One of my FreeIPA servers is on a VM that’s too small and I’ve been having problems with it. I should have known that anything that runs Java and Tomcat should have double the processing power, double the memory, and double the drive space of whatever I think it should have. Rather than merely adjust the VM settings though, I thought I would spin up a new VM with better specs and create a new replica. Should be easy, right?<\/p>\n
I created a new CentOS 7 VM, trinculo.osric.net, and installed ipa-server 4.5.0:<\/p>\n
$ sudo yum install ipa-server<\/code><\/pre>\nI checked the connection from the replica target to the master:<\/p>\n
$ sudo ipa-replica-conncheck --master=ariel.osric.net<\/code><\/pre>\nLikewise I checked the connection from the master to the replica target:<\/p>\n
$ sudo ipa-replica-conncheck --replica=trinculo.osric.net<\/code><\/pre>\nEverything was successful, so on the existing master I created the replica file:<\/p>\n
$ sudo ipa-replica-prepare --ip-address=192.168.0.101 trinculo.osric.net<\/code><\/pre>\nI copied that over to the replica target, but the replica installer indicated a failed connection check:<\/p>\n
$ sudo ipa-replica-install \/root\/replica-info-trinculo.osric.net.gpg --ip-address=192.168.0.101\r\n...\r\nipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!\r\nSee \/var\/log\/ipareplica-conncheck.log for more information.\r\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.<\/code><\/pre>\nA failed connection check when the connection checks passed?<\/p>\n
I looked at the log:<\/p>\n
...\r\n2017-10-20T15:55:04Z DEBUG args=\/usr\/sbin\/ipa-replica-conncheck --master ariel.osric.net --auto-master-check --realm IPA.OSRIC.NET --hostname trinculo.osric.net --principal admin --ca-cert-file \/tmp\/tmp52pKZbria\/real_info\/ca.crt\r\n2017-10-20T15:55:04Z DEBUG Process finished, return code=1\r\n...<\/code><\/pre>\nOK, the return code=1<\/code> means there was an error. The arguments to the ipa-replica-conncheck<\/code> command listed contain items in addition to what I actually specified as well, although those are likely defaults and\/or pulled from the replica file generated on the FreeIPA master. There was additional info in the \/var\/log\/ipareplica-conncheck.log<\/code> file though:<\/p>\nConnection from replica to master is OK.\r\nStart listening on required ports for remote master check\r\nGet credentials to log in to remote master\r\nCheck RPC connection to remote master\r\ntrying https:\/\/ariel.osric.net\/ipa\/json\r\nRetrying using SSH...\r\nCheck SSH connection to remote master\r\nERROR: Could not SSH to remote host.\r\nSee \/var\/log\/ipareplica-conncheck.log for more information.\r\n\r\n2017-10-20T15:55:27Z DEBUG Starting external process\r\n2017-10-20T15:55:27Z DEBUG args=\/usr\/sbin\/ipa-client-install --unattended --uninstall\r\n2017-10-20T15:55:27Z DEBUG Process finished, return code=2\r\n2017-10-20T15:55:27Z DEBUG File \"\/usr\/lib\/python2.7\/site-packages\/ipapython\/admintool.py\", line 172, in execute\r\n return_value = self.run()\r\n File \"\/usr\/lib\/python2.7\/site-packages\/ipapython\/install\/cli.py\", line 333, in run\r\n cfgr.run()\r\n File \"\/usr\/lib\/python2.7\/site-packages\/ipapython\/install\/core.py\", line 366, in run\r\n self.validate()\r\n\r\n ...\r\n\r\n2017-10-20T15:55:28Z DEBUG The ipa-replica-install command failed, exception: ScriptError: Connection check failed!<\/code><\/pre>\nOne log file, but conflicting messages!<\/p>\n
\n- Connection from replica to master is OK.<\/li>\n
- ERROR: Could not SSH to remote host.<\/li>\n
- ScriptError: Connection check failed!<\/li>\n<\/ol>\n
Two things I was thinking:<\/p>\n
\n- If SSH is a required connection, why isn’t it part of the
ipa-replica-conncheck<\/code> command?<\/li>\n- Maybe I should try the
--skip-conncheck<\/code> flag.<\/li>\n<\/ol>\nI had to uninstall ipa-server on the replica target first, since some portion was installed before it encountered an error:<\/p>\n
$ sudo ipa-server-install --uninstall<\/code><\/pre>\nLikewise, I had to remove the replica from FreeIPA on the master:<\/p>\n
$ sudo ipa host-del trinculo.osric.net<\/code><\/pre>\nI’d like to say that, at this point, I ran the following and everything went perfectly:<\/p>\n
$ sudo ipa-replica-install \/root\/replica-info-trinculo.osric.net.gpg --ip-address=192.168.0.101 --skip-conncheck<\/code><\/pre>\nThat would be a lie, of course.<\/p>\n