[email protected] wrote:
>
> I am running the latest patched CentOS 7.2, with FreeIPA 4.2.0, and I
> the Master node in the Data Center, then I created 3 replicas, one in
> the DC for High Availability, and then 2 replicas in the AWS Cloud. I'm
> having major issues with the replicas in the AWS Cloud. I am trying to
> have it so it auto-discovers the servers automatically so the failover
> is dynamic. I created the replicas as well to have a Certificate
> Authority. When I attempt to join a virtual machine in AWS to the domain
> it fails half way through the process. I have attached a full debug of my
> ipa-client-install, hoping someone can assist me. I know prior to
> joining the 2 replicas in AWS I had absolutely no issues with joining
> servers in the DC to IDM. I built all my replicas from the Master
> server (rspsna-ipa01), so rspsna-ipa02, ipa01-ore, ipa02-ore were built
> from rspsna-ipa01.
>
> The main part that seems to fail during the (client) join is:

The important bits are needed. This part of the log is just trying to clean things up (so failures are expected and ok). We'd really need to see a full ipaclient-install.log.

> When I look at the slapd error log on one of the replicas I see this:
>
> [02/Mar/2016:23:40:09 +0000] - Listening on All Interfaces port 636 for
> LDAPS requests
> [02/Mar/2016:23:40:09 +0000] - Listening on
> /var/run/slapd-MYINC-LOCAL.socket for LDAPI requests
> [02/Mar/2016:23:40:09 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [02/Mar/2016:23:40:09 +0000] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin -
> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials available))
> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
> agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389):
> Replication bind with GSSAPI auth resumed
> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
> Replication bind with GSSAPI auth resumed

Up to here is ok and expected; this is just 389-ds realizing it doesn't have Kerberos credentials yet and obtaining them.

> [03/Mar/2016:00:07:00 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is
> not connected)

For these I'd run:

$ ipa-replica-manage list -v `hostname`

to see the status of the agreements. It seems that one is unable to connect.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
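The distinction Rob draws above, between the expected start-up bind failures ("No Kerberos credentials available" followed a few seconds later by "auth resumed") and an agreement that is still failing with a transport error, can be checked mechanically against the slapd errors log. The following is an added example (not code from the thread, from Rob, or from FreeIPA/389-ds) that parses the NSMMReplicationPlugin lines, tracks the last bind outcome per replication agreement, and reports which agreements recovered and which did not. The agreement names and hostnames come from the log quoted in the thread; the final "failed ... Can't contact LDAP server" line attributed to the ipa02-ore agreement is constructed, since the quoted log shows only the SASL-layer message for that event.

```python
"""Triage 389-ds replication GSSAPI bind errors from the slapd errors log.

Added example, not code from the mailing-list thread or from FreeIPA/389-ds.
It separates the expected start-up noise (bind fails with "No Kerberos
credentials available", then the agreement logs "auth resumed") from
agreements whose most recent bind attempt still failed, which is what
`ipa-replica-manage list -v` would then confirm from the IPA side.
"""
import re
from datetime import datetime

# 389-ds errors-log prefix, e.g. "[02/Mar/2016:23:40:09 +0000] message..."
TS_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (?P<msg>.*)$"
)
# Replication-plugin lines name the agreement and its peer host:port.
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r"Replication bind with GSSAPI auth (?P<event>failed|resumed)(?::\s*(?P<detail>.*))?$"
)

# Constructed sample log. The first five lines are taken from the log quoted in
# the thread; the last line is constructed so the transport error is attributed
# to an agreement (the quoted log only showed the SASL-layer message for it).
SAMPLE_LOG = """\
[02/Mar/2016:23:40:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[02/Mar/2016:23:40:09 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth resumed
[02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth resumed
[03/Mar/2016:00:07:00 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
"""


def categorize(detail):
    """Map the LDAP/SASL error text to the coarse cause an operator checks first."""
    if "No Kerberos credentials available" in detail:
        return "no-credentials"  # normal right after start-up, until 389-ds obtains a ticket
    if "Can't contact LDAP server" in detail or "Transport endpoint is not connected" in detail:
        return "transport"       # peer unreachable: network path, firewall, or peer down
    return "other"


def parse_line(line):
    """Return a replication bind event dict, or None for lines that are not one."""
    m = TS_RE.match(line)
    if not m:
        return None
    a = AGMT_RE.search(m.group("msg"))
    if not a:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "agmt": a.group("agmt"),
        "peer": a.group("peer"),
        "event": a.group("event"),
        "detail": a.group("detail") or "",
    }


def analyze(log_text):
    """Track the latest bind outcome per agreement, counting failed->resumed recoveries."""
    report = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        st = report.setdefault(ev["agmt"], {
            "peer": ev["peer"], "status": "unknown", "category": None,
            "transient_failures": 0, "last_ts": None,
        })
        st["last_ts"] = ev["ts"]
        if ev["event"] == "failed":
            st["status"] = "failed"
            st["category"] = categorize(ev["detail"])
        else:
            if st["status"] == "failed":
                st["transient_failures"] += 1  # a failure that 389-ds recovered from
            st["status"] = "ok"
            st["category"] = None
    return report


def summarize(report):
    """One human-readable line per agreement."""
    lines = []
    for agmt, st in sorted(report.items()):
        if st["status"] == "ok":
            lines.append(f"{agmt} -> {st['peer']}: OK "
                         f"(recovered from {st['transient_failures']} start-up bind failure(s))")
        else:
            lines.append(f"{agmt} -> {st['peer']}: STILL FAILING [{st['category']}] "
                         f"since {st['last_ts'].isoformat()}")
    return lines


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a real `/var/log/dirsrv/slapd-<INSTANCE>/errors` file, the "STILL FAILING [transport]" agreements are the ones to follow up with `ipa-replica-manage list -v` and a connectivity check to the peer on 389/636; a "no-credentials" failure that is followed by "resumed" is the benign start-up sequence Rob describes.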
