<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div><span>If there aren't any other tests to perform, can I go ahead and uninstall the ipa client and configure this VM as a replica?</span></div><div></div><div> </div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div class="yahoo_quoted" style="display: block;"> <br> <br> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, February 12, 2014 1:40 PM, Shree <shreerajkarulkar@yahoo.com> wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv7611590899"><div><div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"><div><span>"getcert list" returned a bunch of info, see below</span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
background-color: transparent; font-style: normal;"><span><br clear="none"></span></div><div style="background-color:transparent;">root@ldap2 ~]# getcert list</div><div style="background-color:transparent;">Number of certificates and requests being tracked: 2.</div><div style="background-color:transparent;">Request ID '20140206184920':</div><div style="background-color:transparent;"><span class="yiv7611590899Apple-tab-span" style="white-space:pre;"> </span>status: MONITORING</div><div style="background-color:transparent;"><span class="yiv7611590899Apple-tab-span" style="white-space:pre;"> </span>stuck: no</div><div style="background-color:transparent;"><span class="yiv7611590899Apple-tab-span" style="white-space:pre;"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div style="background-color:transparent;"><span class="yiv7611590899Apple-tab-span"
style="white-space:pre;"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div><div style="background-color:transparent;"><span class="yiv7611590899Apple-tab-span" style="white-space:pre;"> </span>CA: dogtag-ipa-retrieve-agent-submit</div><div style="background-color:transparent;"><span></span></div><div style="background-color:transparent;"><span class="yiv7611590899Apple-tab-span" style="white-space:pre;"> </span>issuer: CN=Certificate Authority,......................</div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;">.............................</div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;"><br
clear="none"></div><div></div><div> </div><div>Shreeraj
<br clear="none">----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">Change is the only Constant !</div><div class="yiv7611590899yqt6319296983" id="yiv7611590899yqt52672"><div class="yiv7611590899yahoo_quoted" style="display: block;"> <br clear="none"> <br clear="none"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <dpal@redhat.com> wrote:<br clear="none"> </font> </div> <div class="yiv7611590899y_msg_container"><div id="yiv7611590899">
<div>
On 02/12/2014 03:41 PM, Shree wrote:
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;">
<div><span>So I uninstalled the ipa server and installed the
client (ipa-client-install) on the same VM pointing at the
master and everything seems to work OK. All the sudo rules
etc. Are there any tests I can do to check connectivity that
could be helpful before I configure this as a "replica"
again?</span></div>
</div>
</blockquote>
Ask certmonger to get a certificate<br clear="none">
<br clear="none">
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;">
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span><br clear="none">
</span></div>
<div> </div>
<div>Shreeraj
<br clear="none">
----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">
Change is the only Constant !</div>
<div class="yiv7611590899yahoo_quoted" style="display:block;"> <br clear="none">
<br clear="none">
<div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;">
<div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On
Wednesday, February 12, 2014 11:46 AM, Dmitri Pal
<a rel="nofollow" shape="rect" class="yiv7611590899moz-txt-link-rfc2396E" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com"><dpal@redhat.com></a> wrote:<br clear="none">
</font> </div>
<div class="yiv7611590899y_msg_container">
<div id="yiv7611590899">
<div> On 02/12/2014 02:09 PM, Shree wrote:
<blockquote type="cite">
<div class="yiv7611590899yqt3190332770" id="yiv7611590899yqt44938">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;">
<div><span>Rob</span></div>
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>I really
appreciate your help, please bear with me.
At this point I need to take you back to
my ipa-replica-install and what happened
there.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none">
</div>
<div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>[1] My
command: ipa-replica-install --setup-ca
/var/tmp/replica-info-ldap2.mydomain.com.gpg
--skip-conncheck</span></div>
<div> This ended with: </div>
<div>
<div>Done configuring NTP daemon (ntpd).</div>
<div>A CA is already configured on this
system.</div>
<div><br clear="none">
</div>
<div>[2] So I did a pkiremove with the
following command:</div>
<div># pkiremove -pki_instance_root=/var/lib
-pki_instance_name=pki-ca -force<br clear="none">
</div>
<div><br clear="none">
</div>
<div>[3] Re-ran the ipa-replica-install
command from step 1.</div>
<div>The install went a little further but
ended below.</div>
<div><br clear="none">
</div>
<div>
<div>Configuring directory server for the
CA (pkids): Estimated time 30 seconds</div>
<div> [1/3]: creating directory server
user</div>
<div> [2/3]: creating directory server
instance</div>
<div> [3/3]: restarting directory server</div>
<div>Done configuring directory server for
the CA (pkids).</div>
<div>ipa : ERROR certmonger
failed starting to track certificate:
Command '/usr/bin/ipa-getcert
start-tracking -d
/etc/dirsrv/slapd-PKI-IPA -n Server-Cert
-p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt
-C
/usr/lib64/ipa/certmonger/restart_dirsrv
PKI-IPA' returned non-zero exit status 1</div>
<div>Configuring certificate server
(pki-cad): Estimated time 3 minutes 30
seconds</div>
<div> [1/17]: creating certificate server
user</div>
<div> [2/17]: creating pki-ca instance</div>
<div> [3/17]: configuring certificate
server instance</div>
<div>ipa : CRITICAL failed to
configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent
ConfigureCA -cs_hostname
.................</div>
<div>...........................</div>
<div>
<div>Your system may be partly
configured.</div>
<div>Run /usr/sbin/ipa-server-install
--uninstall to clean up.</div>
<div><br clear="none">
</div>
<div>Configuration of CA failed</div>
<div><br clear="none">
</div>
<div>If I skip the "--setup-ca" option
then the replica gets created without
any CA services. The "master" and
"replica" are in sync but I am unable
to run a ipa-client-install using the
replica. Now I need to fix this to get
a replica in place correctly.</div>
</div>
</div>
<div><br clear="none">
</div>
<div><br clear="none">
</div>
</div>
<div>Shreeraj <br clear="none">
----------------------------------------------------------------------------------------
<br clear="none">
</div>
<div class="yiv7611590899yahoo_quoted" style="display:block;"> <br clear="none">
<br clear="none">
<div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;">
<div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On Wednesday, February 12,
2014 10:42 AM, Rob Crittenden <a rel="nofollow" shape="rect" class="yiv7611590899moz-txt-link-rfc2396E" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>
wrote:<br clear="none">
</font> </div>
<div class="yiv7611590899y_msg_container">Shree
wrote:<br clear="none">
> OK, I thought the CA is a part of IPA?
Below is from my master IPA server<br clear="none">
><br clear="none">
> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ldap" target="_blank" href="mailto:root@ldap">root@ldap</a>
~]# ipactl status<br clear="none">
> Directory Service: RUNNING<br clear="none">
> KDC Service: RUNNING<br clear="none">
> KPASSWD Service: RUNNING<br clear="none">
> MEMCACHE Service: RUNNING<br clear="none">
> HTTP Service: RUNNING<br clear="none">
> CA Service: RUNNING<br clear="none">
> [<a rel="nofollow" shape="rect" ymailto="mailto:root@ldap" target="_blank" href="mailto:root@ldap">root@ldap</a>
~]#<br clear="none">
><br clear="none">
> I can certainly send you a log if
needed.<br clear="none">
<br clear="none">
It is part of IPA but the IPA server
talks to it, not the clients directly.<br clear="none">
<br clear="none">
I can only speculate what the client
is doing without seeing the log <br clear="none">
files, but I suspect both masters are
in DNS and IPA is trying to enroll <br clear="none">
to the initial master which isn't
available.<br clear="none">
<br clear="none">
rob<br clear="none">
<br clear="none">
> Shreeraj<br clear="none">
>
----------------------------------------------------------------------------------------<br clear="none">
><br clear="none">
><br clear="none">
> Change is the only Constant !<br clear="none">
><br clear="none">
><br clear="none">
> On Wednesday, February 12, 2014
10:32 AM, Rob Crittenden<br clear="none">
> <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
wrote:<br clear="none">
> Shree wrote:<br clear="none">
> > Peter<br clear="none">
> > Actually I mentioned
earlier that my clients are in a
separate VLAN and<br clear="none">
> > cannot access the master.
We have made provisions for the master
and the<br clear="none">
> > replica to sync by opening
the needed ports in the firewall. We
have<br clear="none">
> > also opened up ports
between the clients and the replica. I
have tested<br clear="none">
> > the connectivity for these
ports.<br clear="none">
> > Perhaps you can tell me if
what I am trying to achieve is even
possible?<br clear="none">
> > i.e<br clear="none">
> > I seem to get stuck with
making the replica with the
"--setup-ca"<br clear="none">
> > option. Without that option
I am able to create a replica and have
it in<br clear="none">
> > sync with the master.
However my ipa-client-install fails
from clients<br clear="none">
> > as they try looking for the
master for CA part of the install.<br clear="none">
><br clear="none">
> Clients don't talk to the CA,
they talk to an IPA server which talks
to<br clear="none">
> the CA.<br clear="none">
><br clear="none">
> I think we need to see
/var/log/ipaclient-install.log to see
what is<br clear="none">
> going on.<br clear="none">
><br clear="none">
> rob<br clear="none">
><br clear="none">
> > Shreeraj<br clear="none">
> ><br clear="none">
>
----------------------------------------------------------------------------------------<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > Change is the only Constant
!<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > On Wednesday, February 12,
2014 12:45 AM, Petr Spacek<br clear="none">
> > <<a rel="nofollow" shape="rect" ymailto="mailto:pspacek@redhat.com" target="_blank" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:pspacek@redhat.com" target="_blank" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>>
wrote:<br clear="none">
> > On 11.2.2014 23:53, Shree
wrote:<br clear="none">
> ><br clear="none">
> > > Following ports are
opened between the<br clear="none">
> > > 1) Between the master
and the replica (bi directional)<br clear="none">
> > > 2) client machine and
the ipa replica (unidirectional).<br clear="none">
> > > When the replica was
up it worked fine as far as syncing
was<br clear="none">
> concerned.<br clear="none">
> > ><br clear="none">
> > > 80 tcp<br clear="none">
> > > 443 tcp<br clear="none">
> > > 389 tcp<br clear="none">
> > > 636 tcp<br clear="none">
> > > 88 tcp<br clear="none">
> > > 464 tcp<br clear="none">
> > > 88 udp<br clear="none">
> > > 464 udp<br clear="none">
> > > 123 udp<br clear="none">
> > ><br clear="none">
> > > Shreeraj<br clear="none">
> > ><br clear="none">
> ><br clear="none">
>
----------------------------------------------------------------------------------------<br clear="none">
> > ><br clear="none">
> > > Change is the only
Constant !<br clear="none">
> > ><br clear="none">
> > ><br clear="none">
> > ><br clear="none">
> > > On Tuesday, February
11, 2014 2:22 PM, Dmitri Pal <<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br clear="none">
> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br clear="none">
> > <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>
wrote:<br clear="none">
> > ><br clear="none">
> > > On 02/11/2014 05:05
PM, Shree wrote:<br clear="none">
> > > Dmitri<br clear="none">
> > >> Sorry, some of the
mail landed in my SPAM folder. Let me
answer your<br clear="none">
> > questions (thanks for your
help man)<br clear="none">
> > > Please republish it
on the list.<br clear="none">
> > > Do not reply to me
directly.<br clear="none">
> > ><br clear="none">
> > > Did you set your
first server with the CA? Are all
ports that need<br clear="none">
> > > to be open in
the firewall between primary or server
actually<br clear="none">
> > > open?<br clear="none">
> > ><br clear="none">
> > ><br clear="none">
> > ><br clear="none">
> > >><br clear="none">
> > >> What I have done
so far is uninstalled the replica and
tried to<br clear="none">
> > install it again using the
"--setup-ca" option. Previously I had<br clear="none">
> > failures and when I removed
the "--setup-ca" option the
installation<br clear="none">
> > succeeded (in a way). I
understand now that I really need to
fix the CA<br clear="none">
> > installation errors first.<br clear="none">
> > >><br clear="none">
> > >><br clear="none">
> > >> 1)The workaround
helped me go forward a bit but I got
stuck at this<br clear="none">
> > point see below<br clear="none">
> > >> ===========<br clear="none">
> > >> [1/3]:
creating directory server user<br clear="none">
> > >> [2/3]:
creating directory server instance<br clear="none">
> > >> [3/3]:
restarting directory server<br clear="none">
> > >> Done configuring
directory server for the CA (pkids).<br clear="none">
> > >> ipa :
ERROR certmonger failed starting to
track<br clear="none">
> > certificate: Command
'/usr/bin/ipa-getcert start-tracking
-d<br clear="none">
> > /etc/dirsrv/slapd-PKI-IPA
-n Server-Cert -p<br clear="none">
> >
/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt
-C<br clear="none">
> >
/usr/lib64/ipa/certmonger/restart_dirsrv
PKI-IPA' returned non-zero exit<br clear="none">
> > status 1<br clear="none">
> > >> Configuring
certificate server (pki-cad):
Estimated time 3 minutes<br clear="none">
> > 30 seconds<br clear="none">
> > >> [1/17]:
creating certificate server user<br clear="none">
> > >> [2/17]:
creating pki-ca instance<br clear="none">
> > >> [3/17]:
configuring certificate server
instance<br clear="none">
> > >> ipa :
CRITICAL failed to configure ca
instance Command<br clear="none">
> > '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA
-cs_hostname<br clear="none">
> > ldap2.macosforge.org
-cs_port 9445 -client_certdb_dir
/tmp/tmp-ipJSsT<br clear="none">
> > -client_certdb_pwd XXXXXXXX
-preop_pin OlGXcjPVXoQcuuQkGgoG -<br clear="none">
> > >> ===========<br clear="none">
> > >> 2) No we do not
use IPA for a DNS server.<br clear="none">
> > >><br clear="none">
> > >><br clear="none">
> > >> 3)The reason for
this could be that I had installed the
replica<br clear="none">
> > without the "--setup-ca".<br clear="none">
> > >><br clear="none">
> > >> Shreeraj<br clear="none">
> > >><br clear="none">
> ><br clear="none">
>
----------------------------------------------------------------------------------------<br clear="none">
> > >><br clear="none">
> > >><br clear="none">
> > >><br clear="none">
> > >> Change is the
only Constant !<br clear="none">
> > >><br clear="none">
> > >><br clear="none">
> > >><br clear="none">
> > >> On Monday,
February 10, 2014 12:43 PM, Dmitri Pal<br clear="none">
> <<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br clear="none">
> > <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>
wrote:<br clear="none">
> > >><br clear="none">
> > >> On 02/09/2014
07:44 AM, Rob Crittenden wrote:<br clear="none">
> > >>> Shree wrote:<br clear="none">
> > >>>> Lukas<br clear="none">
> > >>>> Perhaps I
should explain the design a bit and<br clear="none">
> > > see
if FreeIPA even<br clear="none">
> > >>>> supports
this. Our replica is in a separate<br clear="none">
> > >
network and all the<br clear="none">
> > >>>>
appropriate ports are opened between
the master<br clear="none">
> > > and
the replica. The<br clear="none">
> > >>>> "replica"
got created successfully and is in<br clear="none">
> > > sync
with the master<br clear="none">
> > >>>> (except
the CA services which I mentioned<br clear="none">
> > >
earlier)<br clear="none">
> > >>>> Now, when
I try to run ipa-client-install on<br clear="none">
> > > hosts in the new
network<br clear="none">
> > >>>> using the
replica, it complains that about<br clear="none">
> > >
"Cannot contact any KDC for<br clear="none">
> > >>>> realm".<br clear="none">
> > >>>> I am
wondering if my hosts in the new
network<br clear="none">
> > > are
trying to access the<br clear="none">
> > >>>> "master"
for certificates since the replica<br clear="none">
> > > does
not have any CA<br clear="none">
> > >>>> services
running? I couldn't find any obvious<br clear="none">
> > >
proof of this even running<br clear="none">
> > >>>> the
install in a debug mode. Do I need to
open<br clear="none">
> > >
ports between the new<br clear="none">
> > >>>> hosts and
the master for CA services?<br clear="none">
> > >>>> At this
point I cannot disable or move the<br clear="none">
> > >
master, it needs to function<br clear="none">
> > >>>> in its
location but I need<br clear="none">
> > >>><br clear="none">
> > >>> No, the
clients don't directly talk to the CA.<br clear="none">
> > >>><br clear="none">
> > >>> You'd need to
look in<br clear="none">
> > >
/var/log/ipaclient-install.log to see
what KDC<br clear="none">
> > >>> was found and
we were trying to use. If you have<br clear="none">
> > > SRV
records for both<br clear="none">
> > >>> but we try to
contact the hidden master this will<br clear="none">
> > >
happen. You can try<br clear="none">
> > >>> specifying
the server on the command-line with<br clear="none">
> > >
--server but this will<br clear="none">
> > >>> be hardcoding
things and make it less flexible<br clear="none">
> > >
later.<br clear="none">
> > >>><br clear="none">
> > >>> rob<br clear="none">
> > >>><br clear="none">
> > >>>> Shreeraj<br clear="none">
> > >>>><br clear="none">
> > ><br clear="none">
> ><br clear="none">
>
----------------------------------------------------------------------------------------<br clear="none">
> > >>>><br clear="none">
> > >>>><br clear="none">
> > >>>><br clear="none">
> > >>>> Change is
the only Constant !<br clear="none">
> > >>>><br clear="none">
> > >>>><br clear="none">
> > >>>> On
Saturday, February 8, 2014 1:29 AM,
Lukas<br clear="none">
> > >
Slebodnik<br clear="none">
> > >>>> <<a rel="nofollow" shape="rect" ymailto="mailto:lslebodn@redhat.com" target="_blank" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:lslebodn@redhat.com" target="_blank" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>><br clear="none">
> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:lslebodn@redhat.com" target="_blank" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:lslebodn@redhat.com" target="_blank" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>>>
wrote:<br clear="none">
> > >>>> On
(06/02/14 18:33), Shree wrote:<br clear="none">
> > >>>><br clear="none">
> > >>>>> First
of all, the ipa-replica-install did<br clear="none">
> > > not
allow me to use<br clear="none">
> > >>>> the
--setup-ca<br clear="none">
> > >>>>>
option complaining that a cert already<br clear="none">
> > >
exists, replica creation was<br clear="none">
> > >>>>>
successful after I skipped the option.<br clear="none">
> > >>>>> Seems
like the replica is one except<br clear="none">
> > >>>>> 1)
There is no CA Service running on the<br clear="none">
> > >
replica (which I guess is<br clear="none">
> > >>>> expected)<br clear="none">
> > >>>>> and<br clear="none">
> > >>>>> 2) I
am unable to run ipa-client-install<br clear="none">
> > >
successfully on any clients<br clear="none">
> > >>>> using<br clear="none">
> > >>>>> the
replica. (I don't have the option of<br clear="none">
> > >
using the primary master as<br clear="none">
> > >>>> it is<br clear="none">
> > >>>>>
configured in a segregated
environment.<br clear="none">
> > > Only
the master and replica<br clear="none">
> > >>>> are<br clear="none">
> > >>>>>
allowed to sync.<br clear="none">
> > >>>>> Debug
shows it fails at<br clear="none">
> > >>>>><br clear="none">
> > >>>>> ipa
: DEBUG stderr=kinit: Cannot<br clear="none">
> > >
contact any KDC for realm<br clear="none">
> > >>>>
'mydomainname.com' while getting
initial<br clear="none">
> > >
credentials<br clear="none">
> > >>>><br clear="none">
> > >>>>><br clear="none">
> > >>>>><br clear="none">
> > >>>><br clear="none">
> > >>>> I was not
able to install replica with CA on<br clear="none">
> > >
fedora 20,<br clear="none">
> > >>>> Bug is
already reported <a rel="nofollow" shape="rect" target="_blank" href="https://fedorahosted.org/pki/ticket/816">https://fedorahosted.org/pki/ticket/816</a><br clear="none">
> > >>>><br clear="none">
> > >>>> Guys from
dogtag found a workaround<br clear="none">
> > >>>> <a rel="nofollow" shape="rect" target="_blank" href="https://fedorahosted.org/pki/ticket/816#comment:12">https://fedorahosted.org/pki/ticket/816#comment:12</a><br clear="none">
> > >>>><br clear="none">
> > >>>> Does it
work for you?<br clear="none">
> > >>>><br clear="none">
> > >>>> LS<br clear="none">
> > >>>><br clear="none">
> > >>>><br clear="none">
> > >>>><br clear="none">
> > >>>><br clear="none">
> > >>>><br clear="none">
> > >>>>
_______________________________________________<br clear="none">
> > >>>>
Freeipa-users mailing list<br clear="none">
> > >>>> <a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><br clear="none">
> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<mailto:<a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br clear="none">
> > >>>> <a rel="nofollow" shape="rect" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br clear="none">
> > >>>><br clear="none">
> > >>><br clear="none">
> > >><br clear="none">
> > >> What server
provides DNS capabilities to the
clients?<br clear="none">
> > >> Do you use IPA
DNS or some other DNS?<br clear="none">
> > >> Clients seem to
not be able to see replica KDC and try<br clear="none">
> > > to
access hidden<br clear="none">
> > >> master but they
can know about this master only via
DNS.<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > Shree, make sure that
command<br clear="none">
> > $ dig -t SRV
_kerberos._udp.ipa.example<br clear="none">
> > on the client returns both
IPA servers (in ANSWER section).<br clear="none">
> ><br clear="none">
> > --<br clear="none">
> > Petr^2 Spacek<br clear="none">
> ><br clear="none">
> ><br clear="none">
> ><br clear="none">
> ><br clear="none">
> ><br clear="none">
> ><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</div>
<br clear="none">
</blockquote>
I suggest that you temporarily try to install a
client in place of the replica and see why it does
not install.<br clear="none">
The log above suggests that certmonger that is a
part of the replica fails to connect to the first
master. We need to understand the reason why it
fails. Then we would be able to make your replica be
a CA. <br clear="none">
I suspect that CA related communication between
replica and master is not going through for some
reasons.<br clear="none">
The install log would be really helpful.<br clear="none">
Please see <br clear="none">
<a rel="nofollow" shape="rect" class="yiv7611590899moz-txt-link-freetext" target="_blank" href="http://www.freeipa.org/page/Troubleshooting">http://www.freeipa.org/page/Troubleshooting</a>
to collect the right logs.<br clear="none">
<br clear="none">
<pre class="yiv7611590899moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a rel="nofollow" shape="rect" class="yiv7611590899moz-txt-link-abbreviated" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
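<div>Added worked example (not code from the thread or from the FreeIPA project). Petr's check is that dig -t SRV _kerberos._udp.yourdomain returns both IPA servers, and Rob's point is that a client which finds the hidden master in that answer will try to enroll against it. The script below parses dig's ANSWER section and probes every advertised server on the TCP ports the thread says were opened from the clients, so an advertised-but-unreachable server is reported before ipa-client-install fails with "Cannot contact any KDC". The dig output and the hostnames ldap.ipa.example / ldap2.ipa.example are constructed placeholders; the port list is the one posted in the thread.</div>
<pre>
```python
"""Which IPA servers will a client discover, and can it reach them?

Added example for this thread; it is not code from the FreeIPA project or
from anyone on the list. It mirrors the check Petr asks for (the SRV answer
must list the servers you expect) and adds the follow-up the thread needed:
probing each advertised server on the ports the clients were allowed
through the firewall, so a server that is advertised but unreachable (the
hidden master in this thread) shows up before ipa-client-install trips
over it. The dig output and hostnames below are constructed placeholders.
"""
import socket
import subprocess
import sys

# Ports the thread lists as opened from the clients to the replica.
CLIENT_TO_SERVER_PORTS = [
    ("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636),
    ("tcp", 88), ("tcp", 464), ("udp", 88), ("udp", 464), ("udp", 123),
]

# Constructed dig output: two servers advertised with equal priority, as a
# client in the "new" VLAN would see it. ldap is the master it cannot reach.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ldap.ipa.example.
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ldap2.ipa.example.

;; Query time: 1 msec
"""


def parse_srv_answers(dig_output):
    """Return (priority, weight, port, target) tuples from dig's ANSWER SECTION,
    lowest priority first, higher weight first within a priority."""
    records = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(";"):
            in_answer = False          # blank line or next section ends the answer
            continue
        fields = line.split()
        # name ttl class SRV priority weight port target
        if len(fields) == 8 and fields[3] == "SRV":
            prio, weight, port = int(fields[4]), int(fields[5]), int(fields[6])
            records.append((prio, weight, port, fields[7].rstrip(".")))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_servers(records, ports=CLIENT_TO_SERVER_PORTS, probe=tcp_open):
    """Map each SRV target to the TCP ports the probe could not reach.

    UDP ports cannot be confirmed with a connect(), so they are skipped here;
    kinit against the server exercises 88/udp. `probe` is injectable so the
    logic can be exercised without a network."""
    failures = {}
    for _prio, _weight, _srv_port, target in records:
        closed = [port for proto, port in ports
                  if proto == "tcp" and not probe(target, port)]
        if closed:
            failures[target] = closed
    return failures


def main(domain):
    """Run dig for the realm's KDC SRV record and report servers to avoid."""
    name = "_kerberos._udp." + domain
    out = subprocess.run(["dig", "-t", "SRV", name],
                         capture_output=True, text=True).stdout
    records = parse_srv_answers(out)
    print("advertised KDCs:", [r[3] for r in records])
    for host, ports in unreachable_servers(records).items():
        print("%s advertised but unreachable on tcp ports %s" % (host, ports))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "ipa.example")
```
</pre>
<div>Run it on a client in the new VLAN with the realm's domain as the argument. A server reported as advertised but unreachable is the one the client must be kept from picking (through DNS, or by hardcoding --server as Rob describes) until the firewall allows it. UDP ports are not probed because a UDP connect proves nothing; a kinit against the replica covers 88/udp.</div>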
</div>
</div>
<br clear="none">
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br clear="none">
<br clear="none">
<pre class="yiv7611590899moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a rel="nofollow" shape="rect" class="yiv7611590899moz-txt-link-abbreviated" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
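<div>Added worked example (not code from certmonger, FreeIPA or anyone on the list), following "Ask certmonger to get a certificate". The check that matters on the re-enrolled VM is that every request in getcert list sits in MONITORING and is not stuck, that it was submitted through the CA helper you expect, and that the number of tracked requests is what you expect, since a request whose start-tracking command failed (as in the install log quoted in this thread) never appears in the list at all. The parser below reads getcert list output and reports anything else. Its first sample request is modelled on the ipaCert entry from the getcert list output Shree posted; the second, failing request is invented for illustration, and its status, paths and CA name are assumptions.</div>
<pre>
```python
"""Read `getcert list` output and flag tracking requests that are not healthy.

Added example for this thread; not code from certmonger or FreeIPA. After
"ask certmonger to get a certificate", the thing to verify is that every
request certmonger tracks sits in MONITORING and is not stuck, and that it
was submitted through the CA helper you expect. The first request below is
modelled on the output Shree posted (an 'ipaCert' in /etc/httpd/alias via
dogtag-ipa-retrieve-agent-submit); the second, failing request is invented
for illustration and its state, paths and CA name are assumptions.
"""
import re
import shutil
import subprocess

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140206184920':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-retrieve-agent-submit
\tissuer: CN=Certificate Authority,O=IPA.EXAMPLE
Request ID '20140206184921':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
COUNT_RE = re.compile(r"^Number of certificates and requests being tracked: (\d+)\.")


def tracked_count(output):
    """The count certmonger reports in its header line, or None if absent."""
    for line in output.splitlines():
        m = COUNT_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def storage_fields(value):
    """Split "type=NSSDB,location='/x',nickname='y',..." into a dict, unquoted."""
    fields = {}
    for item in value.split(","):
        key, _, val = item.partition("=")
        fields[key.strip()] = val.strip().strip("'")
    return fields


def parse_getcert(output):
    """Return one dict per tracked request: id, status, stuck, ca, nickname, location."""
    requests = []
    current = None
    for line in output.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1), "stuck": False}
            requests.append(current)
            continue
        if current is None:
            continue                      # header line, not part of a request
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "status":
            current["status"] = value
        elif key == "stuck":
            current["stuck"] = (value == "yes")
        elif key == "CA":
            current["ca"] = value
        elif key == "key pair storage":
            store = storage_fields(value)
            current["nickname"] = store.get("nickname", "")
            current["location"] = store.get("location", "")
    return requests


def unhealthy(requests, ok_states=("MONITORING",)):
    """Requests a practitioner should look at: stuck, or not in a steady state."""
    return [r for r in requests
            if r["stuck"] or r.get("status") not in ok_states]


def report(output):
    """Human-readable summary; returns the number of unhealthy requests."""
    parsed = parse_getcert(output)
    count = tracked_count(output)
    if count is not None and count != len(parsed):
        print("header says %d tracked, parsed %d" % (count, len(parsed)))
    bad = unhealthy(parsed)
    for r in bad:
        print("request %s (%s in %s): status=%s stuck=%s CA=%s" % (
            r["id"], r.get("nickname"), r.get("location"),
            r.get("status"), r["stuck"], r.get("ca")))
    return len(bad)


if __name__ == "__main__":
    # Use the real command when certmonger is installed, else the sample.
    if shutil.which("getcert"):
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True).stdout
    else:
        text = SAMPLE_GETCERT
    raise SystemExit(1 if report(text) else 0)
```
</pre>
<div>The exit status is nonzero whenever something is unhealthy, so it can sit in a post-install check. Compare the reported count against what you expect for the role of the machine: an enrolled client and a CA-capable replica track different sets of certificates, and a request that never started tracking is absent rather than flagged.</div>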
</div>
</div><br clear="none"><br clear="none"></div> </div> </div> </div></div> </div></div></div><br><div class="yqt6319296983" id="yqt85622">_______________________________________________<br clear="none">Freeipa-users mailing list<br clear="none"><a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br clear="none"><a shape="rect" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></div><br><br></div> </div> </div> </div> </div></body></html>