[Freeipa-users] replica installation issue
Thomas Sailer
t.sailer at alumni.ethz.ch
Fri Jan 17 11:44:24 UTC 2014
After being unable to rescue my old freeipa installation, I installed a
new machine from scratch and imported the user data from the old
installation (so I could get rid of the separate PKI dirserv, too). That
worked fine.
Then I prepared a replica, and installed the replica on the old machine
(after first running ipa-server-install --uninstall). The installation
completed without error message.
The replica however has a few issues:
- GSSAPI authentication to the directory service doesn't work:
# ldapsearch -D "cn=Directory Manager" -W \*
returns a few hundred records, however
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at XXXX.COM
Valid starting Expires Service principal
01/16/2014 14:14:51 01/17/2014 14:14:47 krbtgt/XXXX.COM at XXXX.COM
01/16/2014 14:14:54 01/17/2014 14:14:47 HTTP/replica.xxxx.com at XXXX.COM
01/16/2014 14:15:22 01/17/2014 14:14:47 ldap/replica.xxxx.com at XXXX.COM
# ldapsearch -Y GSSAPI \*
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Server krbtgt/LOCALDOMAIN at XXXX.COM not found in Kerberos database)
The localdomain apparently comes from /etc/hosts:
127.0.0.1 localhost.localdomain localhost localhost4
::1 localhost6.localdomain6 localhost6
192.168.1.2 replica.xxxx.com replica
192.168.1.3 master.xxxx.com master
I tried to comment out the first two entries, which made it want to use
ldap/localhost at XXXX.COM, which failed too.
krb5.keytab looks the same on both the master and the replica, with the
exception that the replica lacks the host key for the camellia*-cts-cmac
cipher.
- When I use the web server of the replica and click on
Identity->Certificates, I get:
IPA Error 4301: Certificate operation cannot be completed: Unable to
communicate with CMS ([Errno 113] No route to host)
This same operation on the master works. Is this supposed to be like this?
- Is there a more up to date description of how to make a replica a
master? The fedora15 documentation seems to have gathered some dust...
Thanks,
Tom
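The "krbtgt/LOCALDOMAIN" error above is what a GSSAPI client produces when the host it connects to canonicalises, via the loopback entry in /etc/hosts, to localhost.localdomain: libkrb5 derives the realm from the parent domain of the canonical name, gets LOCALDOMAIN, and asks the KDC for a cross-realm ticket that does not exist. The script below is an added example, not code from the post or from FreeIPA; it models that client-side name canonicalisation (forward lookup of the target, reverse lookup of the address, realm guessed from the domain) against a constructed copy of the poster's hosts file, and adds a check that a replica's FQDN resolves to a non-loopback address that canonicalises back to the FQDN. Assumptions: the replica is 192.168.1.2 with FQDN replica.xxxx.com, resolution is hosts-file only, and no [domain_realm] mapping overrides the fallback. It shows why a client that connects to "localhost" (OpenLDAP's default URI) requests ldap/localhost.localdomain@LOCALDOMAIN, while one pointed at the FQDN (-H ldap://replica.xxxx.com) requests the principal that exists in the keytab.

```shell
# Constructed sample: the /etc/hosts from the post (assumption: the replica's
# FQDN is replica.xxxx.com on 192.168.1.2).
SAMPLE_HOSTS='127.0.0.1   localhost.localdomain localhost localhost4
::1         localhost6.localdomain6 localhost6
192.168.1.2 replica.xxxx.com replica
192.168.1.3 master.xxxx.com master'

# forward_lookup HOSTS NAME: address of the first entry listing NAME as any
# hostname or alias (what a hosts-file forward resolution returns).
forward_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# reverse_lookup HOSTS ADDR: canonical name (second column) for ADDR, which is
# what rdns=true canonicalisation hands to the principal builder.
reverse_lookup() {
    printf '%s\n' "$1" | awk -v addr="$2" '$1 == addr { print $2; exit }'
}

# guess_realm NAME: realm libkrb5 falls back to when no [domain_realm] entry
# matches, i.e. the parent domain of NAME upper-cased ("" for a bare label).
guess_realm() {
    case $1 in
        *.*) printf '%s\n' "${1#*.}" | tr 'a-z' 'A-Z' ;;
        *)   printf '\n' ;;
    esac
}

# service_principal HOSTS SERVICE TARGET: the service principal a GSSAPI
# client will request for SERVICE on TARGET given this hosts file.
# Prints "unresolvable" and returns 1 if TARGET is not in the hosts file.
service_principal() {
    hosts=$1; svc=$2; target=$3
    addr=$(forward_lookup "$hosts" "$target")
    if [ -z "$addr" ]; then
        echo unresolvable
        return 1
    fi
    canon=$(reverse_lookup "$hosts" "$addr")
    printf '%s/%s@%s\n' "$svc" "$canon" "$(guess_realm "$canon")"
}

# check_fqdn HOSTS FQDN: "ok" when FQDN forward-resolves to a non-loopback
# address whose canonical name is FQDN again, otherwise a one-line diagnosis.
check_fqdn() {
    hosts=$1; fqdn=$2
    addr=$(forward_lookup "$hosts" "$fqdn")
    if [ -z "$addr" ]; then
        echo "FAIL: $fqdn not in hosts file"
        return 1
    fi
    case $addr in
        127.*|::1)
            echo "FAIL: $fqdn maps to loopback $addr; reverse lookup will not give $fqdn"
            return 1 ;;
    esac
    canon=$(reverse_lookup "$hosts" "$addr")
    if [ "$canon" != "$fqdn" ]; then
        echo "FAIL: $addr canonicalises to $canon, not $fqdn"
        return 1
    fi
    echo ok
}

# Stand-alone run: which principal does each target produce?
for target in localhost replica.xxxx.com; do
    printf '%-18s -> %s\n' "$target" "$(service_principal "$SAMPLE_HOSTS" ldap "$target")"
done
check_fqdn "$SAMPLE_HOSTS" replica.xxxx.com
```

Run it with any POSIX sh; to test a live machine, replace SAMPLE_HOSTS with `$(cat /etc/hosts)` and compare the printed principal with the ldap/ entries in `klist -k /etc/krb5.keytab`. The check is only a model of hosts-file resolution: when DNS is involved, the same questions are answered by `getent hosts` on the FQDN and on its address.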