<div dir="ltr"><div><div><div><div><div><div>Hi Timo,<br><br></div>I am trying to set up a FreeIPA Server 4.1.4-1 in Debian stretch. Domain provisioning and client functionalities are working as expected.<br></div>But when I try to replicate another server, it is unable to proceed with the below error:<br><br>-------------------------------<br>2016-09-09T07:35:17Z DEBUG Starting external process<br>2016-09-09T07:35:17Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-INDIA-IN/ -N -f /etc/dirsrv/slapd-INDIA-IN//pwdfile.txt<br>2016-09-09T07:35:17Z DEBUG Process finished, return code=0<br>2016-09-09T07:35:17Z DEBUG stdout=<br>2016-09-09T07:35:17Z DEBUG stderr=<br>2016-09-09T07:35:17Z DEBUG Starting external process<br>2016-09-09T07:35:17Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-INDIA-IN/ -A -n INDIA.IN IPA CA -t CT,C,C -a<br>2016-09-09T07:35:17Z DEBUG Process finished, return code=0<br>2016-09-09T07:35:17Z DEBUG stdout=<br>2016-09-09T07:35:17Z DEBUG stderr=<br>2016-09-09T07:35:17Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)<br>2016-09-09T07:35:22Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)<br>2016-09-09T07:35:22Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INDIA-IN.socket from SchemaCache<br>2016-09-09T07:35:22Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INDIA-IN.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2950247e18><br>2016-09-09T07:35:23Z DEBUG   duration: 5 seconds<br>2016-09-09T07:35:23Z DEBUG   [27/43]: restarting directory server<br>2016-09-09T07:35:23Z DEBUG Starting external process<br>2016-09-09T07:35:23Z DEBUG args=/bin/systemctl --system daemon-reload<br>2016-09-09T07:35:23Z DEBUG Process finished, return code=0<br>2016-09-09T07:35:23Z DEBUG stdout=<br>2016-09-09T07:35:23Z DEBUG stderr=<br>2016-09-09T07:35:23Z DEBUG Starting external process<br>2016-09-09T07:35:23Z DEBUG 
args=/bin/systemctl restart dirsrv@INDIA-IN.service<br>2016-09-09T07:35:23Z DEBUG Process finished, return code=0<br>2016-09-09T07:35:23Z DEBUG stdout=<br>2016-09-09T07:35:23Z DEBUG stderr=<br>2016-09-09T07:35:23Z DEBUG Starting external process<br>2016-09-09T07:35:23Z DEBUG args=/bin/systemctl is-active dirsrv@INDIA-IN.service<br>2016-09-09T07:35:24Z DEBUG Process finished, return code=0<br>2016-09-09T07:35:24Z DEBUG stdout=active<br><br>2016-09-09T07:35:24Z DEBUG stderr=<br>2016-09-09T07:35:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300<br>2016-09-09T07:40:24Z CRITICAL Failed to restart the directory server (Timeout exceeded). See the installation log for details.<br>2016-09-09T07:40:24Z DEBUG   duration: 301 seconds<br>2016-09-09T07:40:24Z DEBUG   [28/43]: setting up initial replication<br>2016-09-09T07:40:34Z DEBUG Traceback (most recent call last):<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation<br>    run_step(full_msg, method)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step<br>    method()<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica<br>    self.dm_password)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/replication.py", line 114, in enable_replication_version_checking<br>    conn.do_simple_bind(bindpw=dirman_passwd)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1621, in do_simple_bind<br>    self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1616, in __bind_with_wait<br>    self.__wait_for_connection(timeout)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1599, in __wait_for_connection<br>    wait_for_open_socket(lurl.hostport, timeout)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 1371, in 
wait_for_open_socket<br>    raise e<br>error: [Errno 111] Connection refused<br><br>2016-09-09T07:40:34Z DEBUG   [error] error: [Errno 111] Connection refused<br>2016-09-09T07:40:34Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute<br>    return_value = self.run()<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run<br>    cfgr.run()<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 310, in run<br>    self.execute()<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 332, in execute<br>    for nothing in self._executor():<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner<br>    self._handle_exception(exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner<br>    step()<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda><br>    step = lambda: next(self.__gen)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from<br>    value = gen.send(prev_value)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 586, in _configure<br>    next(executor)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner<br>    self._handle_exception(exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception<br>    self.__parent._handle_exception(exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception<br>    
six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception<br>    super(ComponentBase, self)._handle_exception(exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner<br>    step()<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda><br>    step = lambda: next(self.__gen)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from<br>    value = gen.send(prev_value)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 63, in _install<br>    for nothing in self._installer(self.parent):<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 1652, in main<br>    promote(self)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 375, in decorated<br>    func(installer)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 1359, in promote<br>    promote=True, pkcs12_info=dirsrv_pkcs12_info)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 125, in install_replica_ds<br>    promote=promote,<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 399, in create_replica<br>    self.start_creation(runtime=60)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation<br>    run_step(full_msg, method)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step<br>    method()<br>  File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica<br>    self.dm_password)<br>  File "/usr/lib/python2.7/dist-packages/ipaserver/install/replication.py", line 114, in enable_replication_version_checking<br>    conn.do_simple_bind(bindpw=dirman_passwd)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1621, in do_simple_bind<br>    self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1616, in __bind_with_wait<br>    self.__wait_for_connection(timeout)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1599, in __wait_for_connection<br>    wait_for_open_socket(lurl.hostport, timeout)<br>  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 1371, in wait_for_open_socket<br>    raise e<br><br>2016-09-09T07:40:34Z DEBUG The ipa-replica-install command failed, exception: error: [Errno 111] Connection refused<br>2016-09-09T07:40:34Z ERROR [Errno 111] Connection refused<br>2016-09-09T07:40:34Z ERROR The ipa-replica-install command failed. 
See /var/log/ipareplica-install.log for more information<br>---------------------------<br><br></div>/var/log/syslog shows the below error when I try to start the ns-slapd service manually.<br><br>Sep  9 13:05:23 ipatt systemd[1]: Reloading.<br>Sep  9 13:05:23 ipatt systemd[1]: Stopping 389 Directory Server INDIA-IN....<br>Sep  9 13:05:23 ipatt systemd[1]: Stopped 389 Directory Server INDIA-IN..<br>Sep  9 13:05:23 ipatt systemd[1]: Starting 389 Directory Server INDIA-IN....<br>Sep  9 13:05:23 ipatt systemd[1]: Started 389 Directory Server INDIA-IN..<br>Sep  9 13:05:23 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:23 +051800] - SSL alert: Security Initialization: Enabling default cipher set.<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: Configured NSS Ciphers<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: 
#011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: 
[09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - SSL failure: None of the cipher are valid<br>Sep  9 13:05:24 ipatt ns-slapd[4444]: [09/Sep/2016:13:05:24 +051800] - ERROR: SSL2 Initialization Failed.  
Disabling SSL2.<br>Sep  9 13:05:24 ipatt systemd[1]: dirsrv@INDIA-IN.service: Main process exited, code=exited, status=1/FAILURE<br>Sep  9 13:05:24 ipatt systemd[1]: dirsrv@INDIA-IN.service: Unit entered failed state.<br>Sep  9 13:05:24 ipatt systemd[1]: dirsrv@INDIA-IN.service: Failed with result 'exit-code'.<br>Sep  9 13:05:28 ipatt ntpd[4144]: Deferring DNS for 1.debian.pool.ntp.org 1<br>Sep  9 13:05:38 ipatt ntpd[4144]: Deferring DNS for 2.debian.pool.ntp.org 1<br>Sep  9 13:05:48 ipatt ntpd[4144]: Deferring DNS for 3.debian.pool.ntp.org 1<br>Sep  9 13:05:48 ipatt ntpd[4457]: signal_no_reset: signal 17 had flags 4000000<br><br>------------<br><br><br></div>Is there any package missing here? I am sure I have taken the 389 to be compiled against nss.<br></div>Does sssd also need to be compiled against nss, or what is the state here?<br></div>How to make replication work in Debian?<br><div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 19, 2016 at 11:42 AM, Timo Aaltonen <span dir="ltr"><<a href="mailto:tjaalton@debian.org" target="_blank">tjaalton@debian.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">19.04.2016, 08:53, Prema wrote:<br>
> thanks for the prompt reply Timo.<br>
><br>
> On Tue, Apr 19, 2016 at 11:20 AM, Timo Aaltonen <<a href="mailto:tjaalton@debian.org">tjaalton@debian.org</a><br>
</span><span class="">> <mailto:<a href="mailto:tjaalton@debian.org">tjaalton@debian.org</a>>> wrote:<br>
><br>
>     19.04.2016, 08:43, Prema wrote:<br>
>     > Dear team,<br>
>     ><br>
>     > I would like to try and deploy Freeipa-Server in Debian jessie.<br>
>     > Is there any build available for this version where I can check and test<br>
>     > on Jessie.<br>
>     > I can test the full functionality and give feedback to you people.<br>
><br>
>     It's not even in unstable yet until it has been processed through the<br>
>     NEW queue..<br>
><br>
>     I don't have plans to backport it to jessie, because it depends on a<br>
>     number of components not available there.<br>
><br>
> Even if I can do it in stretch / sid, it is also okay.<br>
> If not, can you send / assist me with steps to build it in Debian, so<br>
> that I can build the latest version for Debian<br>
<br>
</span>Just wait until it's available in sid, shouldn't take long. It won't<br>
enter testing before #787593 is fixed, and that'll take some time.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
t<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Regards.,<br>Prema S</div>
</div>