ipa-replica-conncheck fails with --auto-master-check (used by
ipa-ca-install), but not without:
[root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --auto-master-check --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
Check connection from replica to remote master 'ipa01.hq.spinque.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://ipa01.hq.spinque.com/ipa/session/json
*Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>*
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'schema' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
trying https://ipa01.hq.spinque.com/ipa/session/json
Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'ping/1' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
*ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"*
Now, without --auto-master-check:
On ipa02 (I suppose the many "Failed to bind" below are expected?):
[root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
Check connection from replica to remote master 'ipa01.hq.spinque.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Listeners are started. Use CTRL+C to terminate the listening part after
the test.
Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
^C
Cleaning up...
On ipa01:
[root@ipa01 ~]# /usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
Check connection from master to remote replica 'ipa02.hq.spinque.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): WARNING
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): WARNING
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
On Thu, 23 Jul 2020 at 15:15, Roberto Cornacchia <roberto.cornacchia(a)gmail.com> wrote:
Hi,
I have successfully created a replica from a 4.2.4 master (ipa01)
into a new 4.6.6 master (ipa02).
I did it without --setup-ca option (because it had failed), so the
only CA is still on the 4.2.4 server (ipa01).
When I try to set up the CA on ipa02 (the same replica file was used
with ipa-replica-install), this fails:
$ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.
The log of conncheck (generated by ipa-ca-install) is in attachment.
In there, I can see a couple of things going wrong:
ProtocolError: <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
...
2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with
following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"
Not sure if relevant, but also ipa-replica-install, though it
completed successfully, gave this error:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
ipaserver.install.ldapupdate: ERROR Add failure attribute "cn"
not allowed
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Could you please help me find the issue?
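A small triage helper for ipa-replica-conncheck output of the shape pasted above. This is an added example, not code from FreeIPA and not from the mail. It pulls every check that is not OK out of a saved conncheck log and, for the "N tcp/udp: Failed to bind" lines printed under "Start listening on required ports for remote master check", looks up in saved `ss -Hlntup` output which process already holds that port (the tool's own wording above is that this happens when a port is "already bound to an application" so it "cannot attach own responder", which on an installed replica is the real IPA service). The sample log lines and the ss lines, pids included, are constructed for the demo; only OK, SKIPPED and WARNING appear on this page, so the status word FAILED for a port that did not answer is an assumption.

```shell
#!/usr/bin/env bash
# Triage helper for ipa-replica-conncheck output (added example, not FreeIPA code).
# Assumed status words: OK / SKIPPED / WARNING / FAILED (FAILED is assumed; the
# log above only shows the other three). Bind failures look like
# "389 tcp: Failed to bind", exactly as in the log above.

# Emit one line per check that is not OK:  STATUS PROTO PORT LABEL
conncheck_failures() {                       # conncheck_failures <conncheck-log>
    awk '
        # e.g. "Kerberos KDC: UDP (88): SKIPPED" / "HTTP Server: Secure port (443): FAILED"
        /\([0-9]+\): (SKIPPED|WARNING|FAILED)$/ {
            status = $NF
            proto  = ($0 ~ /UDP/) ? "udp" : "tcp"     # checks not marked UDP are TCP
            port = $0;  sub(/.*\(/, "", port);   sub(/\).*/, "", port)
            label = $0; sub(/: [^(]*\(.*/, "", label)  # keep the service name only
            printf "%s %s %s %s\n", status, proto, port, label
        }
        # e.g. "88 udp: Failed to bind" (conncheck could not open its own listener)
        /^[0-9]+ (tcp|udp): Failed to bind$/ {
            sub(/:$/, "", $2)
            printf "BIND_FAILED %s %s listener\n", $2, $1
        }' "$1"
}

# Name of the process holding <proto>/<port>, from saved `ss -Hlntup` output.
# Column 5 is the local address:port; the last column is users:(("name",pid=..,fd=..)).
bind_owner() {                               # bind_owner <tcp|udp> <port> <ss-output>
    awk -v proto="$1" -v port="$2" '
        $1 == proto && $5 ~ (":" port "$") {
            split($NF, parts, "\"")          # parts[2] is the process name
            print parts[2]; exit
        }' "$3"
}

# Human-readable triage of one conncheck log; ss output is optional.
conncheck_triage() {                         # conncheck_triage <conncheck-log> [ss-output]
    local log=$1 ss=${2:-}
    conncheck_failures "$log" | while read -r status proto port label; do
        case $status in
            BIND_FAILED)
                owner=""
                if [ -n "$ss" ]; then owner=$(bind_owner "$proto" "$port" "$ss"); fi
                printf 'bind failed %s/%s: already held by %s\n' \
                    "$proto" "$port" "${owner:-an unknown process}" ;;
            SKIPPED|WARNING)      # UDP ports conncheck cannot probe itself
                printf 'verify manually %s/%s (%s): %s\n' "$proto" "$port" "$label" "$status" ;;
            FAILED)               # a port that really did not answer
                printf 'HARD FAILURE %s/%s (%s)\n' "$proto" "$port" "$label" ;;
        esac
    done
}

# Number of checks that really failed (0 = no hard failure in the log).
conncheck_hard_failures() {                  # conncheck_hard_failures <conncheck-log>
    conncheck_failures "$1" | awk '$1 == "FAILED" { n++ } END { print n + 0 }'
}

# Demo on constructed input: log lines in the format seen in the mail plus made-up
# ss lines (process names and pids are invented for the example).
conncheck_demo() {
    local log ss
    log=$(mktemp); ss=$(mktemp)
    cat >"$log" <<'EOF'
Directory Service: Unsecure port (389): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): WARNING
HTTP Server: Secure port (443): FAILED
389 tcp: Failed to bind
88 udp: Failed to bind
EOF
    cat >"$ss" <<'EOF'
tcp   LISTEN 0      128          *:389        *:*    users:(("ns-slapd",pid=1234,fd=7))
udp   UNCONN 0      0            *:88         *:*    users:(("krb5kdc",pid=2345,fd=9))
EOF
    conncheck_triage "$log" "$ss"
    echo "hard failures: $(conncheck_hard_failures "$log")"
    rm -f "$log" "$ss"
}

conncheck_demo
```

On a real replica, save the two inputs first (`ipa-replica-conncheck ... > conncheck.log 2>&1` and `ss -Hlntup > ss.txt`) and run `conncheck_triage conncheck.log ss.txt`; a "bind failed ... already held by ns-slapd/krb5kdc/httpd" line on a host where IPA is already installed is the listener step finding the real service on the port, whereas "HARD FAILURE" lines are the ones worth chasing before reaching for --skip-conncheck.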