<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hmm ya. So before I rebuilt anything I thought maybe it was my DNS records, but it looks like that’s not it.</div><div class=""><br class=""></div><div class="">More background: I used to have sso-109 and sso-110, both CAs. I rebuilt sso-110 without a CA.</div><div class=""><br class=""></div><div class="">My DNS is external, BIND on another host.</div><div class=""><br class=""></div><div class="">Take the following host/key issue (at the end of the message) as an example. On this host, in sssd.conf, the ipa_server and krb5_server values are both _srv_, so that means they’ll discover from DNS, right?</div><div class=""><br class=""></div><div class="">But in my krb5.conf I have:</div><div class=""><br class=""></div><div class=""><div class="">[realms]</div><div class="">  PLACEIQ.NET = {</div><div class="">    kdc = sso-110.nym1.placeiq.net:88</div><div class="">    master_kdc = sso-110.nym1.placeiq.net:88</div><div class="">    admin_server = sso-110.nym1.placeiq.net:749</div><div class="">    default_domain = placeiq.net</div><div class="">    pkinit_anchors = FILE:/etc/ipa/ca.crt</div><div class="">  }</div></div><div class=""><br class=""></div><div class="">Is there any other IPA-related config file that might reference a host name?</div><div class=""><br class=""></div><div class="">I’ll include my DNS records at the end here; do they look correct for a two-server setup, one with a CA (sso-109) and the other with no CA (sso-110)?</div><div class=""><br class=""></div><div class="">I have never been sure about the “kerberos-master” entries: what makes an IPA host a “kerberos master”, and is this related to the CA in any way?</div><div class=""><br class=""></div><div class=""><div class="">; ldap servers</div><div class="">_ldap._tcp      IN SRV 0 100 389    sso-109.nym1.placeiq.net.</div><div class="">_ldap._tcp      IN SRV 0 100 389    sso-110.nym1.placeiq.net.</div><div class=""><br class=""></div><div class="">; kerberos realm</div><div class="">_kerberos               IN TXT PLACEIQ.NET</div><div class=""><br class=""></div><div class="">; kerberos servers</div><div class="">_kerberos._tcp          IN SRV 0 100 88         sso-109.nym1.placeiq.net.</div><div class="">_kerberos._tcp          IN SRV 0 100 88         sso-110.nym1.placeiq.net.</div><div class=""><br class=""></div><div class="">_kerberos._udp          IN SRV 0 100 88         sso-109.nym1.placeiq.net.</div><div class="">_kerberos._udp          IN SRV 0 100 88         sso-110.nym1.placeiq.net.</div><div class=""><br class=""></div><div class="">_kerberos-master._tcp   IN SRV 0 100 88         sso-109.nym1.placeiq.net.</div><div class="">_kerberos-master._udp   IN SRV 0 100 88         sso-109.nym1.placeiq.net.</div><div class="">_kerberos-adm._tcp      IN SRV 0 100 749        sso-109.nym1.placeiq.net.</div><div class="">_kerberos-adm._udp      IN SRV 0 100 749        sso-109.nym1.placeiq.net.</div><div class=""><br class=""></div><div class="">_kpasswd._tcp           IN SRV 0 100 464        sso-109.nym1.placeiq.net.</div><div class="">_kpasswd._tcp           IN SRV 0 100 464        sso-110.nym1.placeiq.net.</div><div class=""><br class=""></div><div class="">_kpasswd._udp           IN SRV 0 100 464        sso-109.nym1.placeiq.net.</div><div class="">_kpasswd._udp           IN SRV 0 100 464        sso-110.nym1.placeiq.net.</div><div class=""><br class=""></div><div class="">; CNAME for IPA CA replicas (used for CRL, OCSP)</div><div class="">ipa-ca                  IN A                    10.1.41.109</div></div><div class=""><br class=""></div><div class=""><div class="">Number of certificates and requests being tracked: 1.</div><div class="">Request ID '20141110221330':</div><div class="">        status: MONITORING</div><div class="">        ca-error: Server at https://sso-110.nym1.placeiq.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command).</div><div class="">        stuck: no</div><div class="">        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - phoenix-142.nym1.placeiq.net',token='NSS Certificate DB'</div><div class="">        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - phoenix-142.nym1.placeiq.net',token='NSS Certificate DB'</div><div class="">        CA: IPA</div><div class="">        issuer: CN=Certificate Authority,O=PLACEIQ.NET</div><div class="">        subject: CN=phoenix-142.nym1.placeiq.net,O=PLACEIQ.NET</div><div class="">        expires: 2016-11-10 22:13:31 UTC</div><div class="">        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div class="">        eku: id-kp-serverAuth,id-kp-clientAuth</div><div class="">        pre-save command:</div><div class="">        post-save command:</div><div class="">        track: yes</div><div class="">        auto-renew: yes</div></div><div class=""><br class=""></div><div class="">We are moving to the latest version on RHEL so we’ll have paid support, but before then, gaining this understanding is massively valuable :)</div><div class=""><br class=""></div><br class=""><div class="">
<div class=""><div class="">Jim Richard</div><div class="">SYSTEM ADMINISTRATOR III</div><div class="">(646) 338-8905</div></div><br class="">
</div>
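<div class="">Added example (editor's code, not from the message or the FreeIPA project): a small Python checker that parses the SRV records and the static <code>[realms]</code> entries quoted above and reports where a host pinned by krb5.conf differs from what a client using <code>_srv_</code> discovery would get. Its zone and krb5.conf fragments are constructed from the message and trimmed to the TCP records; the key-to-SRV mapping follows the MIT krb5 convention (kdc/_kerberos, master_kdc/_kerberos-master, admin_server/_kerberos-adm, kpasswd_server/_kpasswd).</div>

```python
import re
from collections import defaultdict
# Constructed inputs, modelled on the zone and krb5.conf fragments quoted in the message.
ZONE = """
_kerberos._tcp         IN SRV 0 100 88   sso-109.nym1.placeiq.net.
_kerberos._tcp         IN SRV 0 100 88   sso-110.nym1.placeiq.net.
_kerberos-master._tcp  IN SRV 0 100 88   sso-109.nym1.placeiq.net.
_kerberos-adm._tcp     IN SRV 0 100 749  sso-109.nym1.placeiq.net.
_kpasswd._tcp          IN SRV 0 100 464  sso-109.nym1.placeiq.net.
_kpasswd._tcp          IN SRV 0 100 464  sso-110.nym1.placeiq.net.
"""
KRB5_CONF = """
[realms]
  PLACEIQ.NET = {
    kdc = sso-110.nym1.placeiq.net:88
    master_kdc = sso-110.nym1.placeiq.net:88
    admin_server = sso-110.nym1.placeiq.net:749
  }
"""
SRV_RE = re.compile(r"^(_[\w-]+\._(?:tcp|udp))\s+IN\s+SRV\s+\d+\s+\d+\s+\d+\s+(\S+?)\.?$")
KEY_RE = re.compile(r"^\s*(kdc|master_kdc|admin_server|kpasswd_server)\s*=\s*([^\s:]+)", re.M)
# The SRV name each static krb5.conf key replaces when DNS discovery is not used.
KEY_TO_SRV = {"kdc": "_kerberos._tcp", "master_kdc": "_kerberos-master._tcp",
              "admin_server": "_kerberos-adm._tcp", "kpasswd_server": "_kpasswd._tcp"}

def parse_srv(zone):
    """Map each SRV owner name (e.g. _kerberos._tcp) to the set of target hosts."""
    srv = defaultdict(set)
    for line in zone.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            srv[m.group(1)].add(m.group(2).lower())
    return srv

def parse_krb5(conf):
    """Map each static krb5.conf server key to the hosts hardcoded for it."""
    static = defaultdict(set)
    for key, host in KEY_RE.findall(conf):
        static[key].add(host.lower())
    return static

def audit(zone, conf):
    """List hosts the static config names that DNS lacks, and DNS servers it never uses."""
    srv, static = parse_srv(zone), parse_krb5(conf)
    findings = []
    for key, name in KEY_TO_SRV.items():
        if not static[key]: continue  # key absent: libkrb5 falls back to the SRV lookup
        for h in sorted(static[key] - srv[name]):
            findings.append(f"{key}: {h} is hardcoded but has no {name} record")
        for h in sorted(srv[name] - static[key]):
            findings.append(f"{key}: DNS also offers {h} via {name}; static config never uses it")
    return findings
```

<div class="">In MIT krb5, master_kdc (DNS: _kerberos-master) is only consulted to retry an authentication that failed with an invalid password against another KDC, in case the password was just changed and has not replicated yet; it is a KDC-database notion, not a CA one.</div>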
<br class=""><div><blockquote type="cite" class=""><div class="">On Dec 1, 2016, at 10:56 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" class="">rcritten@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Jim Richard wrote:<br class=""><blockquote type="cite" class="">I think I know what the issue is.<br class=""><br class="">I had 2 IPA servers, both with CAs.<br class=""><br class="">I dropped one and rebuilt without the CA, but a bunch of clients are<br class="">still pointing at this one server that now is without a CA.<br class=""><br class="">Will rebuild that one with a CA and am almost sure that will fix it.<br class=""></blockquote><br class="">I'm rather skeptical of that. Not having a CA should not result in an<br class="">ACI error. It should internally forward any cert requests to an IPA<br class="">server that does have a CA and relay the result back to the requester.<br class=""><br class="">rob<br class=""><br class=""><blockquote type="cite" class=""><br class=""><blockquote type="cite" class="">On Nov 28, 2016, at 2:39 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" class="">rcritten@redhat.com</a>> wrote:<br class=""><br class="">Jim Richard wrote:<br class=""><blockquote type="cite" class="">Honestly I’m not even sure if something is not working correctly :)<br class=""><br class="">All I know is that my httpd, access and krb5 logs are filling up all my<br class="">disk space extremely quickly and I have no idea why.<br class=""><br class="">CentOS 6.8 + IPA 3.0<br class=""><br class="">One master and one replica.<br class=""><br class="">Are these things related?<br class=""><br class="">How do I fix it, and where do I even start?<br class=""><br class="">Thanks!<br class=""><br class="">On the replica the httpd log is constantly getting spammed with:<br class=""><br class="">[Thu Nov 24 05:55:18 2016] [error] ipa: INFO: host/phoenix-153.nym1.placeiq.net@PLACEIQ.NET:<br class="">cert_request(u'actual cert removed..., add=True): ACIError<br class=""><br class="">and on the master the access log is filling up quickly with:<br class=""><br class="">10.1.41.110 - - [24/Nov/2016:06:09:54 +0000] "POST<br class="">/ca/agent/ca/displayBySerial HTTP/1.1" 200 10106<br class=""></blockquote><br class="">Looks like certmonger is trying to renew the per-client SSL certificate.<br class="">You can confirm by pulling out the CSR and poking at it with openssl req.<br class=""><br class="">On the client you can try running: ipa-getcert list<br class=""><br class="">This may show more details on why the request was rejected.<br class=""><br class="">rob<br class=""></blockquote><br class=""></blockquote><br class=""></div></div></blockquote></div><br class=""></body></html>