[Freeipa-devel] [PATCHSET] Replica promotion patches
Oleg Fayans
ofayans at redhat.com
Thu Oct 1 14:33:28 UTC 2015
A first glance at the packages built from today's tree reveals the
following problems:
1.
Having PTR sync enabled in the global DNS configuration and installing a
client with the --enable-dns-updates option, the ipa master still does not
create a PTR record for the client machine. As a result,
ipa-replica-install throws the following error:
ipa : ERROR Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS
directly and ignores /etc/hosts.)
2.
When the corresponding PTR record is created manually, ipa-replica-install
still fails:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR no matching
entry found
The same error was caught by Jan Pazdziora (current discussion in the #ipa
channel).
On 08/26/2015 11:27 PM, Simo Sorce wrote:
> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> and introduces a number of required changes and dependencies to achieve
> this goal.
> This work requires the custodia project to securely transfer keys
> between ipa servers.
>
> This work is not 100% complete, it still misses the ability to install
> kra instances and the ability to install a CA (via ipa-ca-install) with
> externally signed certs.
>
> However it is massive enough that it warrants review and pushing; the rest
> of the changes can be applied later, as this work should not disrupt the
> classic install methods.
>
> In order to build my previous patches (530-533) are needed as well as a
> number of updated components.
>
> I used the following coprs for testing:
> simo/jwcrypto
> simo/custodia
> abbra/sssd-kkdcproxy (for sssd 1.13.1)
> lkrispen/389-ds-current (for 389 > 1.3.4.4)
> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> mkosek/freeipa-4.2-fedora-22 (misc)
> fedora/updates-testing (python-gssapi 1.1.2)
>
> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> it will be released.
>
> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> that may cause installation issues in some case (re-install of a
> replica).
>
> The domain must be raised to level 1 in order to use replica promotion.
>
> In order to promote a replica the server must be first joined as a
> regular client to the domain.
>
> This is the flow I usually use for testing:
>
> # ipa-client-install
> # kinit admin
> # ipa-replica-install --promote --setup-ca
> <perform operations like add user, get keytabs, get certificates,
> etc...>
>
> These patches are also available in this git tree, rebased on current
> master:
> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
>
> Simo.
>
>
>
--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
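The failure Oleg reports above comes from the installer's reverse-DNS check: it queries the IPA DNS server directly, ignores /etc/hosts, and aborts when no PTR record maps the new replica's address back to its hostname. The script below is an added example, not code from the thread or from FreeIPA, of a pre-flight check to run between `ipa-client-install` and `ipa-replica-install --promote` so that a missing or mismatched PTR record is detected before the install is attempted and the system is left partly configured. The helper names (`reverse_name`, `ptr_matches`, `preflight`) and the `IPA_PREFLIGHT` guard variable are this example's own; `dig`, `ipa dnsrecord-add`, and the three install commands are the real tools. The host and address values are the constructed ones from Oleg's report.

```shell
#!/bin/sh
# Added example: pre-flight reverse-DNS check before replica promotion.
# Helper names and the IPA_PREFLIGHT guard are assumptions of this example.

# Build the in-addr.arpa name for a dotted-quad IPv4 address.
# Example: 192.168.122.171 -> 171.122.168.192.in-addr.arpa.
reverse_name() {
    ip=$1
    # POSIX sh: split on dots via IFS, then reassemble in reverse order.
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Compare a PTR answer with the expected FQDN, tolerating a missing
# trailing dot and case differences. Returns 0 on match, 1 otherwise.
ptr_matches() {
    answer=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$answer" ] && [ "$answer" = "$expected" ]
}

# Network-dependent part: ask the IPA DNS server directly, exactly as the
# installer does (so /etc/hosts cannot mask a missing record), and fail
# before any install step runs.
preflight() {
    host=$1; ip=$2; dns_server=$3
    answer=$(dig +short @"$dns_server" -x "$ip" | head -n 1)
    if ptr_matches "$answer" "$host"; then
        echo "PTR for $ip -> $host OK"
        return 0
    fi
    rev=$(reverse_name "$ip") || { echo "bad IPv4 address: $ip" >&2; return 1; }
    name=${rev%%.*}     # e.g. 171
    zone=${rev#*.}      # e.g. 122.168.192.in-addr.arpa.
    echo "No matching PTR for $ip (got '${answer:-nothing}')" >&2
    echo "Add it on the master with: ipa dnsrecord-add $zone $name --ptr-rec=$host." >&2
    return 1
}

# Usage (constructed values from the report):
#   IPA_PREFLIGHT=1 sh replica-preflight.sh f22replica1.pesen.net 192.168.122.171 ns.pesen.net
# The guard keeps the network and install steps from running when the file
# is merely sourced for its helper functions.
if [ "${IPA_PREFLIGHT:-0}" = 1 ]; then
    ipa-client-install --enable-dns-updates
    kinit admin
    preflight "$1" "$2" "$3" || exit 1
    ipa-replica-install --promote --setup-ca
fi
```

The check only reads DNS; the suggested `ipa dnsrecord-add` line is printed for the administrator rather than executed, so a typo in the arguments cannot silently change zone data.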