Ticket #2062 fixed UDP checks in ipa-replica-conncheck. However, these now fail in ipa-ca-install, where UDP checks are performed against the live KDC which is running on the replica:
    # ipa-ca-install /home/mkosek/replica-info-vm-115.idm.lab.bos.redhat.com.gpg
    Directory Manager (existing master) password:

    Run connection check to master
    Check connection from replica to remote master 'vm-068.idm.lab.bos.redhat.com':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be checked manually:
       Kerberos KDC: UDP (88): SKIPPED
       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.
    Start listening on required ports for remote master check
    Get credentials to log in to remote master
    admin@IDM.LAB.BOS.REDHAT.COM password:

    Execute check on remote master
    Check connection from master to remote replica 'vm-115.idm.lab.bos.redhat.com':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos KDC: UDP (88): FAILED
       Kerberos Kpasswd: TCP (464): OK
       Kerberos Kpasswd: UDP (464): FAILED
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    Remote master check failed with following error message(s):
    Port check failed! Inaccessible port(s): 88 (UDP), 464 (UDP)

    Connection check failed!
    Please fix your network settings according to error messages above.
    If the check results are not valid it can be skipped with --skip-conncheck parameter.
I think we should either skip UDP checks during ipa-ca-install or check only the new CA ports that were not checked during ipa-replica-install.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=802860
attachment freeipa-mkosek-239-tolerate-udp-port-failures-in-conncheck.patch
Patch freeipa-mkosek-239-tolerate-udp-port-failures-in-conncheck.patch sent for review
master: 159e848
ipa-2-2: f1f6b1d
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03
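As an added illustration of the failure reported in this ticket (this is not the FreeIPA patch or any code from the project), the following Python sketch parses conncheck-style result lines and applies a policy in which failed UDP ports become warnings while failed TCP ports remain fatal. The function names, the `tolerate_udp` parameter and the rule that a line without an explicit "UDP" is TCP are assumptions made for this example; the sample lines are copied from the output above.

```python
import re

# Result lines copied from the "master to remote replica" check in this ticket.
SAMPLE = """\
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): FAILED
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): FAILED
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
"""

# "<service>: <description> (<port>): <status>"
LINE_RE = re.compile(
    r"^\s*(?P<service>[^:]+): (?P<desc>.*?)\((?P<port>\d+)\): "
    r"(?P<status>OK|FAILED|SKIPPED)\s*$"
)

def parse_results(text):
    """Return (service, port, proto, status) tuples; other lines are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Assumption: only lines that say "UDP" are UDP, everything else is TCP.
        proto = "UDP" if m.group("desc").strip().upper().startswith("UDP") else "TCP"
        results.append((m.group("service"), int(m.group("port")), proto,
                        m.group("status")))
    return results

def evaluate(results, tolerate_udp=True):
    """Split failed ports into fatal errors and warnings (hypothetical policy)."""
    errors, warnings = [], []
    for _service, port, proto, status in results:
        if status != "FAILED":
            continue
        label = "%d (%s)" % (port, proto)
        if proto == "UDP" and tolerate_udp:
            warnings.append(label)   # reported, but does not abort the install
        else:
            errors.append(label)     # still fatal
    return errors, warnings

if __name__ == "__main__":
    errs, warns = evaluate(parse_results(SAMPLE))
    print("errors:", errs, "warnings:", warns)
```

With tolerance enabled, the warnings should still be shown to the administrator, since a UDP port that is genuinely blocked by a firewall is reported the same way as one occupied by the running KDC.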