[Freeipa-users] Replica and CA mess
Sigbjorn Lie
sigbjorn at nixtra.com
Sun Nov 27 17:53:02 UTC 2011
I had an oddly performing IPA replica server: it had no knowledge of any
other services besides dirsrv, DNS and CA, there were lots of GSSAPI errors in the
dirsrv logs, etc., so I decided to re-configure the IPA replica.
# ipactl status
Directory Service: RUNNING
DNS Service: RUNNING
CA Service: RUNNING
I removed the IPA instance on the host as per the document below.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Uninstalling_IPA_Servers.html
I prepared a new replica package for the host using ipa-replica-prepare
on ipa01. And started ipa-replica-install on ipa03. This gave unexpected
results.
# ipa-replica-install --setup-dns --forwarder=192.168.1.1 --forwarder=192.168.1.2 /var/lib/ipa/replica-info-ipa03.ix.test.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipa01.ix.test.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: port 80 (80): OK
HTTP Server: port 443(https) (443): OK
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IX.TEST.COM password:
Execute check on remote master
Check connection from master to remote replica 'ipa03.ix.test.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: port 80 (80): OK
HTTP Server: port 443(https) (443): OK
Connection from master to replica is OK.
Connection check OK
The host ipa03.ix.test.com already exists on the master server.
Depending on your configuration, you may perform the following:
Remove the replication agreement, if any:
% ipa-replica-manage del ipa03.ix.test.com
Remove the host entry:
% ipa host-del ipa03.ix.test.com
So I went back to ipa01 to remove the replica:
# ipa-replica-manage del ipa03.ix.test.com
Unable to delete replica ipa03.ix.test.com: {'desc': "Can't contact LDAP server"}
Hm, ok, I tried to force removal.
# ipa-replica-manage del -f ipa03.ix.test.com
Unable to connect to replica ipa03.ix.test.com, forcing removal
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact LDAP server"}
Forcing removal on 'ipa01.ix.test.com'
Failed to get data from 'ipa02.ix.test.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact LDAP server"}
Not a complete success? However, I was now able to install my replica.
But I now no longer have a CA instance on the replica:
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING
Perhaps an opportunity for improvements here? My suggestions:
* First off, add to the documentation to remove the replica on another
IPA server before uninstalling the IPA replica?
* Why not automatically delete the replication agreement when
uninstalling the replica?
* Where did the CA instance go? I see nothing in the documentation about
this, but I found an ipa-ca-install command. ipa-ca-install yielded the
error below. The same error occurs if I attempt to --setup-ca while doing
the ipa-replica-install:
Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/11]: creating certificate server user
[2/11]: creating pki-ca instance
[3/11]: configuring certificate server instance
root : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
'ipa03.ix.test.com' '-cs_port' '9445' '-client_certdb_dir'
'/tmp/tmp-GyGkkW' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
'BZiIPv9BeXIPIKs7hJrv' '-domain_name' 'IPA' '-admin_user' 'admin'
'-admin_email' 'root at localhost' '-admin_password' XXXXXXXX '-agent_name'
'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa'
'-agent_cert_subject' 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host'
'ipa03.ix.test.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory
Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name'
'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
'-subsystem_name' 'pki-cad' '-token_name' 'internal'
'-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=IX.TEST.COM'
'-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=IX.TEST.COM'
'-ca_server_cert_subject_name' 'CN=ipa03.ix.test.com,O=IX.TEST.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Running ipa-ca-install on an IPv6-enabled host is even worse off:
root : DEBUG stderr=gpg: WARNING: unsafe permissions on
homedir `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C
/tmp/tmpQ_4Prsipa
root : DEBUG stdout=
root : DEBUG stderr=
creation of replica failed: The network address 2001:db8:abab:2::21 does not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
root : DEBUG The network address 2001:db8:abab:2::21 does not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
  File "/usr/sbin/ipa-ca-install", line 156, in <module>
    main()
  File "/usr/sbin/ipa-ca-install", line 121, in main
    host = get_host_name(options.no_host_dns)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 540, in get_host_name
    verify_fqdn(hostname, no_host_dns)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 201, in verify_fqdn
    verify_dns_records(host_name, rs, resaddr, 'ipv6')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 113, in verify_dns_records
    raise RuntimeError("The network address %s does not match the DNS lookup %s. Check /etc/hosts and ensure that %s is the IP address for %s" % (dns_addr.format(), resaddr, dns_addr.format(), host_name))
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Both A and AAAA records are configured for both hosts, as well as IPv4
and IPv6 reverse addresses. All addresses, forward and reverse, are
resolvable from both IPA hosts.
As a side note: the ipa-replica-install script works successfully on the
IPv6-enabled hosts, and I use IPv6 from Linux and Solaris clients for
LDAPS and Kerberos without any issues.
Regards,
Siggi
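The traceback above shows an IPv6 (AAAA) address being compared against an IPv4 resolver result. The following is an added example, not FreeIPA's own installutils code: it models that failure pattern as an assumption and places a per-address-family forward/reverse check beside it, using constructed DNS data for the hosts named in the post so it runs offline.

```python
"""Forward/reverse DNS consistency check for an IPA host, per address family.

Added example, not FreeIPA code. naive_check() is an assumed model of the
failing pattern in the traceback (one resolved address reused across families);
family_aware_check() is the check an admin would want before ipa-ca-install.
"""
import ipaddress

# Constructed records modelled on ipa02.ix.test.com from the post.
FORWARD = {
    "ipa02.ix.test.com": ["192.168.1.21", "2001:db8:abab:2::21"],
}
REVERSE = {
    "192.168.1.21": "ipa02.ix.test.com",
    "2001:db8:abab:2::21": "ipa02.ix.test.com",
}


def lookup_family(host, version, forward=FORWARD):
    """Return the host's forward records of one IP version (4 or 6)."""
    return [a for a in forward.get(host, [])
            if ipaddress.ip_address(a).version == version]


def naive_check(host, forward=FORWARD):
    """Assumed buggy pattern: resolve once, then compare every record against
    that first address. With both an A and an AAAA record the second family is
    always reported as a mismatch, which matches the message in the post."""
    addrs = forward.get(host, [])
    resaddr = addrs[0]  # first answer, here the IPv4 one
    return [f"The network address {a} does not match the DNS lookup {resaddr}."
            for a in addrs if a != resaddr]


def family_aware_check(host, forward=FORWARD, reverse=REVERSE):
    """Per-family check: every A and every AAAA record must have a PTR that
    points back at the host; IPv4 and IPv6 answers are never compared."""
    errors = []
    for version in (4, 6):
        for a in lookup_family(host, version, forward):
            ptr = reverse.get(a)
            if ptr is None:
                errors.append(f"no reverse record for {a}")
            elif ptr.rstrip(".").lower() != host.lower():
                errors.append(f"reverse record for {a} is {ptr}, expected {host}")
    return errors


if __name__ == "__main__":
    print(naive_check("ipa02.ix.test.com"))         # one spurious mismatch
    print(family_aware_check("ipa02.ix.test.com"))  # [] : both families consistent
```

Against real DNS, replace the two dictionaries with the results of forward and PTR lookups; the per-family logic stays the same.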