On Wed, 28 May 2025, Gato Sombrero via FreeIPA-users wrote:
> I am attempting to create an IPA replica.
> I have been stuck at this for about 3-4 months.
Can you start by explaining your environment? What distribution do you
use, what package versions are for 389-ds-base and ipa-server
(freeipa-server on Fedora), etc. What are your firewall settings?
> This is what I am at:
> args=['/bin/systemctl', 'restart', '[email protected]']
> Process finished, return code=0
> stdout=
> stderr=
> Restart of [email protected] complete
> Created connection context.ldap2_xxxxxxxxxxxxxxxx
> Fetching nsDS5ReplicaId from master [attempt 1/5]
> retrieving schema for SchemaCache url=ldap://primary.example.internal:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0xXXXXXXXXXXXX>
> Successfully updated nsDS5ReplicaId.
> Add or update replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config
> Added replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config
> update_entry modlist [(2, 'nsslapd-changelogmaxage', [b'30d'])]
> update_entry modlist [(0, 'nsDS5ReplicaBindDN', [b'cn=ldap/[email protected],cn=config'])]
> Fetching nsDS5ReplicaId from master [attempt 1/5]
> Successfully updated nsDS5ReplicaId.
> Add or update replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config
> Added replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config
> update_entry modlist [(2, 'nsslapd-changelogmaxage', [b'30d'])]
> Waiting up to 300 seconds for replication (ldap://primary.example.internal:389) cn=meTosecondary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config (objectclass=*)
> Entry found
> [LDAPEntry(ipapython.dn.DN('cn=meTosecondary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config'), {... 'description': [b'me to secondary.example.internal'], ... 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], ... 'nsDS5ReplicaLastUpdateStatusJSON': [b'{"state": "green", ... "message": "Error (0) No replication sessions started since server startup"}'], ...})]
> Waiting up to 300 seconds for replication (ldapi://%2Frun%2Fslapd-REALM.socket) cn=meToprimary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config (objectclass=*)
> Entry found
> [LDAPEntry(ipapython.dn.DN('cn=meToprimary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config'), {... 'description': [b'me to primary.example.internal'], ... 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], ... 'nsDS5ReplicaLastUpdateStatusJSON': [b'{"state": "green", ... "message": "Error (0) No replication sessions started since server startup"}'], ...})]
> Starting replication, please wait until this has completed.
> Update in progress, 15 seconds elapsed
> [ldap://primary.example.internal:389] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials - no response received]
This sounds like the replica-to-be has issues being accessed by the
primary server over port 389. Firewall setup issues?
'no response received' is a catch-all NSDS50_REPL_REPLICA_NO_RESPONSE
error during replication. A primary server would attempt to authenticate
with SASL GSSAPI to the replica using its ldap/primary.example.internal
service principal. It would be visible in the access log of the replica
being created in /var/log/dirsrv/slapd-.../.
> I obviously scrubbed my information and replaced it with placeholders.
> The main issue that I am getting is:
> Update failed! Status: [Error (49) - LDAP error: Invalid credentials - no response received]
> This is what I am doing:
> ##### STEP1: Create the FreeIPA Master #####
> sudo ipa-server-install --setup-dns --no-forwarders --auto-reverse --hostname=$(hostname -f) --domain=$(hostname -d) --realm=$(hostname -d | awk '{print toupper($0)}') --netbios-name=$(hostname -d | awk -F. '{out=""; for(i=NF-1;i>=1;i--) out=out (out?"-":"") toupper($i); print substr(out,1,15)}')
> ##### STEP2: Add Service Account #####
> ipa user-add svc --first=svc --last=svc --cn=svc --displayname='' --initials='' --gecos=''
> ipa hbacrule-add allow_svc --desc="Allow the service account to access any host from any host" && ipa hbacrule-mod allow_svc --hostcat=all --servicecat=all && ipa hbacrule-add-user allow_svc --users=svc && ipa hbacrule-enable allow_svc
> ##### STEP3: Enroll Client #####
> eval $(sudo cat /root/.ipa_enroll_admin | tr -d '\r' | grep -v '^#') && sudo ipa-client-install --principal=${IPA_PRINCIPAL} --password=${IPA_SECRET} --enable-dns-updates --mkhomedir --all-ip-addresses --force-join --unattended && unset IPA_PRINCIPAL && unset IPA_SECRET
> ##### STEP4: Add Client to Group "ipaservers" #####
> ipa hostgroup-add-member ipaservers --hosts="$host"; done
> ##### STEP5: Promote Replica #####
> sudo ipa-replica-install --setup-dns --setup-ca --no-forwarders --verbose --unattended
> These are the steps DIRECTLY from the documentation on RedHat's website as well
> as the FreeIPA website. I have not deviated from them. I have not done anything
> different or special.
> I am using the commands above in order to simplify as much as I can since I
> have been installing and configuring these over and over and over again from
> scratch and after a certain point, I am tired of entering in all the
> information.
> If anyone has any advice or assistance. I have dug deep inside the docs and
> found nothing. I have searched my exact problem on Google and have gotten
> exactly 2 pages of results and half of them are useless and the other half are
> at least somewhat relevant but not what I am dealing with.
> Any advice or assistance would be greatly appreciated.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
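Added example (editor's code, not from the thread or the FreeIPA project): a small reader for the replica's 389-ds access log that pairs each SASL/GSSAPI BIND from the primary with its RESULT, so the "Invalid credentials" (err=49) that the reply points at can be located per connection. The log lines below are constructed in the format 389-ds writes; peer addresses and the bound DN are placeholders.

```python
import re

# 389-ds access-log patterns (connection open, SASL BIND request, operation RESULT).
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="[^"]*" method=sasl version=\d+ mech=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)(?:.*\bdn="([^"]*)")?')
ERR_NAMES = {0: "success", 14: "SASL bind in progress", 49: "invalid credentials"}

# Constructed sample (not a real capture): one GSSAPI bind that completes and one
# that fails with err=49. Peer addresses and DNs are placeholders.
SAMPLE_ACCESS_LOG = """\
[28/May/2025:12:00:01.000000000 +0000] conn=17 fd=71 slot=71 connection from 192.0.2.10 to 192.0.2.20
[28/May/2025:12:00:01.001000000 +0000] conn=17 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[28/May/2025:12:00:01.002000000 +0000] conn=17 op=0 RESULT err=14 tag=97 nentries=0 etime=0.001 , SASL bind in progress
[28/May/2025:12:00:01.003000000 +0000] conn=17 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[28/May/2025:12:00:01.004000000 +0000] conn=17 op=1 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="krbprincipalname=ldap/primary.example.internal@EXAMPLE.INTERNAL,cn=services,cn=accounts,dc=example,dc=internal"
[28/May/2025:12:00:05.000000000 +0000] conn=18 fd=72 slot=72 connection from 192.0.2.10 to 192.0.2.20
[28/May/2025:12:00:05.001000000 +0000] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[28/May/2025:12:00:05.002000000 +0000] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
"""

def summarize_sasl_binds(log_text, mech="GSSAPI"):
    """One record per finished SASL bind of the given mechanism: conn id, peer, err, bound DN."""
    peers = {}      # conn id -> client address
    pending = {}    # (conn, op) -> BIND awaiting its RESULT
    records = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            peers[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m and m.group(3) == mech:
            pending[(m.group(1), m.group(2))] = True
            continue
        m = RESULT_RE.search(line)
        if m and pending.pop((m.group(1), m.group(2)), False):
            err = int(m.group(3))
            if err == 14:   # intermediate step of the GSSAPI exchange; the final RESULT follows on a later op
                continue
            records.append({"conn": m.group(1), "peer": peers.get(m.group(1), "?"), "err": err,
                            "status": ERR_NAMES.get(err, "ldap error"), "bound_dn": m.group(4) or ""})
    return records

if __name__ == "__main__":
    for r in summarize_sasl_binds(SAMPLE_ACCESS_LOG):
        print(f"conn={r['conn']} from {r['peer']}: err={r['err']} ({r['status']}) dn={r['bound_dn']!r}")
```

Run it against /var/log/dirsrv/slapd-<instance>/access on the replica (path pattern assumed from the reply above) instead of the sample to see which binds from the primary's address never reach err=0.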