hi All, I'm trying to replicate the CA server:
$ ipa-replica-install -p XXXXXXX --setup-ca -d --mkhomedir replica-info-ipa11.bpo.cxn.gpg

Without --setup-ca it works correctly. The output of the above command:

[...]
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-enabled dirsrv.target
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=disabled
ipa : DEBUG stderr=
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl disable dirsrv.target
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG duration: 0 seconds
ipa : DEBUG Done configuring directory server (dirsrv).
Done configuring directory server (dirsrv).
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
ipa : DEBUG [1/19]: creating certificate server user
[1/19]: creating certificate server user
ipa : DEBUG ca user pkiuser exists
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [2/19]: configuring certificate server instance
[2/19]: configuring certificate server instance
ipa : DEBUG Contents of pkispawn configuration file (/tmp/tmpoRxk1S):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-XPC2YR
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=CXN
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=CXN
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=CXN
pki_ssl_server_subject_dn = cn=ipa11.bpo.cxn,O=CXN
pki_audit_signing_subject_dn = cn=CA Audit,O=CXN
pki_ca_signing_subject_dn = cn=Certificate Authority,O=CXN
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_security_domain_hostname = ipa12.bpo.cxn
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ipa12.bpo.cxn:443
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpoRxk1S

And it's waiting here forever, not even a timeout.

strace output of pkispawn shows that it's trying to get data from the local ldap service:

open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=281, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f46307e2000
read(4, "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4\n::1 localhost localhost.localdomain localhost6 localhost6.localdomain6\n\n10.0.0.73\tipa12.bpo.cxn ipa12\n10.128.0.5\tipa31.bph.cxn ipa31\n10.128.0.6\tipa32.bph.cxn ipa32\n10.0.0.12\tipa11.bpo.cxn ipa11\n", 4096) = 281
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7f46307e2000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.0.0.12")}, 16) = 0
write(4, "0%\2\1\1c \4\0\n\1\0\n\1\0\2\1\0\2\1\0\1\1\0\207\vobjectClass0\0", 39) = 39
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 4294967295

If I run ldapsearch -x -h ipa11, then indeed, I can see the same behaviour.

strace output of ns-slapd:

[pid 2028] accept(6, {sa_family=AF_INET6, sin6_port=htons(59587), inet_pton(AF_INET6, "::ffff:10.0.0.12", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 24
[pid 2028] fcntl(24, F_GETFL) = 0x2 (flags O_RDWR)
[pid 2028] fcntl(24, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 2028] fcntl(24, F_DUPFD, 64) = 109
[pid 2028] close(24) = 0
[pid 2028] setsockopt(109, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
[pid 2028] setsockopt(109, SOL_TCP, TCP_NODELAY, [0], 4) = 0
[pid 2028] getsockname(109, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::ffff:10.0.0.12", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
[pid 2028] poll([{fd=28, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=109, events=POLLIN}, {fd=64, events=POLLIN}, {fd=66, events=POLLIN}, {fd=65, events=POLLIN}], 8, 250) = 1 ([{fd=109, revents=POLLIN}])
[pid 2028] poll([{fd=28, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=64, events=POLLIN}, {fd=66, events=POLLIN}, {fd=65, events=POLLIN}], 7, 250 <unfinished ...>
[pid 2030] <... select resumed> ) = 0 (Timeout)

(Yes, it is ip6.)

Both servers are KVMs, the source is F19, destination is F20. What am I missing?

Thanks,
tamas

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
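Added example, not from the post or from FreeIPA/Dogtag: it decodes the 39-byte LDAP message that the pkispawn strace shows being written to 10.0.0.12:389 (it is the RootDSE search that ldapsearch also sends first, which is why both hang the same way), and wraps the same request in a probe with a finite socket timeout in place of the infinite poll() timeout seen in the trace. The probe's host name and timeout value are assumptions.

```python
"""Decode the LDAP SearchRequest captured in the strace and probe an LDAP server
with a bounded timeout (added example; request bytes copied from the trace)."""
import socket

# The 39 bytes from write(4, "0%\2\1\1c ...", 39) in the pkispawn strace above.
CAPTURED_REQUEST = (b"0%\x02\x01\x01c \x04\x00\n\x01\x00\n\x01\x00\x02\x01\x00"
                    b"\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00")

SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}


def _tlv(buf, pos):
    """Read one BER TLV (short-form lengths suffice here). Returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form BER length not handled in this example"
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_search_request(msg):
    """Decode an LDAPMessage whose protocolOp is a SearchRequest (RFC 4511 s.4.5.1)."""
    tag, body, end = _tlv(msg, 0)
    assert tag == 0x30 and end == len(msg), "not a single LDAPMessage SEQUENCE"
    tag, mid, pos = _tlv(body, 0)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, req, _ = _tlv(body, pos)
    assert tag == 0x63, "protocolOp is not SearchRequest ([APPLICATION 3])"
    fields, pos = [], 0          # baseObject, scope, derefAliases, sizeLimit,
    while pos < len(req):        # timeLimit, typesOnly, filter, attributes
        tag, val, pos = _tlv(req, pos)
        fields.append((tag, val))
    base, scope, _deref, _size, _time, _types, filt, attrs = fields
    # Tag 0x87 is the [CONTEXT 7] "present" filter: (attr=*).
    filter_text = f"({filt[1].decode()}=*)" if filt[0] == 0x87 else f"<tag 0x{filt[0]:02x}>"
    return {
        "message_id": int.from_bytes(mid, "big"),
        "base": base[1].decode(),
        "scope": SCOPES.get(scope[1][0], scope[1][0]),
        "filter": filter_text,
        "attributes": "all" if len(attrs[1]) == 0 else attrs[1],
    }


def probe_ldap(host, port=389, timeout=5.0, request=CAPTURED_REQUEST):
    """Send the same RootDSE search but give up after `timeout` seconds.
    Returns the first response bytes, or None if the server accepted the TCP
    connection and then never answered (the symptom in the post)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(request)
        try:
            return sock.recv(4096) or None
        except socket.timeout:
            return None
```

For the captured bytes, decode_search_request reports message ID 1, base "", scope baseObject, filter (objectClass=*) and all attributes, i.e. the standard RootDSE read.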
