[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Rob Crittenden
rcritten at redhat.com
Fri Feb 14 18:20:51 UTC 2014
Shree wrote:
> The logs are attached here. I had a day off yesterday.
Is port 7389 open? I see you skip the connection check; what was failing?
In the ipareplica-install log this is reported:
Failed to setup the replication for cloning.
And in the debug log:
[12/Feb/2014:15:15:38][http-9445-2]: DatabasePanel setupReplication:
java.io.IOException: consumer initialization failed. -1 - LDAP error:
Can't contact LDAP server
rob
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Thursday, February 13, 2014 6:41 AM, Rob Crittenden
> <rcritten at redhat.com> wrote:
> Shree wrote:
> > Ok, failed at the same stage, would you like the entire
> > /var/log/ipareplica-install.log. If yes, should I attach to the email?
> >
> >
> >
> > ipa : INFO File
> > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> > line 614, in run_script
> > return_value = main_function()
> >
> > File "/usr/sbin/ipa-replica-install", line 467, in main
> > (CA, cs) = cainstance.install_replica_ca(config)
> >
> > File
> > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> > 1604, in install_replica_ca
> > subject_base=config.subject_base)
> >
> > File
> > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> > 617, in configure_instance
> > self.start_creation(runtime=210)
> >
> > File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> > line 358, in start_creation
> > method()
> >
> > File
> > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> > 879, in __configure_instance
> > raise RuntimeError('Configuration of CA failed')
> >
> > ipa : INFO The ipa-replica-install command failed,
> > exception: RuntimeError: Configuration of CA failed
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > Configuration of CA failed
> > [root at ldap2 ~]#
> >
>
> We need to see the full /var/log/ipareplica-install.log and the debug
> log from /var/log/pki-ca.
>
> rob
>
> > On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
> > On 02/12/2014 04:57 PM, Shree wrote:
> >> If there aren't any other tests to perform, can I go ahead and
> >> uninstall the ipa client and configure this Vm as a replica?
> >
> > Thanks for trying. At least we know that certmonger can run by itself.
> > When you install replica please collect all the install logs.
> > Is SELinux on/off?
> >
> >> On Wednesday, February 12, 2014 1:40 PM, Shree <shreerajkarulkar at yahoo.com> wrote:
> >> "getcert list" returned a bunch of info, see below
> >>
> >> [root at ldap2 ~]# getcert list
> >> Number of certificates and requests being tracked: 2.
> >> Request ID '20140206184920':
> >> status: MONITORING
> >> stuck: no
> >> key pair storage:
> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >> certificate:
> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >> Certificate DB'
> >> CA: dogtag-ipa-retrieve-agent-submit
> >> issuer: CN=Certificate Authority,......................
> >> .............................
> >>
> >> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
> >> On 02/12/2014 03:41 PM, Shree wrote:
> >>> So I uninstalled the ipa server and installed the client
> >>> (ipa-client-install) on the same VM pointing at the master and
> >>> everything seems to work OK. All the sudo rules etc. Are there any
> >>> tests I can do to check connectivity that could be helpful before I
> >>> configure this as a "replica" again.
> >> Ask certmonger to get a certificate
> >>
> >>>
> >>> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <dpal at redhat.com> wrote:
> >>> On 02/12/2014 02:09 PM, Shree wrote:
> >>>> Rob
> >>>> I really appreciate your help, please bear with me. At this point I
> >>>> need to take you back to my ipa-replica-install and what happened
> >>>> there.
> >>>>
> >>>> [1] My command: ipa-replica-install --setup-ca
> >>>> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
> >>>> This ended with a
> >>>> Done configuring NTP daemon (ntpd).
> >>>> A CA is already configured on this system.
> >>>>
> >>>> [2] So did a pkiremove with the following command
> >>>> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
> >>>>
> >>>> [3] Re ran the ipa-replica-install command in step 1
> >>>> The install went a little further but ended below.
> >>>>
> >>>> Configuring directory server for the CA (pkids): Estimated time 30
> >>>> seconds
> >>>> [1/3]: creating directory server user
> >>>> [2/3]: creating directory server instance
> >>>> [3/3]: restarting directory server
> >>>> Done configuring directory server for the CA (pkids).
> >>>> ipa : ERROR certmonger failed starting to track certificate:
> >>>> Command '/usr/bin/ipa-getcert start-tracking -d
> >>>> /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
> >>>> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
> >>>> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero
> >>>> exit status 1
> >>>> Configuring certificate server (pki-cad): Estimated time 3 minutes
> >>>> 30 seconds
> >>>> [1/17]: creating certificate server user
> >>>> [2/17]: creating pki-ca instance
> >>>> [3/17]: configuring certificate server instance
> >>>> ipa : CRITICAL failed to configure ca instance Command
> >>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> >>>> .................
> >>>> ...........................
> >>>> Your system may be partly configured.
> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>>
> >>>> Configuration of CA failed
> >>>>
> >>>> If I skip the "--setup-ca" option then the replica gets created
> >>>> without any CA services. The "master" and "replica" are in sync but
> >>>> I am unable to run a ipa-client-install using the replica. Now I
> >>>> need to fix this to get a replica in place correctly.
> >>>>
> >>>>
> >>>> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> >>>> Shree wrote:
> >>>> > OK I thought CA is a part of IPA ? Below is from my master IPA server
> >>>> >
> >>>> > [root at ldap ~]# ipactl status
> >>>> > Directory Service: RUNNING
> >>>> > KDC Service: RUNNING
> >>>> > KPASSWD Service: RUNNING
> >>>> > MEMCACHE Service: RUNNING
> >>>> > HTTP Service: RUNNING
> >>>> > CA Service: RUNNING
> >>>> > [root at ldap ~]#
> >>>> >
> >>>> > I can certainly send you a log if needed.
> >>>>
> >>>> It is part of IPA but the IPA server talks to it, not the clients
> >>>> directly.
> >>>>
> >>>> I can only speculate what the client is doing without seeing the log
> >>>> files, but I suspect both masters are in DNS and IPA is trying to
> >>>> enroll
> >>>> to the initial master which isn't available.
> >>>>
> >>>> rob
> >>>>
> >>>> > On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> >>>> > Shree wrote:
> >>>> > > Peter
> >>>> > > Actually I mentioned earlier that my clients are in a separate VLAN and
> >>>> > > cannot access the master. We have made provisions for the master and the
> >>>> > > replica to sync by opening the needed ports in the firewall. We have
> >>>> > > also opened up ports between the clients and the replica. I have tested
> >>>> > > the connectivity for these ports.
> >>>> > > Perhaps you can tell me if what I am trying to achieve is even possible?
> >>>> > > i.e
> >>>> > > I seem to get stuck with making the replica with the "--setup-ca"
> >>>> > > option. Without that option I am able to create a replica and have it in
> >>>> > > sync with the master. However my ipa-client-install fails from clients
> >>>> > > as they try looking for the master for CA part of the install.
> >>>> >
> >>>> > Clients don't talk to the CA, they talk to an IPA server which talks to
> >>>> > the CA.
> >>>> >
> >>>> > I think we need to see /var/log/ipaclient-install.log to see what is
> >>>> > going on.
> >>>> >
> >>>> > rob
> >>>> >
> >>>> > > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <pspacek at redhat.com> wrote:
> >>>> > > On 11.2.2014 23:53, Shree wrote:
> >>>> > >
> >>>> > > > Following ports are opened between the
> >>>> > > > 1) Between the master and the replica (bi-directional)
> >>>> > > > 2) client machine and the ipa replica (unidirectional).
> >>>> > > > When the replica was up it worked fine as far as syncing was concerned.
> >>>> > > >
> >>>> > > > 80 tcp
> >>>> > > > 443 tcp
> >>>> > > > 389 tcp
> >>>> > > > 636 tcp
> >>>> > > > 88 tcp
> >>>> > > > 464 tcp
> >>>> > > > 88 udp
> >>>> > > > 464 udp
> >>>> > > > 123 udp
> >>>> > > >
> >>>> > > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
> >>>> > > >
> >>>> > > > On 02/11/2014 05:05 PM, Shree wrote:
> >>>> > > >> Dimitri
> >>>> > > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your
> >>>> > > >> questions (thanks for your help man)
> >>>> > > > Please republish it on the list.
> >>>> > > > Do not reply to me directly.
> >>>> > > >
> >>>> > > > Did you set your first server with the CA? Are all ports that need
> >>>> > > > to be open in the firewall between primary or server actually open?
> >>>> > > >
> >>>> > > >
> >>>> > > >
> >>>> > > >>
> >>>> > > >> What I have done so far is uninstalled the replica and tried to
> >>>> > > >> install it again using the "--setup-ca" option. Previously I had
> >>>> > > >> failures and when I removed the "--setup-ca" option the installation
> >>>> > > >> succeeded (in a way). I understand now that I really need to fix the CA
> >>>> > > >> installation errors first.
> >>>> > > >>
> >>>> > > >>
> >>>> > > >> 1) The workaround helped me go forward a bit but I got stuck at this
> >>>> > > >> point see below
> >>>> > > >> ===========
> >>>> > > >> [1/3]: creating directory server user
> >>>> > > >> [2/3]: creating directory server instance
> >>>> > > >> [3/3]: restarting directory server
> >>>> > > >> Done configuring directory server for the CA (pkids).
> >>>> > > >> ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
> >>>> > > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> >>>> > > >> [1/17]: creating certificate server user
> >>>> > > >> [2/17]: creating pki-ca instance
> >>>> > > >> [3/17]: configuring certificate server instance
> >>>> > > >> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
> >>>> > > >> ===========
> >>>> > > >> 2) No we do not use IPA for a DNS server.
> >>>> > > >>
> >>>> > > >>
> >>>> > > >> 3) The reason for this could be that I had installed the replica
> >>>> > > >> without the "--setup-ca".
> >>>> > > >>
> >>>> > > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
> >>>> > > >>
> >>>> > > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
> >>>> > > >>> Shree wrote:
> >>>> > > >>>> Lukas
> >>>> > > >>>> Perhaps I should explain the design a bit and see if FreeIPA even
> >>>> > > >>>> supports this. Our replica is in a separate network and all the
> >>>> > > >>>> appropriate ports are opened between the master and the replica. The
> >>>> > > >>>> "replica" got created successfully and is in sync with the master
> >>>> > > >>>> (except the CA services which I mentioned earlier)
> >>>> > > >>>> Now, when I try to run ipa-client-install on hosts in the new network
> >>>> > > >>>> using the replica, it complains about "Cannot contact any KDC for
> >>>> > > >>>> realm".
> >>>> > > >>>> I am wondering if my hosts in the new network are trying to access the
> >>>> > > >>>> "master" for certificates since the replica does not have any CA
> >>>> > > >>>> services running? I couldn't find any obvious proof of this even running
> >>>> > > >>>> the install in a debug mode. Do I need to open ports between the new
> >>>> > > >>>> hosts and the master for CA services?
> >>>> > > >>>> At this point I cannot disable or move the master, it needs to function
> >>>> > > >>>> in its location but I need
> >>>> > > >>>
> >>>> > > >>> No, the clients don't directly talk to the CA.
> >>>> > > >>>
> >>>> > > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC
> >>>> > > >>> was found and we were trying to use. If you have SRV records for both
> >>>> > > >>> but we try to contact the hidden master this will happen. You can try
> >>>> > > >>> specifying the server on the command-line with --server but this will
> >>>> > > >>> be hardcoding things and make it less flexible later.
> >>>> > > >>>
> >>>> > > >>> rob
> >>>> > > >>>
> >>>> > > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <lslebodn at redhat.com> wrote:
> >>>> > > >>>> On (06/02/14 18:33), Shree wrote:
> >>>> > > >>>>
> >>>> > > >>>>> First of all, the ipa-replica-install did not allow me to use the --setup-ca
> >>>> > > >>>>> option complaining that a cert already exists, replica creation was
> >>>> > > >>>>> successful after I skipped the option.
> >>>> > > >>>>> Seems like the replica is one except
> >>>> > > >>>>> 1) There is no CA Service running on the replica (which I guess is expected)
> >>>> > > >>>>> and
> >>>> > > >>>>> 2) I am unable to run ipa-client-install successfully on any clients using
> >>>> > > >>>>> the replica. (I don't have the option of using the primary master as it is
> >>>> > > >>>>> configured in a segregated environment. Only the master and replica are
> >>>> > > >>>>> allowed to sync.
> >>>> > > >>>>> Debug shows it fails at
> >>>> > > >>>>>
> >>>> > > >>>>> ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm 'mydomainname.com' while getting initial credentials
> >>>> > > >>>>
> >>>> > > >>>>>
> >>>> > > >>>>>
> >>>> > > >>>>
> >>>> > > >>>> I was not able to install replica with CA on fedora 20,
> >>>> > > >>>> Bug is already reported https://fedorahosted.org/pki/ticket/816
> >>>> > > >>>>
> >>>> > > >>>> Guys from dogtag found a workaround
> >>>> > > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
> >>>> > > >>>>
> >>>> > > >>>> Does it work for you?
> >>>> > > >>>>
> >>>> > > >>>> LS
> >>>> > > >>>>
> >>>> > > >>>>
> >>>> > > >>>>
> >>>> > > >>>>
> >>>> > > >>>>
> >>>> > > >>>> _______________________________________________
> >>>> > > >>>> Freeipa-users mailing list
> >>>> > > >>>> Freeipa-users at redhat.com
> >>>> > > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> > > >>>>
> >>>> > > >>>
> >>>> > > >>
> >>>> > > >> What server provides DNS capabilities to the clients?
> >>>> > > >> Do you use IPA DNS or some other DNS?
> >>>> > > >> Clients seem to not be able to see replica KDC and try to access hidden
> >>>> > > >> master but they can know about this master only via DNS.
> >>>> > >
> >>>> > >
> >>>> > > Shree, make sure that command
> >>>> > > $ dig -t SRV _kerberos._udp.ipa.example
> >>>> > > on the client returns both IPA servers (in ANSWER section).
> >>>> > >
> >>>> > > --
> >>>> > > Petr^2 Spacek
> >>>> > >
> >>>> > >
> >>>> > >
> >>>> > >
> >>>> > >
> >>>> > >
> >>>> >
> >>>> >
> >>>> >
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>> I suggest that you temporarily try to install a client in place of
> >>> the replica and see why it does not install.
> >>> The log above suggests that certmonger that is a part of the replica
> >>> fails to connect to the first master. We need to understand the
> >>> reason why it fails. Then we would be able to make your replica be a CA.
> >>> I suspect that CA related communication between replica and master is
> >>> not going through for some reason.
> >>> The install log would be really helpful.
> >>> Please see
> >>> http://www.freeipa.org/page/Troubleshooting to collect the right logs.
> >>>
> >>> --
> >>> Thank you,
> >>> Dmitri Pal
> >>>
> >>> Sr. Engineering Manager for IdM portfolio
> >>> Red Hat Inc.
> >>>
> >>>
> >>> -------------------------------
> >>> Looking to carve out IT costs?
> >>> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>
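A pre-enrolment check that turns Petr's `dig -t SRV` advice and the thread's port list into a script, added here as an example rather than code from the thread or from FreeIPA: it parses the KDCs the SRV record advertises and probes each one on the listed TCP ports, so a master that DNS advertises but the client's VLAN cannot reach (the suspected cause of "Cannot contact any KDC") shows up before ipa-client-install runs. The dig output, hostnames and probe results are constructed; port 7389 is noted only for the replica-with-CA case Rob asks about.

```python
"""Constructed example (not FreeIPA code): check that every KDC advertised in
DNS is reachable on the ports a FreeIPA client needs, before enrolling."""
import re
import socket

# TCP ports the thread opened between clients and the replica. UDP 88/464/123
# are needed too, but a connect() probe cannot verify UDP, so they are skipped.
CLIENT_TCP_PORTS = (88, 464, 389, 636, 443, 80)
CA_REPLICATION_TCP_PORT = 7389  # master<->replica only, for --setup-ca installs

# One dig ANSWER line: owner TTL IN SRV priority weight port target.
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$")

def parse_srv_answer(dig_output):
    """Return [(priority, weight, port, target), ...] from dig's ANSWER
    SECTION, sorted so the preferred (lowest priority) servers come first."""
    records, in_answer = [], False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if line.startswith(";;") or not line:
            break  # end of the answer section
        m = SRV_RE.match(line)
        if m:
            records.append((int(m["prio"]), int(m["weight"]),
                            int(m["port"]), m["target"]))
    return sorted(records)

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered or unresolvable
        return False

def probe_kdcs(srv_records, ports=CLIENT_TCP_PORTS, probe=tcp_open):
    """Probe every advertised KDC; return {target: [closed ports]}.
    `probe` is injectable so the logic can run without a network."""
    return {target: [p for p in ports if not probe(target, p)]
            for _prio, _weight, _srvport, target in srv_records}

def unreachable_kdcs(probe_results):
    """Targets with a closed port: clients that pick one of these (by SRV
    priority/weight) are the ones that see 'Cannot contact any KDC'."""
    return sorted(t for t, closed in probe_results.items() if closed)

# Constructed dig output: hidden master (ldap) and replica (ldap2) are both
# published in DNS, which is the situation the thread suspects.
SAMPLE_DIG = """\
; <<>> DiG 9.9.4 <<>> -t SRV _kerberos._udp.example.com
;; ANSWER SECTION:
_kerberos._udp.example.com. 86400 IN\tSRV\t0 100 88 ldap.example.com.
_kerberos._udp.example.com. 86400 IN\tSRV\t0 100 88 ldap2.example.com.

;; Query time: 1 msec
"""

if __name__ == "__main__":
    kdcs = parse_srv_answer(SAMPLE_DIG)
    # Simulate the thread's VLAN: only the replica answers on the client ports.
    results = probe_kdcs(kdcs, probe=lambda host, port: host == "ldap2.example.com")
    print("advertised KDCs :", [t for *_, t in kdcs])
    print("unreachable KDCs:", unreachable_kdcs(results))
```

Run it with the real `dig -t SRV _kerberos._udp.<your domain>` output and the default `tcp_open` probe from a client in the isolated VLAN; any name listed as unreachable must either become reachable or be removed from the SRV set the clients see.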