Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2514 Ticket #2062 fixed UDP checks in `ipa-replica-conncheck`. However, these now fail in ipa-ca-install where UDP checks are performed against live KDC which is running on the replica: {{{ # ipa-ca-install /home/mkosek/replica-info-vm-115.idm.lab.bos.redhat.com.gpg Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'vm-068.idm.lab.bos.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin.BOS.REDHAT.COM password: Execute check on remote master Check connection from master to remote replica 'vm-115.idm.lab.bos.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): FAILED Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): FAILED HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK Remote master check failed with following error message(s): Port check failed! Inaccessible port(s): 88 (UDP), 464 (UDP) Connection check failed! Please fix your network settings according to error messages above. If the check results are not valid it can be skipped with --skip-conncheck parameter. }}} I think we should either skip UDP checks during ipa-ca-install or check only the new CA ports that were not checked during ipa-replica-install.
Fixed upstream. master: 159e848d85779e8fb3a9b2ed84490423014bf609 ipa-2-2: f1f6b1dfca3d9f296ab57a26ef893073e3d415a8 You will be warning about UDP ports that fail or are not checked, rather than failing the entire check.
[root@rodimus ~]# ipa-replica-install /var/lib/ipa/replica-info-rodimus.lab.eng.pnq.redhat.com.gpg Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'primenova.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin.PNQ.REDHAT.COM password: Execute check on remote master Check connection from master to remote replica 'rodimus.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. Connection check OK [root@rodimus ~]# iptables -A INPUT -p udp --dport 464 -j DROP [root@rodimus ~]# ipa-replica-install /var/lib/ipa/replica-info-rodimus.lab.eng.pnq.redhat.com.gpg Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'primenova.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin.PNQ.REDHAT.COM password: Execute check on remote master Check connection from master to remote replica 'rodimus.lab.eng.pnq.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): WARNING <<<<<<<<<<<<< HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following UDP ports could not be verified as open: 464 This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder. Connection from master to replica is OK. Connection check OK Verified: ipa-server-2.2.0-8.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html