On 04/07/2016 06:12 AM, John Williams wrote:
> I've set up an initial FreeIPA instance on a CentOS 7 host. The install went
> without a hitch. I can log in to the GUI with no problems. However, I am not
> able to install the replica on another CentOS 7 host. I get the following
> errors:
>
> [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck

It was run with '--skip-conncheck'. Is there a reason? If you remove it, what does it complain about? In general, using --skip-conncheck should be avoided because it may hide errors.

You could also check the master server's /var/log/dirsrv/slapd-your-instance/access and errors logs to see if some connection attempt from the replica is visible. And maybe /var/log/ipareplica-install.log contains more info.

> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Directory Manager (existing master) password:
>
> Existing BIND configuration detected, overwrite? [no]: yes
> Using reverse zone(s) 1.168.192.in-addr.arpa.
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/38]: creating directory server user
>   [2/38]: creating directory server instance
>   [3/38]: adding default schema
>   [4/38]: enabling memberof plugin
>   [5/38]: enabling winsync plugin
>   [6/38]: configuring replication version plugin
>   [7/38]: enabling IPA enrollment plugin
>   [8/38]: enabling ldapi
>   [9/38]: configuring uniqueness plugin
>   [10/38]: configuring uuid plugin
>   [11/38]: configuring modrdn plugin
>   [12/38]: configuring DNS plugin
>   [13/38]: enabling entryUSN plugin
>   [14/38]: configuring lockout plugin
>   [15/38]: creating indices
>   [16/38]: enabling referential integrity plugin
>   [17/38]: configuring ssl for ds instance
>   [18/38]: configuring certmap.conf
>   [19/38]: configure autobind for root
>   [20/38]: configure new location for managed entries
>   [21/38]: configure dirsrv ccache
>   [22/38]: enable SASL mapping fallback
>   [23/38]: restarting directory server
>   [24/38]: setting up initial replication
> Starting replication, please wait until this has completed.
>
> [ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]
>
>   [error] RuntimeError: Failed to start replication
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication
>
>
> The error message is misleading. The two hosts sit on the same subnet. All
> firewalls are off. Selinux is disabled. Here is an nmap port scan from the
> replica to the master:
>
>
> [root@ipa2 ~]# nmap ipa1
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
> Nmap scan report for ipa1 (192.168.1.38)
> Host is up (0.000086s latency).
> rDNS record for 192.168.1.38: ipa1.nrln.us
> Not shown: 990 closed ports
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 80/tcp   open  http
> 88/tcp   open  kerberos-sec
> 389/tcp  open  ldap
> 443/tcp  open  https
> 464/tcp  open  kpasswd5
> 636/tcp  open  ldapssl
> 749/tcp  open  kerberos-adm
> 8080/tcp open  http-proxy
> 8443/tcp open  https-alt
> MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
>
> Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
> [root@ipa2 ~]#
>
>
> Why do I get this message?
>
> TIA!!
>
>

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
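The check Petr suggests, looking in the master's dirsrv access log for connection attempts from the replica, can be scripted. The following is an added example, not code from the thread or from the FreeIPA project: it parses constructed lines in 389-ds access-log format and assumes a replica IP of 192.168.1.39.

```python
import re

# Constructed sample lines in 389-ds access-log format (not taken from the thread).
# conn=41 is a successful Directory Manager bind from the assumed replica IP;
# conn=42 is a failed bind (err=49, invalid credentials) from an unrelated host.
SAMPLE_ACCESS_LOG = """\
[07/Apr/2016:00:15:01 -0400] conn=41 fd=64 slot=64 connection from 192.168.1.39 to 192.168.1.38
[07/Apr/2016:00:15:01 -0400] conn=41 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/Apr/2016:00:15:01 -0400] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Apr/2016:00:15:02 -0400] conn=41 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Apr/2016:00:15:02 -0400] conn=41 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Apr/2016:00:15:02 -0400] conn=41 op=-1 fd=64 closed - U1
[07/Apr/2016:00:15:05 -0400] conn=42 fd=65 slot=65 connection from 192.168.1.50 to 192.168.1.38
[07/Apr/2016:00:15:05 -0400] conn=42 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[07/Apr/2016:00:15:05 -0400] conn=42 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Connection open, BIND request and RESULT lines; "SSL connection from" is also matched.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to (\S+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def summarize_connections(log_text, source_ip):
    """Return {conn_id: {"binds": [(dn, err)], "errors": [(op, err)]}} for every
    connection the log shows being opened from source_ip. An empty result means
    the replica never reached the master's LDAP port, which points at network,
    DNS or firewall issues rather than at replication itself."""
    conns = {}
    pending_bind = {}  # (conn, op) -> bind DN, until its RESULT line arrives
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and m.group(2) == source_ip:
            conns[m.group(1)] = {"binds": [], "errors": []}
            continue
        m = BIND_RE.search(line)
        if m and m.group(1) in conns:
            pending_bind[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(1) in conns:
            key, err = (m.group(1), m.group(2)), int(m.group(3))
            if key in pending_bind:
                conns[key[0]]["binds"].append((pending_bind.pop(key), err))
            if err != 0:
                conns[key[0]]["errors"].append((int(key[1]), err))
    return conns


if __name__ == "__main__":
    print(summarize_connections(SAMPLE_ACCESS_LOG, "192.168.1.39"))
```

On a real master, feed it the contents of /var/log/dirsrv/slapd-YOUR-INSTANCE/access and the replica's address.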
