On 13.2.2014 01:13, Todd Maugh wrote:
Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS
instance, so I built in 6.5
and was able to get past it, but now I'm failing with this:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-install.log for details:
ObjectclassViolation: missing attribute "idnsSOAserial" required by object class "idnsZone"
I tried attaching the log file, but unfortunately it's 30 MB; trying to compress it.
That is interesting. Which version of the ipa-server package are you trying to
install? Is it RHEL or CentOS 6.5?
My guess is that you have DNS installed on one IPA server and now you are
installing another replica without DNS (without the --setup-dns option), right?
Maybe you are hitting
https://bugzilla.redhat.com/show_bug.cgi?id=894131
but it was fixed in ipa-3.0.0-22.el6.
Petr^2 Spacek
________________________________________
From: [email protected] [[email protected]] on
behalf of Rob Crittenden [[email protected]]
Sent: Wednesday, February 12, 2014 10:36 AM
To: [email protected]; [email protected]
Subject: Re: [Freeipa-users] trouble creating a replica in the cloud
Dmitri Pal wrote:
On 02/11/2014 05:02 PM, Todd Maugh wrote:
Hey Guys,
So I have my master and replica up in my datacenter.
I have a client, I have a winsync agreement, I have a password sync.
It's working lovely.
So now I have spun up an AWS instance of Red Hat 6.5 (same as my
master and first replica).
I run the ipa replica and it fails
ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
[email protected] password:
Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
Connection from master to replica is OK.
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
returned non-zero exit status 1
[3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the
installation log for details.
Done configuring directory server for the CA (pkids).
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server
I checked the log file and this is what I get:
2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory
server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
'. Error: Unknown error 256
Could not start the directory server using command
'/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the
error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
'. Error: Unknown error 256
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
server instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'
Please help
Bind failed. This usually happens when the system has an identity crisis
and tries to bind to an interface that is not there.
Access Denied is a bit unexpected though it may have to do with the AWS
network config. Any SELinux errors or anything in /var/log/messages?
Running IPA in AWS is a bit strange because of the dynamic nature of
AWS. Have you seen
http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
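The two failures in this thread (the PR_Bind() "Access Denied" on port 7389 from setup-ds.pl, and the later ObjectclassViolation on idnsZone) are both buried in a very large ipareplica-install.log. The following is an added triage helper, not FreeIPA or 389-ds code: it pulls those two error shapes out of the log text and maps the NSPR error code to its documented constant, so the admin knows which check Rob asked for (SELinux denials, interface mismatch) applies. The mapping of -5966 to PR_NO_ACCESS_RIGHTS_ERROR (NSPR's translation of EACCES from bind(2)) is from NSPR's prerror.h; the hint strings and the sample log text are this example's own constructions, modelled on the lines quoted above.

```python
"""Triage helper for the ipa-replica-install / setup-ds.pl errors quoted in the thread.

Added example, not FreeIPA or 389-ds code. Parses the log text for bind
failures and schema violations and suggests a first check for each.
"""
import re
from collections import OrderedDict

# Constructed sample log text, modelled on the messages quoted in the thread
# (the original wraps these lines; here each record is on one line).
SAMPLE_LOG = """\
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory server instance 'PKI-IPA'.
ObjectclassViolation: missing attribute "idnsSOAserial" required by object class "idnsZone"
"""

# Shape of the 389-ds listener error as it appears in the error log.
BIND_RE = re.compile(
    r"PR_Bind\(\) on (?P<iface>.+?) port (?P<port>\d+) failed: "
    r"Netscape Portable Runtime error (?P<code>-\d+) \((?P<msg>[^)]*)\)"
)
# Shape of the python-ldap schema violation raised by ipa-replica-install.
OCV_RE = re.compile(
    r'ObjectclassViolation: missing attribute "(?P<attr>[^"]+)" '
    r'required by object class "(?P<oc>[^"]+)"'
)

# NSPR error constants PR_Bind() can return (values from NSPR prerror.h);
# the hint text is this example's suggested first check, not NSPR's.
NSPR_BIND_ERRORS = {
    -5966: ("PR_NO_ACCESS_RIGHTS_ERROR",
            "bind(2) returned EACCES; on an unprivileged port (>1023) this points "
            "at a mandatory access control denial: check 'ausearch -m avc -c ns-slapd' "
            "and that the port carries the ldap_port_t label ('semanage port -l')"),
    -5982: ("PR_ADDRESS_IN_USE_ERROR",
            "another process already listens on the port: check 'ss -ltnp'"),
    -5986: ("PR_ADDRESS_NOT_AVAILABLE_ERROR",
            "the configured address is on no local interface (the 'identity crisis' "
            "case): compare the host's addresses with the listen address in dse.ldif"),
}


def parse_bind_failures(text):
    """Return unique (interface, port, code, message) tuples in log order.

    setup-ds.pl repeats the same line several times; deduplicating keeps
    the triage output readable.
    """
    seen = OrderedDict()
    for m in BIND_RE.finditer(text):
        key = (m.group("iface"), int(m.group("port")),
               int(m.group("code")), m.group("msg"))
        seen[key] = None
    return list(seen)


def parse_objectclass_violations(text):
    """Return (missing attribute, object class) pairs found in the log."""
    return [(m.group("attr"), m.group("oc")) for m in OCV_RE.finditer(text)]


def triage(text):
    """Turn raw log text into a list of findings, each with a first check."""
    findings = []
    for iface, port, code, msg in parse_bind_failures(text):
        name, hint = NSPR_BIND_ERRORS.get(
            code, ("unknown NSPR error", "look the code up in NSPR's prerror.h"))
        findings.append({
            "kind": "bind_failure", "interface": iface, "port": port,
            "nspr_code": code, "nspr_name": name, "message": msg, "hint": hint,
        })
    for attr, oc in parse_objectclass_violations(text):
        findings.append({
            "kind": "schema_violation", "attribute": attr, "objectclass": oc,
            # Hypothetical first check, following the thread's own suggestion
            # that the master and replica may differ in DNS setup or package version.
            "hint": ("an entry of class %s reached the replica without the required "
                     "%s attribute: compare 'rpm -q ipa-server' on master and replica "
                     "and review the zone entries on the master with 'ipa dnszone-find --all'"
                     % (oc, attr)),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], finding)
```

Running the module against a real log is just `triage(open("/var/log/ipareplica-install.log").read())`; a 30 MB file is fine for the regex scan since only the two error shapes are matched.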