<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div><span>Rob</span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there.</span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>[1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck</span></div><div></div><div> This ended with a </div><div><div>Done configuring NTP daemon (ntpd).</div><div>A CA is already configured on this system.</div><div><br></div><div>[2] So did a pkiremove with the following command</div><div># pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force<br></div><div><br></div><div>[3] Re ran the ipa-replica-install command in step 1</div><div>The install went a little further but ended below.</div><div><br></div><div><div>Configuring directory server for the CA (pkids): Estimated time 30 seconds</div><div> [1/3]: creating directory server user</div><div> [2/3]: creating directory server instance</div><div> [3/3]: restarting directory server</div><div>Done configuring directory server for the CA (pkids).</div><div>ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1</div><div>Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds</div><div> [1/17]: creating certificate server user</div><div> [2/17]: creating pki-ca instance</div><div> [3/17]: configuring certificate server instance</div><div>ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .................</div><div>...........................</div><div><div>Your system may be partly configured.</div><div>Run /usr/sbin/ipa-server-install --uninstall to clean up.</div><div><br></div><div>Configuration of CA failed</div><div><br></div><div>If I skip the "--setup-ca" option then the replica gets created without any CA services. The "master" and "replica" are in sync but I am unable to run a ipa-client-install using the replica. Now I need to fix this to get a replica in place correctly.</div></div></div><div><br></div><div><br></div></div><div>Shreeraj <br>---------------------------------------------------------------------------------------- <br></div><div class="yahoo_quoted" style="display: block;"> <br> <br> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcritten@redhat.com> wrote:<br> </font> </div> <div class="y_msg_container">Shree wrote:<br>> OK I thought CA is a part of IPA ? Below is from my master IPA server<br>><br>> [<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> ~]# ipactl status<br>> Directory Service: RUNNING<br>> KDC Service: RUNNING<br>> KPASSWD Service: RUNNING<br>> MEMCACHE Service: RUNNING<br>> HTTP Service: RUNNING<br>> CA Service: RUNNING<br>> [<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> ~]#<br>><br>> I can certainly send you a log if needed.<br><br>It is part of IPA but the IPA server talks to it, not the clients directly.<br><br>I can only speculate what the client is doing without seeing the log <br>files, but I suspect both masters are in DNS and IPA is trying to enroll <br>to the initial master which isn't available.<br><br>rob<br><br>> Shreeraj<br>> ----------------------------------------------------------------------------------------<br>><br>><br>> Change is the only Constant !<br>><br>><br>> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden<br>> <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br>> Shree wrote:<br>> > Peter<br>> > Actually I mentioned earlier that my clients are in a separate VLAN and<br>> > cannot access the master. We have made provisions for the master and the<br>> > replica to sync by opening the needed ports in the firewall. We have<br>> > also opened up ports between the clients and the replica. I have tested<br>> > the connectivity for these ports.<br>> > Perhaps you can tell me if what I am trying to achieve is even possible?<br>> > i.e<br>> > I seem to get stuck with making the replica with the "--setup-ca"<br>> > option. Wthout that option I am able to create a replica and have it in<br>> > sync with the master. However my ipa-client-install fails from clients<br>> > as they try looking for the master for CA part of the install.<br>><br>> Clients don't talk to the CA, they talk to an IPA server which talks to<br>> the CA.<br>><br>> I think we need to see /var/log/ipaclient-install.log to see what is<br>> going on.<br>><br>> rob<br>><br>> > Shreeraj<br>> ><br>> ----------------------------------------------------------------------------------------<br>> ><br>> ><br>> > Change is the only Constant !<br>> ><br>> ><br>> > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek<br>> > <<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>> wrote:<br>> > On 11.2.2014 23:53, Shree wrote:<br>> ><br>> > > Following ports are opened between the<br>> > > 1) Between the master and the replica (bi directional)<br>> > > 2) client machine and the ipa replica (unidirectional).<br>> > > When the replica was up it worked fine as far as syncing was<br>> concerned.<br>> > ><br>> > > 80 tcp<br>> > > 443 tcp<br>> > > 389 tcp<br>> > > 636 tcp<br>> > > 88 tcp<br>> > > 464 tcp<br>> > > 88 udp<br>> > > 464 udp<br>> > > 123 udp<br>> > ><br>> > > Shreeraj<br>> > ><br>> ><br>> ----------------------------------------------------------------------------------------<br>> > ><br>> > > Change is the only Constant !<br>> > ><br>> > ><br>> > ><br>> > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>> wrote:<br>> > ><br>> > > On 02/11/2014 05:05 PM, Shree wrote:<br>> > > Dimitri<br>> > >> Sorry some the mail landed in my SPAM folder. Let answer your<br>> > questions (thanks for your help man)<br>> > > Please republish it on the list.<br>> > > Do not reply to me directly.<br>> > ><br>> > > Did you set your first server with the CA? Does all ports that need<br>> > > to be open in the firewall between primary or server are actually<br>> > > open?<br>> > ><br>> > ><br>> > ><br>> > >><br>> > >> What I have done so far is uninstalled the replica and tried to<br>> > install it again using the "--setup-ca" option. Previously I had<br>> > failures and when I removed the "--setup-ca" option the installation<br>> > succeeded (in a way). I understand now that I really need to fix the CA<br>> > installation errors first.<br>> > >><br>> > >><br>> > >> 1)The workaround helped me go forward a bit but I got stuck at this<br>> > point see below<br>> > >> ===========<br>> > >> [1/3]: creating directory server user<br>> > >> [2/3]: creating directory server instance<br>> > >> [3/3]: restarting directory server<br>> > >> Done configuring directory server for the CA (pkids).<br>> > >> ipa : ERROR certmonger failed starting to track<br>> > certificate: Command '/usr/bin/ipa-getcert start-tracking -d<br>> > /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p<br>> > /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C<br>> > /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit<br>> > status 1<br>> > >> Configuring certificate server (pki-cad): Estimated time 3 minutes<br>> > 30 seconds<br>> > >> [1/17]: creating certificate server user<br>> > >> [2/17]: creating pki-ca instance<br>> > >> [3/17]: configuring certificate server instance<br>> > >> ipa : CRITICAL failed to configure ca instance Command<br>> > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname<br>> > ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT<br>> > -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -<br>> > >> ===========<br>> > >> 2) No we do not use IPA for a DNS server.<br>> > >><br>> > >><br>> > >> 3)The reason for this could be that I had installed the replica<br>> > without the "--setup-ca".<br>> > >><br>> > >> Shreeraj<br>> > >><br>> ><br>> ----------------------------------------------------------------------------------------<br>> > >><br>> > >><br>> > >><br>> > >> Change is the only Constant !<br>> > >><br>> > >><br>> > >><br>> > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal<br>> <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>> wrote:<br>> > >><br>> > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:<br>> > >>> Shree wrote:<br>> > >>>> Lukas<br>> > >>>> Perhaps I should explain the design a bit and<br>> > > see if FreeIPA even<br>> > >>>> supports this.Our replica is in a separate<br>> > > network and all the<br>> > >>>> appropriate ports are opened between the master<br>> > > and the replica. The<br>> > >>>> "replica" got created successfully and is in<br>> > > sync with the master<br>> > >>>> (except the CA services which I mentioned<br>> > > earlier)<br>> > >>>> Now,when I try to run ipa-client-install on<br>> > > hosts in the new network<br>> > >>>> using the replica, it complains that about<br>> > > "Cannot contact any KDC for<br>> > >>>> realm".<br>> > >>>> I am wondering it my hosts in the new network<br>> > > are trying to access the<br>> > >>>> "master" for certificates since the replica<br>> > > does not have any CA<br>> > >>>> services running? I couldn't find any obvious<br>> > > proof of this even running<br>> > >>>> the install in a debug mode. Do I need to open<br>> > > ports between the new<br>> > >>>> hosts and the master for CA services?<br>> > >>>> At this point I cannot disable or move the<br>> > > master, it needs to function<br>> > >>>> in its location but I need<br>> > >>><br>> > >>> No, the clients don't directly talk to the CA.<br>> > >>><br>> > >>> You'd need to look in<br>> > > /var/log/ipaclient-install.log to see what KDC<br>> > >>> was found and we were trying to use. If you have<br>> > > SRV records for both<br>> > >>> but we try to contact the hidden master this will<br>> > > happen. You can try<br>> > >>> specifying the server on the command-line with<br>> > > --server but this will<br>> > >>> be hardcoding things and make it less flexible<br>> > > later.<br>> > >>><br>> > >>> rob<br>> > >>><br>> > >>>> Shreeraj<br>> > >>>><br>> > ><br>> ><br>> ----------------------------------------------------------------------------------------<br>> > >>>><br>> > >>>><br>> > >>>><br>> > >>>> Change is the only Constant !<br>> > >>>><br>> > >>>><br>> > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas<br>> > > Slebodnik<br>> > >>>> <<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>><br>> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>>> wrote:<br>> > >>>> On (06/02/14 18:33), Shree wrote:<br>> > >>>><br>> > >>>>> First of all, the ipa-replica-install did<br>> > > not allow me to use<br>> > >>>> the --setup-ca<br>> > >>>>> option complaining that a cert already<br>> > > exists, replicate creation was<br>> > >>>>> successful after I skipped the option.<br>> > >>>>> Seems like the replica is one except<br>> > >>>>> 1) There is no CA Service running on the<br>> > > replica (which I guess is<br>> > >>>> expected)<br>> > >>>>> and<br>> > >>>>> 2) I am unable to run ipa-client-install<br>> > > successfully on any clients<br>> > >>>> using<br>> > >>>>> the replica. (I don't have the option of<br>> > > using the primary master as<br>> > >>>> it is<br>> > >>>>> configured in a segregated environment.<br>> > > Only the master and replica<br>> > >>>> are<br>> > >>>>> allowed to sync.<br>> > >>>>> Debug shows it fails at<br>> > >>>>><br>> > >>>>> ipa : DEBUG stderr=kinit: Cannot<br>> > > contact any KDC for realm<br>> > >>>> 'mydomainname.com' while getting initial<br>> > > credentials<br>> > >>>><br>> > >>>>><br>> > >>>>><br>> > >>>><br>> > >>>> I was not able to install replica witch CA on<br>> > > fedora 20,<br>> > >>>> Bug is already reported <a href="https://fedorahosted.org/pki/ticket/816" target="_blank">https://fedorahosted.org/pki/ticket/816</a><br>> > >>>><br>> > >>>> Guys from dogtag found a workaround<br>> > >>>> <a href="https://fedorahosted.org/pki/ticket/816#comment:12" target="_blank">https://fedorahosted.org/pki/ticket/816#comment:12</a><br>> > >>>><br>> > >>>> Does it work for you?<br>> > >>>><br>> > >>>> LS<br>> > >>>><br>> > >>>><br>> > >>>><br>> > >>>><br>> > >>>><br>> > >>>> _______________________________________________<br>> > >>>> Freeipa-users mailing list<br>> > >>>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><br>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br>> > >>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>> > >>>><br>> > >>><br>> > >>> _______________________________________________<br>> > >>> Freeipa-users mailing list<br>> > >>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><br>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br>><br>> > >>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>> > >><br>> > >> What server provides DNS capabilities to the clients?<br>> > >> Do you use IPA DNS or some other DNS?<br>> > >> Clients seem to not be able to see replica KDC and try<br>> > > to access hidden<br>> > >> master but they can know about this master only via DNS.<br>> ><br>> ><br>> > Shree, make sure that command<br>> > $ dig -t SRV _kerberos._udp.ipa.example<br>> > on the client returns both IPA servers (in ANSWER section).<br>> ><br>> > --<br>> > Petr^2 Spacek<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > _______________________________________________<br>> > Freeipa-users mailing list<br>> > <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><br>> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>> ><br>><br>><br>><br><br><br><br></div> </div> </div> </div> </div></body></html>