<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 02/12/2014 02:09 PM, Shree wrote:
    <blockquote
      cite="mid:1392232194.61475.YahooMailNeo@web160104.mail.bf1.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff;
        font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
        Lucida Grande, sans-serif;font-size:8pt">
        <div><span>Rob</span></div>
        <div style="color: rgb(0, 0, 0); font-size: 11px; font-family:
          HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
          Grande', sans-serif; background-color: transparent;
          font-style: normal;"><span>I really appreciate your help,
            please bear with me. At this point I need to take you back
            to my ipa-replica-install and what happened there.</span></div>
        <div style="color: rgb(0, 0, 0); font-size: 11px; font-family:
          HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
          Grande', sans-serif; background-color: transparent;
          font-style: normal;"><br>
        </div>
        <div style="color: rgb(0, 0, 0); font-size: 11px; font-family:
          HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
          Grande', sans-serif; background-color: transparent;
          font-style: normal;"><span>[1] My command: ipa-replica-install
            --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg
            --skip-conncheck</span></div>
        <div> This ended with a </div>
        <div>
          <div>Done configuring NTP daemon (ntpd).</div>
          <div>A CA is already configured on this system.</div>
          <div><br>
          </div>
          <div>[2] So I did a pkiremove with the following command</div>
          <div># pkiremove -pki_instance_root=/var/lib
            -pki_instance_name=pki-ca -force<br>
          </div>
          <div><br>
          </div>
          <div>[3] Re-ran the ipa-replica-install command in step 1</div>
          <div>The install went a little further but ended below.</div>
          <div><br>
          </div>
          <div>
            <div>Configuring directory server for the CA (pkids):
              Estimated time 30 seconds</div>
            <div>  [1/3]: creating directory server user</div>
            <div>  [2/3]: creating directory server instance</div>
            <div>  [3/3]: restarting directory server</div>
            <div>Done configuring directory server for the CA (pkids).</div>
            <div>ipa         : ERROR    certmonger failed starting to
              track certificate: Command '/usr/bin/ipa-getcert
              start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert
              -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
              /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned
              non-zero exit status 1</div>
            <div>Configuring certificate server (pki-cad): Estimated
              time 3 minutes 30 seconds</div>
            <div>  [1/17]: creating certificate server user</div>
            <div>  [2/17]: creating pki-ca instance</div>
            <div>  [3/17]: configuring certificate server instance</div>
            <div>ipa         : CRITICAL failed to configure ca instance
              Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA
              -cs_hostname .................</div>
            <div>...........................</div>
            <div>
              <div>Your system may be partly configured.</div>
              <div>Run /usr/sbin/ipa-server-install --uninstall to clean
                up.</div>
              <div><br>
              </div>
              <div>Configuration of CA failed</div>
              <div><br>
              </div>
              <div>If I skip the "--setup-ca" option then the replica
                gets created without any CA services. The "master" and
                "replica" are in sync but I am unable to run an
                ipa-client-install using the replica. Now I need to fix
                this to get a replica in place correctly.</div>
            </div>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
        </div>
        <div>Shreeraj
          <br>
----------------------------------------------------------------------------------------
          <br>
        </div>
        <div class="yahoo_quoted" style="display: block;"> <br>
          <br>
          <div style="font-family: HelveticaNeue, 'Helvetica Neue',
            Helvetica, Arial, 'Lucida Grande', sans-serif; font-size:
            8pt;">
            <div style="font-family: HelveticaNeue, 'Helvetica Neue',
              Helvetica, Arial, 'Lucida Grande', sans-serif; font-size:
              12pt;">
              <div dir="ltr"> <font face="Arial" size="2"> On
                  Wednesday, February 12, 2014 10:42 AM, Rob Crittenden
                  <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> wrote:<br>
                </font> </div>
              <div class="y_msg_container">Shree wrote:<br>
                > OK I thought CA is a part of IPA? Below is from my
                master IPA server<br>
                ><br>
                > [<a moz-do-not-send="true"
                  ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>
                ~]# ipactl status<br>
                > Directory Service: RUNNING<br>
                > KDC Service: RUNNING<br>
                > KPASSWD Service: RUNNING<br>
                > MEMCACHE Service: RUNNING<br>
                > HTTP Service: RUNNING<br>
                > CA Service: RUNNING<br>
                > [<a moz-do-not-send="true"
                  ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>
                ~]#<br>
                ><br>
                > I can certainly send you a log if needed.<br>
                <br>
                It is part of IPA but the IPA server talks to it, not
                the clients directly.<br>
                <br>
                I can only speculate what the client is doing without
                seeing the log <br>
                files, but I suspect both masters are in DNS and IPA is
                trying to enroll <br>
                to the initial master which isn't available.<br>
                <br>
                rob<br>
                <br>
                > Shreeraj<br>
                >
----------------------------------------------------------------------------------------<br>
                ><br>
                ><br>
                > Change is the only Constant !<br>
                ><br>
                ><br>
                > On Wednesday, February 12, 2014 10:32 AM, Rob
                Crittenden<br>
                > <<a moz-do-not-send="true"
                  ymailto="mailto:rcritten@redhat.com"
                  href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
                wrote:<br>
                > Shree wrote:<br>
                >  > Peter<br>
                >  > Actually I mentioned earlier that my clients
                are in a separate VLAN and<br>
                >  > cannot access the master. We have made
                provisions for the master and the<br>
                >  > replica to sync by opening the needed ports
                in the firewall. We have<br>
                >  > also opened up ports between the clients and
                the replica. I have tested<br>
                >  > the connectivity for these ports.<br>
                >  > Perhaps you can tell me if what I am trying
                to achieve is even possible?<br>
                >  > i.e<br>
                >  > I seem to get stuck with making the replica
                with the "--setup-ca"<br>
                >  > option. Without that option I am able to
                create a replica and have it in<br>
                >  > sync with the master. However my
                ipa-client-install fails from clients<br>
                >  > as they try looking for the master for CA
                part of the install.<br>
                ><br>
                > Clients don't talk to the CA, they talk to an IPA
                server which talks to<br>
                > the CA.<br>
                ><br>
                > I think we need to see
                /var/log/ipaclient-install.log to see what is<br>
                > going on.<br>
                ><br>
                > rob<br>
                ><br>
                >  > Shreeraj<br>
                >  > On Wednesday, February 12, 2014 12:45 AM,
                Petr Spacek<br>
                >  > <<a moz-do-not-send="true"
                  ymailto="mailto:pspacek@redhat.com"
                  href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:pspacek@redhat.com"
                  href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>>
                wrote:<br>
                >  > On 11.2.2014 23:53, Shree wrote:<br>
                >  ><br>
                >  >  > Following ports are opened between the<br>
                >  >  > 1) Between the master and the replica (bi-directional)<br>
                >  >  > 2) client machine and the ipa replica (unidirectional).<br>
                >  >  > When the replica was up it worked fine as far as syncing was<br>
                >  >  > concerned.<br>
                >  >  ><br>
                >  >  >  80 tcp<br>
                >  >  >  443 tcp<br>
                >  >  >  389 tcp<br>
                >  >  >  636 tcp<br>
                >  >  >  88 tcp<br>
                >  >  >  464 tcp<br>
                >  >  >  88 udp<br>
                >  >  >  464 udp<br>
                >  >  >  123 udp<br>
                >  >  ><br>
                >  >  > Shreeraj<br>
                >  >  > On Tuesday, February 11, 2014 2:22 PM,
                Dmitri Pal <<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
                > <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br>
                >  > <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>
                wrote:<br>
                >  >  ><br>
                >  >  > On 02/11/2014 05:05 PM, Shree wrote:<br>
                >  >  > Dimitri<br>
                >  >  >> Sorry, some of the mail landed in my SPAM folder. Let me answer your<br>
                >  >  >> questions (thanks for your help man)<br>
                >  >  > Please republish it on the list.<br>
                >  >  > Do not reply to me directly.<br>
                >  >  ><br>
                >  >  > Did you set your first server with the
                CA? Are all ports that need<br>
                >  >  >      to be open in the firewall between
                primary or server actually<br>
                >  >  >      open?<br>
                >  >  ><br>
                >  >  ><br>
                >  >  ><br>
                >  >  >><br>
                >  >  >> What I have done so far is uninstalled the replica and tried to<br>
                >  >  >> install it again using the "--setup-ca" option. Previously I had<br>
                >  >  >> failures and when I removed the "--setup-ca" option the installation<br>
                >  >  >> succeeded (in a way). I understand now that I really need to fix the CA<br>
                >  >  >> installation errors first.<br>
                >  >  >><br>
                >  >  >><br>
                >  >  >> 1) The workaround helped me go forward a bit but I got stuck at this<br>
                >  >  >> point see below<br>
                >  >  >> ===========<br>
                >  >  >>    [1/3]: creating directory server user<br>
                >  >  >>    [2/3]: creating directory server instance<br>
                >  >  >>    [3/3]: restarting directory server<br>
                >  >  >> Done configuring directory server for the CA (pkids).<br>
                >  >  >> ipa        : ERROR    certmonger failed starting to track<br>
                >  >  >> certificate: Command '/usr/bin/ipa-getcert start-tracking -d<br>
                >  >  >> /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p<br>
                >  >  >> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C<br>
                >  >  >> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit<br>
                >  >  >> status 1<br>
                >  >  >> Configuring certificate server (pki-cad): Estimated time 3 minutes<br>
                >  >  >> 30 seconds<br>
                >  >  >>    [1/17]: creating certificate server user<br>
                >  >  >>    [2/17]: creating pki-ca instance<br>
                >  >  >>    [3/17]: configuring certificate server instance<br>
                >  >  >> ipa        : CRITICAL failed to configure ca instance Command<br>
                >  >  >> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname<br>
                >  >  >> ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT<br>
                >  >  >> -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -<br>
                >  >  >> ===========<br>
                >  >  >> 2) No we do not use IPA for a DNS
                server.<br>
                >  >  >><br>
                >  >  >><br>
                >  >  >> 3) The reason for this could be that I had installed the replica<br>
                >  >  >> without the "--setup-ca".<br>
                >  >  >><br>
                >  >  >> Shreeraj<br>
                >  >  >> On Monday, February 10, 2014 12:43
                PM, Dmitri Pal<br>
                > <<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br>
                >  > <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:dpal@redhat.com"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>
                wrote:<br>
                >  >  >><br>
                >  >  >> On 02/09/2014 07:44 AM, Rob
                Crittenden wrote:<br>
                >  >  >>> Shree wrote:<br>
                >  >  >>>> Lukas<br>
                >  >  >>>> Perhaps I should explain the design a bit and see if FreeIPA even<br>
                >  >  >>>> supports this. Our replica is in a separate network and all the<br>
                >  >  >>>> appropriate ports are opened between the master and the replica. The<br>
                >  >  >>>> "replica" got created successfully and is in sync with the master<br>
                >  >  >>>> (except the CA services which I mentioned earlier)<br>
                >  >  >>>> Now, when I try to run ipa-client-install on hosts in the new network<br>
                >  >  >>>> using the replica, it complains about "Cannot contact any KDC for<br>
                >  >  >>>> realm".<br>
                >  >  >>>> I am wondering if my hosts in the new network are trying to access the<br>
                >  >  >>>> "master" for certificates since the replica does not have any CA<br>
                >  >  >>>> services running? I couldn't find any obvious proof of this even running<br>
                >  >  >>>> the install in a debug mode. Do I need to open ports between the new<br>
                >  >  >>>> hosts and the master for CA services?<br>
                >  >  >>>> At this point I cannot disable or move the master, it needs to function<br>
                >  >  >>>> in its location but I need<br>
                >  >  >>><br>
                >  >  >>> No, the clients don't directly
                talk to the CA.<br>
                >  >  >>><br>
                >  >  >>> You'd need to look in<br>
                >  >  >>> /var/log/ipaclient-install.log to see what KDC<br>
                >  >  >>> was found and we were trying to use. If you have SRV records for both<br>
                >  >  >>> but we try to contact the hidden master this will happen. You can try<br>
                >  >  >>> specifying the server on the command-line with --server but this will<br>
                >  >  >>> be hardcoding things and make it less flexible later.<br>
                >  >  >>><br>
                >  >  >>> rob<br>
                >  >  >>><br>
                >  >  >>>> Shreeraj<br>
                >  >  >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik<br>
                >  >  >>>> <<a
                  moz-do-not-send="true"
                  ymailto="mailto:lslebodn@redhat.com"
                  href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:lslebodn@redhat.com"
                  href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>><br>
                > <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:lslebodn@redhat.com"
                  href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:lslebodn@redhat.com"
                  href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>>>
                wrote:<br>
                >  >  >>>> On (06/02/14 18:33), Shree
                wrote:<br>
                >  >  >>>><br>
                >  >  >>>>> First of all, the ipa-replica-install did not allow me to use<br>
                >  >  >>>>> the --setup-ca option complaining that a cert already exists,<br>
                >  >  >>>>> replica creation was successful after I skipped the option.<br>
                >  >  >>>>> Seems like the replica is one except<br>
                >  >  >>>>> 1) There is no CA Service running on the replica (which I guess is<br>
                >  >  >>>>> expected)<br>
                >  >  >>>>> and<br>
                >  >  >>>>> 2) I am unable to run ipa-client-install successfully on any clients<br>
                >  >  >>>>> using the replica. (I don't have the option of using the primary<br>
                >  >  >>>>> master as it is configured in a segregated environment. Only the<br>
                >  >  >>>>> master and replica are allowed to sync.<br>
                >  >  >>>>> Debug shows it fails at<br>
                >  >  >>>>><br>
                >  >  >>>>> ipa        : DEBUG    stderr=kinit: Cannot contact any KDC for realm<br>
                >  >  >>>>> 'mydomainname.com' while getting initial credentials<br>
                >  >  >>>><br>
                >  >  >>>>><br>
                >  >  >>>>><br>
                >  >  >>>><br>
                >  >  >>>> I was not able to install replica with CA on fedora 20,<br>
                >  >  >>>> Bug is already reported <a
                  moz-do-not-send="true"
                  href="https://fedorahosted.org/pki/ticket/816"
                  target="_blank">https://fedorahosted.org/pki/ticket/816</a><br>
                >  >  >>>><br>
                >  >  >>>> Guys from dogtag found a
                workaround<br>
                >  >  >>>> <a moz-do-not-send="true"
href="https://fedorahosted.org/pki/ticket/816#comment:12"
                  target="_blank">https://fedorahosted.org/pki/ticket/816#comment:12</a><br>
                >  >  >>>><br>
                >  >  >>>> Does it work for you?<br>
                >  >  >>>><br>
                >  >  >>>> LS<br>
                >  >  >>>><br>
                >  >  >>>><br>
                >  >  >>>><br>
                >  >  >>>><br>
                >  >  >>>><br>
                >  >  >>>>
                _______________________________________________<br>
                >  >  >>>> Freeipa-users mailing list<br>
                >  >  >>>> <a moz-do-not-send="true"
                  ymailto="mailto:Freeipa-users@redhat.com"
                  href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:Freeipa-users@redhat.com"
                  href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><br>
                > <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:Freeipa-users@redhat.com"
                  href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
                <mailto:<a moz-do-not-send="true"
                  ymailto="mailto:Freeipa-users@redhat.com"
                  href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br>
                >  >  >>>> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
                  target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
                >  >  >>>><br>
                >  >  >>><br>
                >  >  >><br>
                >  >  >> What server provides DNS capabilities to the clients?<br>
                >  >  >> Do you use IPA DNS or some other DNS?<br>
                >  >  >> Clients seem to not be able to see replica KDC and try to access hidden<br>
                >  >  >> master but they can know about this master only via DNS.<br>
                >  ><br>
                >  ><br>
                >  > Shree, make sure that command<br>
                >  > $ dig -t SRV _kerberos._udp.ipa.example<br>
                >  > on the client returns both IPA servers (in
                ANSWER section).<br>
                >  ><br>
                >  > --<br>
                >  > Petr^2 Spacek<br>
                >  ><br>
                >  ><br>
                >  ><br>
                >  ><br>
                >  ><br>
                >  ><br>
                ><br>
                ><br>
                ><br>
                <br>
                <br>
                <br>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    I suggest that you temporarily try to install a client in place of
    the replica and see why it does not install.<br>
    The log above suggests that certmonger, which is part of the replica,
    fails to connect to the first master. We need to understand the
    reason why it fails. Then we would be able to make your replica be a
    CA. <br>
    I suspect that CA-related communication between replica and master
    is not going through for some reason.<br>
    The install log would be really helpful.<br>
    Please see <br>
    <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting">http://www.freeipa.org/page/Troubleshooting</a> to collect the right
    logs.<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
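<br>
Diagnostic added by the editor, not from any poster in this thread: run on a client, it lists the IPA servers that the Kerberos and LDAP SRV records advertise (the dig -t SRV check Petr asks for) and probes the TCP ports from Shree's firewall list on each of them, so a server that DNS hands out but the client's VLAN cannot reach (Rob's hidden-master hypothesis) shows up as a row of closed ports. It assumes dig and nc are installed, takes the IPA domain as its first argument, and the hostnames in the embedded sample dig output are constructed.<br>

```sh
#!/bin/sh
# Editor-added diagnostic (not from the thread). From a client, list the IPA
# servers that the Kerberos/LDAP SRV records advertise and probe the TCP ports
# from Shree's firewall list on each one. A server that DNS hands out but the
# client's VLAN cannot reach is the "hidden master" situation Rob describes.
# Assumes dig and nc are installed.

# TCP ports from the thread's firewall list. UDP 88/464/123 are not probed here;
# a closed UDP port cannot be told apart from a silently dropped packet.
IPA_TCP_PORTS="80 443 389 636 88 464"

# Constructed sample of `dig +noall +answer -t SRV _kerberos._udp.ipa.example`
# (hostnames invented) so the parser can be exercised without any DNS access.
SAMPLE_DIG='_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ldap.ipa.example.
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ldap2.ipa.example.'

# Parse dig output on stdin into "target port" lines. Answer records look like:
#   name TTL IN SRV priority weight port target.
# Comment lines (";;") and the QUESTION section never carry SRV in field 4.
srv_targets() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8, $7 }'
}

# Distinct advertised hostnames, sorted bytewise so the order is stable.
srv_hosts() {
    srv_targets | awk '{ print $1 }' | LC_ALL=C sort -u
}

# TCP reachability probe with a 3 second timeout; prints "open" or "closed".
tcp_probe() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo open; else echo closed; fi
}

# For a domain, query the SRV records ipa-client-install relies on and print
# one line per advertised server with the state of each listed TCP port.
# Petr's check comes first: both IPA servers should appear in the output at all.
check_domain() {
    domain=$1
    for svc in _kerberos._udp _kerberos._tcp _ldap._tcp; do
        dig +noall +answer -t SRV "$svc.$domain"
    done | srv_hosts | while read -r host; do
        printf '%s:' "$host"
        for p in $IPA_TCP_PORTS; do
            printf ' %s=%s' "$p" "$(tcp_probe "$host" "$p")"
        done
        printf '\n'
    done
}

# Offline demo of the parser on the constructed sample.
demo_parse() {
    printf '%s\n' "$SAMPLE_DIG" | srv_hosts
}

if [ "$#" -gt 0 ]; then
    check_domain "$1"
else
    demo_parse
fi
```

A server listed with every port closed while the other server answers is the situation to fix in DNS or the firewall before retrying ipa-client-install against the replica.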
  </body>
</html>