Hmm. Those are open enough to work but I didn't verify against the official open port
list (memory is coffee dependent).
There was still that install error and that is the primary suspect.
Next step: uninstall replica and main. Remove the log files. Remove the rpms for freeipa
and all required dependents. Run rpm -Va and analyze the output for bad binaries of
everything else. Check for a flaky hard drive or other network issues.
Reinstall. At each step, do a log analysis and resolve all errors before continuing. Pay
careful attention to the startup process of the CA server components.
On December 29, 2021 12:52:45 AM EST, Chris Roadfeldt via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Thanks for the help, appreciate another set of eyes on this.
Was hoping it would be something simple between the systems. To that
end I've turned off all local firewalls on the primary and replica as
well as ensuring that required ports are open when it is on. I've also
ensured that the inter-vlan firewall has rules allowing all traffic to
flow in both directions between primary and replica.
example.com is a sanitized domain as you picked up on.
Here are the nmap -v results
replica to primary
[root@replica ~]# nmap -v primary
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:18 CST
Initiating Ping Scan at 23:18
Scanning primary (192.168.0.21) [4 ports]
Completed Ping Scan at 23:18, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:18
Scanning primary (192.168.0.21) [1000 ports]
Discovered open port 53/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 443/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 8080/tcp on 192.168.0.21
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 135/tcp on 192.168.0.21
Discovered open port 49152/tcp on 192.168.0.21
Discovered open port 9090/tcp on 192.168.0.21
Discovered open port 749/tcp on 192.168.0.21
Discovered open port 8443/tcp on 192.168.0.21
Discovered open port 389/tcp on 192.168.0.21
Discovered open port 636/tcp on 192.168.0.21
Discovered open port 464/tcp on 192.168.0.21
Discovered open port 88/tcp on 192.168.0.21
Completed SYN Stealth Scan at 23:18, 0.69s elapsed (1000 total ports)
Nmap scan report for primary (192.168.0.21)
Host is up (0.044s latency).
rDNS record for 192.168.0.21: primary.example.com
Not shown: 984 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
8080/tcp open http-proxy
8443/tcp open https-alt
9090/tcp open zeus-admin
49152/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.092KB)
primary to replica
[root@primary ~]# nmap -v replica
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:21 CST
Initiating Ping Scan at 23:21
Scanning 192.168.10.9 [4 ports]
Completed Ping Scan at 23:21, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:21
Scanning replica.example.com (192.168.10.9) [1000 ports]
Discovered open port 22/tcp on 192.168.10.9
Discovered open port 443/tcp on 192.168.10.9
Discovered open port 80/tcp on 192.168.10.9
Discovered open port 389/tcp on 192.168.10.9
Discovered open port 9090/tcp on 192.168.10.9
Discovered open port 88/tcp on 192.168.10.9
Discovered open port 636/tcp on 192.168.10.9
Discovered open port 464/tcp on 192.168.10.9
Completed SYN Stealth Scan at 23:22, 4.86s elapsed (1000 total ports)
Nmap scan report for replica.example.com (192.168.10.9)
Host is up (0.040s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
9090/tcp open zeus-admin
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
Raw packets sent: 1986 (87.360KB) | Rcvd: 20 (1.156KB)
Re: No communication, what's baffling is that I can see the replication
start up on both ends in the dirsrv logs. Also the initial sync runs
and completes.
Re: DNS, I point the replica to the primary for DNS resolution during
the replica install. I also have entries in the hosts files on the
replica and primary for the shortname and fqdn of both the replica and
primary. I do have other DNS servers that are mirrors of the primary
IPA DNS.
Re: --uninstall, that is performed as well as a reboot after each
ipa-client-install, ipa-replica-install and ipa-server-install
--uninstall for good measure.
I do run a split domain, I know the evils of that, but it's necessary
for my clients to work while migrating in and out of the internal
networks. I've verified that is working as expected as well.
The dirsrv logs do show a replication issue around number of entries
per time, assume that's a throttling mechanism. Also have a dangling
replication agreement that I can not get rid of for another replica.
Other than that, I don't see anything unusual in the logs for ldap. But
I'm no expert, so if a sanitized version of those would help, let me
know.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
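The reply above admits the open ports were not checked against the documented FreeIPA port list. The following shell script is an added example, not code from the thread or from the FreeIPA project: it takes an nmap "PORT STATE SERVICE" table like the two quoted above and compares it against the TCP ports the FreeIPA/IdM port-requirements documentation lists between servers (80/443 HTTP, 389/636 LDAP, 88/464 Kerberos, and 53 only for servers that run the integrated DNS). The two sample tables are copied from the posted scans and embedded as constructed input; UDP 88/464/53/123 are not covered because a TCP SYN scan does not exercise them.

```shell
#!/bin/sh
# Added example: check an nmap TCP port table against the FreeIPA inter-server
# TCP port list (from the FreeIPA/IdM port requirements docs, assumed current).

IPA_TCP_PORTS="80 443 389 636 88 464"   # required on every IPA server
IPA_DNS_PORT="53"                        # required only with the integrated DNS role

# Constructed samples: the port tables from the two scans posted in the thread.
SAMPLE_PRIMARY_SCAN='PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
9090/tcp open zeus-admin'

SAMPLE_REPLICA_SCAN='PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
9090/tcp open zeus-admin'

# port_state SCAN PORT: prints nmap's state for PORT/tcp (open/closed/filtered),
# or "notlisted" when nmap folded the port into its "Not shown: N ... ports" line.
port_state() {
    scan=$1; port=$2
    state=$(printf '%s\n' "$scan" | awk -v p="$port/tcp" '$1 == p { print $2 }')
    [ -n "$state" ] && printf '%s\n' "$state" || printf 'notlisted\n'
}

# check_ipa_ports SCAN [yes|no]: prints "PORT STATE" for each required port that is
# not open; the second argument says whether the scanned host should serve DNS.
# Returns 0 when every required port is open, 1 otherwise.
check_ipa_ports() {
    scan=$1; with_dns=${2:-no}; rc=0
    ports=$IPA_TCP_PORTS
    [ "$with_dns" = "yes" ] && ports="$ports $IPA_DNS_PORT"
    for p in $ports; do
        s=$(port_state "$scan" "$p")
        if [ "$s" != "open" ]; then
            printf '%s %s\n' "$p" "$s"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: the primary (DNS role) passes; the replica passes without the
# DNS role and is flagged on 53/tcp only if it is expected to serve DNS too.
check_ipa_ports "$SAMPLE_PRIMARY_SCAN" yes && echo "primary: all required TCP ports open"
check_ipa_ports "$SAMPLE_REPLICA_SCAN" no && echo "replica (no DNS role): all required TCP ports open"
check_ipa_ports "$SAMPLE_REPLICA_SCAN" yes || echo "replica (DNS role): ports above are not open"
```

Feed a real scan with `nmap -v primary | check_ipa_ports "$(cat)" yes`; run nmap from the peer that needs to connect, since the inter-VLAN firewall mentioned in the thread can filter differently per direction. A "closed" result means the host answered with RST (no listener), while "filtered" or "notlisted" on a host whose summary line says filtered points at a firewall between the two.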
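The reply also suggests running rpm -Va and analyzing the output for bad binaries. As an added example, not from the thread or the FreeIPA project, this shell function triages rpm -Va output: it parses the nine-character attribute field (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities), the optional file-type letter (c for config files), and the path, then ranks each line. The sample lines are constructed for illustration and do not claim that any real FreeIPA file was modified; the path prefixes treated as executable locations are an assumption.

```shell
#!/bin/sh
# Added example: rank rpm -Va lines so that content or permission changes on
# executables stand out from the expected noise (edited config files, touched mtimes).

# Constructed sample in rpm -Va layout: attributes, optional type letter, path.
SAMPLE_RPM_VA='S.5....T.  c /etc/ipa/default.conf
.......T.    /usr/share/ipa/ui/index.html
S.5....T.    /usr/sbin/ipa-replica-install
missing     /usr/libexec/ipa/ipa-custodia
.M.......    /var/lib/ipa/backup'

# triage_rpm_verify: reads rpm -Va lines on stdin and prints
# "LEVEL path attributes type" per line worth attention.
# Exit status is 1 when at least one HIGH finding was printed, 0 otherwise.
triage_rpm_verify() {
    awk '
    BEGIN { high = 0 }
    NF < 2 { next }
    {
        flags = $1
        if (NF >= 3 && length($2) == 1) { type = $2; path = $3 }
        else                            { type = "-"; path = $2 }
        # Assumed set of directories whose files are executables or libraries.
        binpath = (path ~ /^\/usr\/(bin|sbin|lib|lib64|libexec)\//)
        if (flags == "missing")                  { level = binpath ? "HIGH" : "MEDIUM" }
        else if (type == "c")                    { level = "INFO" }    # config edits are expected
        else if (flags ~ /[S5MLUG]/ && binpath)  { level = "HIGH" }    # changed executable/library
        else if (flags ~ /[S5MLUGDP]/)           { level = "MEDIUM" }  # changed non-executable payload
        else if (flags ~ /T/)                    { level = "LOW" }     # mtime only
        else { next }
        if (level == "HIGH") high = 1
        printf "%s %s %s %s\n", level, path, flags, type
    }
    END { exit high }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify || echo "HIGH findings present"
```

Use it as `rpm -Va | triage_rpm_verify | sort`. Two caveats a practitioner would add: rpm -Va compares files against the local rpm database, which a root-level intruder or a broken install can also have altered, so a clean run is only as trustworthy as that database (re-verify the suspect packages against freshly downloaded, signature-checked copies with `rpm -Vp`); and a digest mismatch on a binary is evidence of a changed file, not of who changed it, so check package update history before treating it as compromise.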