Bug 688925

Summary: IPA Replica Install Hangs if DS port is unreachable by Master Server
Product: Red Hat Enterprise Linux 6 Reporter: Jenny Severance <jgalipea>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.1CC: benl, dpal, grajaiya
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.0-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: Setting up an IPA replica will hang if it cannot contact a master. Consequence: Setting up an IPA replica fails. Fix: Add a new utility, ipa-replica-conncheck, that verifies that the replica and master can communicate in both directions. Result: If there is a network communication issue it will be caught and a warning printed instead of proceeding and having the installation hang.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:20:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jenny Severance 2011-03-18 14:34:23 UTC 
Description of problem:
If the IPA replica's DS port is unreachable (PKI-CA instance), the replica install will hang attempting to initialize the replication agreement.

Install attempt with Replica's Firewall running:

# ipa-replica-install -p Secret123 /dev/shm/replica-info-dhcp-100-19-174.testrelm.gpg
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: restarting certificate server
  [4/13]: configuring certificate server instance


DS error log:

Last entry:
[18/Mar/2011:09:46:10 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-dhcp-100-19-174.testrelm-pki-ca" (dhcp-100-19-174:7389): Replica has a different generation ID than the local data.


Subsequently, stopping the replica's firewall, the DS errors log gets flooded with the above message.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:
installation hangs initializing replication agreement

Expected results:
Installation to abort with appropriate error message and ask the user to run ipa-server-install --uninstall to clean up

Additional info:
Comment 2 Dmitri Pal 2011-03-22 01:31:37 UTC 
https://fedorahosted.org/freeipa/ticket/1107
Comment 4 Rob Crittenden 2011-07-19 17:28:24 UTC 
master: 241ee334defda108e22855331d5d9a14f261ce16
Comment 6 Rob Crittenden 2011-10-31 16:12:49 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Setting up an IPA replica will hang if it cannot contact a master.
Consequence: Setting up an IPA replica fails.
Fix: Add a new utility, ipa-replica-conncheck, that verifies that the replica and master can communicate in both directions.
Result: If there is a network communication issue it will be caught and a warning printed instead of proceeding and having the installation hang.
Comment 7 Gowrishankar Rajaiyan 2011-11-03 12:29:04 UTC 
[root@bumblebee ~]# ipa-replica-conncheck --master decepticons.lab.eng.pnq.redhat.com
Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): FAILED
   HTTP Server: port 443(https) (443): FAILED
Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443
[root@bumblebee ~]#



[root@bumblebee ~]# ipa-replica-install /var/tmp/replica-info-bumblebee.lab.eng.pnq.redhat.com.gpg 
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): FAILED
   HTTP Server: port 443(https) (443): FAILED
Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
[root@bumblebee ~]# 


Verified in version:

Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Comment 8 errata-xmlrpc 2011-12-06 18:20:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html