[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Rob Crittenden rcritten at redhat.com
Tue Jun 7 15:29:27 UTC 2016


Dan.Finkelstein at high5games.com wrote:
> This advice has gotten me much further, thanks. We didn't have an HBAC
> rule for admin and, now with it in place, connection checks and other
> commands appear to be working that haven't worked before. I'm still
> getting caught on the CA portion of the replica installation.
> Confoundingly, neither the ipa-replica-install nor the ipa-ca-install
> command will complete (the former with the --setup-ca option), the
> latter producing this output in the last few lines of
> ipareplica-ca-install.log:
>
> 2016-06-07T12:44:32Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-06-07T12:44:32Z DEBUG Checking if IPA schema is present in
> ldap://ipa-replica.example.com:7389
> 2016-06-07T12:44:32Z DEBUG retrieving schema for SchemaCache
> url=ldap://ipa-replica.example.com:7389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2ecf710>
> 2016-06-07T12:44:32Z DEBUG Check OK
> 2016-06-07T12:44:32Z DEBUG Destroyed connection context.ldap2_50387920
> 2016-06-07T12:44:32Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-06-07T12:44:32Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 732, in run_script
>     return_value = main_function()
>   File "/usr/sbin/ipa-ca-install", line 202, in main
>     install_replica(safe_options, options, filename)
>   File "/usr/sbin/ipa-ca-install", line 150, in install_replica
>     ca.install(True, config, options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py",
> line 106, in install
>     install_step_0(standalone, replica_config, options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py",
> line 130, in install_step_0
>     ra_p12=getattr(options, 'ra_p12', None))
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1530, in install_replica_ca
>     sys.exit("A CA is already configured on this system.")
> 2016-06-07T12:44:32Z DEBUG The ipa-ca-install command failed, exception:
> SystemExit: A CA is already configured on this system.
>
> This occurs when I run either the replica or ca installer commands a
> second time.

A second time how? Are you running ipa-server-install --uninstall in 
between?

In any case, when the CA install fails 99 times out of 100 the ipa* 
install logs will contain nothing useful. You need to dig into the CA 
logs to see why the install failed.

rob

>
> Best regards,
>
> Dan
>
> <http://www.high5games.com/>
>
> *Daniel Alex Finkelstein*| Senior Dev Ops Engineer
>
> _Dan.Finkelstein at h5g.com <mailto:Dan.Finkelstein at h5g.com>_| 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
> www.high5games.com <http://www.high5games.com/>
>
> Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake
> the Sky <https://apps.facebook.com/shakethesky/>
>
> Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
> <https://twitter.com/High5Games>, YouTube
> <http://www.youtube.com/High5Games>, Linkedin
> <http://www.linkedin.com/company/1072533?trk=tyah>
>
> //
>
> /This message and any attachments may contain confidential or privileged
> information and are only for the use of the intended recipient of this
> message. If you are not the intended recipient, please notify the sender
> by return email, and delete or destroy this and all copies of this
> message and all attachments. Any unauthorized disclosure, use,
> distribution, or reproduction of this message or any attachments is
> prohibited and may be unlawful./
>
> *From: *Rob Crittenden <rcritten at redhat.com>
> *Date: *Monday, June 6, 2016 at 18:08
> *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>,
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> Dan.Finkelstein at high5games.com <mailto:Dan.Finkelstein at high5games.com>
> wrote:
>
>     By the way, I want to mention the conncheck: if I don't skip it, it
>     tries to ssh into the master IPA instance as 'admin@<domain>', rather
>     than the user (root), and fails. All other parts of the connectivity
>     check work, however. Why does it try to access the master as a Kerberos
>     principal instead of the process user?
>
> Because the remote master, being an IPA server, should have an admin
> account, so it's a known. root over ssh is not allowed in some environments.
>
> There is a ticket open to be able to set the login to be used, right now
> admin is hardcoded.
>
> As for the install failure you should now have the appropriate logs to
> start diagnosing what was going on in /var/log/pki.
>
> rob
>
>     Thanks,
>
>     Dan
>
>
>     *From: *Rob Crittenden <rcritten at redhat.com
>     <mailto:rcritten at redhat.com>>
>
>     *Date: *Monday, June 6, 2016 at 11:44
>
>     *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com
>     <mailto:Dan.Finkelstein at high5games.com>>,
>
>     "freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>"
>     <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>
>
>     *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
>
>     FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
>
>     cannot promote to master
>
>     Skipping the conncheck can mask odd problems and should be used
>     sparingly.
>
>     rob
>
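The install log excerpt Dan quoted above shows the shape of the FreeIPA installer logs (a `<timestamp> <LEVEL> <message>` line, with a Python traceback embedded after a DEBUG prefix, ending in a "command failed, exception:" line), and rob's point is that when the CA step fails these ipa* logs usually only record the symptom, so the next stop is /var/log/pki. The script below is an added example, not code from this thread or from FreeIPA: it parses that log format, extracts the traceback frames and the final exception, and turns them into a one-line summary plus a next-step hint that restates rob's advice. The sample log is constructed to match the quoted excerpt; the function and variable names are the example's own.

```python
"""Summarise a FreeIPA install log such as /var/log/ipareplica-ca-install.log.

Added example (not from the thread or from FreeIPA). It understands the
"<timestamp> <LEVEL> <message>" lines shown in the thread, pulls out the
Python traceback the installer embeds, and reports the innermost frame and
the final exception so the actual failure is visible without reading the
whole file.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the excerpt quoted in the thread. In a real
# log the "command failed" line is a single line; it is shown unwrapped here.
SAMPLE_LOG = """\
2016-06-07T12:44:32Z DEBUG Checking if IPA schema is present in ldap://ipa-replica.example.com:7389
2016-06-07T12:44:32Z DEBUG Check OK
2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-07T12:44:32Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 202, in main
    install_replica(safe_options, options, filename)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1530, in install_replica_ca
    sys.exit("A CA is already configured on this system.")
2016-06-07T12:44:32Z DEBUG The ipa-ca-install command failed, exception: SystemExit: A CA is already configured on this system.
"""

# A normal installer log line: ISO timestamp, level, free-text message.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<level>[A-Z]+) (?P<msg>.*)$"
)
# One traceback frame header, with or without a preceding log prefix.
FRAME_LINE = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<lineno>\d+), in (?P<func>\S+)')
# The installer's final "command failed" line.
FAILED_LINE = re.compile(
    r"^The (?P<cmd>\S+) command failed, exception: (?P<exc>[A-Za-z_.]+): (?P<text>.*)$"
)


def parse_install_log(text: str) -> Dict[str, object]:
    """Return traceback frames, the final failure record and per-level counts."""
    frames: List[Dict[str, object]] = []
    failure: Optional[Dict[str, str]] = None
    levels: Dict[str, int] = {}
    pending: Optional[Dict[str, object]] = None  # frame awaiting its source line
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        body = raw
        if m:
            levels[m.group("level")] = levels.get(m.group("level"), 0) + 1
            body = m.group("msg")
            f = FAILED_LINE.match(body)
            if f:
                failure = f.groupdict()
                continue
        fm = FRAME_LINE.match(body)
        if fm:
            pending = {"path": fm.group("path"), "lineno": int(fm.group("lineno")),
                       "func": fm.group("func"), "source": ""}
            frames.append(pending)
            continue
        # The line after a frame header is the indented source statement.
        if pending is not None and not m and raw.startswith("    "):
            pending["source"] = raw.strip()
            pending = None
    return {"frames": frames, "failure": failure, "levels": levels}


def summarise(parsed: Dict[str, object]) -> str:
    """One line: which command failed, with what exception, raised where."""
    failure = parsed["failure"]
    if failure is None:
        return "no command failure recorded"
    frames = parsed["frames"]
    where = ""
    if frames:
        inner = frames[-1]
        where = f" (raised in {inner['func']} at {inner['path']}:{inner['lineno']})"
    return f"{failure['cmd']} failed with {failure['exc']}: {failure['text']}{where}"


def next_step(parsed: Dict[str, object]) -> str:
    """Hint for the operator; the first branch restates the advice given in the thread."""
    failure = parsed["failure"]
    if failure and failure["exc"] == "SystemExit" and "already configured" in failure["text"]:
        return ("a CA from an earlier attempt is still recorded on this host; the ipa* "
                "install logs will not say why that attempt failed, read the CA logs in /var/log/pki")
    if failure:
        return "read the full traceback above the 'command failed' line"
    return "no failure found; check that this is the log of the failing run"


if __name__ == "__main__":
    result = parse_install_log(SAMPLE_LOG)
    print(summarise(result))
    print("next:", next_step(result))
```

Run it against the real file with `python3 summarise_ipa_log.py < /var/log/ipareplica-ca-install.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the summary names the innermost frame, which for the excerpt above is the `install_replica_ca` guard that refuses to proceed while CA state already exists, rather than the root cause of the earlier failed attempt.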