Hello Rob,
Here is the output without the --skip-conncheck option:
[root@ipaserver2 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=9.9.9.9
Lookup failed: Preferred host ipaserver2.linuxtest.gonicus.de does not provide DNS.
Could not resolve hostname ipaserver2.linuxtest.gonicus.de using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Checking DNS forwarders, please wait ...
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information:
2019-07-17T12:22:35Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2019-07-17T12:22:36Z DEBUG failed to find session_cookie in persistent storage for principal 'host/ipaserver2.linuxtest.gonicus.de@LINUXTEST.GONICUS.DE'
2019-07-17T12:22:36Z DEBUG trying https://ipaserver1.linuxtest.gonicus.de/ipa/json
2019-07-17T12:22:36Z DEBUG Created connection context.jsonclient_140677757574736
2019-07-17T12:22:36Z DEBUG [try 1]: Forwarding 'env' to json server 'https://ipaserver1.linuxtest.gonicus.de/ipa/json'
2019-07-17T12:22:36Z DEBUG New HTTP connection (ipaserver1.linuxtest.gonicus.de)
2019-07-17T12:22:36Z DEBUG [try 1]: Forwarding 'env' to json server 'https://ipaserver1.linuxtest.gonicus.de/ipa/json'
2019-07-17T12:22:36Z DEBUG HTTP connection keep-alive (ipaserver1.linuxtest.gonicus.de)
2019-07-17T12:22:36Z DEBUG Destroyed connection context.jsonclient_140677757574736
2019-07-17T12:22:36Z DEBUG Created connection context.ldap2_140677767577936
2019-07-17T12:22:36Z DEBUG flushing ldaps://ipaserver1.linuxtest.gonicus.de from SchemaCache
2019-07-17T12:22:36Z DEBUG retrieving schema for SchemaCache url=ldaps://ipaserver1.linuxtest.gonicus.de conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7ff217c82d10>
2019-07-17T12:22:36Z DEBUG raw: domainlevel_get(version='2.233')
2019-07-17T12:22:36Z DEBUG domainlevel_get(version='2.233')
2019-07-17T12:22:36Z DEBUG raw: hostgroup_find(None, cn='ipaservers', version='2.233', host=['ipaserver2.linuxtest.gonicus.de'])
2019-07-17T12:22:36Z DEBUG hostgroup_find(None, cn='ipaservers', all=False, raw=False, version='2.233', no_members=True, pkey_only=False, host=('ipaserver2.linuxtest.gonicus.de',))
2019-07-17T12:22:36Z WARNING Lookup failed: Preferred host ipaserver2.linuxtest.gonicus.de does not provide DNS.
2019-07-17T12:22:36Z DEBUG Check forward/reverse DNS resolution
2019-07-17T12:22:36Z DEBUG Search DNS server ipaserver1.linuxtest.gonicus.de (['192.168.122.101', '192.168.122.101', '192.168.122.101']) for ipaserver1.linuxtest.gonicus.de
2019-07-17T12:22:36Z DEBUG Check reverse address 192.168.122.101 (ipaserver1.linuxtest.gonicus.de)
2019-07-17T12:22:36Z DEBUG Address 192.168.122.101 resolves to: ipaserver1.linuxtest.gonicus.de..
2019-07-17T12:22:36Z DEBUG Search DNS server ipaserver1.linuxtest.gonicus.de (['192.168.122.101', '192.168.122.101', '192.168.122.101']) for ipaserver2.linuxtest.gonicus.de
2019-07-17T12:22:36Z ERROR Could not resolve hostname ipaserver2.linuxtest.gonicus.de using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
2019-07-17T12:22:41Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2019-07-17T12:22:41Z DEBUG raw: dns_is_enabled(version='2.233')
2019-07-17T12:22:41Z DEBUG dns_is_enabled(version='2.233')
2019-07-17T12:22:41Z DEBUG Name ipaserver2.linuxtest.gonicus.de resolved to {UnsafeIPAddress('192.168.122.102')}
2019-07-17T12:22:41Z DEBUG Searching for an interface of IP address: 192.168.122.102
2019-07-17T12:22:41Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2019-07-17T12:22:41Z DEBUG Testing local IP address: 192.168.122.102/255.255.255.0 (interface: ens3)
2019-07-17T12:22:41Z DEBUG IP address 192.168.122.102 belongs to a private range, using forward policy only
2019-07-17T12:22:41Z DEBUG Checking DNS server: 9.9.9.9
2019-07-17T12:22:41Z DEBUG will use DNS forwarders: [CheckedIPAddressLoopback('9.9.9.9')]
2019-07-17T12:22:41Z DEBUG Destroyed connection context.ldap2_140677767577936
2019-07-17T12:22:41Z DEBUG Starting external process
2019-07-17T12:22:41Z DEBUG args=['/usr/sbin/ipa-replica-conncheck', '--master', 'ipaserver1.linuxtest.gonicus.de', '--auto-master-check', '--realm', 'LINUXTEST.GONICUS.DE', '--hostname', 'ipaserver2.linuxtest.gonicus.de', '--ca-cert-file', '/etc/ipa/ca.crt']
2019-07-17T12:22:44Z DEBUG Process finished, return code=1
2019-07-17T12:22:44Z DEBUG stdout=
2019-07-17T12:22:44Z DEBUG stderr=Check connection from replica to remote master 'ipaserver1.linuxtest.gonicus.de':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
There is an entry for ipaserver1 in /etc/hosts and also in /etc/resolv.conf.
Dirk
On 17.07.19 at 13:58, Rob Crittenden via FreeIPA-users wrote:
> Dirk Streubel via FreeIPA-users wrote:
>> Hello,
>>
>> I've got a little problem with ipa-replica install
>>
>> After the following command: ipa-replica-install --setup-ca --setup-dns --forwarder=9.9.9.9 --skip-conncheck
> Why are you skipping the connection check? What fails when you do not
> pass that option?
>
> rob