[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Wed Feb 19 18:07:23 UTC 2014
Guys
Any word on this? New logs are attached to the email. I am still not able to add clients using the replica. Let me know if you need any other information and thanks for your help.
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Tuesday, February 18, 2014 1:18 PM, Shree <shreerajkarulkar at yahoo.com> wrote:
1) I have got a step further. My replica is not running CA Service. To achieve this I had to remove the existing cert with this command:
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
Now the replica looks like this
[skarulkar at ldap2 tmp]$ sudo ipactl status
[sudo] password for skarulkar:
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[skarulkar at ldap2 tmp]$
2) I am still not able to add a client using ipa-client-install using the replica.
Logs for replica install and client install are attached.
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Tuesday, February 18, 2014 11:31 AM, Shree <shreerajkarulkar at yahoo.com> wrote:
Rob
The logs are attached in the email chain. If you need fresh ones, I can try to replicate it again.
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Tuesday, February 18, 2014 11:19 AM, Rob Crittenden <rcritten at redhat.com> wrote:
Shree wrote:
> Rob
> I am giving it a fresh start and I notice similar issues.
>
> 1) I wasn't able to use the "--setup-ca" while running the
> ipa-replica-install on the replica. It stopped the install after the
> ntpd step see below.
>
> Done configuring NTP daemon (ntpd).
> A CA is already configured on this system.
This is left over from a previous failed installation. If the CA install
fails early enough we don't log the fact that it was installed so the
uninstall doesn't clean it up.
> 2) So I tried my install command again without the --setup-ca option. It
> went further. Although it completed, it showed one error, see below.
>
> MY COMMAND: --> ipa-replica-install
> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
> the skip-conncheck was needed to complete the install. Connections
> checks were manually done.
> [14/31]: configuring lockout plugin
> [15/31]: creating indices
> [16/31]: enabling referential integrity plugin
> [17/31]: configuring ssl for ds instance
> ipa : ERROR certmonger failed starting to track certificate:
> Command '/usr/bin/ipa-getcert start-tracking -d
> /etc/dirsrv/slapd-MYDOMAIN.COM -n Server-Cert -p
> /etc/dirsrv/slapd-MYDOMAIN.COM/pwdfile.txt -C
> /usr/lib64/ipa/certmonger/restart_dirsrv MYDOMAIN.COM' returned non-zero
> exit status 1
> [18/31]: configuring certmap.conf
> [19/31]: configure autobind for root
> .........................................
Without logs there is no way to diagnose. This could leave you in a
situation where the certificate fails to renew in 2 years and IPA
suddenly stops working.
> 3) The replica installed fine I can access the same database from the
> replica's website.
>
> 4) I cannot add new clients.
> MY COMMAND: --> ipa-client-install --domain=mydomain.com
> --server=ldap2.mydomain.com --hostname=test500.mydomain.com -d
>
> ldap.mydomain.com = master
> ldap2.mydomain.com = replica
No idea without seeing the logs.
rob