#6778 replica install against IPA v3 master fails with ACIError without using "--skip-conncheck"
Closed: invalid 7 years ago Opened 7 years ago by fbarreto.

sudo ipa-replica-install fails with:

2017-03-17T11:53:59Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 375, in validate
    for _nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 636, in _configure
    next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 602, in main
    replica_install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 398, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 420, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 899, in install_check
    ca_cert_file=cafile)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 106, in replica_conn_check
    "Connection check failed!"

/var/log/ipareplica-conncheck.log:

2017-03-17T11:53:54Z DEBUG IPA version 4.4.90.dev201703161935+git72de679-0.fc25
2017-03-17T11:53:54Z INFO Check connection from replica to remote master 'vm-133.abc.idm.lab.eng.brq.redhat.com':
2017-03-17T11:53:54Z ERROR Failed to connect to port 389 tcp on 2620:52:0:224e:21a:4aff:fe23:166f
2017-03-17T11:53:54Z INFO    Directory Service: Unsecure port (389): FAILED
2017-03-17T11:53:54Z ERROR Failed to connect to port 636 tcp on 2620:52:0:224e:21a:4aff:fe23:166f
2017-03-17T11:53:54Z INFO    Directory Service: Secure port (636): FAILED
2017-03-17T11:53:55Z ERROR Failed to connect to port 88 tcp on 2620:52:0:224e:21a:4aff:fe23:166f
2017-03-17T11:53:55Z INFO    Kerberos KDC: TCP (88): FAILED
2017-03-17T11:53:56Z ERROR Failed to connect to port 464 tcp on 2620:52:0:224e:21a:4aff:fe23:166f
2017-03-17T11:53:56Z INFO    Kerberos Kpasswd: TCP (464): FAILED
2017-03-17T11:53:57Z ERROR Failed to connect to port 80 tcp on 2620:52:0:224e:21a:4aff:fe23:166f
2017-03-17T11:53:57Z INFO    HTTP Server: Unsecure port (80): FAILED
2017-03-17T11:53:58Z ERROR Failed to connect to port 443 tcp on 2620:52:0:224e:21a:4aff:fe23:166f
2017-03-17T11:53:58Z INFO    HTTP Server: Secure port (443): FAILED
2017-03-17T11:53:58Z ERROR ERROR: Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)

iptables -L -n on the master:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:389 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:389 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:636 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:636 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:464 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:464 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:88 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:88 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7389 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

iptables -L -n on the replica (shortened):

...
Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:389 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:636 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:88 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:464 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:88 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:464 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW

...

The replica conncheck code has been recently changed to require open ports on all IPs the hostname resolves to.

From the log file, it seems that there are issues with IPv6 connectivity. Can you please check if ip6tables is correctly configured?

Hi @tkrizek,

the output of sudo ip6tables -L -n on the replica: https://paste.fedoraproject.org/paste/HwEdu3ErGSUMxlFMIrWAiV5M1UNdIGYhyRLivL9gydE=
the output of sudo ip6tables -L -n on the master: http://pastebin.test.redhat.com/465944

the /var/log/ipareplica-install.log result: http://pastebin.com/2GzmQz1A

Is there something that I'm missing?

The ip6tables on the master are probably incorrectly configured. I can't see which interface the rules on line 6 (accept all) and 9 (reject all) apply to, but that's probably the cause of the issue.

Can you check if the ports on IPv6 master are reachable from the replica?

nmap -6 2620:52:0:224e:21a:4aff:fe23:166f

Metadata Update from @mbasti:
- Issue priority set to: 1
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: regression

7 years ago

Metadata Update from @tkrizek:
- Issue assigned to tkrizek

7 years ago

I've confirmed this issue is not present.

If the server's hostname resolves to multiple IPs and they are all reachable, the conncheck passes as expected.

Metadata Update from @tkrizek:
- Issue untagged with: regression
- Issue close_status updated to: invalid
- Issue priority set to: None (was: 1)
- Issue set to the milestone: None (was: FreeIPA 4.5.1)
- Issue status updated to: Closed (was: Open)

7 years ago

