[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Rob Crittenden rcritten at redhat.com
Mon Jun 6 22:08:39 UTC 2016


Dan.Finkelstein at high5games.com wrote:
> By the way, I want to mention the conncheck: if I don't skip it, it
> tries to ssh into the master IPA instance as 'admin@<domain>', rather
> than the user (root), and fails. All other parts of the connectivity
> check work, however. Why does it try to access the master as a Kerberos
> principal instead of the process user?

Because the remote master, being an IPA server, should have an admin 
account, so it's a known. root over ssh is not allowed in some environments.

There is a ticket open to be able to set the login to be used; right now
admin is hardcoded.

As for the install failure, you should now have the appropriate logs to
start diagnosing what was going on in /var/log/pki.

rob

>
> Thanks,
>
> Dan
>
> *From: *Rob Crittenden <rcritten at redhat.com>
> *Date: *Monday, June 6, 2016 at 11:44
> *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>,
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> Skipping the conncheck can mask odd problems and should be used sparingly.
>
> rob
>
>
>



