Roberto Cornacchia via FreeIPA-users wrote:
> ipa-replica-conncheck fails with --auto-master-check (used by
> ipa-ca-install), but not without:
>
> [root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --auto-master-check --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
> Check connection from replica to remote master 'ipa01.hq.spinque.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> 389 tcp: Failed to bind
> 636 tcp: Failed to bind
> 88 tcp: Failed to bind
> 88 udp: Failed to bind
> 464 tcp: Failed to bind
> 464 udp: Failed to bind
> 80 tcp: Failed to bind
> 443 tcp: Failed to bind
> Get credentials to log in to remote master
> Check RPC connection to remote master
> trying https://ipa01.hq.spinque.com/ipa/session/json
> *Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with
> <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>*
> trying https://ipa02.hq.spinque.com/ipa/session/json
> [try 1]: Forwarding 'schema' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
> trying https://ipa01.hq.spinque.com/ipa/session/json
> Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with
> <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
> trying https://ipa02.hq.spinque.com/ipa/session/json
> [try 1]: Forwarding 'ping/1' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
> Execute check on remote master
> [try 1]: Forwarding 'server_conncheck' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
> *ERROR: Remote master check failed with following error message(s):
> invalid 'cn': must be "ipa02.hq.spinque.com"*
>
>
> Now, without --auto-master-check:
>
> On ipa02 (I suppose the many "Failed to bind" below are expected?):
> [root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com
> Check connection from replica to remote master 'ipa01.hq.spinque.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> 389 tcp: Failed to bind
> 636 tcp: Failed to bind
> 88 tcp: Failed to bind
> 88 udp: Failed to bind
> 464 tcp: Failed to bind
> 464 udp: Failed to bind
> 80 tcp: Failed to bind
> 443 tcp: Failed to bind
> Listeners are started. Use CTRL+C to terminate the listening part after
> the test.
>
> Please run the following command on remote master:
> /usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
> ^C
> Cleaning up...
>
> On ipa01:
> [root@ipa01 ~]# /usr/sbin/ipa-replica-conncheck --replica ipa02.hq.spinque.com
> Check connection from master to remote replica 'ipa02.hq.spinque.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): WARNING
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): WARNING
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Connection from master to replica is OK.
>
>
> On Thu, 23 Jul 2020 at 15:15, Roberto Cornacchia <[email protected]> wrote:
> > Hi,
> >
> > I have successfully created a replica from a 4.2.4 master (ipa01)
> > into a new 4.6.6 master (ipa02).
> >
> > I did it without --setup-ca option (because it had failed), so the
> > only CA is still on the 4.2.4 server (ipa01).
> >
> > When I try to set up the CA on ipa02 (the same replica file was used
> > with ipa-replica-install), this fails:
> >
> > $ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg
> > Directory Manager (existing master) password:
> >
> > Run connection check to master
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > Connection check failed!
> > See /var/log/ipareplica-conncheck.log for more information.
> > If the check results are not valid it can be skipped with
> > --skip-conncheck parameter.
> >
> > The log of conncheck (generated by ipa-ca-install) is in the attachment.
> > In there, I can see a couple of things going wrong:
> >
> > ProtocolError: <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
> > ...
> > 2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with
> > following error message(s):
> > invalid 'cn': must be "ipa02.hq.spinque.com"
> >
> > Not sure if relevant, but also ipa-replica-install, though it
> > completed successfully, gave this error:
> >
> > Upgrading IPA:. Estimated time: 1 minute 30 seconds
> >   [1/10]: stopping directory server
> >   [2/10]: saving configuration
> >   [3/10]: disabling listeners
> >   [4/10]: enabling DS global lock
> >   [5/10]: disabling Schema Compat
> >   [6/10]: starting directory server
> >   [7/10]: upgrading server
> > ipaserver.install.ldapupdate: ERROR Add failure attribute "cn" not allowed
> >   [8/10]: stopping directory server
> >   [9/10]: restoring configuration
> >   [10/10]: starting directory server
> >
> >
> > Could you please help me find the issue?
Look on ipa01.hq.spinque.com in /var/log/httpd/error_log for those internal errors.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
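The transcripts quoted in this thread mix three kinds of lines that are easy to confuse when skimming: the per-port probe results (OK / WARNING / SKIPPED), the "Failed to bind" lines from the listener phase, and the HTTP 500 and remote-check errors that actually made ipa-ca-install stop. The script below is an added example, not FreeIPA code and not anything posted in the thread; it parses a conncheck transcript into those three groups and ranks what needs attention. The SAMPLE transcript is constructed from the --auto-master-check run quoted above, the regular expressions are assumptions about the output format shown there, and "Failed to bind" is classified as informational because the tool's own message in the ipa01 run says this happens when the ports are already bound to an application.

```python
"""Structured reading of ipa-replica-conncheck output (added example, not FreeIPA code)."""
import re

# Patterns are assumptions derived from the transcript lines quoted in the thread.
PROBE_RE = re.compile(
    r"^(?P<svc>.+?): (?P<proto>TCP|UDP|Unsecure port|Secure port) "
    r"\((?P<port>\d+)\): (?P<status>OK|WARNING|SKIPPED|FAILED)$"
)
BIND_RE = re.compile(r"^(?P<port>\d+) (?P<proto>tcp|udp): Failed to bind$")
HTTP_ERR_RE = re.compile(r"ProtocolError for (?P<url>\S+?): (?P<code>\d{3})")
REMOTE_ERR = "ERROR: Remote master check failed"

# Constructed sample: the replica-side --auto-master-check run from the thread.
SAMPLE = """\
Check connection from replica to remote master 'ipa01.hq.spinque.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://ipa01.hq.spinque.com/ipa/session/json
*Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with
<ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>*
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'server_conncheck' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
*ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"*
"""


def parse_conncheck(text):
    """Return probes, bind failures, HTTP errors and the remote-check message."""
    out = {"probes": [], "bind_failures": [], "http_errors": [], "remote_error": None}
    # Mail clients wrap emphasised lines in '*'; drop those before matching.
    lines = [ln.strip().strip("*").strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = PROBE_RE.match(line)
        if m:
            out["probes"].append((m["svc"], m["proto"], int(m["port"]), m["status"]))
            continue
        m = BIND_RE.match(line)
        if m:
            out["bind_failures"].append((int(m["port"]), m["proto"]))
            continue
        m = HTTP_ERR_RE.search(line)
        if m:
            out["http_errors"].append((m["url"], int(m["code"])))
            continue
        if line.startswith(REMOTE_ERR):
            # The error text follows on the next non-blank lines.
            body = []
            for nxt in lines[i + 1:]:
                if not nxt:
                    break
                body.append(nxt)
            out["remote_error"] = " ".join(body)
    return out


def triage(parsed):
    """Map parsed output to (severity, message) pairs, most serious first."""
    findings = []
    for svc, proto, port, status in parsed["probes"]:
        if status == "FAILED":
            findings.append(("error", f"{svc} {proto} {port}: unreachable"))
        elif status == "WARNING":
            findings.append(("warn", f"{svc} {proto} {port}: not verified (UDP responder could not attach)"))
    for url, code in parsed["http_errors"]:
        if code >= 500:
            # A 5xx from the master's JSON endpoint is a server-side fault: look at its httpd error_log.
            host = url.split("/", 1)[0]
            findings.append(("error", f"{host} answered {code} on {url}: check /var/log/httpd/error_log on {host}"))
    if parsed["remote_error"]:
        findings.append(("error", f"remote master check: {parsed['remote_error']}"))
    if parsed["bind_failures"]:
        ports = sorted({p for p, _ in parsed["bind_failures"]})
        findings.append(("info", f"listener could not bind {ports}: ports already held by a local application"))
    order = {"error": 0, "warn": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, msg in triage(parse_conncheck(SAMPLE)):
        print(f"[{severity}] {msg}")
```

Run it against a saved /var/log/ipareplica-conncheck.log by reading the file into parse_conncheck instead of SAMPLE; the "info" finding separates the expected bind noise from the two errors that need fixing on the master.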
