[Freeipa-users] Replica without CA: implications?

Cal Sawyer cal-s at blue-bolt.com
Wed Jun 8 09:05:52 UTC 2016


On 08/06/16 09:23, Martin Kosek wrote:
> On 06/07/2016 04:10 PM, Cal Sawyer wrote:
> ...
>> I found that installing a replica with firewalld enabled would consistently fail
>> during initial replication.  Disabling firewalld always allowed replication and
>> later stages to complete
>>
>>         [24/38]: setting up initial replication
>>      Starting replication, please wait until this has completed.
>>
>>      [ipa.localdomain.local] reports: Update failed! Status: [-1  - LDAP error:
>>      Can't contact LDAP server]
> This is strange. ipa-replica-install should have run the conncheck to exactly
> prevent issues like this. Did you by any chance run ipa-replica-install with
> --skip-conncheck option?
>
Yes, I did.  Why, I can't recall now, but I just started using it. Once 
I'd discovered firewalld was causing the connection problem, I neglected 
to stop using it.
Of course, once a replica is installed and working, there's little cause 
to want to redo it to test conncheck's effectiveness.  Might throw 
together another, though, just to put my mind at ease.

>> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core)
>> with ipa-server-4.2.0-15.0.1.el7
>>
>>
>> One other thing.  If, during ipa-replica-install, you choose the default answer
>> to the following:
>>
>> Existing BIND configuration detected, overwrite? [no]:
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Aborting installation.
>>
>> Not sure if that is intended?  Which BIND configuration is being detected?
> This should be only triggered if you install replica with DNS (--setup-dns)
>
Sorry - yes, I did use --setup-dns.  I might have bothered to include 
the ipa-replica-install command line I used.  Still, that is what I got 
if I answered No to the question.
Seems like it's the wrong default answer to the question in a 
--setup-dns scenario?
>> Anyhow, up and running with 4 replicas, 2 of which will be split off to a
>> failover instance of ESXi in the future.  When it works, it's a joy
>>
>> Now back to getting these Mac clients to play nicely with IPA ...
>>
>> thanks for the help and advice
> Thanks for sharing the results.
> Martin
>
