[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Wed Feb 12 23:12:27 UTC 2014


It is enforcing. Should I try to disable it? 


 
Shreeraj 
---------------------------------------------------------------------------------------- 

Change is the only Constant !
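Added here as a worked check for the certmonger state that comes up further down this thread (the `getcert list` output and the "certmonger failed starting to track certificate" error from ipa-replica-install); this is example code written for this page, not FreeIPA or certmonger code. The sample `getcert list` text is constructed (its NSS database path and the `THREAD_DATE` used as "now" are placeholders); the installer error line is the one quoted in the thread.

```python
"""Check certmonger tracking state after a failed ipa-replica-install.

Added example, not FreeIPA or certmonger code: parses `getcert list` output
and the installer's "certmonger failed starting to track certificate" line,
reports unhealthy requests, and checks whether the certificate the installer
tried to track is actually tracked.
"""
import re
import shlex
from datetime import datetime, timezone

# Constructed sample of `getcert list`; field names follow the output quoted in the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140206184920':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tCA: dogtag-ipa-retrieve-agent-submit
\texpires: 2016-01-27 18:49:21 UTC
Request ID '20140206184921':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tCA: IPA
\texpires: 2014-02-20 18:49:21 UTC
"""

# The installer error line as quoted in the thread.
INSTALL_ERROR = (
    "ipa         : ERROR    certmonger failed starting to track certificate: "
    "Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA "
    "-n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt "
    "-C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1")

THREAD_DATE = datetime(2014, 2, 12, tzinfo=timezone.utc)  # placeholder "now" for the expiry check


def parse_getcert_list(text):
    """Return {request_id: {field: value}}. Indented 'key: value' lines belong to the
    most recent 'Request ID' block, so the leading summary line is ignored."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_storage(spec):
    """Split a "type=NSSDB,location='...',nickname='...'" spec into a dict (values may be quoted)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r"(\w+)=(?:'([^']*)'|([^,]*))", spec)}


def find_problems(requests, now=THREAD_DATE, warn_days=30):
    """Flag requests that are not quietly MONITORING, are stuck, or expire within warn_days."""
    problems = []
    for rid, fields in requests.items():
        if fields.get("status") != "MONITORING":
            problems.append(f"{rid}: status {fields.get('status')}")
        if fields.get("stuck") == "yes":
            problems.append(f"{rid}: stuck")
        if "expires" in fields:
            exp = datetime.strptime(fields["expires"], "%Y-%m-%d %H:%M:%S %Z")
            if (exp.replace(tzinfo=timezone.utc) - now).days < warn_days:
                problems.append(f"{rid}: expires {exp:%Y-%m-%d}")
    return problems


def tracked_cert_from_error(line):
    """Return (nss_db, nickname) named by the installer's failed
    'ipa-getcert start-tracking' command, or None for any other line."""
    m = re.search(r"Command '([^']*)' returned non-zero", line)
    if not m or "start-tracking" not in m.group(1):
        return None
    argv = shlex.split(m.group(1))
    opts = {argv[i]: argv[i + 1] for i in range(len(argv) - 1) if argv[i] in ("-d", "-n")}
    return opts.get("-d"), opts.get("-n")


def is_tracked(requests, nss_db, nickname):
    """True if some request's key pair storage points at this NSS db and nickname."""
    for fields in requests.values():
        storage = parse_storage(fields.get("key pair storage", ""))
        if storage.get("location") == nss_db and storage.get("nickname") == nickname:
            return True
    return False


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT)
    for problem in find_problems(reqs):
        print("problem:", problem)
    wanted = tracked_cert_from_error(INSTALL_ERROR)
    if wanted:
        print("installer wanted", wanted, "tracked:", is_tracked(reqs, *wanted))
```

On a real replica, feed it the output of `getcert list` and the relevant line from /var/log/ipareplica-install.log instead of the constructed samples.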



On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
 
On 02/12/2014 04:57 PM, Shree wrote: 
If there aren't any other tests to perform, can I go ahead and uninstall the ipa client and configure this Vm as a replica?
Thanks for trying. At least we know that certmonger can run by itself.
When you install replica please collect all the install logs.
Is SELinux on/off?


 
>Shreeraj 
>---------------------------------------------------------------------------------------- 
>
>Change is the only Constant !
>
>
>
>On Wednesday, February 12, 2014 1:40 PM, Shree <shreerajkarulkar at yahoo.com> wrote:
> 
>"getcert list" returned a bunch of info, see below
>
>
>[root at ldap2 ~]# getcert list
>Number of certificates and requests being tracked: 2.
>Request ID '20140206184920':
>status: MONITORING
>stuck: no
>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>CA: dogtag-ipa-retrieve-agent-submit
>issuer: CN=Certificate Authority,......................
>.............................
>
>
> 
>Shreeraj 
>---------------------------------------------------------------------------------------- 
>
>Change is the only Constant !
>
>
>
>On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
> 
>On 02/12/2014 03:41 PM, Shree wrote: 
>So I uninstalled the ipa server and installed the client (ipa-client-install) on the same VM pointing at the master and everything seems to work OK. All the sudo rules etc. Are there any tests I can do to check connectivity that could be helpful before I configure this as a "replica" again.
Ask certmonger to get a certificate
>
>
>
>>
>> 
>>Shreeraj 
>>---------------------------------------------------------------------------------------- 
>>
>>Change is the only Constant !
>>
>>
>>
>>On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> 
>>On 02/12/2014 02:09 PM, Shree wrote: 
>>Rob
>>>I really appreciate your help, please bear with me. At this point I need to take you back to my  ipa-replica-install and what happened there.
>>>
>>>
>>>[1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
>>> This ended with a 
>>>Done configuring NTP daemon (ntpd).
>>>A CA is already configured on this system.
>>>
>>>
>>>[2] So did a pkiremove with the following command
>>># pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>>
>>>
>>>
>>>[3] Re ran the ipa-replica-install command in step 1
>>>The install went a little further but ended below.
>>>
>>>
>>>Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>>  [1/3]: creating directory server user
>>>  [2/3]: creating directory server instance
>>>  [3/3]: restarting directory server
>>>Done configuring directory server for the CA (pkids).
>>>ipa         : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>>Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>  [1/17]: creating certificate server user
>>>  [2/17]: creating pki-ca instance
>>>  [3/17]: configuring certificate server instance
>>>ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .................
>>>...........................
>>>Your system may be partly configured.
>>>Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>>
>>>Configuration of CA failed
>>>
>>>
>>>If I skip the "--setup-ca" option then the replica gets created without any CA services. The "master" and "replica" are in sync but I am unable to run an ipa-client-install using the replica. Now I need to fix this to get a replica in place correctly.
>>>
>>>
>>>
>>>
>>>Shreeraj 
>>>---------------------------------------------------------------------------------------- 
>>>
>>>
>>>
>>>
>>>On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> 
>>>Shree wrote:
>>>> OK I thought CA is a part of IPA ? Below is from my master IPA server
>>>>
>>>> [root at ldap ~]# ipactl status
>>>> Directory Service: RUNNING
>>>> KDC Service: RUNNING
>>>> KPASSWD Service: RUNNING
>>>> MEMCACHE Service: RUNNING
>>>> HTTP Service: RUNNING
>>>> CA Service: RUNNING
>>>> [root at ldap ~]#
>>>>
>>>> I can certainly send you a log if needed.
>>>
>>>It is part of IPA but the IPA server talks to it, not the clients directly.
>>>
>>>I can only speculate what the client is doing without seeing the log files, but I suspect both masters are in DNS and IPA is trying to enroll to the initial master which isn't available.
>>>
>>>rob
>>>
>>>> Shreeraj
>>>> ----------------------------------------------------------------------------------------
>>>>
>>>> Change is the only Constant !
>>>>
>>>> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> Shree wrote:
>>>>  > Peter
>>>>  > Actually I mentioned earlier that my clients are in a separate VLAN and cannot access the master. We have made provisions for the master and the replica to sync by opening the needed ports in the firewall. We have also opened up ports between the clients and the replica. I have tested the connectivity for these ports.
>>>>  > Perhaps you can tell me if what I am trying to achieve is even possible?
>>>>  > i.e
>>>>  > I seem to get stuck with making the replica with the "--setup-ca" option. Without that option I am able to create a replica and have it in sync with the master. However my ipa-client-install fails from clients as they try looking for the master for CA part of the install.
>>>>
>>>> Clients don't talk to the CA, they talk to an IPA server which talks to the CA.
>>>>
>>>> I think we need to see /var/log/ipaclient-install.log to see what is going on.
>>>>
>>>> rob
>>>>
>>>>  > Shreeraj
>>>>  > ----------------------------------------------------------------------------------------
>>>>  >
>>>>  > Change is the only Constant !
>>>>  >
>>>>  > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>>  > On 11.2.2014 23:53, Shree wrote:
>>>>  > > Following ports are opened between the
>>>>  > > 1) Between the master and the replica (bi directional)
>>>>  > > 2) client machine and the ipa replica (unidirectional).
>>>>  > > When the replica was up it worked fine as far as syncing was concerned.
>>>>  > >
>>>>  > >  80 tcp
>>>>  > >  443 tcp
>>>>  > >  389 tcp
>>>>  > >  636 tcp
>>>>  > >  88 tcp
>>>>  > >  464 tcp
>>>>  > >  88 udp
>>>>  > >  464 udp
>>>>  > >  123 udp
>>>>  > >
>>>>  > > Shreeraj
>>>>  > > ----------------------------------------------------------------------------------------
>>>>  > >
>>>>  > > Change is the only Constant !
>>>>  > >
>>>>  > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>  > >
>>>>  > > On 02/11/2014 05:05 PM, Shree wrote:
>>>>  > > Dimitri
>>>>  > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your questions (thanks for your help man)
>>>>  > > Please republish it on the list.
>>>>  > > Do not reply to me directly.
>>>>  > >
>>>>  > > Did you set your first server with the CA? Are all ports that need to be open in the firewall between primary or server actually open?
>>>>  > >
>>>>  > >>
>>>>  > >> What I have done so far is uninstalled the replica and tried to install it again using the "--setup-ca" option. Previously I had failures and when I removed the "--setup-ca" option the installation succeeded (in a way). I understand now that I really need to fix the CA installation errors first.
>>>>  > >>
>>>>  > >> 1) The workaround helped me go forward a bit but I got stuck at this point, see below
>>>>  > >> ===========
>>>>  > >>   [1/3]: creating directory server user
>>>>  > >>   [2/3]: creating directory server instance
>>>>  > >>   [3/3]: restarting directory server
>>>>  > >> Done configuring directory server for the CA (pkids).
>>>>  > >> ipa         : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>>>  > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>>  > >>   [1/17]: creating certificate server user
>>>>  > >>   [2/17]: creating pki-ca instance
>>>>  > >>   [3/17]: configuring certificate server instance
>>>>  > >> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>>>>  > >> ===========
>>>>  > >> 2) No we do not use IPA for a DNS server.
>>>>  > >>
>>>>  > >> 3) The reason for this could be that I had installed the replica without the "--setup-ca".
>>>>  > >>
>>>>  > >> Shreeraj
>>>>  > >> ----------------------------------------------------------------------------------------
>>>>  > >>
>>>>  > >> Change is the only Constant !
>>>>  > >>
>>>>  > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>  > >>
>>>>  > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>>>>  > >>> Shree wrote:
>>>>  > >>>> Lukas
>>>>  > >>>> Perhaps I should explain the design a bit and see if FreeIPA even supports this. Our replica is in a separate network and
                                                          all the
>>>>  > 
                                                          >>>>
                                                          appropriate
                                                          ports are
                                                          opened between
                                                          the master
>>>>  > 
                                                          >         
                                                                  and
                                                          the replica.
                                                          The
>>>>  > 
                                                          >>>>
                                                          "replica" got
                                                          created
                                                          successfully
                                                          and is in
>>>>  > 
                                                          >         
                                                                  sync
                                                          with the
                                                          master
>>>>  > 
                                                          >>>>
                                                          (except the CA
                                                          services which
                                                          I mentioned
>>>>  > 
                                                          >         
                                                                 
                                                          earlier)
>>>>  > 
                                                          >>>>
                                                          Now,when I try
                                                          to run
                                                          ipa-client-install
                                                          on
>>>>  > 
                                                          >    hosts
                                                          in the new
                                                          network
>>>>  > 
                                                          >>>>
                                                          using the
                                                          replica, it
                                                          complains that
                                                          about
>>>>  > 
                                                          >         
                                                                 
                                                          "Cannot
                                                          contact any
                                                          KDC for
>>>>  > 
                                                          >>>>
                                                          realm".
>>>>  > 
                                                          >>>>
                                                          I am wondering
                                                          it my hosts in
                                                          the new
                                                          network
>>>>  > 
                                                          >         
                                                                  are
                                                          trying to
                                                          access the
>>>>  > 
                                                          >>>>
                                                          "master" for
                                                          certificates
                                                          since the
                                                          replica
>>>>  > 
                                                          >         
                                                                  does
                                                          not have any
                                                          CA
>>>>  > 
                                                          >>>>
                                                          services
                                                          running? I
                                                          couldn't find
                                                          any obvious
>>>>  > 
                                                          >         
                                                                  proof
                                                          of this even
                                                          running
>>>>  > 
                                                          >>>>
                                                          the install in
                                                          a debug mode.
                                                          Do I need to
                                                          open
>>>>  > 
                                                          >         
                                                                  ports
                                                          between the
                                                          new
>>>>  > 
                                                          >>>>
                                                          hosts and the
                                                          master for CA
                                                          services?
>>>>  > 
                                                          >>>>
                                                          At this point
                                                          I cannot
                                                          disable or 
                                                          move the
>>>>  > 
                                                          >         
                                                                 
                                                          master, it
                                                          needs to
                                                          function
>>>>  > 
                                                          >>>>
                                                          in its
                                                          location but I
                                                          need
>>>>  > 
                                                          >>>
>>>>  > 
                                                          >>>
                                                          No, the
                                                          clients don't
                                                          directly talk
                                                          to the CA.
>>>>  > 
                                                          >>>
>>>>  > 
                                                          >>>
                                                          You'd need to
                                                          look in
>>>>  > 
                                                          >         
                                                                 
                                                          /var/log/ipaclient-install.log
                                                          to see what
                                                          KDC
>>>>  > 
                                                          >>>
                                                          was found and
                                                          we were trying
                                                          to use. If you
                                                          have
>>>>  > 
                                                          >         
                                                                  SRV
                                                          records for
                                                          both
>>>>  > 
                                                          >>>
                                                          but we try to
                                                          contact the
                                                          hidden master
                                                          this will
>>>>  > 
                                                          >         
                                                                 
                                                          happen. You
                                                          can try
>>>>  > 
                                                          >>>
                                                          specifying the
                                                          server on the
                                                          command-line
                                                          with
>>>>  > 
                                                          >         
                                                                 
                                                          --server but
                                                          this will
>>>>  > 
                                                          >>>
                                                          be hardcoding
                                                          things and
                                                          make it less
                                                          flexible
>>>>  > 
                                                          >         
                                                                  later.
>>>>  > 
                                                          >>>
>>>>  > 
                                                          >>>
                                                          rob
>>>>  > 
                                                          >>>
>>>>  > 
                                                          >>>>
                                                          Shreeraj
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >
>>>>  >
>>>>
----------------------------------------------------------------------------------------
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
                                                          Change is the
                                                          only Constant
                                                          !
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
                                                          On Saturday,
                                                          February 8,
                                                          2014 1:29 AM,
                                                          Lukas
>>>>  > 
                                                          >         
                                                                 
                                                          Slebodnik
>>>>  > 
                                                          >>>>
                                                          <lslebodn at redhat.com <mailto:lslebodn at redhat.com>
>>>>
                                                          <mailto:lslebodn at redhat.com <mailto:lslebodn at redhat.com>>> wrote:
>>>>  > 
                                                          >>>>
                                                          On (06/02/14
                                                          18:33), Shree
                                                          wrote:
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>>
                                                          First of all,
                                                          the
                                                          ipa-replica-install
                                                          did
>>>>  > 
                                                          >         
                                                                  not
                                                          allow me to
                                                          use
>>>>  > 
                                                          >>>>
                                                          the --setup-ca
>>>>  > 
                                                          >>>>>
                                                          option
                                                          complaining
                                                          that a cert
                                                          already
>>>>  > 
                                                          >         
                                                                 
                                                          exists,
                                                          replicate
                                                          creation was
>>>>  > 
                                                          >>>>>
                                                          successful
                                                          after I
                                                          skipped the
                                                          option.
>>>>  > 
                                                          >>>>>
                                                          Seems like the
                                                          replica is one
                                                          except
>>>>  > 
                                                          >>>>>
                                                          1) There is no
                                                          CA Service
                                                          running on the
>>>>  > 
                                                          >         
                                                                 
                                                          replica (which
                                                          I guess is
>>>>  >
                                                          >>>>
                                                          expected)
>>>>  > 
                                                          >>>>>
                                                          and
>>>>  > 
                                                          >>>>>
                                                          2) I am unable
                                                          to run
                                                          ipa-client-install
>>>>  > 
                                                          >         
                                                                 
                                                          successfully
                                                          on any clients
>>>>  > 
                                                          >>>>
                                                          using
>>>>  > 
                                                          >>>>>
                                                          the replica.
                                                          (I don't have
                                                          the option of
>>>>  > 
                                                          >         
                                                                  using
                                                          the primary
                                                          master as
>>>>  > 
                                                          >>>>
                                                          it is
>>>>  > 
                                                          >>>>>
                                                          configured in
                                                          a segregated
                                                          environment.
>>>>  > 
                                                          >         
                                                                  Only
                                                          the master and
                                                          replica
>>>>  > 
                                                          >>>>
                                                          are
>>>>  > 
                                                          >>>>>
                                                          allowed to
                                                          sync.
>>>>  >
                                                          >>>>>
                                                          Debug shows it
                                                          fails at
>>>>  > 
                                                          >>>>>
>>>>  > 
                                                          >>>>>
                                                          ipa        :
                                                          DEBUG   
                                                          stderr=kinit:
                                                          Cannot
>>>>  > 
                                                          >         
                                                                 
                                                          contact any
                                                          KDC for realm
>>>>  > 
                                                          >>>>
                                                          'mydomainname.com'
                                                          while getting
                                                          initial
>>>>  > 
                                                          >         
                                                                 
                                                          credentials
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>>
>>>>  > 
                                                          >>>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
                                                          I was not able
                                                          to install
                                                          replica witch
                                                          CA on
>>>>  > 
                                                          >         
                                                                  fedora
                                                          20,
>>>>  > 
                                                          >>>>
                                                          Bug is already
                                                          reported https://fedorahosted.org/pki/ticket/816
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
                                                          Guys from
                                                          dogtag found a
                                                          workaround
>>>>  > 
                                                          >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
                                                          Does it work
                                                          for you?
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
                                                          LS
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>>
_______________________________________________
>>>>  > 
                                                          >>>>
                                                          Freeipa-users
                                                          mailing list
>>>>  > 
                                                          >>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>
                                                          <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>>
>>>>  > 
                                                          >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>  > 
                                                          >>>>
>>>>  > 
                                                          >>>
>>>>  > 
                                                          >>>
                                                          _______________________________________________
>>>>  > 
                                                          >>>
                                                          Freeipa-users
                                                          mailing list
>>>>  > 
                                                          >>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>
                                                          <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>>
>>>>
>>>>  > 
                                                          >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>  > 
                                                          >>
>>>>  > 
                                                          >> What
                                                          server
                                                          provides DNS
                                                          capabilities
                                                          to the
                                                          clients?
>>>>  > 
                                                          >> Do
                                                          you use IPA
                                                          DNS or some
                                                          other DNS?
>>>>  > 
                                                          >>
                                                          Clients seem
                                                          to not be able
                                                          to see replica
                                                          KDC and try
>>>>  > 
                                                          >         
                                                                  to
                                                          access hidden
>>>>  > 
                                                          >>
                                                          master but
                                                          they can know
                                                          about this
                                                          master only
                                                          via DNS.
>>>>  >
>>>>  >
>>>>  >
                                                          Shree, make
                                                          sure that
                                                          command
>>>>  > $
                                                          dig -t SRV
                                                          _kerberos._udp.ipa.example
>>>>  > on
                                                          the client
                                                          returns both
                                                          IPA servers
                                                          (in ANSWER
                                                          section).
>>>>  >
>>>>  > --
>>>>  >
                                                          Petr^2 Spacek
>>>>  >
>>>>  >
>>>>  >
>>>>  >
>>>>  >
>>>>  >
                                                          _______________________________________________
>>>>  >
                                                          Freeipa-users
                                                          mailing list
>>>>  > Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>  > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>  >
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>_______________________________________________
Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
>>I suggest that you temporarily try to install a client in place of the replica and see why it does not install.
>>The log above suggests that certmonger that is a part of the replica fails to connect to the first master. We need to understand the reason why it fails. Then we would be able to make your replica be a CA.
>>I suspect that CA related communication between replica and master is not going through for some reason.
>>The install log would be really helpful.
>>Please see
>>http://www.freeipa.org/page/Troubleshooting to collect the right logs.
>>
>>
>>--
>>Thank you,
>>Dmitri Pal Sr. Engineering Manager for IdM portfolio
>>Red Hat Inc. -------------------------------
>>Looking to carve out IT costs? www.redhat.com/carveoutcosts/


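As an added example (not code from the thread or from FreeIPA): a small Python check that implements Petr's SRV test and Rob's "which KDC did we pick" reasoning against constructed dig output, reporting whether the client's DNS advertises a KDC its network can reach. The domain example.test, the hostnames master/replica and the reachability set are assumptions made for the example.

```python
"""Check Kerberos SRV answers the way the thread describes: parse the
ANSWER SECTION of `dig -t SRV _kerberos._udp.<domain>`, apply the
RFC 2782 priority rule, and compare the advertised KDCs with the ones
the client's network can actually reach. All sample data is constructed."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV record from the ANSWER SECTION of a dig query."""
    priority: int
    weight: int
    port: int
    target: str  # KDC hostname, trailing dot removed


# Matches an answer line such as
# _kerberos._udp.example.test. 86400 IN SRV 0 100 88 master.example.test.
SRV_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv_answer(dig_output: str) -> list[SrvRecord]:
    """Return the SRV records found in the ANSWER SECTION of dig output."""
    records: list[SrvRecord] = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):  # next section begins
            break
        if in_answer and line:
            m = SRV_LINE.match(line)
            if m:
                prio, weight, port, target = m.groups()
                records.append(SrvRecord(int(prio), int(weight), int(port), target.lower()))
    return records


def diagnose(dig_output: str, expected: set[str], reachable: set[str]) -> dict:
    """Compare advertised KDCs with the servers the client should see (Petr's
    check) and with the servers its network can reach (Rob's explanation)."""
    records = parse_srv_answer(dig_output)
    advertised = {r.target for r in records}
    missing = expected - advertised
    # A Kerberos client tries the lowest priority value first; every target
    # at that priority is a candidate for the first contact attempt.
    first_tier: set[str] = set()
    if records:
        best = min(r.priority for r in records)
        first_tier = {r.target for r in records if r.priority == best}
    reachable_advertised = advertised & reachable
    if not advertised:
        verdict = "no SRV records: clients cannot locate any KDC"
    elif not reachable_advertised:
        verdict = "only unreachable KDCs advertised: kinit will report 'Cannot contact any KDC'"
    elif missing:
        verdict = "reachable KDC advertised, but expected servers are missing from the answer"
    elif first_tier - reachable:
        verdict = "warning: an unreachable KDC shares the preferred priority with the reachable one"
    else:
        verdict = "ok: every preferred KDC is reachable from this network"
    return {"advertised": advertised, "missing": missing, "first_tier": first_tier,
            "reachable_advertised": reachable_advertised, "verdict": verdict}


# Constructed dig output from a client whose DNS only knows the hidden master.
SAMPLE_MASTER_ONLY = """\
;; QUESTION SECTION:
;_kerberos._udp.example.test.   IN  SRV

;; ANSWER SECTION:
_kerberos._udp.example.test. 86400 IN SRV 0 100 88 master.example.test.

;; AUTHORITY SECTION:
example.test. 86400 IN NS master.example.test.
"""

# Constructed output after the replica is advertised with a lower priority value.
SAMPLE_BOTH = """\
;; ANSWER SECTION:
_kerberos._udp.example.test. 86400 IN SRV 10 100 88 master.example.test.
_kerberos._udp.example.test. 86400 IN SRV 0 100 88 replica.example.test.
"""

# Constructed output where both servers share priority 0.
SAMPLE_EQUAL = """\
;; ANSWER SECTION:
_kerberos._udp.example.test. 86400 IN SRV 0 100 88 master.example.test.
_kerberos._udp.example.test. 86400 IN SRV 0 100 88 replica.example.test.
"""

EXPECTED_KDCS = {"master.example.test", "replica.example.test"}
REACHABLE_FROM_CLIENT = {"replica.example.test"}  # assumption: master is hidden

if __name__ == "__main__":
    for label, out in (("master only", SAMPLE_MASTER_ONLY), ("both", SAMPLE_BOTH),
                       ("equal priority", SAMPLE_EQUAL)):
        result = diagnose(out, EXPECTED_KDCS, REACHABLE_FROM_CLIENT)
        print(f"{label}: {result['verdict']}")
        if result["missing"]:
            print("  missing from ANSWER:", ", ".join(sorted(result["missing"])))
```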