[Freeipa-users] replica installation issue

Thomas Sailer t.sailer at alumni.ethz.ch
Fri Jan 17 11:44:24 UTC 2014


After being unable to rescue my old freeipa installation, I installed a 
new machine from scratch and imported the user data from the old 
installation (so I could get rid of the separate PKI dirserv, too). That 
worked fine.

Then I prepared a replica, and installed the replica on the old machine 
(after first running ipa-server-install --uninstall). The installation 
completed without error message.

The replica however has a few issues:

- GSSAPI authentication to the directory service doesn't work:

# ldapsearch -D "cn=Directory Manager" -W \*
returns a few hundred records, however
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@XXXX.COM

Valid starting       Expires              Service principal
01/16/2014 14:14:51  01/17/2014 14:14:47  krbtgt/XXXX.COM@XXXX.COM
01/16/2014 14:14:54  01/17/2014 14:14:47  HTTP/replica.xxxx.com@XXXX.COM
01/16/2014 14:15:22  01/17/2014 14:14:47  ldap/replica.xxxx.com@XXXX.COM

# ldapsearch -Y GSSAPI \*
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information 
(Server krbtgt/LOCALDOMAIN@XXXX.COM not found in Kerberos database)

The localdomain apparently comes from /etc/hosts:
127.0.0.1       localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6
192.168.1.2             replica.xxxx.com replica
192.168.1.3             master.xxxx.com master

I tried to comment out the first two entries, which made it want to use 
ldap/localhost@XXXX.COM, which failed too.

krb5.keytab looks the same on both the master and the replica, with the 
exception that the replica lacks the host key for the camellia*-cts-cmac 
cipher.

- When I use the web server of the replica and click on 
Identity->Certificates, I get:
IPA Error 4301: Certificate operation cannot be completed: Unable to 
communicate with CMS ([Errno 113] No route to host)

This same operation on the master works. Is this supposed to be like this?

- Is there a more up to date description of how to make a replica a 
master? The Fedora 15 documentation seems to have gathered some dust...

Thanks,
Tom
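As an added illustration (not code from the post or from FreeIPA), the following Python models how a Kerberos client turns the LDAP target into a service principal via /etc/hosts, reproducing both failures reported above: the krbtgt/LOCALDOMAIN error with the original hosts file and the ldap/localhost principal once the localhost lines are commented out. The resolver behaviour, the upper-cased-domain realm fallback, the [domain_realm] map and the keytab contents are assumptions constructed for the example.

```python
"""Added example, not code from the post: model how a Kerberos client derives the
LDAP service principal from /etc/hosts. Assumed: forward-then-reverse lookup gives
the canonical name, an unmapped domain is upper-cased into a realm (old MIT fallback)."""

DEFAULT_REALM = "XXXX.COM"
DOMAIN_REALM = {".xxxx.com": "XXXX.COM"}  # [domain_realm] section (constructed)
KEYTAB = {"ldap/replica.xxxx.com@XXXX.COM", "host/replica.xxxx.com@XXXX.COM"}

# Constructed /etc/hosts contents, modelled on the one quoted in the post.
HOSTS_BROKEN = """127.0.0.1       localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6
192.168.1.2             replica.xxxx.com replica
"""

def parse_hosts(text):
    """/etc/hosts -> list of (ip, [names]) in file order, comments stripped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1:]))
    return entries

def canonicalize(target, entries):
    """Forward-resolve target, then reverse-resolve its address to the first
    name on the first matching line, which is what the resolver hands back."""
    ip = next((ip for ip, names in entries if target in names), None)
    if ip is None:
        return target  # not in /etc/hosts: the name is used as typed
    return next(names[0] for e_ip, names in entries if e_ip == ip)

def realm_for(host):
    """[domain_realm] first; else upper-case the parent domain; a single-label
    name falls back to the default realm."""
    dot = host.find(".")
    if dot < 0:
        return DEFAULT_REALM
    domain = host[dot:].lower()
    return DOMAIN_REALM.get(domain, domain[1:].upper())

def diagnose(target, hosts_text):
    """Return (requested principal, problem or None) for an ldap/ GSSAPI bind."""
    canon = canonicalize(target, parse_hosts(hosts_text))
    realm = realm_for(canon)
    princ = f"ldap/{canon}@{realm}"
    if realm != DEFAULT_REALM:  # client first needs a cross-realm TGT
        return princ, f"krbtgt/{realm}@{DEFAULT_REALM} not in Kerberos database"
    if princ not in KEYTAB:
        return princ, "service principal missing from krb5.keytab"
    return princ, None
```

Running `diagnose("localhost", HOSTS_BROKEN)` yields the LOCALDOMAIN cross-realm failure, while a hosts file without the localhost lines yields ldap/localhost@XXXX.COM, which no keytab entry matches; only a target that canonicalizes to replica.xxxx.com passes.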