On Fri, 12 Jan 2018, Nacho del Rey via FreeIPA-users wrote:
Hi list
I have spent several days trying to configure a master<->replica scenario, but I'm having a problem with the DNS which doesn't allow me to go ahead.
I could deploy an IPA server successfully on CentOS 7.3 using the following command:

ipa-server-install --realm XXXX.COM --ds-password XXXX --admin-password XXXX --hostname=name.domain.com --setup-dns --no-forwarders --unattended

but when I try to configure an IPA replica with DNS activated I'm getting the following error again and again:

ipa-replica-install --skip-conncheck --setup-dns --principal=admin -w XXXX --force-join --ssh-trust-dns --no-dnssec-validation --unattended --realm=XXXX.COM --domain=domain.com --auto-forwarders
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ipa : INFO Commencing sync process
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: Traceback (most recent call last):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 348, in syncrepl_poll
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: add_intermediates=1, add_ctrls=1, all = 0
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: result = func(*args,**kwargs)
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'desc': 'Critical extension is unavailable'}
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Jan 12 10:27:41 replica01 systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
Jan 12 10:27:41 replica01 systemd[1]: ipa-dnskeysyncd.service failed.

Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 1
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 1
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 2
Jan 12 10:28:30 replica01 named-pkcs11[5110]: GSSAPI client step 2
Jan 12 10:28:30 replica01 ns-slapd[3651]: GSSAPI server step 3
Jan 12 10:28:30 replica01 named-pkcs11[5110]: successfully reconnected to LDAP server
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP error: Critical extension is unavailable: unable to start SyncRepl session: is RFC 4533 supported by LDAP server?
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP configuration synchronization failed: socket is not connected
Jan 12 10:28:30 replica01 named-pkcs11[5110]: ldap_syncrepl will reconnect in 60 seconds
These are the parameters generated by this failing service:

[root@replica01 etc]# cat ./sysconfig/ipa-dnskeysyncd
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf

[root@replica01 etc]# cat /etc/ipa/dnssec/softhsm2.conf
# SoftHSM v2 configuration file
# File generated by IPA instalation
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file

[root@replica01 etc]# ls -lart /var/lib/ipa/dnssec/tokens/b591e51f-56c3-dc08-158f-a01b7f177bc3/
total 16
drwxrws---. 3 ods named   50 Jan 12 10:06 ..
-rwxrwx---. 1 ods named  320 Jan 12 10:06 token.object
-rwxrwx---. 1 ods named    0 Jan 12 10:06 token.lock
-rwxrwx---. 1 ods named    0 Jan 12 10:06 0c1e587e-443b-cc05-dd3d-2ddaccde958f.lock
-rwxrwx---. 1 ods named  931 Jan 12 10:06 0c1e587e-443b-cc05-dd3d-2ddaccde958f.object
drwxrws---. 2 ods named  262 Jan 12 10:06 .
-rwxrwx---. 1 ods named    0 Jan 12 10:06 194085eb-3127-4e35-3874-4f935a069025.lock
-rwxrwx---. 1 ods named 2208 Jan 12 10:06 194085eb-3127-4e35-3874-4f935a069025.object
-rwxrwx---. 1 ods named    8 Jan 12 10:25 generation
Any help would be much appreciated.
The issue is that the LDAP server named tries to connect to does not support the SyncRepl extension. Same with ipa-dnskeysyncd.
Could you check in the logs which LDAP server they talk to?
On IPA LDAP server we have SyncRepl enabled and accessible to all authenticated users:
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
cn: Sync Request Control
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
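A small offline check for the question raised above, added here as an example and not code from the thread or from FreeIPA: it tells you whether the root DSE of the LDAP server named actually talks to (as printed by `ldapsearch -LLL -x -s base -b '' supportedControl`) advertises the RFC 4533 Sync Request Control, and which units in a journal excerpt logged the "Critical extension is unavailable" failure. The LDIF snippets and journal lines embedded below are constructed samples modelled on the thread, and the syslog-style line layout they assume is an assumption.

```python
"""Check for RFC 4533 SyncRepl support and spot the failure in the journal.
Added example, not FreeIPA code; all sample data below is constructed."""
import re

# OID of the Sync Request Control (RFC 4533), the cn=features entry above.
SYNC_REQUEST_CONTROL = "1.3.6.1.4.1.4203.1.9.1.1"
FAILURE_SIGNATURE = "Critical extension is unavailable"
# Assumed journal line prefix: "Jan 12 10:28:30 replica01 named-pkcs11[5110]:"
JOURNAL_UNIT = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ ([^\s\[]+)\[\d+\]:")


def ldif_values(ldif, attr):
    """Return every value of `attr` in an LDIF entry, after unfolding
    continuation lines (a leading space joins a line to the previous one)."""
    unfolded = re.sub(r"\n ", "", ldif)
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith(prefix)]


def supports_syncrepl(root_dse_ldif):
    """True if the root DSE lists the Sync Request Control among supportedControl."""
    return SYNC_REQUEST_CONTROL in ldif_values(root_dse_ldif, "supportedControl")


def units_with_syncrepl_failure(journal_text):
    """Sorted unit names (e.g. named-pkcs11) whose lines carry the failure signature."""
    units = set()
    for line in journal_text.splitlines():
        if FAILURE_SIGNATURE in line:
            m = JOURNAL_UNIT.match(line)
            if m:
                units.add(m.group(1))
    return sorted(units)


# Constructed root DSE excerpts: one that advertises the control, one that does not.
ROOT_DSE_WITH_SYNC = ("dn:\nsupportedControl: 2.16.840.1.113730.3.4.2\n"
                      "supportedControl: 1.3.6.1.4.1.4203.1.9.1.1\n")
ROOT_DSE_WITHOUT_SYNC = "dn:\nsupportedControl: 2.16.840.1.113730.3.4.2\n"
# Constructed journal excerpt modelled on the lines quoted in the thread.
JOURNAL_SAMPLE = """\
Jan 12 10:27:41 replica01 ipa-dnskeysyncd[5159]: ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'desc': 'Critical extension is unavailable'}
Jan 12 10:28:30 replica01 named-pkcs11[5110]: successfully reconnected to LDAP server
Jan 12 10:28:30 replica01 named-pkcs11[5110]: LDAP error: Critical extension is unavailable: unable to start SyncRepl session: is RFC 4533 supported by LDAP server?
"""
```

Run the check against the server's root DSE first; if the control is advertised there but named still fails, the next thing to confirm is the ACI on the cn=features entry above, since the bind used by named must be allowed to read it.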