[Freeipa-users] Replica without CA: implications?
Martin Kosek
mkosek at redhat.com
Wed Jun 8 10:07:24 UTC 2016
On 06/08/2016 11:05 AM, Cal Sawyer wrote:
>
> On 08/06/16 09:23, Martin Kosek wrote:
>> On 06/07/2016 04:10 PM, Cal Sawyer wrote:
>> ...
>>> I found that installing a replica with firewalld enabled would consistently
>>> fail during initial replication. Disabling firewalld always allowed replication
>>> and later stages to complete
>>>
>>> [24/38]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>>
>>> [ipa.localdomain.local] reports: Update failed! Status: [-1 - LDAP error:
>>> Can't contact LDAP server]
>> This is strange. ipa-replica-install should have run the conncheck to exactly
>> prevent issues like this. Did you by any chance run ipa-replica-install with
>> --skip-conncheck option?
>>
> Yes, I did.
There you go - pure PEBKAC :-)
> Why, I can't recall now, but I just started using it. Once I'd
> discovered firewalld was causing the connection problem, I neglected to stop
> using it.
> Of course, once a replica is installed and working, there's little cause to
> want to redo it to test conncheck's effectiveness. Might throw together
> another, though, just to put my mind at ease.
For the record, you can also run ipa-replica-conncheck outside ipa-replica-install.
>
>>> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core)
>>> with ipa-server-4.2.0-15.0.1.el7
>>>
>>>
>>> One other thing. If, during ipa-replica-install, you choose the default
>>> answer to the following:
>>>
>>> Existing BIND configuration detected, overwrite? [no]:
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting
>>> installation.
>>>
>>> Not sure if that is intended? Which BIND configuration is being detected?
>> This should only be triggered if you install the replica with DNS (--setup-dns)
>>
> Sorry - yes, I did use --setup-dns. I might have bothered to include the
> ipa-replica-install command line I used. Still, that is what I got if I
> answered No to the question.
> Seems like it's the wrong default answer to the question in a --setup-dns
> scenario?
Yes. This means you do not want the installer to modify and update named.conf for
FreeIPA, i.e. it cannot install the FreeIPA DNS module and has to abort.
>>> Anyhow, up and running with 4 replicas, 2 of which will be split off to a
>>> failover instance of ESXi in the future. When it works, it's a joy
>>>
>>> Now back to getting these Mac clients to play nicely with IPA ...
>>>
>>> thanks for the help and advice
>> Thanks for sharing the results.
>> Martin
>>
>
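The thread's failure ("Can't contact LDAP server" during initial replication, with --skip-conncheck hiding a firewalld block) is exactly what a pre-flight reachability check is for. The following is an added example, not FreeIPA code and not a substitute for ipa-replica-conncheck: it probes a list of TCP ports on a target host with a timeout and reports which ones are blocked. The port list (389 for LDAP, 636 for LDAPS) is an assumption based on the LDAP error in the thread; FreeIPA itself requires further ports (Kerberos, HTTP/S, DNS) that ipa-replica-conncheck covers. The `local_demo()` helper exercises the logic offline against a listener on 127.0.0.1.

```python
"""Pre-flight TCP reachability check in the spirit of ipa-replica-conncheck.

Added example, not part of FreeIPA. Connects to each port with a timeout;
a refused or timed-out connect is reported as blocked, which is what a
firewalld zone that does not allow the service looks like from a replica.
"""
import socket
import sys
from contextlib import closing

# Assumption: only the LDAP ports from the thread's error are listed here.
# FreeIPA's installer requires more (88/464 Kerberos, 80/443 HTTP, 53 DNS).
DEFAULT_PORTS = (389, 636)


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def check_ports(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Map each port to True (reachable) or False (blocked/closed)."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Sorted list of ports that did not accept a connection."""
    return sorted(port for port, ok in results.items() if not ok)


def local_demo():
    """Exercise the check offline: one listening port and one port that was
    bound and released (so it is almost certainly closed). Returns
    (reachable_result, closed_result), expected (True, False)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()               # released: connects here should be refused

    try:
        results = check_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    # Usage: python conncheck_lite.py <master-fqdn>   (hostname is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    outcome = check_ports(target)
    for port, ok in sorted(outcome.items()):
        print(f"{target}:{port} {'reachable' if ok else 'BLOCKED'}")
    if blocked_ports(outcome):
        print("Fix the firewall before running ipa-replica-install; "
              "do not paper over it with --skip-conncheck.")
        sys.exit(1)
```

Run it from the prospective replica against the master before installing. A non-zero exit means at least one port is blocked, which is the condition that produced the "Can't contact LDAP server" failure above once the real conncheck had been skipped.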