[Freeipa-users] Re: New replica (4.5) issues

I tried a fresh install with the same result. The new replica install process completes successfully but it does not register as a master. When I look at the replication status via ipa-replica-manage it shows this: # ipa-replica-manage list -v ipa8.domain.tld Directory Manager password: ipa1.domain.tld: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied) last update ended: 1970-01-01 00:00:00+00:00 When I try to create a new replication agreement via ipa-replica-manage connect I get this message: # ipa-replica-manage connect ipa4.domain.tld Directory Manager password: Connection unsuccessful: ipa4.domain.tld is an IPA Server, but it might be unknown, foreign or previously deleted one. I saw this article: https://access.redhat.com/solutions/2988311 I checked all my replicas and they show: $ ldapsearch -o ldif-wrap=no -D "cn=directory manager" -W -b "cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld> with scope subtree # filter: (objectclass=*) # requesting: ALL # # replication managers, sysaccounts, etc, domain.tld dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld member: krbprincipalname=ldap/ipa2.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld member: krbprincipalname=ldap/ipa4.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld member: krbprincipalname=ldap/ipa7.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld member: krbprincipalname=ldap/ipa3.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld member: krbprincipalname=ldap/ipa5.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld member: krbprincipalname=ldap/ipa6.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld member: krbprincipalname=ldap/ipa1.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld member: krbprincipalname=ldap/ipa8.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld I also checked this on the new server: # ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval Enter LDAP Password: dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld nsds5replicabinddngroupcheckinterval: 60 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld nsds5replicabinddngroupcheckinterval: 60 On the other 4.x IPA servers (all non CA replicas) it showed the first stanza like above and on the 3.x servers it only had: $ ldapsearch -o ldif-wrap=no -xLLL -D "cn=directory manager" -W -b "cn=config" "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval Enter LDAP Password: dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config Anything else I should verify as well that might lead to a solution? Thanks! > After some trial and error I was finally able to get a new replica + CA (RHEL7.4 and > ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa server 3.0 - 4.x) and the > ipa-replica-install command completed successfully but now when I run the > ipa-manage-replica -v list <host> command I see this: > > # ipa-replica-manage -v list ipa5.domain.tld > Directory Manager password: > > ipa1.domain.tld: replica > last init status: None > last init ended: 1970-01-01 00:00:00+00:00 > last update status: Error (3) Replication error acquiring replica: Unable to acquire > replica: permission denied. The bind dn does not have permission to supply replication > updates to the replica. Will retry later. (permission denied) > last update ended: 1970-01-01 00:00:00+00:00 > > I ran the ipa-replica-manage re-initialize and it runs successfully and the above > permission denied error goes away but the host can not be connected to any other replicas, > it no longer sees itself as a replica or csreplica. I assume this is due to the re-init. > I'm leery of trying to force it to try and join and potentially cause more issues. > I would appreciate any helpful suggestions.