<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">1) 7839 TCP is open between the master and replica, do I need 7389 udp also? What about clients and replica? I have the following ports opened and tested between master and replica. --> 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP), 7389 (TCP) and 88 (UDP) 464 (UDP) Do I need any more ports opened, I have to work with another team to get this done, so it will help having all the information. 2)I see you skip the connection check, what was failing? :-- Yes my replica install fails unless I user --skip connection check. I have tested the connection with the ports mentioned during the install. 3) In the ipareplica-install log this is reported: Failed to setup the replication for cloning. :--- Yes but what is the solution? 4) And in the debug log: :- Also what is the solution for the Java.io error? <div> </div><div> </div><div>Shreeraj ---------------------------------------------------------------------------------------- Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> On Friday, February 14, 2014 10:21 AM, Rob Crittenden <rcritten@redhat.com> wrote: </div> <div class="y_msg_container">Shree wrote: > The logs are attached here. I had a day off yesterday. Is port 7389 open? I see you skip the connection check, what was failing? In the ipareplica-install log this is reported: Failed to setup the replication for cloning. And in the debug log: [12/Feb/2014:15:15:38][http-9445-2]: DatabasePanel setupReplication: java.io.IOException: consumer initialization failed. -1 - LDAP error: Can't contact LDAP server rob > Shreeraj > ---------------------------------------------------------------------------------------- > > > Change is the only Constant ! > > > On Thursday, February 13, 2014 6:41 AM, Rob Crittenden > <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: > Shree wrote: > > Ok, failed at the same stage, would you like the entire > > /var/log/ipareplica-install.log. If yes, should I attach to the email? > > > > > > > > pa : INFO File > > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", > > line 614, in run_script > > return_value = main_function() > > > > File "/usr/sbin/ipa-replica-install", line 467, in main > > (CA, cs) = cainstance.install_replica_ca(config) > > > > File > > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > > 1604, in install_replica_ca > > subject_base=config.subject_base) > > > > File > > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > > 617, in configure_instance > > self.start_creation(runtime=210) > > > > File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", > > line 358, in start_creation > > method() > > > > File > > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > > 879, in __configure_instance > > raise RuntimeError('Configuration of CA failed') > > > > ipa : INFO The ipa-replica-install command failed, > > exception: RuntimeError: Configuration of CA failed > > > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > > Configuration of CA failed > > [<a ymailto="mailto:root@ldap2" href="mailto:root@ldap2">root@ldap2</a> <mailto:<a ymailto="mailto:root@ldap2" href="mailto:root@ldap2">root@ldap2</a>> ~]# > > > > We need to see the full /var/log/ipareplica-install.log and the debug > log from /var/log/pki-ca. > > rob > > > Shreeraj > > > ---------------------------------------------------------------------------------------- > > > > > > Change is the only Constant ! > > > > > > On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote: > > On 02/12/2014 04:57 PM, Shree wrote: > >> If there aren't any other tests to perform, can I go ahead and > >> uninstall the ipa client and configure this Vm as a replica? > > > > Thanks for trying. At least we know that certmonger can run by itself. > > When you install replica please collect all the install logs. > > Is SELinux on/off? > > > >> Shreeraj > >> > ---------------------------------------------------------------------------------------- > >> > >> > >> Change is the only Constant ! > >> > >> > >> On Wednesday, February 12, 2014 1:40 PM, Shree > >> <<a ymailto="mailto:shreerajkarulkar@yahoo.com" href="mailto:shreerajkarulkar@yahoo.com">shreerajkarulkar@yahoo.com</a> <mailto:<a ymailto="mailto:shreerajkarulkar@yahoo.com" href="mailto:shreerajkarulkar@yahoo.com">shreerajkarulkar@yahoo.com</a>>> > <mailto:<a ymailto="mailto:shreerajkarulkar@yahoo.com" href="mailto:shreerajkarulkar@yahoo.com">shreerajkarulkar@yahoo.com</a> <mailto:<a ymailto="mailto:shreerajkarulkar@yahoo.com" href="mailto:shreerajkarulkar@yahoo.com">shreerajkarulkar@yahoo.com</a>>> > wrote: > >> "getcert list" returned a bunch of info, see below > >> > >> <a ymailto="mailto:root@ldap2" href="mailto:root@ldap2">root@ldap2</a> <mailto:<a ymailto="mailto:root@ldap2" href="mailto:root@ldap2">root@ldap2</a>> ~]# getcert list > >> Number of certificates and requests being tracked: 2. > >> Request ID '20140206184920': > >> status: MONITORING > >> stuck: no > >> key pair storage: > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >> certificate: > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >> Certificate DB' > >> CA: dogtag-ipa-retrieve-agent-submit > >> issuer: CN=Certificate Authority,...................... > >> ............................. > >> > >> Shreeraj > >> > ---------------------------------------------------------------------------------------- > >> > >> > >> Change is the only Constant ! > >> > >> > >> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal > <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> > >> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote: > >> On 02/12/2014 03:41 PM, Shree wrote: > >>> So I uninstalled the ipa server and installed the client > >>> (ipa-client-install) on the same VM pointing at the master and > >>> everything seems to work OK. All the sudo rules etc. Are there any > >>> tests I can do check connectivity that could be helpful before I > >>> configure this as a "replica" again. > >> Ask certmonger to get a certificate > >> > >>> > >>> Shreeraj > >>> > ---------------------------------------------------------------------------------------- > >>> > >>> > >>> Change is the only Constant ! > >>> > >>> > >>> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal > >>> <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote: > >>> On 02/12/2014 02:09 PM, Shree wrote: > >>>> Rob > >>>> I really appreciate your help, please bear with me. At this point I > >>>> need to take you back to my ipa-replica-install and what happened > >>>> there. > >>>> > >>>> [1] My command: ipa-replica-install --setup-ca > >>>> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck > >>>> This ended with a > >>>> Done configuring NTP daemon (ntpd). > >>>> A CA is already configured on this system. > >>>> > >>>> [2] So did a pkiremove with the following command > >>>> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca > -force > >>>> > >>>> [3] Re ran the ipa-replica-install command in step 1 > >>>> The install went a little further but ended below. > >>>> > >>>> Configuring directory server for the CA (pkids): Estimated time 30 > >>>> seconds > >>>> [1/3]: creating directory server user > >>>> [2/3]: creating directory server instance > >>>> [3/3]: restarting directory server > >>>> Done configuring directory server for the CA (pkids). > >>>> ipa : ERROR certmonger failed starting to track certificate: > >>>> Command '/usr/bin/ipa-getcert start-tracking -d > >>>> /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p > >>>> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C > >>>> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero > >>>> exit status 1 > >>>> Configuring certificate server (pki-cad): Estimated time 3 minutes > >>>> 30 seconds > >>>> [1/17]: creating certificate server user > >>>> [2/17]: creating pki-ca instance > >>>> [3/17]: configuring certificate server instance > >>>> ipa : CRITICAL failed to configure ca instance Command > >>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > >>>> ................. > >>>> ........................... > >>>> Your system may be partly configured. > >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. > >>>> > >>>> Configuration of CA failed > >>>> > >>>> If I skip the "--setup-ca" option then the replica gets created > >>>> without any CA services. The "master" and "replica" are in sync but > >>>> I am unable to run a ipa-client-install using the replica. Now I > >>>> need to fix this to get a replica in place correctly. > >>>> > >>>> > >>>> Shreeraj > >>>> > ---------------------------------------------------------------------------------------- > >>>> > >>>> > >>>> > >>>> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden > >>>> <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> > <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote: > >>>> Shree wrote: > >>>> > OK I thought CA is a part of IPA ? Below is from my master IPA > server > >>>> > > >>>> > [<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>> <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> > <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>>> ~]# ipactl status > >>>> > Directory Service: RUNNING > >>>> > KDC Service: RUNNING > >>>> > KPASSWD Service: RUNNING > >>>> > MEMCACHE Service: RUNNING > >>>> > HTTP Service: RUNNING > >>>> > CA Service: RUNNING > >>>> > [<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>> <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> > <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>>> ~]# > >>>> > > >>>> > I can certainly send you a log if needed. > >>>> > >>>> It is part of IPA but the IPA server talks to it, not the clients > >>>> directly. > >>>> > >>>> I can only speculate what the client is doing without seeing the log > >>>> files, but I suspect both masters are in DNS and IPA is trying to > >>>> enroll > >>>> to the initial master which isn't available. > >>>> > >>>> rob > >>>> > >>>> > Shreeraj > >>>> > > >>>> > ---------------------------------------------------------------------------------------- > >>>> > > >>>> > > >>>> > Change is the only Constant ! > >>>> > > >>>> > > >>>> > On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden > >>>> > <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> > <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>> wrote: > >>>> > Shree wrote: > >>>> > > Peter > >>>> > > Actually I mentioned earlier that my clients are in a separate > >>>> VLAN and > >>>> > > cannot access the master. We have made provisions for the > >>>> master and the > >>>> > > replica to sync by opening the needed ports in the firewall. We > >>>> have > >>>> > > also opened up ports between the clients and the replica. I > >>>> have tested > >>>> > > the connectivity for these ports. > >>>> > > Perhaps you can tell me if what I am trying to achieve is even > >>>> possible? > >>>> > > i.e > >>>> > > I seem to get stuck with making the replica with the "--setup-ca" > >>>> > > option. Wthout that option I am able to create a replica and > >>>> have it in > >>>> > > sync with the master. However my ipa-client-install fails from > >>>> clients > >>>> > > as they try looking for the master for CA part of the install. > >>>> > > >>>> > Clients don't talk to the CA, they talk to an IPA server which > >>>> talks to > >>>> > the CA. > >>>> > > >>>> > I think we need to see /var/log/ipaclient-install.log to see what is > >>>> > going on. > >>>> > > >>>> > rob > >>>> > > >>>> > > Shreeraj > >>>> > > > >>>> > > >>>> > ---------------------------------------------------------------------------------------- > >>>> > > > >>>> > > > >>>> > > Change is the only Constant ! > >>>> > > > >>>> > > > >>>> > > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek > >>>> > > <<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> > <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> > <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>>>> wrote: > >>>> > > On 11.2.2014 23:53, Shree wrote: > >>>> > > > >>>> > > > Following ports are opened between the > >>>> > > > 1) Between the master and the replica (bi directional) > >>>> > > > 2) client machine and the ipa replica (unidirectional). > >>>> > > > When the replica was up it worked fine as far as syncing was > >>>> > concerned. > >>>> > > > > >>>> > > > 80 tcp > >>>> > > > 443 tcp > >>>> > > > 389 tcp > >>>> > > > 636 tcp > >>>> > > > 88 tcp > >>>> > > > 464 tcp > >>>> > > > 88 udp > >>>> > > > 464 udp > >>>> > > > 123 udp > >>>> > > > > >>>> > > > Shreeraj > >>>> > > > > >>>> > > > >>>> > > >>>> > ---------------------------------------------------------------------------------------- > >>>> > > > > >>>> > > > Change is the only Constant ! > >>>> > > > > >>>> > > > > >>>> > > > > >>>> > > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal > >>>> <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> > >>>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>> > >>>> > > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>>> wrote: > >>>> > > > > >>>> > > > On 02/11/2014 05:05 PM, Shree wrote: > >>>> > > > Dimitri > >>>> > > >> Sorry some the mail landed in my SPAM folder. Let answer your > >>>> > > questions (thanks for your help man) > >>>> > > > Please republish it on the list. > >>>> > > > Do not reply to me directly. > >>>> > > > > >>>> > > > Did you set your first server with the CA? Does all ports > >>>> that need > >>>> > > > to be open in the firewall between primary or server are > >>>> actually > >>>> > > > open? > >>>> > > > > >>>> > > > > >>>> > > > > >>>> > > >> > >>>> > > >> What I have done so far is uninstalled the replica and > tried to > >>>> > > install it again using the "--setup-ca" option. Previously I had > >>>> > > failures and when I removed the "--setup-ca" option the > >>>> installation > >>>> > > succeeded (in a way). I understand now that I really need to > >>>> fix the CA > >>>> > > installation errors first. > >>>> > > >> > >>>> > > >> > >>>> > > >> 1)The workaround helped me go forward a bit but I got stuck > >>>> at this > >>>> > > point see below > >>>> > > >> =========== > >>>> > > >> [1/3]: creating directory server user > >>>> > > >> [2/3]: creating directory server instance > >>>> > > >> [3/3]: restarting directory server > >>>> > > >> Done configuring directory server for the CA (pkids). > >>>> > > >> ipa : ERROR certmonger failed starting to track > >>>> > > certificate: Command '/usr/bin/ipa-getcert start-tracking -d > >>>> > > /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p > >>>> > > /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C > >>>> > > /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned > >>>> non-zero exit > >>>> > > status 1 > >>>> > > >> Configuring certificate server (pki-cad): Estimated time 3 > >>>> minutes > >>>> > > 30 seconds > >>>> > > >> [1/17]: creating certificate server user > >>>> > > >> [2/17]: creating pki-ca instance > >>>> > > >> [3/17]: configuring certificate server instance > >>>> > > >> ipa : CRITICAL failed to configure ca instance Command > >>>> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > >>>> > > ldap2.macosforge.org -cs_port 9445 -client_certdb_dir > >>>> /tmp/tmp-ipJSsT > >>>> > > -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG - > >>>> > > >> =========== > >>>> > > >> 2) No we do not use IPA for a DNS server. > >>>> > > >> > >>>> > > >> > >>>> > > >> 3)The reason for this could be that I had installed the > replica > >>>> > > without the "--setup-ca". > >>>> > > >> > >>>> > > >> Shreeraj > >>>> > > >> > >>>> > > > >>>> > > >>>> > ---------------------------------------------------------------------------------------- > >>>> > > >> > >>>> > > >> > >>>> > > >> > >>>> > > >> Change is the only Constant ! > >>>> > > >> > >>>> > > >> > >>>> > > >> > >>>> > > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal > >>>> > <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > >>>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>> > >>>> > > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>>> wrote: > >>>> > > >> > >>>> > > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote: > >>>> > > >>> Shree wrote: > >>>> > > >>>> Lukas > >>>> > > >>>> Perhaps I should explain the design a bit and > >>>> > > > see if FreeIPA even > >>>> > > >>>> supports this.Our replica is in a separate > >>>> > > > network and all the > >>>> > > >>>> appropriate ports are opened between the master > >>>> > > > and the replica. The > >>>> > > >>>> "replica" got created successfully and is in > >>>> > > > sync with the master > >>>> > > >>>> (except the CA services which I mentioned > >>>> > > > earlier) > >>>> > > >>>> Now,when I try to run ipa-client-install on > >>>> > > > hosts in the new network > >>>> > > >>>> using the replica, it complains that about > >>>> > > > "Cannot contact any KDC for > >>>> > > >>>> realm". > >>>> > > >>>> I am wondering it my hosts in the new network > >>>> > > > are trying to access the > >>>> > > >>>> "master" for certificates since the replica > >>>> > > > does not have any CA > >>>> > > >>>> services running? I couldn't find any obvious > >>>> > > > proof of this even running > >>>> > > >>>> the install in a debug mode. Do I need to open > >>>> > > > ports between the new > >>>> > > >>>> hosts and the master for CA services? > >>>> > > >>>> At this point I cannot disable or move the > >>>> > > > master, it needs to function > >>>> > > >>>> in its location but I need > >>>> > > >>> > >>>> > > >>> No, the clients don't directly talk to the CA. > >>>> > > >>> > >>>> > > >>> You'd need to look in > >>>> > > > /var/log/ipaclient-install.log to see what KDC > >>>> > > >>> was found and we were trying to use. If you have > >>>> > > > SRV records for both > >>>> > > >>> but we try to contact the hidden master this will > >>>> > > > happen. You can try > >>>> > > >>> specifying the server on the command-line with > >>>> > > > --server but this will > >>>> > > >>> be hardcoding things and make it less flexible > >>>> > > > later. > >>>> > > >>> > >>>> > > >>> rob > >>>> > > >>> > >>>> > > >>>> Shreeraj > >>>> > > >>>> > >>>> > > > > >>>> > > > >>>> > > >>>> > ---------------------------------------------------------------------------------------- > >>>> > > >>>> > >>>> > > >>>> > >>>> > > >>>> > >>>> > > >>>> Change is the only Constant ! > >>>> > > >>>> > >>>> > > >>>> > >>>> > > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas > >>>> > > > Slebodnik > >>>> > > >>>> <<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> > <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> > <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>>> > >>>> > <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> > <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> > <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>>>>> wrote: > >>>> > > >>>> On (06/02/14 18:33), Shree wrote: > >>>> > > >>>> > >>>> > > >>>>> First of all, the ipa-replica-install did > >>>> > > > not allow me to use > >>>> > > >>>> the --setup-ca > >>>> > > >>>>> option complaining that a cert already > >>>> > > > exists, replicate creation was > >>>> > > >>>>> successful after I skipped the option. > >>>> > > >>>>> Seems like the replica is one except > >>>> > > >>>>> 1) There is no CA Service running on the > >>>> > > > replica (which I guess is > >>>> > > >>>> expected) > >>>> > > >>>>> and > >>>> > > >>>>> 2) I am unable to run ipa-client-install > >>>> > > > successfully on any clients > >>>> > > >>>> using > >>>> > > >>>>> the replica. (I don't have the option of > >>>> > > > using the primary master as > >>>> > > >>>> it is > >>>> > > >>>>> configured in a segregated environment. > >>>> > > > Only the master and replica > >>>> > > >>>> are > >>>> > > >>>>> allowed to sync. > >>>> > > >>>>> Debug shows it fails at > >>>> > > >>>>> > >>>> > > >>>>> ipa : DEBUG stderr=kinit: Cannot > >>>> > > > contact any KDC for realm > >>>> > > >>>> 'mydomainname.com' while getting initial > >>>> > > > credentials > >>>> > > >>>> > >>>> > > >>>>> > >>>> > > >>>>> > >>>> > > >>>> > >>>> > > >>>> I was not able to install replica witch CA on > >>>> > > > fedora 20, > >>>> > > >>>> Bug is already reported > >>>> <a href="https://fedorahosted.org/pki/ticket/816" target="_blank">https://fedorahosted.org/pki/ticket/816</a> > >>>> > > >>>> > >>>> > > >>>> Guys from dogtag found a workaround > >>>> > > >>>> <a href="https://fedorahosted.org/pki/ticket/816#comment:12" target="_blank">https://fedorahosted.org/pki/ticket/816#comment:12</a> > >>>> > > >>>> > >>>> > > >>>> Does it work for you? > >>>> > > >>>> > >>>> > > >>>> LS > >>>> > > >>>> > >>>> > > >>>> > >>>> > > >>>> > >>>> > > >>>> > >>>> > > >>>> > >>>> > > >>>> _______________________________________________ > >>>> > > >>>> Freeipa-users mailing list > >>>> > > >>>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>>> > >>>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>>>> > >>>> > > >>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>>> > > >>>> > >>>> > > >>> > >>>> > > >>> _______________________________________________ > >>>> > > >>> Freeipa-users mailing list > >>>> > > >>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>>> > >>>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>>>> > >>>> > > >>>> > > >>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>>> > > >> > >>>> > > >> What server provides DNS capabilities to the clients? > >>>> > > >> Do you use IPA DNS or some other DNS? > >>>> > > >> Clients seem to not be able to see replica KDC and try > >>>> > > > to access hidden > >>>> > > >> master but they can know about this master only via DNS. > >>>> > > > >>>> > > > >>>> > > Shree, make sure that command > >>>> > > $ dig -t SRV _kerberos._udp.ipa.example > >>>> > > on the client returns both IPA servers (in ANSWER section). > >>>> > > > >>>> > > -- > >>>> > > Petr^2 Spacek > >>>> > > > >>>> > > > >>>> > > > >>>> > > > >>>> > > > >>>> > > _______________________________________________ > >>>> > > Freeipa-users mailing list > >>>> > > <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>>> > >>>> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>>> > > > >>>> > > >>>> > > >>>> > > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> Freeipa-users mailing list > >>>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>> I suggest that you temporarily try to install a client in place of > >>> the replica and see why it does not install. > >>> The log above suggests that certmonger that is a part of the replica > >>> fails to connect to the first master. We need to understand the > >>> reason why it fails. Then we would be able to make your replica be > a CA. > >>> I suspect that CA related communication between replica and master is > >>> not going through for some reasons. > >>> The install log would be really helpful. > >>> Please see > >>> <a href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a> > <<a href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a>>to collect the right logs. > >>> > >>> -- > >>> Thank you, > >>> Dmitri Pal > >>> > >>> Sr. Engineering Manager for IdM portfolio > >>> Red Hat Inc. > >>> > >>> > >>> ------------------------------- > >>> Looking to carve out IT costs? > >>> www.redhat.com/carveoutcosts/ <<a href="http://www.redhat.com/carveoutcosts/" target="_blank">http://www.redhat.com/carveoutcosts/</a>> > >>> > >>> > >>> > >>> _______________________________________________ > >>> Freeipa-users mailing list > >>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>> > >>> > >> > >> > >> -- > >> Thank you, > >> Dmitri Pal > >> > >> Sr. Engineering Manager for IdM portfolio > >> Red Hat Inc. > >> > >> > >> ------------------------------- > >> Looking to carve out IT costs? > >> www.redhat.com/carveoutcosts/ <<a href="http://www.redhat.com/carveoutcosts/" target="_blank">http://www.redhat.com/carveoutcosts/</a>> > >> > >> > >> > >> > >> > >> _______________________________________________ > >> Freeipa-users mailing list > >> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> > >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >> > >> > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager for IdM portfolio > > Red Hat Inc. > > > > > > ------------------------------- > > Looking to carve out IT costs? > > www.redhat.com/carveoutcosts/ <<a href="http://www.redhat.com/carveoutcosts/" target="_blank">http://www.redhat.com/carveoutcosts/</a>> > > > > > > > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > > > </div> </div> </div> </div> </div></body></html>