<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div>OK I thought CA is a part of IPA ? Below is from my master IPA server</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"> </div><div style="background-color: transparent;">[root@ldap ~]# ipactl status</div><div style="background-color: transparent;">Directory Service: RUNNING</div><div style="background-color: transparent;">KDC Service: RUNNING</div><div style="background-color: transparent;">KPASSWD Service: RUNNING</div><div style="background-color: transparent;">MEMCACHE Service: RUNNING</div><div style="background-color: transparent;">HTTP Service: RUNNING</div><div style="background-color: transparent;">CA Service: RUNNING</div><div style="background-color: transparent;"></div><div style="background-color: transparent;">[root@ldap ~]#</div><div style="background-color: transparent;"> </div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;">I can certainly send you a log if needed.</div><div></div><div> </div><div>Shreeraj ---------------------------------------------------------------------------------------- Change is the only Constant !</div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcritten@redhat.com> wrote: </div> <div class="y_msg_container">Shree wrote: > Peter > Actually I mentioned earlier that my clients are in a separate VLAN and > cannot access the master. We have made provisions for the master and the > replica to sync by opening the needed ports in the firewall. We have > also opened up ports between the clients and the replica. I have tested > the connectivity for these ports. > Perhaps you can tell me if what I am trying to achieve is even possible? > i.e > I seem to get stuck with making the replica with the "--setup-ca" > option. Wthout that option I am able to create a replica and have it in > sync with the master. However my ipa-client-install fails from clients > as they try looking for the master for CA part of the install. Clients don't talk to the CA, they talk to an IPA server which talks to the CA. I think we need to see /var/log/ipaclient-install.log to see what is going on. rob > Shreeraj > ---------------------------------------------------------------------------------------- > > > Change is the only Constant ! > > > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek > <<a shape="rect" ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> wrote: > On 11.2.2014 23:53, Shree wrote: > > > Following ports are opened between the > > 1) Between the master and the replica (bi directional) > > 2) client machine and the ipa replica (unidirectional). > > When the replica was up it worked fine as far as syncing was concerned. > > > > 80 tcp > > 443 tcp > > 389 tcp > > 636 tcp > > 88 tcp > > 464 tcp > > 88 udp > > 464 udp > > 123 udp > > > > Shreeraj > > > ---------------------------------------------------------------------------------------- > > > > Change is the only Constant ! > > > > > > > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <<a shape="rect" ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> > <mailto:<a shape="rect" ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote: > > > > On 02/11/2014 05:05 PM, Shree wrote: > > Dimitri > >> Sorry some the mail landed in my SPAM folder. Let answer your > questions (thanks for your help man) > > Please republish it on the list. > > Do not reply to me directly. > > > > Did you set your first server with the CA? Does all ports that need > > to be open in the firewall between primary or server are actually > > open? > > > > > > > >> > >> What I have done so far is uninstalled the replica and tried to > install it again using the "--setup-ca" option. Previously I had > failures and when I removed the "--setup-ca" option the installation > succeeded (in a way). I understand now that I really need to fix the CA > installation errors first. > >> > >> > >> 1)The workaround helped me go forward a bit but I got stuck at this > point see below > >> =========== > >> [1/3]: creating directory server user > >> [2/3]: creating directory server instance > >> [3/3]: restarting directory server > >> Done configuring directory server for the CA (pkids). > >> ipa : ERROR certmonger failed starting to track > certificate: Command '/usr/bin/ipa-getcert start-tracking -d > /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p > /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C > /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit > status 1 > >> Configuring certificate server (pki-cad): Estimated time 3 minutes > 30 seconds > >> [1/17]: creating certificate server user > >> [2/17]: creating pki-ca instance > >> [3/17]: configuring certificate server instance > >> ipa : CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT > -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG - > >> =========== > >> 2) No we do not use IPA for a DNS server. > >> > >> > >> 3)The reason for this could be that I had installed the replica > without the "--setup-ca". > >> > >> Shreeraj > >> > ---------------------------------------------------------------------------------------- > >> > >> > >> > >> Change is the only Constant ! > >> > >> > >> > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <<a shape="rect" ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> > <mailto:<a shape="rect" ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote: > >> > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote: > >>> Shree wrote: > >>>> Lukas > >>>> Perhaps I should explain the design a bit and > > see if FreeIPA even > >>>> supports this.Our replica is in a separate > > network and all the > >>>> appropriate ports are opened between the master > > and the replica. The > >>>> "replica" got created successfully and is in > > sync with the master > >>>> (except the CA services which I mentioned > > earlier) > >>>> Now,when I try to run ipa-client-install on > > hosts in the new network > >>>> using the replica, it complains that about > > "Cannot contact any KDC for > >>>> realm". > >>>> I am wondering it my hosts in the new network > > are trying to access the > >>>> "master" for certificates since the replica > > does not have any CA > >>>> services running? I couldn't find any obvious > > proof of this even running > >>>> the install in a debug mode. Do I need to open > > ports between the new > >>>> hosts and the master for CA services? > >>>> At this point I cannot disable or move the > > master, it needs to function > >>>> in its location but I need > >>> > >>> No, the clients don't directly talk to the CA. > >>> > >>> You'd need to look in > > /var/log/ipaclient-install.log to see what KDC > >>> was found and we were trying to use. If you have > > SRV records for both > >>> but we try to contact the hidden master this will > > happen. You can try > >>> specifying the server on the command-line with > > --server but this will > >>> be hardcoding things and make it less flexible > > later. > >>> > >>> rob > >>> > >>>> Shreeraj > >>>> > > > ---------------------------------------------------------------------------------------- > >>>> > >>>> > >>>> > >>>> Change is the only Constant ! > >>>> > >>>> > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas > > Slebodnik > >>>> <<a shape="rect" ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a shape="rect" ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>> wrote: > >>>> On (06/02/14 18:33), Shree wrote: > >>>> > >>>>> First of all, the ipa-replica-install did > > not allow me to use > >>>> the --setup-ca > >>>>> option complaining that a cert already > > exists, replicate creation was > >>>>> successful after I skipped the option. > >>>>> Seems like the replica is one except > >>>>> 1) There is no CA Service running on the > > replica (which I guess is > >>>> expected) > >>>>> and > >>>>> 2) I am unable to run ipa-client-install > > successfully on any clients > >>>> using > >>>>> the replica. (I don't have the option of > > using the primary master as > >>>> it is > >>>>> configured in a segregated environment. > > Only the master and replica > >>>> are > >>>>> allowed to sync. > >>>>> Debug shows it fails at > >>>>> > >>>>> ipa : DEBUG stderr=kinit: Cannot > > contact any KDC for realm > >>>> 'mydomainname.com' while getting initial > > credentials > >>>> > >>>>> > >>>>> > >>>> > >>>> I was not able to install replica witch CA on > > fedora 20, > >>>> Bug is already reported <a shape="rect" href="https://fedorahosted.org/pki/ticket/816" target="_blank">https://fedorahosted.org/pki/ticket/816</a> > >>>> > >>>> Guys from dogtag found a workaround > >>>> <a shape="rect" href="https://fedorahosted.org/pki/ticket/816#comment:12" target="_blank">https://fedorahosted.org/pki/ticket/816#comment:12</a> > >>>> > >>>> Does it work for you? > >>>> > >>>> LS > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> Freeipa-users mailing list > >>>> <a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > >>>> <a shape="rect" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>>> > >>> > >>> _______________________________________________ > >>> Freeipa-users mailing list > >>> <a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><div class="yqt7881356010" id="yqtfd70929"> > >>> <a shape="rect" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >> > >> What server provides DNS capabilities to the clients? > >> Do you use IPA DNS or some other DNS? > >> Clients seem to not be able to see replica KDC and try > > to access hidden > >> master but they can know about this master only via DNS. > > > Shree, make sure that command > $ dig -t SRV _kerberos._udp.ipa.example > on the client returns both IPA servers (in ANSWER section). > > -- > Petr^2 Spacek > > > > > > _______________________________________________ > Freeipa-users mailing list > <a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a shape="rect" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > </div> </div> </div> </div> </div> </div></body></html>