapd-MY-DOMAIN.COM.socket) cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-poland\,dc\=com\,dc\=pl,cn=mapping tree,cn=config (objectclass=*)
2023-05-24T10:14:50Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-com\,dc\=com\,dc\=pl,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meTofreeipa.mydomain.com'], 'nsDS5ReplicaHost': [b'freeipa.mydomain.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=mydomain,dc=com,dc=pl'], 'description': [b'me to freeipa.mydomain.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'],
'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2023-05-24T10:14:50Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
2023-05-24T10:15:04Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line 430, in __setup_replica
repl.setup_promote_replication(
File "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line 1930, in setup_promote_replication
raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2023-05-24T10:15:04Z DEBUG [error] RuntimeError: Failed to start replication
2023-05-24T10:15:04Z DEBUG Destroyed connection context.ldap2_140645096151696
2023-05-24T10:15:04Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2023-05-24T10:15:04Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2023-05-24T10:15:04Z DEBUG Writing configuration file /etc/ipa/default.conf
2023-05-24T10:15:04Z DEBUG [global]
basedn = dc=mydomain,dc=com,dc=pl
host = freeipa-replica.mydomain.com
realm = My.REALM.COM
domain = mydomain.com
xmlrpc_uri = https://freeipa-replica.mydomain.com/ipa/xml
ldap_uri = ldapi://%2Frun%2Fslapd-MY-DOMAIN-COM.socket
mode = production
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
ca_host = freeipa.mydomain.com
2023-05-24T10:15:04Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
return cfgr.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 599, in main
replica_install(self)
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
func(installer)
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1267, in install
ds = install_replica_ds(config, options, ca_enabled,
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 100, in install_replica_ds
ds.create_replica(
File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line 398, in create_replica
self.start_creation(runtime=30)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line 430, in __setup_replica
repl.setup_promote_replication(
File "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line 1930, in setup_promote_replication
raise RuntimeError("Failed to start replication")
2023-05-24T10:15:04Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
2023-05-24T10:15:04Z ERROR Failed to start replication
2023-05-24T10:15:04Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
---------------------------------------- master: /var/log/dirsrv/slapd-MY-DOMAIN.COM/error -------------------------------------------------------
[24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
[24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)".
[24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
[24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server)
[24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
[24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
---------------------------------------- About system -------------------------------------------------------
Master and Replica:
Os: Rocky Linux 9.2
IPA: 4.10.1
3 days, 5 hours
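The master-side errors log in the post above (and the copy quoted in the reply near the top of this page) shows a GSSAPI replication bind failing with LDAP error 49, a short "Can't contact LDAP server" window, the bind resuming, and then the total update aborting with -11. As an added example that is not the poster's or FreeIPA's code, the script below parses NSMMReplicationPlugin lines into a per-agreement timeline so that sequence can be checked across a whole errors log rather than read by eye; the log format it expects is the one shown in the post.

```python
"""Per-agreement timeline of 389-ds replication-plugin events (added example,
not code from the original post or from FreeIPA/389-ds): parses the
NSMMReplicationPlugin lines of a dirsrv errors log and reports, per agreement,
which binds failed and how the total update (re-initialisation) ended."""
import re
from collections import Counter

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - NSMMReplicationPlugin - '
                     r'(?P<func>\w+) - (?P<rest>.*)$')
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')
# "LDAP error 49 (Invalid credentials)", "error -1 (Can't ...)" or "error (-11)"
ERR_RE = re.compile(r"error (?:(-?\d+) \(([^)]+)\)|\((-?\d+)\))")

def classify(func, rest):
    """Map a plugin function name plus message text to a short event name."""
    if func == 'bind_and_check_pwp':
        return 'bind_failed' if 'failed' in rest else 'bind_ok'
    if func == 'repl5_tot_run':
        return 'total_update_start' if 'Beginning' in rest else 'total_update_failed'
    return {'repl5_tot_log_operation_failure': 'total_update_op_error',
            'release_replica': 'release_failed'}.get(func, 'other')

def parse_line(line):
    """Return a dict for one NSMMReplicationPlugin line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m['rest']
    agmt, err = AGMT_RE.search(rest), ERR_RE.search(rest)
    return {'ts': m['ts'], 'level': m['level'], 'event': classify(m['func'], rest),
            'agmt': agmt['agmt'] if agmt else None, 'peer': agmt['peer'] if agmt else None,
            'code': int(err.group(1) or err.group(3)) if err else None,
            'text': err.group(2) if err else None}

def summarize(lines):
    """Per agreement: bind-failure codes, total-update outcome and event list."""
    out = {}
    for ev in filter(None, map(parse_line, lines)):
        s = out.setdefault(ev['agmt'], {'peer': ev['peer'], 'bind_failures': Counter(),
                                        'total_update': 'not started', 'events': []})
        s['events'].append((ev['ts'], ev['event'], ev['code']))
        if ev['event'] == 'bind_failed':
            s['bind_failures'][ev['code']] += 1
        elif ev['event'] == 'total_update_start':
            s['total_update'] = 'in progress'
        elif ev['event'] == 'total_update_failed':
            s['total_update'] = 'failed (%s)' % ev['code']
    return out

# Sample input: the master-side errors-log lines quoted in the post above.
SAMPLE_LOG = """\
[24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
[24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)".
[24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
[24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server)
[24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
[24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
""".splitlines()

if __name__ == '__main__':
    for agmt, s in summarize(SAMPLE_LOG).items():
        print(agmt, s['peer'], 'bind failures:', dict(s['bind_failures']),
              'total update:', s['total_update'])
        for ts, event, code in s['events']:
            print('  ', ts, event, '' if code is None else code)
```

Run it against a real log with `summarize(open('/var/log/dirsrv/slapd-INSTANCE/errors'))`; an agreement whose total update never leaves "in progress" or ends in "failed" is the one to look at first.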
Re: Can't add CA to replica - invalid 'cn': must be
by Nicholas Cross
Sorry, I added far too much there.
Here is slightly less, when I grep for my name:
[root@ipa011 ~]# tail -f /var/log/krb5kdc.log | grep nicholas
May 23 10:55:47 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: NEEDED_PREAUTH: nicholas.cross(a)AD.companyx.FM for krbtgt/AD.companyx.FM(a)AD.companyx.FM, Additional pre-authentication required
May 23 10:55:56 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: HANDLE_AUTHDATA: nicholas.cross(a)AD.companyx.FM for krbtgt/AD.companyx.FM(a)AD.companyx.FM, No such file or directory
I'm guessing it's this?
nicholas.cross(a)AD.companyx.FM for krbtgt/AD.companyx.FM(a)AD.companyx.FM, No such file or directory
4 days, 2 hours
ACME service is disabled
by Georgy Safronov
Hello! On one of our IPA masters (alma9.2, ipa 4.10.1, CA renewal master) we have some problems with pki-tomcat; on a neighbouring master (alma9.2, ipa 4.10.1, CA role) there are no such problems. ipactl status and ipa-healthcheck report all OK, and restarting the services also goes normally. But the pki debug log has a flood of a Java exception:
[root@dc1 ~]# tail -n 57 /var/log/pki/pki-tomcat/pki/debug.2023-05-23.log
2023-05-23 14:30:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
at org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:263)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:222)
at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at jdk.internal.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1724)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)
There is also a flood in systemctl status pki-tomcatd(a)pki-tomcat.service, like:
[root@dc1 ~]# journalctl -u pki-tomcatd(a)pki-tomcat.service --no-pager|tail -n 4
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD2 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD5 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
What could be the reason for these messages? And how to fix it? Thank you in advance!
4 days, 21 hours