<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div><span>The following ports are opened between the</span></div>
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>1) Between the master and the replica (bidirectional)</span></div>
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>2) client machine and the IPA replica (unidirectional).</span></div>
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>When the replica was up, it worked fine as far as syncing was concerned.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div>
<div style="background-color: transparent;"> 80 tcp</div>
<div style="background-color: transparent;"> 443 tcp</div>
<div style="background-color: transparent;"> 389 tcp</div>
<div style="background-color: transparent;"> 636 tcp</div>
<div style="background-color: transparent;"> 88 tcp</div>
<div style="background-color: transparent;"> 464 tcp</div>
<div style="background-color: transparent;"> 88 udp</div>
<div style="background-color: transparent;"> 464 udp</div>
<div style="background-color: transparent;"> 123 udp</div>
<div></div><div> </div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div class="yahoo_quoted" style="display: block;"> <br> <br> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal@redhat.com> wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv3386774039">
<div>
On 02/11/2014 05:05 PM, Shree wrote:
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;">
<div><span>Dmitri</span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;">Sorry, some of the mail landed in my SPAM
folder. Let me answer your questions (thanks for your help, man).</div>
</div>
</blockquote>
Please republish it on the list.<br>
Do not reply to me directly.<br>
<br>
Did you set up your first server with the CA? Are all ports that need
to be open in the firewall between the primary and the server actually
open? <br>
<br>
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;">
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;"><br>
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;">What I have done so far is uninstall
the replica and try to install it again using the
"--setup-ca" option. Previously I had failures, and when I
removed the "--setup-ca" option the installation succeeded (in
a way). I understand now that I really need to fix the CA
installation errors first.</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;"><br>
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;">1) The workaround helped me go forward a
bit, but I got stuck at this point; see below.</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;">===========</div>
<div style="background-color:transparent;"> [1/3]: creating
directory server user</div>
<div style="background-color:transparent;"> [2/3]: creating
directory server instance</div>
<div style="background-color:transparent;"> [3/3]: restarting
directory server</div>
<div style="background-color:transparent;">Done configuring
directory server for the CA (pkids).</div>
<div style="background-color:transparent;">ipa : ERROR
certmonger failed starting to track certificate: Command
'/usr/bin/ipa-getcert start-tracking -d
/etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned
non-zero exit status 1</div>
<div style="background-color:transparent;">Configuring
certificate server (pki-cad): Estimated time 3 minutes 30
seconds</div>
<div style="background-color:transparent;"> [1/17]: creating
certificate server user</div>
<div style="background-color:transparent;"> [2/17]: creating
pki-ca instance</div>
<div style="background-color:transparent;"> [3/17]:
configuring certificate server instance</div>
<div style="background-color:transparent;">ipa :
CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
ldap2.macosforge.org -cs_port 9445 -client_certdb_dir
/tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin
OlGXcjPVXoQcuuQkGgoG -</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;">===========</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;">2) No, we do not use IPA as a DNS server.</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;"><br>
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;background-color:transparent;font-style:normal;">3) The reason for this could be that I had
installed the replica without "--setup-ca".</div>
<div> </div>
<div>Shreeraj<br>
----------------------------------------------------------------------------------------</div>
<div><br>
<br>
</div>
<div>Change is the only Constant !</div>
<div class="yiv3386774039yahoo_quoted" style="display: block;"> <br>
<br>
<div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;">
<div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On Monday,
February 10, 2014 12:43 PM, Dmitri Pal
<a rel="nofollow" class="yiv3386774039moz-txt-link-rfc2396E" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com"><dpal@redhat.com></a> wrote:<br>
</font> </div>
<div class="yiv3386774039y_msg_container">On 02/09/2014 07:44 AM, Rob
Crittenden wrote:<br clear="none">
> Shree wrote:<br clear="none">
>> Lukas<br clear="none">
>> Perhaps I should explain the design a bit and
see if FreeIPA even<br clear="none">
>> supports this. Our replica is in a separate
network and all the<br clear="none">
>> appropriate ports are opened between the master
and the replica. The<br clear="none">
>> "replica" got created successfully and is in
sync with the master<br clear="none">
>> (except the CA services which I mentioned
earlier)<br clear="none">
>> Now, when I try to run ipa-client-install on
hosts in the new network<br clear="none">
>> using the replica, it complains about
"Cannot contact any KDC for<br clear="none">
>> realm".<br clear="none">
>> I am wondering if my hosts in the new network
are trying to access the<br clear="none">
>> "master" for certificates since the replica
does not have any CA<br clear="none">
>> services running? I couldn't find any obvious
proof of this even running<br clear="none">
>> the install in a debug mode. Do I need to open
ports between the new<br clear="none">
>> hosts and the master for CA services?<br clear="none">
>> At this point I cannot disable or move the
master, it needs to function<br clear="none">
>> in its location but I need<br clear="none">
><br clear="none">
> No, the clients don't directly talk to the CA.<br clear="none">
><br clear="none">
> You'd need to look in
/var/log/ipaclient-install.log to see what KDC <br clear="none">
> was found and we were trying to use. If you have
SRV records for both <br clear="none">
> but we try to contact the hidden master this will
happen. You can try <br clear="none">
> specifying the server on the command-line with
--server but this will <br clear="none">
> be hardcoding things and make it less flexible
later.<br clear="none">
><br clear="none">
> rob<br clear="none">
><br clear="none">
>> Shreeraj<br clear="none">
>>
----------------------------------------------------------------------------------------
<br clear="none">
>><br clear="none">
>><br clear="none">
>><br clear="none">
>> Change is the only Constant !<br clear="none">
>><br clear="none">
>><br clear="none">
>> On Saturday, February 8, 2014 1:29 AM, Lukas
Slebodnik<br clear="none">
>> <<a rel="nofollow" shape="rect" ymailto="mailto:lslebodn@redhat.com" target="_blank" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>
wrote:<br clear="none">
>> On (06/02/14 18:33), Shree wrote:<br clear="none">
>><br clear="none">
>> >First of all, the ipa-replica-install did
not allow me to use<br clear="none">
>> the --setup-ca<br clear="none">
>> > option complaining that a cert already
exists; replica creation was<br clear="none">
>> > successful after I skipped the option.<br clear="none">
>> >Seems like the replica is one except<br clear="none">
>> >1) There is no CA Service running on the
replica (which I guess is<br clear="none">
>> expected)<br clear="none">
>> >and<br clear="none">
>> >2) I am unable to run ipa-client-install
successfully on any clients <br clear="none">
>> using<br clear="none">
>> > the replica. (I don't have the option of
using the primary master as<br clear="none">
>> it is<br clear="none">
>> > configured in a segregated environment.
Only the master and replica <br clear="none">
>> are<br clear="none">
>> > allowed to sync.<br clear="none">
>> >Debug shows it fails at<br clear="none">
>> ><br clear="none">
>> >ipa : DEBUG stderr=kinit: Cannot
contact any KDC for realm<br clear="none">
>> 'mydomainname.com' while getting initial
credentials<br clear="none">
>><br clear="none">
>> ><br clear="none">
>> ><br clear="none">
>><br clear="none">
>> I was not able to install a replica with CA on
Fedora 20,<br clear="none">
>> Bug is already reported <a rel="nofollow" shape="rect" target="_blank" href="https://fedorahosted.org/pki/ticket/816">https://fedorahosted.org/pki/ticket/816</a><br clear="none">
>><br clear="none">
>> Guys from dogtag found a workaround<br clear="none">
>> <a rel="nofollow" shape="rect" target="_blank" href="https://fedorahosted.org/pki/ticket/816#comment:12">https://fedorahosted.org/pki/ticket/816#comment:12</a><br clear="none">
>><br clear="none">
>> Does it work for you?<br clear="none">
>><br clear="none">
>> LS<br clear="none">
>><br clear="none">
>><br clear="none">
>><br clear="none">
>><br clear="none">
>><br clear="none">
>> _______________________________________________<br clear="none">
>> Freeipa-users mailing list<br clear="none">
>> <a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br clear="none">
>> <a rel="nofollow" shape="rect" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br clear="none">
>><br clear="none">
><br clear="none">
<br clear="none">
What server provides DNS capabilities to the clients?<br clear="none">
Do you use IPA DNS or some other DNS?<br clear="none">
Clients seem not to be able to see the replica KDC and try
to access the hidden <br clear="none">
master, but they can know about this master only via DNS.<br clear="none">
<br clear="none">
<br clear="none">
-- <br clear="none">
Thank you,<br clear="none">
Dmitri Pal<br clear="none">
<br clear="none">
Sr. Engineering Manager for IdM portfolio<br clear="none">
Red Hat Inc.<br clear="none">
<br clear="none">
<br clear="none">
-------------------------------<br clear="none">
Looking to carve out IT costs?<br clear="none">
<a rel="nofollow" class="yiv3386774039moz-txt-link-abbreviated" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
<div class="yiv3386774039yqt6343257977" id="yiv3386774039yqtfd35430"><br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="yiv3386774039moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a rel="nofollow" class="yiv3386774039moz-txt-link-abbreviated" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div><br><br></div> </div> </div> </div> </div></body></html>
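Added diagnostic for the KDC-discovery problem discussed in this thread (this is not code from the thread or from FreeIPA): it parses the DNS SRV record set a client uses to find a KDC, reports whether the replica is the preferred target rather than the hidden master, and can probe the TCP ports listed at the top as required between client and replica. REALM, REPLICA and the hostnames in the sample records are placeholders; the DNS domain is assumed to be the lower-cased realm.

```shell
#!/bin/bash
# Added diagnostic (not code from the thread or from FreeIPA). Checks which KDCs a
# client would discover through DNS SRV records and whether the replica is the
# preferred one. REALM and REPLICA are placeholders; the DNS domain is assumed to
# be the lower-cased realm, as in a default FreeIPA setup.
REALM="${REALM:-EXAMPLE.COM}"
REPLICA="${REPLICA:-replica.example.com}"

# Parse "dig +short SRV" output (priority weight port target.) and print
# "port target" lines, lowest priority number (most preferred) first.
srv_targets() {
    printf '%s\n' "$1" |
        awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $3, $4 }' |
        sort -n |
        awk '{ print $2, $3 }'
}

# Succeeds (exit 0) only when the replica is the first-choice target. An empty
# record set also fails, which is the "Cannot contact any KDC" case in the thread.
replica_preferred() {
    first_target=$(srv_targets "$1" | head -n 1 | awk '{ print $2 }')
    [ "$first_target" = "$REPLICA" ]
}

# Live lookup of the records ipa-client-install relies on (needs dig and DNS).
discover_kdcs() {
    domain=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    for rec in _kerberos._udp _kerberos._tcp _kpasswd._udp _ldap._tcp; do
        printf '%s.%s:\n' "$rec" "$domain"
        srv_targets "$(dig +short SRV "$rec.$domain")" | sed 's/^/  /'
    done
}

# TCP reachability of the client-to-replica ports listed in the thread. UDP
# 88/464/123 cannot be probed with a plain connect, so they are left out here.
check_tcp_ports() {
    for port in 80 443 389 636 88 464; do
        if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$port" 2>/dev/null; then
            echo "$1:$port/tcp reachable"
        else
            echo "$1:$port/tcp blocked or closed"
        fi
    done
}
# Run the live checks only when asked, so the functions can be used on their own.
if [ -n "${IPA_LIVE_CHECK:-}" ]; then
    discover_kdcs
    check_tcp_ports "$REPLICA"
fi
```

Run it with IPA_LIVE_CHECK=1 on a client in the new network; an empty record set, or the master listed first, matches the "Cannot contact any KDC" symptom, and --server on ipa-client-install only papers over that.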