Bug 701763 - ipa replica install failed
Summary: ipa replica install failed
Keywords:
Status: CLOSED DUPLICATE of bug 698421
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-05-03 19:14 UTC by Yi Zhang
Modified: 2015-01-04 23:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-11 17:50:02 UTC
Target Upstream Version:
Embargoed:



Description Yi Zhang 2011-05-03 19:14:15 UTC
Description of problem:
ipa-replica-install failed. /var/log/ipareplica-install.log says:
2011-05-03 12:05:46,725 DEBUG   [7/9]: enable GSSAPI for replication
2011-05-03 12:05:46,759 INFO Changing agreement cn=meTodhcp-122.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-05-03 12:05:47,771 INFO Changing agreement cn=meTodhcp-122.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-05-03 12:05:48,785 INFO Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 20110503190548Z: end: 0
2011-05-03 12:05:49,787 INFO Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 20110503190548Z: end: 0
2011-05-03 12:05:50,790 INFO Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 20110503190548Z: end: 0
2011-05-03 12:05:51,792 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110503190548Z: end: 20110503190550Z
2011-05-03 12:05:51,795 INFO Changing agreement cn=meTodhcp-123.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-05-03 12:05:52,807 INFO Changing agreement cn=meTodhcp-123.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-05-03 12:05:53,832 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110503190552Z: end: 20110503190552Z
2011-05-03 12:05:53,930 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 540, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 501, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/sbin/ipa-replica-install", line 242, in install_krb
    setup_pkinit, pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 217, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 301, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 562, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 714, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 456, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 449, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]



Version-Release number of selected component (if applicable):
[x86_64.c root@dhcp-123 ~] rpm -qa | grep ipa-server
ipa-server-2.0.0-23.el6.x86_64
ipa-server-selinux-2.0.0-23.el6.x86_64

[x86_64.c root@dhcp-123 ~] rpm -qa | grep ds-replication
ds-replication-1.2.8.0-1.el6.x86_64


How reproducible: always, since last Friday (4/29/2011)


Steps to Reproduce:
1. ON IPA Server: 
   ipa-server-install
   service iptables stop 
   yum install ds-replication  
   yum install bind-dyndb-ldap
   ipa-dns-install 
   ipa-replica-prepare dhcp-123.sjc.redhat.com --ip-address 10.14.54.123
   scp /var/lib/ipa/replica-info-dhcp-123.sjc.redhat.com.gpg root.redhat.com:/var/lib/ipa/.

2. ON IPA Replica
   service iptables stop
   ipa-replica-install /var/lib/ipa/replica-info-dhcp-123.sjc.redhat.com.gpg

  
Actual results: install failed
 
Additional info: firewall has been turned off on both ipa server and replica

Comment 2 Rich Megginson 2011-05-03 20:53:44 UTC
Isn't this https://fedorahosted.org/freeipa/ticket/1188 ?  What version of RHEL-6 ipa has this fix?

Comment 3 RHEL Program Management 2011-05-04 06:00:39 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 4 Yi Zhang 2011-05-04 15:42:08 UTC
Rich:

It doesn't look related to ticket 1188.
What I observed is that all ds setup related work is done. The entry syncing is also finished. It is more like a KDC related problem.

[i386.c root@dhcp-120 ~] ipa-replica-install /var/lib/ipa/replica-info-dhcp-120.sjc.redhat.com.gpg 
Directory Manager (existing master) password: 

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: restarting certificate server
  [4/11]: configuring certificate server instance
  [5/11]: restarting certificate server
  [6/11]: creating RA agent certificate database
  [7/11]: importing CA chain to RA certificate database
  [8/11]: fixing RA database permissions
  [9/11]: setting up signing cert profile
  [10/11]: set up CRL publishing
  [11/11]: configuring certificate server to start on boot
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/27]: creating directory server user
  [2/27]: creating directory server instance
  [3/27]: adding default schema
  [4/27]: enabling memberof plugin
  [5/27]: enabling referential integrity plugin
  [6/27]: enabling winsync plugin
  [7/27]: configuring replication version plugin
  [8/27]: enabling IPA enrollment plugin
  [9/27]: enabling ldapi
  [10/27]: configuring uniqueness plugin
  [11/27]: configuring uuid plugin
  [12/27]: configuring modrdn plugin
  [13/27]: enabling entryUSN plugin
  [14/27]: configuring lockout plugin
  [15/27]: creating indices
  [16/27]: configuring ssl for ds instance
  [17/27]: configuring certmap.conf
  [18/27]: configure autobind for root
  [19/27]: restarting directory server
  [20/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [21/27]: adding replication acis
  [22/27]: initializing group membership
  [23/27]: adding master entry
  [24/27]: configuring Posix uid/gid generation
  [25/27]: enabling compatibility plugin
  [26/27]: tuning directory server
  [27/27]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range

Comment 5 Rich Megginson 2011-05-04 15:53:46 UTC
The reason why the list index is out of range is because the search to find the principal DN for the given principal failed.  The reason why the search failed is because the database is corrupted.  The reason why the database is corrupted is because the replica crashed during the fixup-memberof operation.  And the reason that happens is due to ticket 1188.  So I just want to confirm that you are testing a version of ipa with that fix in it.
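
Added example (not part of the original bug report or of the ipa code base): a small Python triage helper that reads an ipareplica-install.log excerpt like the one in the description and reports the install step that was running, the logged error, and the innermost stack frame. The sample log is constructed from lines quoted in the description; the function name, dictionary keys and the "[0]" heuristic are assumptions made for this example.

```python
import re

# Constructed sample: a shortened copy of log lines quoted in the description.
SAMPLE_LOG = """\
2011-05-03 12:05:46,725 DEBUG   [7/9]: enable GSSAPI for replication
2011-05-03 12:05:53,832 INFO Replication Update in progress: FALSE: status: 0
2011-05-03 12:05:53,930 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 540, in <module>
    main()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 449, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
"""

ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ [A-Z]+\s+(.*)$")   # timestamped entry
STEP_RE = re.compile(r"^\[(\d+)/(\d+)\]: (.+)$")                   # "[7/9]: ..." progress
FRAME_RE = re.compile(r'^\s+File "([^"]+)", line (\d+), in (\S+)$')  # stack frame


def triage(log_text):
    """Summarise the first failure in an install log excerpt, or return None."""
    step, error, last_msg, frames = None, None, None, []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        entry = ENTRY_RE.match(line)
        if entry:
            last_msg = entry.group(1)
            s = STEP_RE.match(last_msg)
            if s:
                step = "%s/%s %s" % s.groups()
            continue
        frame = FRAME_RE.match(line)
        if frame:
            if not frames:
                error = last_msg  # the message logged just before the frames
            src = lines[i + 1].strip() if i + 1 < len(lines) else ""
            frames.append((frame.group(1), int(frame.group(2)), frame.group(3), src))
    if not frames:
        return None
    path, lineno, func, src = frames[-1]  # innermost frame is printed last
    return {
        "step": step, "error": error, "file": path, "line": lineno,
        "function": func, "source": src,
        # Heuristic (assumption): an index error on "[0]" suggests a lookup
        # that returned no entries, as Comment 5 describes.
        "indexes_first_result": "index out of range" in (error or "") and "[0]" in src,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
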

Comment 6 Jenny Severance 2011-05-04 17:05:00 UTC
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=698421

Comment 7 Jenny Severance 2011-05-11 17:50:02 UTC

*** This bug has been marked as a duplicate of bug 698421 ***

