[Freeipa-users] Replica without CA: implications?

Martin Kosek mkosek at redhat.com
Wed Jun 8 10:07:24 UTC 2016 

On 06/08/2016 11:05 AM, Cal Sawyer wrote:
> 
> On 08/06/16 09:23, Martin Kosek wrote:
>> On 06/07/2016 04:10 PM, Cal Sawyer wrote:
>> ...
>>> I found that installing a replica with firewalld enabled would consistently
>>> fail
>>> during initial replication.  Disabling firewalld always allowed replication and
>>> later stages to complete
>>>
>>>         [24/38]: setting up initial replication
>>>      Starting replication, please wait until this has completed.
>>>
>>>      [ipa.localdomain.local] reports: Update failed! Status: [-1  - LDAP error:
>>>      Can't contact LDAP server]
>> This is strange. ipa-replica-install should have run the conncheck to exactly
>> prevent issues like this. Did you by any chance run ipa-replica-install with
>> --skip-conncheck option?
>>
> Yes, i did.

There you go - pure PEBKAC :-)

> Why i can't recall now but i just started using it. Once i'd
> discovered firewalld was causing the connection problem, i neglected to stop
> using it
> Of course, once a replica is installed and working, there's little cause to
> want to redo it to test conncheck's effectiveness.  Might throw together
> another, though, just to put my mind at ease

For the record, you can also run ipa-replica-conncheck outside ipa-replica-install.

> 
>>> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core)
>>> with ipa-server-4.2.0-15.0.1.el7
>>>
>>>
>>> One other thing.  if, during ipa-replica-install,+ you choose the default
>>> answer
>>> to the following:
>>>
>>> Existing BIND configuration detected, overwrite? [no]:
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Aborting
>>> installation.
>>>
>>> Not sure if that is intended?  Which BIND configuration is being detected?
>> This should be only trigged if you install replica with DNS (--setup-dns)
>>
> Sorry - yes, i did use --setup-dns .  I might have bothered to include the
> ipa-replica-install command line i used.  Still, that is what i got if i
> answered No to the question.
> Seems like it's the wrong default answer to the question in a --setup-dns
> scenario?

Yes. This means you do not want installer to modify and update named.conf for
FreeIPA, i.e. it cannot install FreeIPA DNS module and has to abort.

>>> Anyhow, up and running with 4 replicas, 2 of which will be split off to a
>>> failover instance of ESXi in the future.  When it works, it's a joy
>>>
>>> Now back to getting these Mac clients to play nicely with IPA ...
>>>
>>> thanks for the help and advice
>> Thanks for sharing the results.
>> Martin
>>
>

More information about the Freeipa-users mailing list