[Freeipa-users] install IPA replica multi-hosts (ipa packages version 3.3.3-18)

Fri Mar 7 14:45:46 UTC 2014

On 7.3.2014 14:16, artjazz at free.fr wrote:
> I want to install ipa server with a replica. The replica has 2 NICs : the ipa
> server is connected on the first interface and all the clients are connected on
> the second interface. The two networks are completely separated, 2 subnets and
> not routed.
I'm curious - what is the reasoning behind this? :-)

> I'am wondering if this kind of configuration is supported with IPA.
>
> Ipa server has been installed with success on the first interface:
>
>
> First, I prepared the replica on its first interface name (that which is on the
> same network as the ipa server), install it with success. In this case the
> ipa-client-install fails;
> See below ==== errors ipacli1 ====
See my reply below :-)

> Second, I prepared the replica on its second interface name (that which is on
> the same network as the ipa client). This case is worst I'm even not able to
> install the replica. The installation fails with the following errors , see
> below ==== errors iparpl2 ====
I'm not sure I understand what you did.

You have installed the replica on one machine and then you have tried to 
install the replica again on the same machine? I guess I have misunderstood 
something ...

> Thanks a lot for your help.
>
> ===================================== errors ipacli1
> =====================================
> - messages in screen or std output:
> Skip iparpl1.blue.mydomain: cannot verify if this is an IPA server
> Failed to verify that iparpl1.blue.mydomain is an IPA Server.
>
> - messages in log /var/log/ipaclient-install.log:
> 2014-03-07T12:20:24Z DEBUG [LDAP server check]
> 2014-03-07T12:20:24Z DEBUG Verifying that iparpl1.blue.mydomain (realm None) is
> an IPA server
> 2014-03-07T12:20:24Z DEBUG Init LDAP connection to: iparpl1.blue.mydomain
> 2014-03-07T12:20:29Z DEBUG wait_for_open_ports: iparpl1.blue.mydomain [389]
> timeout 10
> 2014-03-07T12:20:34Z DEBUG Error checking LDAP: [Errno -2] Name or service not
> known
The problem is that your client can't resolve name of the server.

> 2014-03-07T12:20:34Z WARNING Skip iparpl1.blue.mydomain: cannot verify if this
> is an IPA server
>
> - check in iparpl1
> [root at iparpl1 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> [root at iparpl1 ~]# ldapsearch -x -H ldap://iparpl1.blue.mydomain:389 -W -ZZ
> ldap_start_tls: Connect error (-11)
> 	additional info: TLS error -8157:Certificate extension not found.
> [root at iparpl1 ~]# ldapsearch -x -H ldap://iparpl1.mydomain:389 -W –ZZ
> OK
>
> ===================================== errors iparpl2
> =====================================
> - messages in screen or std output
> KO normal because the master doesn't connect to replica in second interface
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'iparpl2.green.mydomain':
>     Directory Service: Unsecure port (389): FAILED
>     Directory Service: Secure port (636): FAILED
>     Kerberos KDC: TCP (88): FAILED
>     Kerberos KDC: UDP (88): WARNING
>     Kerberos Kpasswd: TCP (464): FAILED
>     Kerberos Kpasswd: UDP (464): WARNING
>     HTTP Server: Unsecure port (80): FAILED
>     HTTP Server: Secure port (443): FAILED
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Remote master check failed with following error message(s):
> Warning: Permanently added 'ipasrv.mydomain,110.0.0.2' (ECDSA) to the list of
> known hosts.
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
> (TCP), 80 (TCP), 443 (TCP)
> Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.

My guess is that you use different name for each interface, right? I'm afraid 
that it can't work, FreeIPA doesn't support that.

Generally, setups like this do not work very well when Kerberos is in the mix.

You can try to add both IP addresses to A record for the multi-homed replica 
but then you will depend on failover between those two IP addresses etc...

-- 
Petr^2 Spacek