Open PA7R14RCH opened 2 years ago
I tried to verify your issue. I have deployed the server on a 7.9 and also successfully deployed a replica on an 8.6. I have used ansible-core-2.12.7-1. Please provide more information about your domain and also the settings for the replica deployment. Which ansible-freeipa version are you using? In case you want to use the latest ansible-freeipa 1.8.2, you additionally need to add this patch: https://github.com/freeipa/ansible-freeipa/pull/877
Hi,
I can reproduce the same issue. I am trying to install a replica on a VM running RHEL 8.7, and the master system version is 8.4. I use the built-in ansible 2.9 and ansible-freeipa 1.6.3.
The problem is systematic.
I am attempting to replicate an IPA instance on a RHEL7.9 host to a RHEL8.6 host using this role on Ansible 2.12. I have used the role to configure the RHEL7 host and as I troubleshot my current issue I also configured the RHEL7 host manually; however, each time I receive an error on the same task when replicating RHEL7 host against the new RHEL8 host. I am receiving an ambiguous failure on the following task:
TASK [ipareplica : Install - Setup DS]
fatal: [cas02]: FAILED! => {"changed": false, "msg": "Failed to start replication"}
I tailed the /var/log/ipareplica-install.log on the RHEL8 host that I'm trying to install the replication on. (it's messy):
2022-07-29T16:38:35Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2022-07-29T16:38:35Z DEBUG Successfully updated nsDS5ReplicaId.
2022-07-29T16:38:35Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=local,cn=mapping tree,cn=config
2022-07-29T16:38:35Z DEBUG Added replica config cn=replica,cn=dc\=domain\,dc\=local,cn=mapping tree,cn=config
2022-07-29T16:38:35Z DEBUG Waiting up to 300 seconds for replication (ldapi://%2Frun%2Fslapd-REALM.socket) cn=meTorhel7.domain.cn=replica,cn=dc\=local\,dc\=local,cn=mapping tree,cn=config (objectclass=)
2022-07-29T16:38:35Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meTorhel7.domain.cn=replica,cn=dc\=local\,dc\=local,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meTorhel7.domain.'], 'nsDS5ReplicaHost': [b'rhel7.domain'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=domain,dc=local'], 'description': [b'me to rhel7.domain'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2022-07-29T16:38:35Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
2022-07-29T16:38:52Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 432, in __setup_replica
    cacert=self.ca_file
  File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 1929, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2022-07-29T16:38:52Z DEBUG Destroyed connection context.ldap2_140711600082784
I have obfuscated the domain name, but these are the final few entries at the end of the log upon failure of the above Ansible task. As it stands I don't believe the role allows for a successful replication of a RHEL7 host to a RHEL8 one.