After running ipa-restore, the service oddjobd is not restarted. This means that domain-level1 replica installation will fail during ipa-replica-conncheck because this step is using oddjob to start the process ipa-replica-conncheck on the master.
How to reproduce:
1. install ipa server with ipa-server-install
2. perform a backup with ipa-backup
3. uninstall the server with ipa-server-install --uninstall -U
4. restore the server with ipa-restore /path/to/backup
5. try to configure a replica with ipa-replica-install --server $MASTER
The replica installation fails in the conncheck step with the following output:
[...]
Client configuration complete.
The ipa-client-install command was successful
Checking DNS forwarders, please wait ...
Run connection check to master
Removing client side components
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Content of ipareplica-install.log:
2017-11-02T09:25:35Z DEBUG Starting external process
2017-11-02T09:25:35Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master master.domain.com --auto-master-check --realm DOMAIN.COM --hostname replica.domain.com --principal admin --password XXXXXXXX --ca-cert-file /etc/ipa/ca.crt
2017-11-02T09:25:39Z DEBUG Process finished, return code=1
2017-11-02T09:25:39Z DEBUG stdout=
2017-11-02T09:25:39Z DEBUG stderr=Check connection from replica to remote master 'master.domain.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocoland would need to be checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://master.domain.com/ipa/json
[try 1]: Forwarding 'ping/1' to json server 'https://master.domain.com/ipa/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://master.domain.com/ipa/json'
ERROR: Remote master check failed with following error message(s):
an internal error has occurred
2017-11-02T09:25:39Z DEBUG Starting external process
2017-11-02T09:25:39Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
[...]
If the service oddjobd is manually restarted + enabled on the master (with systemctl enable oddjobd and systemctl start oddjobd), the replica-conncheck step succeeds.
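A post-restore check for the condition described in this report, as an added example that is not part of the original ticket or of FreeIPA's own code. The function name `check_oddjobd` and the `SYSTEMCTL` override are assumptions of this example; the `--fix` path applies the same enable and start workaround quoted above.

```shell
#!/bin/sh
# Added example: verify oddjobd on the IPA master after ipa-restore.
# SYSTEMCTL can be overridden (assumption of this example) so the logic
# can be exercised on a host without systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
UNIT="oddjobd"

# Prints a one-line status and returns:
#   0 = enabled and active
#   1 = not active (the remote conncheck step cannot be started via oddjob)
#   2 = active but not enabled (state is lost on the next reboot)
#   3 = --fix was requested but enable/start failed
check_oddjobd() {
    fix="${1:-}"
    rc=0
    if ! $SYSTEMCTL is-active --quiet "$UNIT"; then
        rc=1
    elif ! $SYSTEMCTL is-enabled --quiet "$UNIT"; then
        rc=2
    fi
    if [ "$rc" -ne 0 ] && [ "$fix" = "--fix" ]; then
        # Workaround from the report: enable and start the unit.
        $SYSTEMCTL enable "$UNIT" && $SYSTEMCTL start "$UNIT" || return 3
        check_oddjobd   # re-check once, without --fix
        return $?
    fi
    case "$rc" in
        0) echo "$UNIT: enabled and active" ;;
        1) echo "$UNIT: not active; replica conncheck against this master will fail" ;;
        2) echo "$UNIT: active but not enabled; it will not start after a reboot" ;;
    esac
    return "$rc"
}
```

Source the file on the master after ipa-restore and call `check_oddjobd`, or `check_oddjobd --fix` to apply the workaround, before running ipa-replica-install on the replica.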
Metadata Update from @pvoborni: - Issue tagged with: bug
Metadata Update from @pvoborni: - Issue priority set to: important - Issue set to the milestone: FreeIPA 4.5.5
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1513041
Issue linked to Bugzilla: Bug 1513041
Metadata Update from @slaykovsky: - Issue assigned to slaykovsky
Metadata Update from @slaykovsky: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1472
master:
@slaykovsky ipatool wasn't able to create an automatic backport to 4.5. Please create a manual backport.
ipa-4-6:
ipa-4-5:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)