[Freeipa-devel] [PATCHSET] Replica promotion patches

Simo Sorce simo at redhat.com
Mon Oct 5 13:47:14 UTC 2015


On 05/10/15 09:42, Oleg Fayans wrote:
> Hi Jan, Simo
>
> On 10/05/2015 02:15 PM, Jan Pazdziora wrote:
>> On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:
>>>
>>> 1.
>>> Having PTR sync enabled in global DNS configuration and installing
>>> client
>>> with --enable-dns-updates option, ipa master still does not create a PTR
>>> record for the client machine. As a result, ipa-replica-install
>>> throws the
>>> following error:
>>>
>>> ipa         : ERROR    Reverse DNS resolution of address 192.168.122.171
>>> (f22replica1.pesen.net) failed. Clients may not function properly.
>>> Please
>>> check your DNS setup. (Note that this check queries IPA DNS directly and
>>> ignores /etc/hosts.)
>>
>> I believe you also need to have the PTR sync enabled in the forward zone
>> (pesen.net).
>>
>
> Today I was unable to reproduce this issue with just PTR sync enabled in
> global dns configuration. I wonder, what might have caused it. Anyway,
> today I hit a number of other issues with replica promotion.
>
> 1. At one point ipa-replica-install on a configured client has thrown
> the following error:
>
> Configuring ipa-custodia
>    [1/5]: Generating ipa-custodia config file
>    [2/5]: Generating ipa-custodia keys
>    [3/5]: Importing RA Key
>    [error] HTTPError: 502 Server Error: Proxy Error
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    502 Server
> Error: Proxy Error
>
> (corresponding part of the error log of dirsrv attached)

Seems like the peer server was unreachable?
Was there a networking problem?

> 2. The second attempt after re-enrolling client resulted in the error of
> CA installation:
>
> Starting replication, please wait until this has completed.
> Update in progress, 7 seconds elapsed
> Update succeeded
>
>    [4/24]: creating installation admin user
>    [5/24]: setting up certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpHAJVFG'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>    [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
> configuration failed.

This is due to the known bug with authentication in Dogtag. Endy fixed 
it upstream.

Endy,
do you know when the bug will be released in a package we can use for 
testing?

> Weird thing is that mentioned log files were missing in the system.
>
> 3. This is probably not related to replica promotions, but anyway:
> when I do `ipa host-del --updatedns %client_hostname%` on master, it
> does delete the host, but *preserves* dns records (in both zones).
> Is the --updatedns option not aimed at automatic deletion of dns records?

I do not know that it does help, but I tend to use --force when deleting 
a failed replica.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
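The reverse DNS check quoted at the top of this thread ("Reverse DNS resolution of address ... failed ... this check queries IPA DNS directly and ignores /etc/hosts") is the kind of thing worth running as a preflight step before ipa-replica-install. The following is an added example, not code from this thread or from FreeIPA itself: it checks that a candidate replica's forward record contains its address and that the address's PTR points back at the same name. The resolver is injected, and the table of records it answers from is constructed for the example (the host name and address come from the error message in the thread; the other entries are made up); running it against a live IPA DNS server would mean replacing `sample_resolver` with one that queries that server directly, for instance via dnspython, which is an assumption about deployment rather than anything the thread states.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample answers standing in for the IPA DNS server. The first
# host/address pair is the one from the error message in the thread; the
# remaining records are invented to exercise the failure modes.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("f22replica1.pesen.net.", "A"): ["192.168.122.171"],
    ("171.122.168.192.in-addr.arpa.", "PTR"): ["f22replica1.pesen.net."],
    # forward record present, PTR missing: the case the installer complains about
    ("f22replica2.pesen.net.", "A"): ["192.168.122.172"],
    # forward record present, PTR points at a different name
    ("f22replica3.pesen.net.", "A"): ["192.168.122.173"],
    ("173.122.168.192.in-addr.arpa.", "PTR"): ["stale-host.pesen.net."],
}

# A resolver takes (owner name, record type) and returns the record data as strings.
Resolver = Callable[[str, str], List[str]]


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Resolver backed by the constructed table. A production resolver would
    send the query to the IPA DNS server itself, never through /etc/hosts."""
    return SAMPLE_RECORDS.get((name, rtype), [])


def fqdn(name: str) -> str:
    """Normalise a name to lower case with a single trailing dot for comparison."""
    return name.lower().rstrip(".") + "."


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 (in-addr.arpa.) or IPv6 (ip6.arpa.) address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_host_dns(hostname: str, ip: str,
                   resolve: Resolver = sample_resolver) -> Tuple[bool, str]:
    """Verify the forward/reverse pair a replica needs.

    Forward: hostname must have an A/AAAA record containing ip.
    Reverse: the PTR record for ip must name hostname.
    Returns (ok, message); the message mirrors the installer's wording on failure.
    """
    host = fqdn(hostname)
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"

    forward = [str(ipaddress.ip_address(a)) for a in resolve(host, rtype)]
    if str(addr) not in forward:
        return False, f"forward lookup of {host} ({rtype}) does not contain {addr}"

    ptrs = [fqdn(p) for p in resolve(reverse_name(ip), "PTR")]
    if not ptrs:
        return False, (f"Reverse DNS resolution of address {addr} ({host}) failed: "
                       f"no PTR record at {reverse_name(ip)}")
    if host not in ptrs:
        return False, f"PTR for {addr} names {', '.join(ptrs)}, not {host}"
    return True, f"{host} <-> {addr}: forward and reverse records agree"


if __name__ == "__main__":
    for name, address in [("f22replica1.pesen.net", "192.168.122.171"),
                          ("f22replica2.pesen.net", "192.168.122.172"),
                          ("f22replica3.pesen.net", "192.168.122.173")]:
        ok, msg = check_host_dns(name, address)
        print("OK  " if ok else "FAIL", msg)
```

`socket.gethostbyaddr` is deliberately not used here: it goes through the system resolver and therefore /etc/hosts, which can mask exactly the missing PTR record the installer's direct query will trip over.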