[Freeipa-users] Promote CA-less replica
Rob Crittenden
rcritten at redhat.com
Fri Oct 21 13:18:15 UTC 2016
James Harrison wrote:
> Hi,
> Thanks again.
>
> Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
> compilation choice stopping AD trusts from working (samba isn't using
> MIT kerberos????). We're now using CentOS 7.2.
>
> While we know the CentOS version will operate correctly, we only get to
> use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
> CentOS?
Not until RHEL 7.3 is released and rebuilt for CentOS.
rob
>
> Best regards
> James Harrison
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* James Harrison <jamesaharrisonuk at yahoo.co.uk>; Martin Babinsky
> <mbabinsk at redhat.com>; "freeipa-users at redhat.com"
> <freeipa-users at redhat.com>
> *Sent:* Wednesday, 19 October 2016, 14:28
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> James Harrison wrote:
> > Hi,
> > Martin thanks for your quick response. Based on your comments. I have
> > further questions.
> >
> > >> equal peers and can be considered masters
> >
> > 1. Is there any urgency for us to recreate a "master" server to perform
> > any "master" type functions? How do we re-attach "replicas" to this new
> > "master"?
>
> Like he said, all IPA servers are equal (some are just more equal than
> others). If you truly have a CA-less system then the only thing that
> distinguishes one master from another is the presence of the DNS
> service. From below it looks like you install DNS on all which makes
> them all masters.
>
> You can manage the replication topology using ipa-replica-manage.
>
> >
> > >> As long as the others have valid CA and server certs
> > 2. This is the install script we are using on the "replicas"
> >
> > ipa-replica-install \
> > --setup-dns --ssh-trust-dns --no-dnssec-validation \
> > -p xxxxxxxxx \
> > --admin-password=xxxxxxx \
> > --ip-address=replica_ip \
> > --no-forwarders \
> > -U --mkhomedir --log-file=freeipa_log_file $1
> >
> > 3. The $1 is the cert generated from the "master". If there's no
> > distinction between a "master" and a "replica" in a CA-less environment,
> > can a "replica" run the ipa-replica-prepare script once
> > ipa-replica-install has been successfully run?
>
> I think you mean $1 is the replica file generated from some master.
> Seeing how you generate that would tell us whether you are truly in a
> CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
> ipa-replica-prepare).
>
> To answer your question, yes. In a CA-less environment any master can
> generate a prepare file.
>
> You can add/remove connections using ipa-replica-manage. The initial
> connection is between the master that generated the prepare file and the
> host it was installed on.
>
> rob
>
>
> >
> > Thank you for any help.
> > Best regards,
> > James Harrison
> >
> > ------------------------------------------------------------------------
> > *From:* Martin Babinsky <mbabinsk at redhat.com>
> > *To:* freeipa-users at redhat.com
> > *Sent:* Wednesday, 19 October 2016, 11:01
> > *Subject:* Re: [Freeipa-users] Promote CA-less replica
> >
> > On 10/19/2016 11:35 AM, James Harrison wrote:
> >
> > Hi James,
> >
> > > Hi,
> > > We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
> > >
> > > I have some questions:
> > > 1. Does DNS replicate among other replicas if we change/add DNS records?
> > > If not, can this behaviour be changed?
> > IPA-integrated DNS stores records in the replicated LDAP subtree so any
> > added/removed DNS record will replicate to other IPA DNS servers.
> >
> > > 2. How do we promote a replica to become a master? We have not
> > > configured our servers to become a CA. Our CA is Comodo and we have
> > > configured FreeIPA to use a certificate, key and interim certificates
> > > from Comodo. using the options:
> > >
> > > --http_pkcs12=....
> > > --http_pin=....
> > > --dirsrv_pkcs12=...
> > > --dirsrv_pin=....
> > >
> > > Hope someone can help. Quite urgent.
> > >
> > The terms FreeIPA master/replica are quite arbitrary as all replicas are
> > equal peers and can be considered masters. The only notion of 'master'
> > is when you use a Dogtag CA (then one of the CA replicas is designated a
> > renewal master and does renew certificates in the topology and one is
> > CRL master generating certificate revocation lists) and/or DNSSec (then
> > one of DNS replica is designated a key master generating zone signing
> > keys and other DNS replicas pull these keys).
> >
> > As you are using CA-less replicas then there should be no loss in the
> > fact that the one designated 'master' is down (unless it was e.g. the
> > only DNS server). As long as the others have valid CA and server certs
> > they should be working just fine.
> >
> >
> >
> > You can just install a new replica in place of the master by generating
> > a replica file on another replica and supplying the required certificates
> > through options.
> >
> >
> > > Regards,
> > > James Harrison
> >
> > >
> > >
> >
> >
> > --
> > Martin^3 Babinsky
> >
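Martin's caveat above ("as long as the others have valid CA and server certs they should be working just fine") is the one thing worth checking regularly in a CA-less deployment like this one, where the HTTP and Directory Server certificates come from an external CA (Comodo here) and renewal is the administrator's job rather than IPA's. The script below is an added example, not code from this thread or from the FreeIPA project: a minimal DER walker that reads the Validity field of an X.509 certificate and reports the days remaining. It assumes nothing about FreeIPA's file layout; you pass it PEM files exported from each server (the paths are yours). The sample certificate in the block is constructed inline, an unsigned skeleton carrying only the TBSCertificate fields up to Validity, so the example runs offline; the same parser works on a real certificate because it only walks the leading fields.

```python
"""Report remaining validity of X.509 certificates (e.g. the externally issued
HTTP and Directory Server certs of a CA-less FreeIPA replica).

Added example, not FreeIPA code. Only the DER fields needed to reach
TBSCertificate.validity are decoded; signature and extensions are skipped."""
import base64
import datetime as dt
import re
import sys


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = f"{year}{text[2:]}"
    elif tag != 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                        # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    tag, validity, _ = _read_tlv(tbs, pos)    # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity field not found where expected")
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def days_remaining(der, now=None):
    """Whole days until notAfter, relative to `now` (default: current UTC time)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    _, not_after = cert_validity(der)
    return (not_after - now).days


def _tlv(tag, content):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert(not_after="261021131815Z"):
    """Constructed sample (NOT a real certificate): an unsigned skeleton with
    only the TBSCertificate fields up to Validity filled in."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                     # [0] version v3
           + _tlv(0x02, b"\x01")                               # serialNumber 1
           + _tlv(0x30, b"")                                   # signature AlgorithmIdentifier (empty)
           + _tlv(0x30, b"")                                   # issuer Name (empty)
           + _tlv(0x30, _tlv(0x17, b"161021131815Z")           # notBefore
                        + _tlv(0x17, not_after.encode())))     # notAfter
    return _tlv(0x30, _tlv(0x30, tbs))


if __name__ == "__main__":
    # Usage: python check_certs.py /path/to/http.pem /path/to/dirsrv.pem ...
    paths = sys.argv[1:]
    for path in paths:
        with open(path) as fh:
            left = days_remaining(pem_to_der(fh.read()))
        status = "EXPIRED" if left < 0 else "WARN" if left < 30 else "ok"
        print(f"{path}: {left} days remaining [{status}]")
    if not paths:
        nb, na = cert_validity(constructed_cert())
        print(f"constructed sample: valid {nb.date()} to {na.date()}")
```

Run it against the PEM form of each server's HTTP and Directory Server certificate (and the intermediate chain, which expires on its own schedule) from cron and alert on the WARN line well before the Comodo renewal window; an IPA topology where one replica's cert has lapsed behaves exactly like the "lost master" case in this thread, only with a less obvious cause.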