ipa-replica-conncheck fails with --auto-master-check (used by ipa-ca-install), but not without:


[root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --auto-master-check --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
Check connection from replica to remote master 'ipa01.hq.spinque.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocoland would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://ipa01.hq.spinque.com/ipa/session/json
Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'schema' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
trying https://ipa01.hq.spinque.com/ipa/session/json
Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'ping/1' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"
Now, without --auto-master-check:

On ipa02 (I suppose the many "Failed to bind" below are expected?):
[root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com  --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
Check connection from replica to remote master 'ipa01.hq.spinque.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocoland would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Listeners are started. Use CTRL+C to terminate the listening part after the test.

Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
^C
Cleaning up...


On ipa01:
[root@ipa01 ~]# /usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
Check connection from master to remote replica 'ipa02.hq.spinque.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.
On Thu, 23 Jul 2020 at 15:15, Roberto Cornacchia <roberto.cornacchia@gmail.com> wrote:
Hi, 

I have successfully created a replica from a 4.2.4 master (ipa01) into a new 4.6.6 master (ipa02).

I did it without --setup-ca option (because it had failed), so the only CA is still on the 4.2.4 server (ipa01).

When I try to set up the CA on ipa02 (the same replica file was used with ipa-replica-install), this fails:

$ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg 
Directory Manager (existing master) password:

Run connection check to master

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

The log of conncheck (generated by ipa-ca-install) is in the attachment. In there, I can see a couple of things going wrong:

ProtocolError: <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
...
2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"

Not sure if relevant, but also ipa-replica-install, though it completed successfully, gave this error:

Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
ipaserver.install.ldapupdate: ERROR    Add failure attribute "cn" not allowed
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Could you please help me find the issue?
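As an added illustration (my own code, not part of the thread or of FreeIPA), the three behaviours the conncheck output above reports: TCP services are connect-tested and reported OK or not, UDP ports are only listed as SKIPPED because a UDP connect proves nothing about a listener, and a responder that tries to bind a port another process already holds fails. That a replica with its IPA services already running would report "Failed to bind" for exactly that reason is my reading, not something the thread confirms. Service names and ports are taken from the output above; the function names are my own.

```python
import socket

# Services and ports as listed in the conncheck output above.
TCP_SERVICES = [
    ("Directory Service: Unsecure port", 389),
    ("Directory Service: Secure port", 636),
    ("Kerberos KDC: TCP", 88),
    ("Kerberos Kpasswd: TCP", 464),
    ("HTTP Server: Unsecure port", 80),
    ("HTTP Server: Secure port", 443),
]
UDP_SERVICES = [("Kerberos KDC: UDP", 88), ("Kerberos Kpasswd: UDP", 464)]


def check_tcp(host, port, timeout=3.0):
    """'OK' when a TCP connect to host:port succeeds, otherwise 'FAILED'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "OK"
    except OSError:  # refused, timed out, unreachable, ...
        return "FAILED"


def start_listener(port, proto="tcp", host="127.0.0.1"):
    """Bind a throwaway responder the way the replica side does before the
    master runs its check. Returns the bound socket, or None when the port
    is already held by another process ('Failed to bind')."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    try:
        sock.bind((host, port))
        if proto == "tcp":
            sock.listen(5)
        return sock
    except OSError:
        sock.close()
        return None


def conncheck(host, tcp_services=TCP_SERVICES, udp_services=UDP_SERVICES):
    """Connect-test every TCP service; UDP entries are only reported SKIPPED,
    mirroring the 'would need to be checked manually' note in the output."""
    results = {name: check_tcp(host, port) for name, port in tcp_services}
    results.update({name: "SKIPPED" for name, _ in udp_services})
    return results
```

Running `conncheck("ipa01.hq.spinque.com")` from a replica reproduces only the first, outbound half of the tool's check; the inbound half needs a listener on the replica and a `check_tcp` from the master.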