On 08/05/2019 16:51, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
> On 08/05/2019 14:28, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>> hi guys,
>>>
>>> this must be something trivial and I must have gone blind, can you spot
>>> what I missed?
>>>
>>>
>>> $ ipa-replica-install --setup-dns --no-forwarders --ip-address=10.5.8.65
>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>> be disabled in favor of ntpd
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipapython.admintool: ERROR The host name rider.xxx does not match the
>>> primary host name rider-ring8.xxx. Please check /etc/hosts or DNS name
>>> resolution
>>>
>>> $ host -r 10.5.8.97
>>> 97.8.5.10.in-addr.arpa domain name pointer rider.xxx.
>>> 97.8.5.10.in-addr.arpa domain name pointer rider-ring8.xxx.
>>> $ host -r 10.5.8.49
>>> 49.8.5.10.in-addr.arpa domain name pointer whale.xxx.
>>> 49.8.5.10.in-addr.arpa domain name pointer whale-ring8.xxx.
>>> $ host rider-ring8..
>>> rider-ring8. has address 10.5.8.97
>>> $ host rider..
>>> rider. has address 10.5.8.97
>>>
>>> The primary hostname of the box replica-install complains about is rider.xxx.
>>> Why does IPA think it is rider-ring8.xxx?
>>>
>>> What can be wrong?
>> /etc/hosts perhaps, though it could also be that DNS is doing
>> round-robin on the reverse lookup so the results are inconsistent.
>>
>> You can try --no-host-dns to skip the lookup but it may portend future
>> problems.
>>
>> rob
> freaking hell... installation of the replica failed and now I have the "invalid
> 'PKINIT enabled server': all masters must have IPA master role enabled"
> problem.
>
> replica's failure:
>
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
> [1/10]: stopping directory server
> [2/10]: saving configuration
> [3/10]: disabling listeners
> [4/10]: enabling DS global lock
> [5/10]: disabling Schema Compat
> [6/10]: starting directory server
> [7/10]: upgrading server
> ipaserver.install.upgradeinstance: ERROR Upgrade failed with cannot
> connect to 'ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket':
> [error] RuntimeError: cannot connect to
> 'ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket':
> [cleanup]: stopping directory server
> [cleanup]: restoring configuration
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipapython.admintool: ERROR Update failed: cannot connect to
> 'ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket':
> ipapython.admintool: ERROR The ipa-replica-install command failed.
> See /var/log/ipareplica-install.log for more information
>
>
> I have that log if somebody wants to have a look. But how do I get
> out of that "PKINIT enabled server" error?
>
> many thanks, L.
See
https://pagure.io/freeipa/issue/7929
A workaround is included in the ticket.
rob
Workaround seemingly worked - I was able to remove the failed replica from
the topology.
Now trying to install that same replica again, but it fails in exactly the
same way as the first time:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
ipaserver.install.upgradeinstance: ERROR Upgrade failed with cannot
connect to 'ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket':
[error] RuntimeError: cannot connect to
'ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket':
[cleanup]: stopping directory server
[cleanup]: restoring configuration
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Could it be due to IPA's confusion over two A records pointing to the
same IP?
Now, before I try the "workaround" again, I see this from the two working
masters:
$ ipa topologysegment-del domain rider.private-to-swir.private
ipa: ERROR: Server is unwilling to perform: Removal of Segment
disconnects topology.Deletion not allowed.
Does the same workaround apply?
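A pre-flight check for the hostname/reverse-DNS mismatch discussed at the top of the thread, added here as an example and not FreeIPA's own code: the lookup tables are constructed from the `host` output quoted above (the `.xxx` names and 10.5.8.x addresses are the thread's redacted values), and `live_check` uses only the standard `socket` module.

```python
"""Added pre-install hostname/reverse-DNS consistency check.

Not FreeIPA's own code: it mimics the check ipa-replica-install runs (the
primary hostname must match what reverse DNS returns for the host's IP)
over constructed lookup tables, so the thread's failure mode, one IP with
two PTR records, is visible without a live resolver.
"""
import socket

# Constructed tables mirroring the 'host' output quoted in the thread.
FORWARD = {
    "rider.xxx": ["10.5.8.97"],
    "rider-ring8.xxx": ["10.5.8.97"],
    "whale.xxx": ["10.5.8.49"],
}
REVERSE = {
    "10.5.8.97": ["rider.xxx", "rider-ring8.xxx"],
    "10.5.8.49": ["whale.xxx", "whale-ring8.xxx"],
}


def check_hostname(hostname, forward=FORWARD, reverse=REVERSE):
    """Return a list of problems; an empty list means the host is consistent."""
    addrs = forward.get(hostname, [])
    if not addrs:
        return [f"{hostname} has no A record"]
    problems = []
    for ip in addrs:
        ptrs = reverse.get(ip, [])
        if not ptrs:
            problems.append(f"{ip} has no PTR record")
        elif hostname not in ptrs:
            problems.append(f"{ip} resolves to {ptrs}, not {hostname}")
        elif len(ptrs) > 1:
            # The thread's case: gethostbyaddr() hands the installer one
            # name, which can be any of these (and may vary between
            # queries under round-robin), so the hostname check fails.
            problems.append(f"{ip} has {len(ptrs)} PTR records {ptrs}; "
                            f"the installer may pick one that is not {hostname}")
    return problems


def live_check(hostname):
    """Same check against the real resolver (needs network; not exercised here)."""
    addrs = socket.gethostbyname_ex(hostname)[2]
    reverse = {}
    for ip in addrs:
        name, aliases, _ = socket.gethostbyaddr(ip)
        reverse[ip] = [name] + aliases
    return check_hostname(hostname, {hostname: addrs}, reverse)
```

Run `live_check(socket.getfqdn())` on the prospective replica before `ipa-replica-install`; a non-empty result points at the /etc/hosts or PTR entry to fix rather than reaching for `--no-host-dns`.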