Adam Young wrote:
 Had some success earlier today, but I seem to be unable to replicate
it.
 I've been working with the "full" proxy.conf file lately, and even that
 seems to be preventing a replica. It is quite possible that the problem
 is something on one of the two systems, as I've found that
 install/uninstall often leaves some of the files being owned by
 non-existent users. At this point, I'm not sure if the patch I've
 submitted will work on a vanilla system. Testing it has proven to be a
 pretty time consuming endeavour.
 Here's what I've gotten it down to:
 On one machine, run
 ipa-server-install -U -r ` hostname | tr '[:lower:]' '[:upper:]'` -p
 freeipa4all -a freeipa4all --setup-dns --no-forwarders
 once that succeeds, I have to reset /etc/resolv.conf as the lab DNS
 server gets removed:
 cp ~/resolve.conf /etc 
You could also not use --setup-dns on the master.
 then
 ipa-replica-prepare $REPLICA
 scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:
 On the replica:
 ipa-replica-install --setup-ca replica-info-$HOSTNAME.gpg
 I have firewall off on master and replica
 At one point I had a replica install that worked with the Proxy, so I
 know it is possible, but for the last couple of hours this last command
 has been failing with:
 creation of replica failed: Configuration of CA failed
 pkisilent reports the failure in the debug log, but not the URL it is
 trying to reach. I'm going to modify it to give some more information in
 the morning.
 I'm not seeing anything in /var/log/httpd/error|access.log on the
 master, which is weird.
 I see this in /var/log/ipareplica-conncheck.log. We should not be trying
 to do anything in /home/admin
 2011-08-24 21:52:18,544 DEBUG stderr=
 2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o
 StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null
 admin(a)vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck
 --replica 
vm-116.idm.lab.bos.redhat.com --check-ca
 2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to
 remote replica 'vm-116.idm.lab.bos.redhat.com':
 Directory Service: Unsecure port (389): OK
 Directory Service: Secure port (636): OK
 Kerberos (88): OK
 PKI-CA: Directory Service port (7389): OK
 PKI-CA: Agent secure port (9443): OK
 PKI-CA: EE secure port (9444): OK
 PKI-CA: Admin secure port (9445): OK
 PKI-CA: EE secure client auth port (9446): OK
 PKI-CA: Unsecure port (9180): OK
 Connection from master to replica is OK.
 2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory
 /home/admin: No such file or directory 
We ssh to the remote machine so we can be sure that the firewall is open 
in both directions. This is just a side-effect of authenticating as admin.
 Ade Lee noticed that the replica install is failing before it ever
 attempts to talk to the Master, which corresponds with what I am seeing.
 I see in the PKI install log that
 [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad
 restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED]
 Starting pki-ca: [ OK ]^M"
 Running this command by hand gets the same output.
 In less /var/log/pki-ca/catalina.out
 /var/lib/pki-ca/logs/catalina.out: Permission denied
 /var/log/pki-ca/catalina.out (END)
 So it looks like another cleanup issue.
I don't think so. pkiremove removes all pki-ca directories including logs.
You might try strace on it to see what is going on.
rob
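A pre-flight check for the replica procedure discussed in this thread, added here as an example and not code from the thread or from FreeIPA itself: it flags any port in ipa-replica-conncheck output whose status is not OK, and lists files under the pki-ca directories that are owned by users or groups that no longer exist (the leftover-ownership problem from repeated install/uninstall cycles). The conncheck sample is constructed from the log excerpt above; the pki-ca directory paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight checks for the
# ipa-replica-prepare / ipa-replica-install procedure described above.

# Print every port check in ipa-replica-conncheck output whose status is
# not "OK". Reads the conncheck text on stdin. Exit status: 0 when every
# check passed, 1 when at least one failing line was printed.
conncheck_failures() {
    awk -F': ' '/\([0-9]+\): / && $NF != "OK" { print; n++ }
                END { exit (n > 0) }'
}

# List files under the pki-ca directories (paths as named in the thread)
# whose owner or group no longer exists: the leftovers from repeated
# install/uninstall cycles that the thread suspects.
orphaned_pki_files() {
    for d in /var/lib/pki-ca /var/log/pki-ca; do
        [ -d "$d" ] && find "$d" \( -nouser -o -nogroup \) -print
    done
    return 0
}

# Constructed sample based on the conncheck log excerpt in the thread, with
# one port deliberately marked FAILED so the parser has something to report.
SAMPLE_CONNCHECK=$(cat <<'EOF'
Check connection from master to remote replica 'vm-116.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos (88): OK
   PKI-CA: Directory Service port (7389): OK
   PKI-CA: Agent secure port (9443): FAILED
   PKI-CA: EE secure port (9444): OK
Connection from master to replica is OK.
EOF
)

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONNCHECK" | conncheck_failures \
        || echo "at least one conncheck port failed; fix firewall/ports first"
    orphaned_pki_files
fi
```

Run it with `--demo` on the prospective replica before ipa-replica-install; a real conncheck run can be piped into conncheck_failures the same way.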