[Freeipa-users] replica installation issue

Petr Spacek pspacek at redhat.com
Fri Jan 17 12:12:31 UTC 2014


On 17.1.2014 12:44, Thomas Sailer wrote:
> After being unable to rescue my old freeipa installation, I installed a new
> machine from scratch and imported the user data from the old installation (so
> I could get rid of the separate PKI dirserv, too). That worked fine.
>
> Then I prepared a replica, and installed the replica on the old machine (after
> first running ipa-server-install --uninstall). The installation completed
> without error message.
>
> The replica however has a few issues:
>
> - GSSAPI authentication to the directory service doesn't work:
>
> # ldapsearch -D "cn=Directory Manager" -W \*
> returns a few hundred records, however
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at XXXX.COM
>
> Valid starting       Expires              Service principal
> 01/16/2014 14:14:51  01/17/2014 14:14:47  krbtgt/XXXX.COM at XXXX.COM
> 01/16/2014 14:14:54  01/17/2014 14:14:47 HTTP/replica.xxxx.com at XXXX.COM
> 01/16/2014 14:15:22  01/17/2014 14:14:47 ldap/replica.xxxx.com at XXXX.COM
>
> # ldapsearch -Y GSSAPI \*
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>          additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (Server
> krbtgt/LOCALDOMAIN at XXXX.COM not found in Kerberos database)

The LOCALDOMAIN part should be equal to the REALM (after @). Is it the same, and did 
the difference come from your obfuscation, or not?

Does kdestroy && kinit work?

Anyway, I would double check DNS (including reverse records for all involved 
machines) and the data in /etc/krb5.conf.

> The localdomain apparently comes from /etc/hosts:
> 127.0.0.1       localhost.localdomain   localhost       localhost4
> ::1     localhost6.localdomain6 localhost6
> 192.168.1.2             replica.xxxx.com replica
> 192.168.1.3             master.xxxx.com master
>
> I tried to comment out the first two entries, which made it want to use
> ldap/localhost at XXXX.COM, which failed too.
>
> krb5.keytab looks the same on both the master and the replica, with the
> exception that the replica lacks the host key for the camellia*-cts-cmac cypher.
>
> - When I use the web server of the replica and click on
> Identity->Certificates, I get:
> IPA Error 4301: Certificate operation cannot be completed: Unable to
> communicate with CMS ([Errno 113] No route to host)
>
> This same operation on the master works. Is this supposed to be like this?

I suspect a firewall on the replica. Did you open all the ports in the same 
way as on the first server?

See
http://adam.younglogic.com/2013/03/iptables-rules-for-freeipa/

> - Is there a more up to date description of how to make a replica a master?
> The fedora15 documentation seems to have gathered some dust...

Replicas will be equal if you install CA to all servers. The only difference 
is that one of them generates CRL and renews CA certificates.

You can move CRL generation from one server to another, see:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Have a nice day!

-- 
Petr^2 Spacek
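An added offline check (not from this thread or the FreeIPA project) for the /etc/hosts symptom discussed above: it reports the canonical name each loopback address carries and the realm Kerberos would derive from its domain part when no [domain_realm] mapping covers it, and whether the server FQDN has a routable entry. The sample data is the poster's hosts file together with the realm shown in the klist output; the function and file names are assumptions of this example.

```shell
# check_hosts_file HOSTS_FILE FQDN REALM: exit 0 when clean, 1 when any
# loopback line implies a foreign realm or the FQDN lacks a routable entry
check_hosts_file() {
    awk -v fqdn="$2" -v realm="$3" '
        BEGIN { bad = 0 }
        { sub(/#.*/, ""); if (NF < 2) next }          # drop comments, blanks
        $1 ~ /^127\./ || $1 == "::1" {
            # $2 is the canonical name of the address; Kerberos realm guessing
            # uses its domain part (localhost.localdomain -> LOCALDOMAIN)
            canon = $2; dom = canon; sub(/^[^.]*\.?/, "", dom)
            if (dom != "" && toupper(dom) != realm) {
                print "WARN: " $1 " canonical name " canon " implies realm " toupper(dom)
                bad = 1
            }
            for (i = 2; i <= NF; i++) if ($i == fqdn) {
                print "BAD: " fqdn " is mapped to loopback " $1; bad = 1
            }
            next
        }
        { for (i = 2; i <= NF; i++) if ($i == fqdn) found = $1 }
        END {
            if (found == "") { print "BAD: no routable entry for " fqdn; bad = 1 }
            else print "OK: " fqdn " -> " found
            exit bad
        }' "$1"
}

# demo: run the check against the hosts file quoted in the thread
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
127.0.0.1       localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6
192.168.1.2             replica.xxxx.com replica
192.168.1.3             master.xxxx.com master
EOF
    check_hosts_file "$tmp" replica.xxxx.com XXXX.COM; rc=$?
    rm -f "$tmp"
    return $rc
}

demo || echo "hosts file needs attention before retrying GSSAPI binds"
```

Run it against the live file with `check_hosts_file /etc/hosts "$(hostname -f)" YOUR.REALM` on each server before moving on to the DNS forward and reverse records.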