ipa-replica-conncheck fails with --auto-master-check (used by ipa-ca-install), but not without:
[root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --auto-master-check --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
Check connection from replica to remote master 'ipa01.hq.spinque.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
   389 tcp: Failed to bind
   636 tcp: Failed to bind
   88 tcp: Failed to bind
   88 udp: Failed to bind
   464 tcp: Failed to bind
   464 udp: Failed to bind
   80 tcp: Failed to bind
   443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://ipa01.hq.spinque.com/ipa/session/json
Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'schema' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
trying https://ipa01.hq.spinque.com/ipa/session/json
Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'ping/1' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"

Now, without --auto-master-check:

On ipa02 (I suppose the many "Failed to bind" below are expected?):

[root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
Check connection from replica to remote master 'ipa01.hq.spinque.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
   389 tcp: Failed to bind
   636 tcp: Failed to bind
   88 tcp: Failed to bind
   88 udp: Failed to bind
   464 tcp: Failed to bind
   464 udp: Failed to bind
   80 tcp: Failed to bind
   443 tcp: Failed to bind
Listeners are started. Use CTRL+C to terminate the listening part after the test.

Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
^C
Cleaning up...

On ipa01:

[root@ipa01 ~]# /usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
Check connection from master to remote replica 'ipa02.hq.spinque.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.
On Thu, 23 Jul 2020 at 15:15, Roberto Cornacchia <[email protected]> wrote:
> Hi,
>
> I have successfully created a replica from a 4.2.4 master (ipa01) into a
> new 4.6.6 master (ipa02).
>
> I did it without --setup-ca option (because it had failed), so the only CA
> is still on the 4.2.4 server (ipa01).
>
> When I try to setup the CA on ipa02 (the same replica file was used with
> ipa-replica-install), this fails:
>
> $ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Connection check failed!
> See /var/log/ipareplica-conncheck.log for more information.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
>
> The log of conncheck (generated by ipa-ca-install) is in attachment. In
> there, I can see a couple of things going wrong:
>
> ProtocolError: <ProtocolError for ipa01.hq.spinque.com/ipa/session/json:
> 500 Internal Server Error>
> ...
> 2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with
> following error message(s):
> invalid 'cn': must be "ipa02.hq.spinque.com"
>
> Not sure if relevant, but also ipa-replica-install, though it completed
> successfully, gave this error:
>
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: disabling Schema Compat
>   [6/10]: starting directory server
>   [7/10]: upgrading server
> ipaserver.install.ldapupdate: ERROR Add failure attribute "cn" not
> allowed
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
>
>
> Could you please help me find the issue?
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
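An added example, not from the thread or from FreeIPA itself: a small parser that reads an ipa-replica-conncheck transcript in the format shown above and separates the findings that need follow-up (unverified ports, the 500 from the JSON endpoint, the remote master's 'cn' error) from the local "Failed to bind" lines, which an already-installed replica produces because its own daemons hold those ports. The sample transcript and the example.test hostnames are constructed placeholders.

```python
import re

# Constructed sample in the ipa-replica-conncheck output format quoted in the thread;
# hostnames are placeholders, not the poster's servers.
SAMPLE_OUTPUT = """\
Check connection from replica to remote master 'master.example.test':
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): WARNING
Start listening on required ports for remote master check
   389 tcp: Failed to bind
   88 udp: Failed to bind
Connection to https://master.example.test/ipa/session/json failed with <ProtocolError for master.example.test/ipa/session/json: 500 Internal Server Error>
ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "replica.example.test"
"""

PORT_CHECK = re.compile(r"^\s*([^:]+): (.+?) \((\d+)\): (OK|WARNING|SKIPPED|FAILED)$")
BIND_FAIL = re.compile(r"^\s*(\d+) (tcp|udp): Failed to bind$")
RPC_FAIL = re.compile(r"^Connection to (\S+) failed with <(.*)>$")
REMOTE_ERR = "ERROR: Remote master check failed with following error message(s):"


def parse_conncheck(text):
    """Split a transcript into port results, bind failures, RPC failures and remote error."""
    out = {"port_checks": [], "bind_failures": [], "rpc_errors": [], "remote_error": None}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if m := PORT_CHECK.match(line):
            service, kind, port, status = m.groups()
            proto = kind.lower() if kind.lower() in ("tcp", "udp") else "tcp"  # DS/HTTP checks are TCP
            out["port_checks"].append((service, int(port), proto, status))
        elif m := BIND_FAIL.match(line):
            out["bind_failures"].append((int(m[1]), m[2]))
        elif m := RPC_FAIL.match(line):
            out["rpc_errors"].append((m[1], m[2]))
        elif line == REMOTE_ERR:
            # Everything after the ERROR header is the message text returned by the master.
            out["remote_error"] = "\n".join(s.strip() for s in lines[i + 1:] if s.strip()) or None
            break
    return out


def problems(parsed):
    """Findings that need follow-up. Local 'Failed to bind' lines are skipped on purpose:
    an already-installed replica's own daemons hold those ports, so they are expected."""
    found = [f"{svc} {proto}/{port} not verified ({status})"
             for svc, port, proto, status in parsed["port_checks"] if status != "OK"]
    found += [f"RPC to {url} failed: {err}" for url, err in parsed["rpc_errors"]]
    if parsed["remote_error"]:
        found.append(f"remote master check failed: {parsed['remote_error']}")
    return found
```

Feeding the log that ipa-ca-install writes to /var/log/ipareplica-conncheck.log into parse_conncheck() gives the same split, since that file carries the same lines with a timestamp prefix stripped by the regexes' leading whitespace match only when the prefix is absent, so strip the timestamp column first.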
