[Freeipa-devel] [PATCHSET] Replica promotion patches

Simo Sorce simo at redhat.com
Thu Oct 1 22:16:41 UTC 2015


On 01/10/15 10:33, Oleg Fayans wrote:
> A first glance at the packages built from today's tree reveals the
> following problems:
>
> 1.
> Having PTR sync enabled in the global DNS configuration and installing a
> client with the --enable-dns-updates option, the ipa master still does not
> create a PTR record for the client machine. As a result,
> ipa-replica-install throws the following error:
>
> ipa         : ERROR    Reverse DNS resolution of address 192.168.122.171
> (f22replica1.pesen.net) failed. Clients may not function properly.
> Please check your DNS setup. (Note that this check queries IPA DNS
> directly and ignores /etc/hosts.)

I work around this by passing in --no-host-dns for now

> 2.
> When the corresponding PTR record is created manually, ipa-replica-install
> still fails:
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    no matching
> entry found
>
> The same error was caught by Jan Pazdziora (current discussion in the #ipa
> channel)

I pushed a rebase patchset on top of current master that includes a 
small patch that should deal with the kra detection bug properly.


HTH,
Simo.

>
>
> On 08/26/2015 11:27 PM, Simo Sorce wrote:
>> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
>> and introduces a number of required changes and dependencies to achieve
>> this goal.
>> This work requires the custodia project to securely transfer keys
>> between ipa servers.
>>
>> This work is not 100% complete, it still misses the ability to install
>> kra instances and the ability to install a CA (via ipa-ca-install) with
>> externally signed certs.
>>
>> However, it is massive enough that it warrants review and pushing; the rest
>> of the changes can be applied later as this work should not disrupt the
>> classic install methods.
>>
>> In order to build my previous patches (530-533) are needed as well as a
>> number of updated components.
>>
>> I used the following coprs for testing:
>> simo/jwcrypto
>> simo/custodia
>> abbra/sssd-kkdcproxy (for sssd 1.13.1)
>> lkrispen/389-ds-current (for 389 > 1.3.4.4)
>> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
>> mkosek/freeipa-4.2-fedora-22 (misc)
>> fedora/updates-testing (python-gssapi 1.1.2)
>>
>> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
>> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
>> it will be released.
>>
>> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
>> that may cause installation issues in some cases (re-install of a
>> replica).
>>
>> The domain must be raised to level 1 in order to use replica promotion.
>>
>> In order to promote a replica the server must be first joined as a
>> regular client to the domain.
>>
>> This is the flow I usually use for testing:
>>
>> # ipa-client-install
>> # kinit admin
>> # ipa-replica-install --promote --setup-ca
>> <perform operations like add user, get keytabs, get certificates,
>> etc...>
>>
>> These patches are also available in this git tree rebased on current
>> master:
>> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
>>
>>
>> Simo.
>>
>>
>>
>


-- 
Simo Sorce * Red Hat, Inc * New York
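The reverse-DNS failure reported above and the promotion flow from the original post, as an added shell example that is not part of the patchset or of FreeIPA itself. It reproduces the check the replica installer performs (a PTR lookup sent to the IPA DNS server directly, so /etc/hosts is ignored), and on a mismatch prints the ipa dnsrecord-add command that would create the missing PTR record, with --no-host-dns as the fallback Simo used. The /24 reverse zone, the host names and the 192.168.122.171 address are assumptions taken from the thread; dig (bind-utils) and the ipa CLI are assumed to be installed.

```shell
#!/bin/sh
# Pre-flight check for replica promotion (added example, not FreeIPA code).
# Verifies that the IPA DNS server returns a PTR record for the replica's
# address that matches its FQDN, the same check ipa-replica-install fails on.

# Build the in-addr.arpa name for a dotted-quad IPv4 address.
# 192.168.122.171 -> 171.122.168.192.in-addr.arpa.
reverse_name() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Reverse zone the PTR lives in, assuming a /24 (example assumption).
# 192.168.122.171 -> 122.168.192.in-addr.arpa.
reverse_zone() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# Record label inside that zone: the last octet.
reverse_label() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s\n' "$4"
}

# Compare the PTR target returned by DNS with the expected FQDN.
# Both sides are lower-cased and normalised to one trailing dot.
# Returns 0 on match, 1 on mismatch or when no PTR was returned.
ptr_matches() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.*$/./')
    actual=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.*$/./')
    [ -n "$2" ] && [ "$expected" = "$actual" ]
}

# Ask the IPA server's DNS directly; /etc/hosts plays no part here.
lookup_ptr() {
    dig @"$1" -x "$2" +short
}

# Usage: preflight <ipa-server> <replica-fqdn> <replica-ip>
preflight() {
    server=$1; fqdn=$2; ip=$3
    ptr=$(lookup_ptr "$server" "$ip" | head -n 1)
    if ptr_matches "$fqdn" "$ptr"; then
        echo "PTR OK: $ip -> $ptr"
        return 0
    fi
    echo "PTR missing or wrong for $ip (got '${ptr:-nothing}'). Fix with:" >&2
    echo "  ipa dnsrecord-add $(reverse_zone "$ip") $(reverse_label "$ip") --ptr-rec=${fqdn}." >&2
    echo "or pass --no-host-dns to ipa-replica-install to skip the check." >&2
    return 1
}

# The promotion flow from the thread, gated on the pre-flight check.
# Usage: promote <ipa-server> <replica-fqdn> <replica-ip>
promote() {
    preflight "$@" || return 1
    ipa-client-install
    kinit admin
    ipa-replica-install --promote --setup-ca
}

# Run the check only when invoked with arguments, e.g.:
#   sh preflight.sh ipa.pesen.net f22replica1.pesen.net 192.168.122.171
if [ $# -eq 3 ]; then
    preflight "$@"
fi
```

Running the PTR check before ipa-client-install is deliberate: the installer's error appears late, after the system is partly configured, whereas a failing dig costs nothing to repeat.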



