I tried a fresh install with the same result. The new replica install process completes
successfully but it does not register as a master. When I look at the replication status
via ipa-replica-manage it shows this:
# ipa-replica-manage list -v ipa8.domain.tld
Directory Manager password:
ipa1.domain.tld: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (3) Replication error acquiring replica: Unable to acquire
replica: permission denied. The bind dn does not have permission to supply replication
updates to the replica. Will retry later. (permission denied)
last update ended: 1970-01-01 00:00:00+00:00
When I try to create a new replication agreement via ipa-replica-manage connect I get this
message:
# ipa-replica-manage connect ipa4.domain.tld
Directory Manager password:
Connection unsuccessful: ipa4.domain.tld is an IPA Server, but it might be unknown,
foreign or previously deleted one.
I saw this article:
https://access.redhat.com/solutions/2988311
I checked all my replicas and they show:
$ ldapsearch -o ldif-wrap=no -D "cn=directory manager" -W -b "cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# replication managers, sysaccounts, etc, domain.tld
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa2.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa4.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa7.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa3.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa5.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa6.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa1.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa8.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
I also checked this on the new server:
# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
Enter LDAP Password:
dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60
On the other 4.x IPA servers (all non CA replicas) it showed the first stanza like above
and on the 3.x servers it only had:
$ ldapsearch -o ldif-wrap=no -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
Enter LDAP Password:
dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
Anything else I should verify as well that might lead to a solution?
Thanks!
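The two checks above (membership of the new server's ldap/ principal in cn=replication managers, and the presence of nsds5replicabinddngroup on each peer's cn=replica entry) can be scripted against saved ldapsearch output. The following is an added example, not code from the thread or from FreeIPA; the LDIF samples are constructed from the outputs shown above, with domain.tld as a placeholder and the list archive's "(a)" written as "@", and the 3.x-style entry without nsds5replicabinddngroup is flagged.

```python
"""Check the two replication-manager prerequisites from ldapsearch LDIF output."""
GROUP_DN = "cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld"
# Constructed samples modelled on the thread's output (the list archive shows '@' as '(a)').
GROUP_LDIF = f"""\
dn: {GROUP_DN}
member: krbprincipalname=ldap/ipa1.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa8.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
"""
REPLICA_LDIF = {  # each server's cn=replica entry for the domain suffix, as in the thread
    "ipa8.domain.tld": f"""\
dn: cn=replica,cn=dc\\3Ddomain\\2Cdc\\3Dtld,cn=mapping tree,cn=config
nsds5replicabinddngroup: {GROUP_DN}
""",
    "ipa1.domain.tld": "dn: cn=replica,cn=dc\\3Ddomain\\2Cdc\\3Dtld,cn=mapping tree,cn=config\n",
}


def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding continuation lines and skipping comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded value continues the previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # drop ldapsearch's '# ...' comment lines
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line:
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        elif attrs:
            entries.append((attrs["dn"][0], attrs))
            attrs = {}
    return entries


def replication_manager_hosts(group_ldif):
    """Hosts whose ldap/<host> principal is a member of the replication managers group."""
    (_, attrs), = parse_ldif(group_ldif)
    return {v.split("/", 1)[1].split("@")[0].lower() for v in attrs.get("member", [])
            if v.lower().startswith("krbprincipalname=ldap/")}


def check_peer(new_host, peer, group_ldif, replica_ldif):
    """Findings that would make `peer` refuse replication updates supplied by `new_host`."""
    findings = []
    if new_host.lower() not in replication_manager_hosts(group_ldif):
        findings.append(f"{new_host}: ldap principal is not a member of {GROUP_DN}")
    for dn, attrs in parse_ldif(replica_ldif):
        if GROUP_DN.lower() not in [v.lower() for v in attrs.get("nsds5replicabinddngroup", [])]:
            findings.append(f"{peer}: {dn} lacks nsds5replicabinddngroup; only nsds5replicabinddn values may bind")
    return findings
```

Run check_peer("ipa8.domain.tld", peer, GROUP_LDIF, REPLICA_LDIF[peer]) for each peer; an entry without nsds5replicabinddngroup will not consult the group at all, so membership alone does not let the new server bind there.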
> After some trial and error I was finally able to get a new replica + CA (RHEL7.4 and
> ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa server 3.0 - 4.x) and the
> ipa-replica-install command completed successfully but now when I run the
> ipa-replica-manage -v list <host> command I see this:
>
> # ipa-replica-manage -v list ipa5.domain.tld
> Directory Manager password:
>
> ipa1.domain.tld: replica
> last init status: None
> last init ended: 1970-01-01 00:00:00+00:00
> last update status: Error (3) Replication error acquiring replica: Unable to acquire
> replica: permission denied. The bind dn does not have permission to supply replication
> updates to the replica. Will retry later. (permission denied)
> last update ended: 1970-01-01 00:00:00+00:00
>
> I ran the ipa-replica-manage re-initialize and it runs successfully and the above
> permission denied error goes away but the host cannot be connected to any other replicas,
> it no longer sees itself as a replica or csreplica. I assume this is due to the re-init.
> I'm leery of trying to force it to try and join and potentially cause more issues.
> I would appreciate any helpful suggestions.