<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">It is enforcing. Should I try to disable it? <br><div><span></span></div><div> </div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <br> <br> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <dpal@redhat.com> wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv4066880410">
<div>
On 02/12/2014 04:57 PM, Shree wrote:
<blockquote type="cite">
<div style="color:rgb(0, 0, 0);background-color:rgb(255, 255,
255);font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
<div><span>If there aren't any other tests to perform, can I go ahead and uninstall the ipa client and configure this VM as a replica?</span></div>
</div>
</blockquote>
<br>
Thanks for trying. At least we know that certmonger can run by
itself.<br>
When you install replica please collect all the install logs.<br>
Is SELinux on/off?<br>
<br>
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
<div class="yiv4066880410yahoo_quoted" style="display:block;"> <br>
<br>
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
font-size:8pt;">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
font-size:12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On Wednesday, February 12, 2014 1:40 PM, Shree <a rel="nofollow" class="yiv4066880410moz-txt-link-rfc2396E" ymailto="mailto:shreerajkarulkar@yahoo.com" target="_blank" href="mailto:shreerajkarulkar@yahoo.com"><shreerajkarulkar@yahoo.com></a> wrote:<br>
</font> </div>
<div class="yiv4066880410y_msg_container">
<div id="yiv4066880410">
<div>
<div style="color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:8pt;">
<div><span>"getcert list" returned a bunch of info, see below</span></div>
<div style="background-color:transparent;">[root@ldap2 ~]# getcert list</div>
<div style="background-color:transparent;">Number of certificates and requests being tracked: 2.</div>
<div style="background-color:transparent;">Request ID '20140206184920':</div>
<div style="background-color:transparent;"><span class="yiv4066880410Apple-tab-span" style="white-space:pre;"> </span>status: MONITORING</div>
<div style="background-color:transparent;"><span class="yiv4066880410Apple-tab-span" style="white-space:pre;"> </span>stuck: no</div>
<div style="background-color:transparent;"><span class="yiv4066880410Apple-tab-span" style="white-space:pre;"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div>
<div style="background-color:transparent;"><span class="yiv4066880410Apple-tab-span" style="white-space:pre;"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div>
<div style="background-color:transparent;"><span class="yiv4066880410Apple-tab-span" style="white-space:pre;"> </span>CA: dogtag-ipa-retrieve-agent-submit</div>
<div style="background-color:transparent;"><span class="yiv4066880410Apple-tab-span" style="white-space:pre;"> </span>issuer: CN=Certificate Authority,......................</div>
<div style="background-color:transparent;">.............................</div>
<div class="yiv4066880410yqt6319296983" id="yiv4066880410yqt52672">
<div class="yiv4066880410yahoo_quoted" style="display:block;"> <br clear="none">
<br clear="none">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif;font-size:8pt;">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
font-size:12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On Wednesday, February 12,
2014 12:43 PM, Dmitri Pal
<a rel="nofollow" class="yiv4066880410moz-txt-link-rfc2396E" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com"><dpal@redhat.com></a> wrote:<br clear="none">
</font> </div>
<div class="yiv4066880410y_msg_container">
<div id="yiv4066880410">
<div> On 02/12/2014 03:41 PM, Shree wrote:
<blockquote type="cite">
<div style="color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:8pt;">
<div><span>So I uninstalled the ipa server and installed the client (ipa-client-install) on the same VM pointing at the master and everything seems to work OK. All the sudo rules etc. Are there any tests I can do to check connectivity that could be helpful before I configure this as a "replica" again?</span></div>
</div>
</blockquote>
Ask certmonger to get a certificate.<br clear="none">
<br clear="none">
<blockquote type="cite">
<div style="color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:8pt;">
<div class="yiv4066880410yahoo_quoted" style="display:block;"> <br clear="none">
<br clear="none">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:8pt;">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <a rel="nofollow" shape="rect" class="yiv4066880410moz-txt-link-rfc2396E" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com"><dpal@redhat.com></a> wrote:<br clear="none">
</font> </div>
<div class="yiv4066880410y_msg_container">
<div id="yiv4066880410">
<div> On 02/12/2014 02:09 PM, Shree wrote:
<blockquote type="cite">
<div class="yiv4066880410yqt3190332770" id="yiv4066880410yqt44938">
<div style="color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:8pt;">
<div><span>Rob</span></div>
<div style="color:rgb(0, 0, 0);font-size:11px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span>I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there.</span></div>
<div style="color:rgb(0, 0, 0);font-size:11px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span>[1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck</span></div>
<div> This ended with a </div>
<div>
<div>Done configuring NTP daemon (ntpd).</div>
<div>A CA is already configured on this system.</div>
<div><br clear="none"></div>
<div>[2] So did a pkiremove with the following command</div>
<div># pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force<br clear="none"></div>
<div><br clear="none"></div>
<div>[3] Re-ran the ipa-replica-install command in step 1</div>
<div>The install went a little further but ended below.</div>
<div><br clear="none"></div>
<div>
<div>Configuring directory server for the CA (pkids): Estimated time 30 seconds</div>
<div> [1/3]: creating directory server user</div>
<div> [2/3]: creating directory server instance</div>
<div> [3/3]: restarting directory server</div>
<div>Done configuring directory server for the CA (pkids).</div>
<div>ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1</div>
<div>Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds</div>
<div> [1/17]: creating certificate server user</div>
<div> [2/17]: creating pki-ca instance</div>
<div> [3/17]: configuring certificate server instance</div>
<div>ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .................</div>
<div>...........................</div>
<div>
<div>Your system may be partly configured.</div>
<div>Run /usr/sbin/ipa-server-install --uninstall to clean up.</div>
<div><br clear="none"></div>
<div>Configuration of CA failed</div>
<div><br clear="none"></div>
<div>If I skip the "--setup-ca" option then the replica gets created without any CA services. The "master" and "replica" are in sync but I am unable to run an ipa-client-install using the replica. Now I need to fix this to get a replica in place correctly.</div>
</div>
</div>
</div>
<div class="yiv4066880410yahoo_quoted" style="display:block;"> <br clear="none">
<br clear="none">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:8pt;">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:12pt;">
<div dir="ltr">
<font face="Arial" size="2"> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <a rel="nofollow" shape="rect" class="yiv4066880410moz-txt-link-rfc2396E" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> wrote:<br clear="none">
</font> </div>
<div class="yiv4066880410y_msg_container">Shree wrote:<br clear="none">
> OK I thought CA is a part of IPA? Below is from my master IPA server<br clear="none">
><br clear="none">
> [root@ldap ~]# ipactl status<br clear="none">
> Directory Service: RUNNING<br clear="none">
> KDC Service: RUNNING<br clear="none">
> KPASSWD Service: RUNNING<br clear="none">
> MEMCACHE Service: RUNNING<br clear="none">
> HTTP Service: RUNNING<br clear="none">
> CA Service: RUNNING<br clear="none">
> [root@ldap ~]#<br clear="none">
><br clear="none">
> I can certainly send you a log if needed.<br clear="none">
<br clear="none">
It is part of IPA but the IPA server talks to it, not the clients directly.<br clear="none">
<br clear="none">
I can only speculate what the client is doing without seeing the log files, but I suspect both masters are in DNS and IPA is trying to enroll to the initial master which isn't available.<br clear="none">
<br clear="none">
rob<br clear="none">
<br clear="none">
> Shreeraj<br clear="none">
><br clear="none">
> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br clear="none">
> Shree wrote:<br clear="none">
> > Peter<br clear="none">
> > Actually I mentioned earlier that my clients are in a separate VLAN and cannot access the master. We have made provisions for the master and the replica to sync by opening the needed ports in the firewall. We have also opened up ports between the clients and the replica. I have tested the connectivity for these ports.<br clear="none">
> > Perhaps you can tell me if what I am trying to achieve is even possible?<br clear="none">
> > i.e.<br clear="none">
> > I seem to get stuck with making the replica with the "--setup-ca" option. Without that option I am able to create a replica and have it in sync with the master. However my ipa-client-install fails from clients as they try looking for the master for the CA part of the install.<br clear="none">
><br clear="none">
> Clients don't talk to the CA, they talk to an IPA server which talks to the CA.<br clear="none">
><br clear="none">
> I think we need to see /var/log/ipaclient-install.log to see what is going on.<br clear="none">
><br clear="none">
> rob<br clear="none">
><br clear="none">
> > Shreeraj<br clear="none">
> ><br clear="none">
> > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <<a rel="nofollow" shape="rect" ymailto="mailto:pspacek@redhat.com" target="_blank" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> wrote:<br clear="none">
> > On 11.2.2014 23:53, Shree wrote:<br clear="none">
> ><br clear="none">
> > > Following ports are opened between the<br clear="none">
> > > 1) Between the master and the replica (bi-directional)<br clear="none">
> > > 2) client machine and the ipa replica (unidirectional).<br clear="none">
> > > When the replica was up it worked fine as far as syncing was concerned.<br clear="none">
> > ><br clear="none">
> > > 80 tcp<br clear="none">
> > > 443 tcp<br clear="none">
> > > 389 tcp<br clear="none">
> > > 636 tcp<br clear="none">
> > > 88 tcp<br clear="none">
> > > 464 tcp<br clear="none">
> > > 88 udp<br clear="none">
> > > 464 udp<br clear="none">
> > > 123 udp<br clear="none">
> > ><br clear="none">
> > > Shreeraj<br clear="none">
> > ><br clear="none">
> > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br clear="none">
> > ><br clear="none">
> > > On 02/11/2014 05:05 PM, Shree wrote:<br clear="none">
> > > Dmitri<br clear="none">
> > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your questions (thanks for your help man)<br clear="none">
> > > Please republish it on the list.<br clear="none">
> > > Do not reply to me directly.<br clear="none">
> > ><br clear="none">
> > > Did you set your first server with the CA? Are all the ports that need to be open in the firewall between the primary and the server actually open?<br clear="none">
> > ><br clear="none">
> > >><br clear="none">
> > >> What I have done so far is uninstalled the replica and tried to install it again using the "--setup-ca" option. Previously I had failures and when I removed the "--setup-ca" option the installation succeeded (in a way). I understand now that I really need to fix the CA installation errors first.<br clear="none">
> > >><br clear="none">
> > >> 1) The workaround helped me go forward a bit but I got stuck at this point, see below<br clear="none">
> > >> ===========<br clear="none">
> > >> [1/3]: creating directory server user<br clear="none">
> > >> [2/3]: creating directory server instance<br clear="none">
> > >> [3/3]: restarting directory server<br clear="none">
> > >> Done configuring directory server for the CA (pkids).<br clear="none">
> > >> ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1<br clear="none">
> > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds<br clear="none">
> > >> [1/17]: creating certificate server user<br clear="none">
> > >> [2/17]: creating pki-ca instance<br clear="none">
> > >> [3/17]: configuring certificate server instance<br clear="none">
> > >> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -<br clear="none">
> > >> ===========<br clear="none">
> > >> 2) No, we do not use IPA for a DNS server.<br clear="none">
> > >><br clear="none">
> > >> 3) The reason for this could be that I had installed the replica without the "--setup-ca".<br clear="none">
> > >><br clear="none">
> > >> Shreeraj<br clear="none">
> > >><br clear="none">
> > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br clear="none">
> > >><br clear="none">
> > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:<br clear="none">
> > >>> Shree wrote:<br clear="none">
> > >>>> Lukas<br clear="none">
> > >>>> Perhaps I should explain the design a bit and see if FreeIPA even supports this. Our replica is in a separate network and all the appropriate ports are opened between the master and the replica. The "replica" got created successfully and is in sync with the master (except the CA services which I mentioned earlier)<br clear="none">
> > >>>> Now, when I try to run ipa-client-install on hosts in the new network using the replica, it complains about "Cannot contact any KDC for realm".<br clear="none">
> > >>>> I am wondering if my hosts in the new network are trying to access the "master" for certificates since the replica does not have any CA services running? I couldn't find any obvious proof of this even running the install in a debug mode. Do I need to open ports between the new hosts and the master for CA services?<br clear="none">
> > >>>> At this point I cannot disable or move the master, it needs to function in its location but I need<br clear="none">
> > >>><br clear="none">
> > >>> No, the clients don't directly talk to the CA.<br clear="none">
> > >>><br clear="none">
> > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC was found and we were trying to use. If you have SRV records for both but we try to contact the hidden master this will happen. You can try specifying the server on the command-line with --server but this will be hardcoding things and make it less flexible later.<br clear="none">
> > >>><br clear="none">
> > >>> rob<br clear="none">
> > >>><br clear="none">
> > >>>> Shreeraj<br clear="none">
> > >>>><br clear="none">
> > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <<a rel="nofollow" shape="rect" ymailto="mailto:lslebodn@redhat.com" target="_blank" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> wrote:<br clear="none">
> > >>>> On (06/02/14 18:33), Shree wrote:<br clear="none">
> > >>>><br clear="none">
> > >>>>> First of all, the ipa-replica-install did not allow me to use the --setup-ca option complaining that a cert already exists; replica creation was successful after I skipped the option.<br clear="none">
> > >>>>> Seems like the replica is one except<br clear="none">
> > >>>>> 1) There is no CA Service running on the replica (which I guess is expected)<br clear="none">
> > >>>>> and<br clear="none">
> > >>>>> 2) I am unable to run ipa-client-install successfully on any clients using the replica. (I don't have the option of using the primary master as it is configured in a segregated environment. Only the master and replica are allowed to sync.<br clear="none">
> > >>>>> Debug shows it fails at<br clear="none">
> > >>>>><br clear="none">
> > >>>>> ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm 'mydomainname.com' while getting initial credentials<br clear="none">
> > >>>>><br clear="none">
> > >>>><br clear="none">
> > >>>> I was not able to install replica with CA on Fedora 20,<br clear="none">
> > >>>> Bug is already reported <a rel="nofollow" shape="rect" target="_blank" href="https://fedorahosted.org/pki/ticket/816">https://fedorahosted.org/pki/ticket/816</a><br clear="none">
> > >>>><br clear="none">
> > >>>> Guys from dogtag found a workaround<br clear="none">
> > >>>> <a rel="nofollow" shape="rect" target="_blank" href="https://fedorahosted.org/pki/ticket/816#comment:12">https://fedorahosted.org/pki/ticket/816#comment:12</a><br clear="none">
> > >>>><br clear="none">
> > >>>> Does it work for you?<br clear="none">
> > >>>><br clear="none">
> > >>>> LS<br clear="none">
> > >>>><br clear="none">
> > >>>> _______________________________________________<br clear="none">
> > >>>> Freeipa-users mailing list<br clear="none">
> > >>>> <a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br clear="none">
> > >>>> <a rel="nofollow" shape="rect" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br clear="none">
> > >>>><br clear="none">
> > >>><br clear="none">
> > >><br clear="none">
> > >> What server provides DNS capabilities to the clients?<br clear="none">
> > >> Do you use IPA DNS or some other DNS?<br clear="none">
> > >> Clients seem to not be able to see replica KDC and try to access hidden master but they can know about this master only via DNS.<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > Shree, make sure that command<br clear="none">
> > $ dig -t SRV _kerberos._udp.ipa.example<br clear="none">
> > on the client returns both IPA servers (in ANSWER section).<br clear="none">
> ><br clear="none">
> > --<br clear="none">
> > Petr^2 Spacek<br clear="none">
> ><br clear="none">
><br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
I suggest that you temporarily try to install a client in place of the replica and see why it does not install.<br clear="none">
The log above suggests that certmonger, which is a part of the replica, fails to connect to the first master. We need to understand the reason why it fails. Then we would be able to make your replica be a CA. <br clear="none">
I suspect that CA related communication between replica and master is not going through for some reason.<br clear="none">
The install log would be really helpful.<br clear="none">
Please see <br clear="none">
<a rel="nofollow" shape="rect" class="yiv4066880410moz-txt-link-freetext" target="_blank" href="http://www.freeipa.org/page/Troubleshooting">http://www.freeipa.org/page/Troubleshooting</a>
to collect the right logs.<br clear="none">
<br clear="none">
<pre class="yiv4066880410moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a rel="nofollow" shape="rect" class="yiv4066880410moz-txt-link-abbreviated" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div><br><br></div> </div> </div> </div> </div></body></html>