[Freeipa-users] replica installation issue
Petr Spacek
pspacek at redhat.com
Fri Jan 17 12:12:31 UTC 2014
On 17.1.2014 12:44, Thomas Sailer wrote:
> After being unable to rescue my old freeipa installation, I installed a new
> machine from scratch and imported the user data from the old installation (so
> I could get rid of the separate PKI dirserv, too). That worked fine.
>
> Then I prepared a replica, and installed the replica on the old machine (after
> first running ipa-server-install --uninstall). The installation completed
> without error message.
>
> The replica however has a few issues:
>
> - GSSAPI authentication to the directory service doesn't work:
>
> # ldapsearch -D "cn=Directory Manager" -W \*
> returns a few hundred records, however
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at XXXX.COM
>
> Valid starting Expires Service principal
> 01/16/2014 14:14:51 01/17/2014 14:14:47 krbtgt/XXXX.COM at XXXX.COM
> 01/16/2014 14:14:54 01/17/2014 14:14:47 HTTP/replica.xxxx.com at XXXX.COM
> 01/16/2014 14:15:22 01/17/2014 14:14:47 ldap/replica.xxxx.com at XXXX.COM
>
> # ldapsearch -Y GSSAPI \*
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Server
> krbtgt/LOCALDOMAIN at XXXX.COM not found in Kerberos database)
The LOCALDOMAIN part should be equal to the REALM (after @). Is it the same, and did
the difference come from your obfuscation, or not?
Does kdestroy && kinit work?
Anyway, I would double check DNS (including reverse records for all involved
machines) and the data in /etc/krb5.conf.
> The localdomain apparently comes from /etc/hosts:
> 127.0.0.1 localhost.localdomain localhost localhost4
> ::1 localhost6.localdomain6 localhost6
> 192.168.1.2 replica.xxxx.com replica
> 192.168.1.3 master.xxxx.com master
>
> I tried to comment out the first two entries, which made it want to use
> ldap/localhost at XXXX.COM, which failed too.
>
> krb5.keytab looks the same on both the master and the replica, with the
> exception that the replica lacks the host key for the camellia*-cts-cmac cypher.
>
> - When I use the web server of the replica and click on
> Identity->Certificates, I get:
> IPA Error 4301: Certificate operation cannot be completed: Unable to
> communicate with CMS ([Errno 113] No route to host)
>
> This same operation on the master works. Is this supposed to be like this?
I suspect a firewall on the replica. Did you open all the ports in the same
way as on the first server?
See
http://adam.younglogic.com/2013/03/iptables-rules-for-freeipa/
> - Is there a more up to date description of how to make a replica a master?
> The fedora15 documentation seems to have gathered some dust...
Replicas will be equal if you install CA to all servers. The only difference
is that one of them generates CRL and renews CA certificates.
You can move CRL generation from one server to another, see:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
Have a nice day!
--
Petr^2 Spacek
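The "krbtgt/LOCALDOMAIN" request in the thread comes from how a GSSAPI client builds the LDAP service principal: it reverse-resolves the server address, takes the canonical name, and maps that name's domain to a realm. The following added Python example (not from the thread or from FreeIPA) reproduces that derivation against a constructed /etc/hosts modelled on the one quoted above and an assumed [domain_realm] mapping, so an admin can see which principal a bind to a given address will ask for before touching the KDC.

```python
# Constructed sample modelled on the /etc/hosts quoted in the thread,
# not the poster's real file.
HOSTS_SAMPLE = """\
127.0.0.1   localhost.localdomain localhost localhost4
::1         localhost6.localdomain6 localhost6
192.168.1.2 replica.xxxx.com replica
192.168.1.3 master.xxxx.com master
"""

# Assumed [domain_realm] section as it would appear in /etc/krb5.conf.
DOMAIN_REALM = {".xxxx.com": "XXXX.COM", "xxxx.com": "XXXX.COM"}


def parse_hosts(text):
    """Return {address: canonical_name}; the first name on a line is what a
    reverse lookup through /etc/hosts hands back to the client."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], fields[1])
    return table


def realm_for_host(fqdn, domain_realm):
    """Approximate the libkrb5 host-to-realm rule: the longest matching
    [domain_realm] entry wins; with no match the host's domain part is
    uppercased (which is where 'LOCALDOMAIN' comes from)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for key in (suffix, "." + suffix):
            if key in domain_realm:
                return domain_realm[key]
    return ".".join(labels[1:]).upper()


def gssapi_targets(server_ip, client_realm, hosts_text, domain_realm):
    """Return (service_principal, cross_realm_tgt) for an LDAP bind to
    server_ip: the ldap/... principal the client will request and, if the
    derived realm differs from the client's own, the krbtgt it must first
    obtain (None when the realms already agree)."""
    canonical = parse_hosts(hosts_text).get(server_ip, server_ip)
    realm = realm_for_host(canonical, domain_realm)
    service = "ldap/%s@%s" % (canonical, realm)
    krbtgt = None if realm == client_realm else "krbtgt/%s@%s" % (realm, client_realm)
    return service, krbtgt
```

Binding to 127.0.0.1 with this table yields ldap/localhost.localdomain@LOCALDOMAIN and a request for krbtgt/LOCALDOMAIN@XXXX.COM, while binding to 192.168.1.2 yields ldap/replica.xxxx.com@XXXX.COM with no cross-realm ticket needed.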