<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">The logs are attached here. I had a day off yesterday. <div></div><div> </div><div>Shreeraj ---------------------------------------------------------------------------------------- Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> On Thursday, February 13, 2014 6:41 AM, Rob Crittenden <rcritten@redhat.com> wrote: </div> <div class="y_msg_container">Shree wrote: > Ok, failed at the same stage, would you like the entire > /var/log/ipareplica-install.log. If yes, should I attach to the email? > > > > pa : INFO File > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", > line 614, in run_script > return_value = main_function() > > File "/usr/sbin/ipa-replica-install", line 467, in main > (CA, cs) = cainstance.install_replica_ca(config) > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > 1604, in install_replica_ca > subject_base=config.subject_base) > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > 617, in configure_instance > self.start_creation(runtime=210) > > File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", > line 358, in start_creation > method() > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line > 879, in __configure_instance > raise RuntimeError('Configuration of CA failed') > > ipa : INFO The ipa-replica-install command failed, > exception: RuntimeError: Configuration of CA failed > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > Configuration of CA failed > [<a ymailto="mailto:root@ldap2" href="mailto:root@ldap2">root@ldap2</a> ~]# > We need to see the full /var/log/ipareplica-install.log and the debug log from /var/log/pki-ca. rob > Shreeraj > ---------------------------------------------------------------------------------------- > > > Change is the only Constant ! > > > On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote: > On 02/12/2014 04:57 PM, Shree wrote: >> If there aren't any other tests to perform, can I go ahead and >> uninstall the ipa client and configure this Vm as a replica? > > Thanks for trying. At least we know that certmonger can run by itself. > When you install replica please collect all the install logs. > Is SELinux on/off? > >> Shreeraj >> ---------------------------------------------------------------------------------------- >> >> >> Change is the only Constant ! >> >> >> On Wednesday, February 12, 2014 1:40 PM, Shree >> <<a ymailto="mailto:shreerajkarulkar@yahoo.com" href="mailto:shreerajkarulkar@yahoo.com">shreerajkarulkar@yahoo.com</a>> <mailto:<a ymailto="mailto:shreerajkarulkar@yahoo.com" href="mailto:shreerajkarulkar@yahoo.com">shreerajkarulkar@yahoo.com</a>> wrote: >> "getcert list" returned a bunch of info, see below >> >> <a ymailto="mailto:root@ldap2" href="mailto:root@ldap2">root@ldap2</a> ~]# getcert list >> Number of certificates and requests being tracked: 2. >> Request ID '20140206184920': >> status: MONITORING >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB' >> CA: dogtag-ipa-retrieve-agent-submit >> issuer: CN=Certificate Authority,...................... >> ............................. >> >> Shreeraj >> ---------------------------------------------------------------------------------------- >> >> >> Change is the only Constant ! >> >> >> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> >> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote: >> On 02/12/2014 03:41 PM, Shree wrote: >>> So I uninstalled the ipa server and installed the client >>> (ipa-client-install) on the same VM pointing at the master and >>> everything seems to work OK. All the sudo rules etc. Are there any >>> tests I can do check connectivity that could be helpful before I >>> configure this as a "replica" again. >> Ask certmonger to get a certificate >> >>> >>> Shreeraj >>> ---------------------------------------------------------------------------------------- >>> >>> >>> Change is the only Constant ! >>> >>> >>> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal >>> <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote: >>> On 02/12/2014 02:09 PM, Shree wrote: >>>> Rob >>>> I really appreciate your help, please bear with me. At this point I >>>> need to take you back to my ipa-replica-install and what happened >>>> there. >>>> >>>> [1] My command: ipa-replica-install --setup-ca >>>> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck >>>> This ended with a >>>> Done configuring NTP daemon (ntpd). >>>> A CA is already configured on this system. >>>> >>>> [2] So did a pkiremove with the following command >>>> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force >>>> >>>> [3] Re ran the ipa-replica-install command in step 1 >>>> The install went a little further but ended below. >>>> >>>> Configuring directory server for the CA (pkids): Estimated time 30 >>>> seconds >>>> [1/3]: creating directory server user >>>> [2/3]: creating directory server instance >>>> [3/3]: restarting directory server >>>> Done configuring directory server for the CA (pkids). >>>> ipa : ERROR certmonger failed starting to track certificate: >>>> Command '/usr/bin/ipa-getcert start-tracking -d >>>> /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p >>>> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C >>>> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero >>>> exit status 1 >>>> Configuring certificate server (pki-cad): Estimated time 3 minutes >>>> 30 seconds >>>> [1/17]: creating certificate server user >>>> [2/17]: creating pki-ca instance >>>> [3/17]: configuring certificate server instance >>>> ipa : CRITICAL failed to configure ca instance Command >>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname >>>> ................. >>>> ........................... >>>> Your system may be partly configured. >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>> >>>> Configuration of CA failed >>>> >>>> If I skip the "--setup-ca" option then the replica gets created >>>> without any CA services. The "master" and "replica" are in sync but >>>> I am unable to run a ipa-client-install using the replica. Now I >>>> need to fix this to get a replica in place correctly. >>>> >>>> >>>> Shreeraj >>>> ---------------------------------------------------------------------------------------- >>>> >>>> >>>> >>>> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden >>>> <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: >>>> Shree wrote: >>>> > OK I thought CA is a part of IPA ? Below is from my master IPA server >>>> > >>>> > [<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>> ~]# ipactl status >>>> > Directory Service: RUNNING >>>> > KDC Service: RUNNING >>>> > KPASSWD Service: RUNNING >>>> > MEMCACHE Service: RUNNING >>>> > HTTP Service: RUNNING >>>> > CA Service: RUNNING >>>> > [<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a> <mailto:<a ymailto="mailto:root@ldap" href="mailto:root@ldap">root@ldap</a>> ~]# >>>> > >>>> > I can certainly send you a log if needed. >>>> >>>> It is part of IPA but the IPA server talks to it, not the clients >>>> directly. >>>> >>>> I can only speculate what the client is doing without seeing the log >>>> files, but I suspect both masters are in DNS and IPA is trying to >>>> enroll >>>> to the initial master which isn't available. >>>> >>>> rob >>>> >>>> > Shreeraj >>>> > >>>> ---------------------------------------------------------------------------------------- >>>> > >>>> > >>>> > Change is the only Constant ! >>>> > >>>> > >>>> > On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden >>>> > <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote: >>>> > Shree wrote: >>>> > > Peter >>>> > > Actually I mentioned earlier that my clients are in a separate >>>> VLAN and >>>> > > cannot access the master. We have made provisions for the >>>> master and the >>>> > > replica to sync by opening the needed ports in the firewall. We >>>> have >>>> > > also opened up ports between the clients and the replica. I >>>> have tested >>>> > > the connectivity for these ports. >>>> > > Perhaps you can tell me if what I am trying to achieve is even >>>> possible? >>>> > > i.e >>>> > > I seem to get stuck with making the replica with the "--setup-ca" >>>> > > option. Wthout that option I am able to create a replica and >>>> have it in >>>> > > sync with the master. However my ipa-client-install fails from >>>> clients >>>> > > as they try looking for the master for CA part of the install. >>>> > >>>> > Clients don't talk to the CA, they talk to an IPA server which >>>> talks to >>>> > the CA. >>>> > >>>> > I think we need to see /var/log/ipaclient-install.log to see what is >>>> > going on. >>>> > >>>> > rob >>>> > >>>> > > Shreeraj >>>> > > >>>> > >>>> ---------------------------------------------------------------------------------------- >>>> > > >>>> > > >>>> > > Change is the only Constant ! >>>> > > >>>> > > >>>> > > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek >>>> > > <<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a> <mailto:<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>>> wrote: >>>> > > On 11.2.2014 23:53, Shree wrote: >>>> > > >>>> > > > Following ports are opened between the >>>> > > > 1) Between the master and the replica (bi directional) >>>> > > > 2) client machine and the ipa replica (unidirectional). >>>> > > > When the replica was up it worked fine as far as syncing was >>>> > concerned. >>>> > > > >>>> > > > 80 tcp >>>> > > > 443 tcp >>>> > > > 389 tcp >>>> > > > 636 tcp >>>> > > > 88 tcp >>>> > > > 464 tcp >>>> > > > 88 udp >>>> > > > 464 udp >>>> > > > 123 udp >>>> > > > >>>> > > > Shreeraj >>>> > > > >>>> > > >>>> > >>>> ---------------------------------------------------------------------------------------- >>>> > > > >>>> > > > Change is the only Constant ! >>>> > > > >>>> > > > >>>> > > > >>>> > > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal >>>> <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> >>>> > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> >>>> > > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>> wrote: >>>> > > > >>>> > > > On 02/11/2014 05:05 PM, Shree wrote: >>>> > > > Dimitri >>>> > > >> Sorry some the mail landed in my SPAM folder. Let answer your >>>> > > questions (thanks for your help man) >>>> > > > Please republish it on the list. >>>> > > > Do not reply to me directly. >>>> > > > >>>> > > > Did you set your first server with the CA? Does all ports >>>> that need >>>> > > > to be open in the firewall between primary or server are >>>> actually >>>> > > > open? >>>> > > > >>>> > > > >>>> > > > >>>> > > >> >>>> > > >> What I have done so far is uninstalled the replica and tried to >>>> > > install it again using the "--setup-ca" option. Previously I had >>>> > > failures and when I removed the "--setup-ca" option the >>>> installation >>>> > > succeeded (in a way). I understand now that I really need to >>>> fix the CA >>>> > > installation errors first. >>>> > > >> >>>> > > >> >>>> > > >> 1)The workaround helped me go forward a bit but I got stuck >>>> at this >>>> > > point see below >>>> > > >> =========== >>>> > > >> [1/3]: creating directory server user >>>> > > >> [2/3]: creating directory server instance >>>> > > >> [3/3]: restarting directory server >>>> > > >> Done configuring directory server for the CA (pkids). >>>> > > >> ipa : ERROR certmonger failed starting to track >>>> > > certificate: Command '/usr/bin/ipa-getcert start-tracking -d >>>> > > /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p >>>> > > /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C >>>> > > /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned >>>> non-zero exit >>>> > > status 1 >>>> > > >> Configuring certificate server (pki-cad): Estimated time 3 >>>> minutes >>>> > > 30 seconds >>>> > > >> [1/17]: creating certificate server user >>>> > > >> [2/17]: creating pki-ca instance >>>> > > >> [3/17]: configuring certificate server instance >>>> > > >> ipa : CRITICAL failed to configure ca instance Command >>>> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname >>>> > > ldap2.macosforge.org -cs_port 9445 -client_certdb_dir >>>> /tmp/tmp-ipJSsT >>>> > > -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG - >>>> > > >> =========== >>>> > > >> 2) No we do not use IPA for a DNS server. >>>> > > >> >>>> > > >> >>>> > > >> 3)The reason for this could be that I had installed the replica >>>> > > without the "--setup-ca". >>>> > > >> >>>> > > >> Shreeraj >>>> > > >> >>>> > > >>>> > >>>> ---------------------------------------------------------------------------------------- >>>> > > >> >>>> > > >> >>>> > > >> >>>> > > >> Change is the only Constant ! >>>> > > >> >>>> > > >> >>>> > > >> >>>> > > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal >>>> > <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> >>>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> >>>> > > <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>>> wrote: >>>> > > >> >>>> > > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote: >>>> > > >>> Shree wrote: >>>> > > >>>> Lukas >>>> > > >>>> Perhaps I should explain the design a bit and >>>> > > > see if FreeIPA even >>>> > > >>>> supports this.Our replica is in a separate >>>> > > > network and all the >>>> > > >>>> appropriate ports are opened between the master >>>> > > > and the replica. The >>>> > > >>>> "replica" got created successfully and is in >>>> > > > sync with the master >>>> > > >>>> (except the CA services which I mentioned >>>> > > > earlier) >>>> > > >>>> Now,when I try to run ipa-client-install on >>>> > > > hosts in the new network >>>> > > >>>> using the replica, it complains that about >>>> > > > "Cannot contact any KDC for >>>> > > >>>> realm". >>>> > > >>>> I am wondering it my hosts in the new network >>>> > > > are trying to access the >>>> > > >>>> "master" for certificates since the replica >>>> > > > does not have any CA >>>> > > >>>> services running? I couldn't find any obvious >>>> > > > proof of this even running >>>> > > >>>> the install in a debug mode. Do I need to open >>>> > > > ports between the new >>>> > > >>>> hosts and the master for CA services? >>>> > > >>>> At this point I cannot disable or move the >>>> > > > master, it needs to function >>>> > > >>>> in its location but I need >>>> > > >>> >>>> > > >>> No, the clients don't directly talk to the CA. >>>> > > >>> >>>> > > >>> You'd need to look in >>>> > > > /var/log/ipaclient-install.log to see what KDC >>>> > > >>> was found and we were trying to use. If you have >>>> > > > SRV records for both >>>> > > >>> but we try to contact the hidden master this will >>>> > > > happen. You can try >>>> > > >>> specifying the server on the command-line with >>>> > > > --server but this will >>>> > > >>> be hardcoding things and make it less flexible >>>> > > > later. >>>> > > >>> >>>> > > >>> rob >>>> > > >>> >>>> > > >>>> Shreeraj >>>> > > >>>> >>>> > > > >>>> > > >>>> > >>>> ---------------------------------------------------------------------------------------- >>>> > > >>>> >>>> > > >>>> >>>> > > >>>> >>>> > > >>>> Change is the only Constant ! >>>> > > >>>> >>>> > > >>>> >>>> > > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas >>>> > > > Slebodnik >>>> > > >>>> <<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>> >>>> > <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a> <mailto:<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>>>>> wrote: >>>> > > >>>> On (06/02/14 18:33), Shree wrote: >>>> > > >>>> >>>> > > >>>>> First of all, the ipa-replica-install did >>>> > > > not allow me to use >>>> > > >>>> the --setup-ca >>>> > > >>>>> option complaining that a cert already >>>> > > > exists, replicate creation was >>>> > > >>>>> successful after I skipped the option. >>>> > > >>>>> Seems like the replica is one except >>>> > > >>>>> 1) There is no CA Service running on the >>>> > > > replica (which I guess is >>>> > > >>>> expected) >>>> > > >>>>> and >>>> > > >>>>> 2) I am unable to run ipa-client-install >>>> > > > successfully on any clients >>>> > > >>>> using >>>> > > >>>>> the replica. (I don't have the option of >>>> > > > using the primary master as >>>> > > >>>> it is >>>> > > >>>>> configured in a segregated environment. >>>> > > > Only the master and replica >>>> > > >>>> are >>>> > > >>>>> allowed to sync. >>>> > > >>>>> Debug shows it fails at >>>> > > >>>>> >>>> > > >>>>> ipa : DEBUG stderr=kinit: Cannot >>>> > > > contact any KDC for realm >>>> > > >>>> 'mydomainname.com' while getting initial >>>> > > > credentials >>>> > > >>>> >>>> > > >>>>> >>>> > > >>>>> >>>> > > >>>> >>>> > > >>>> I was not able to install replica witch CA on >>>> > > > fedora 20, >>>> > > >>>> Bug is already reported >>>> <a href="https://fedorahosted.org/pki/ticket/816" target="_blank">https://fedorahosted.org/pki/ticket/816</a> >>>> > > >>>> >>>> > > >>>> Guys from dogtag found a workaround >>>> > > >>>> <a href="https://fedorahosted.org/pki/ticket/816#comment:12" target="_blank">https://fedorahosted.org/pki/ticket/816#comment:12</a> >>>> > > >>>> >>>> > > >>>> Does it work for you? >>>> > > >>>> >>>> > > >>>> LS >>>> > > >>>> >>>> > > >>>> >>>> > > >>>> >>>> > > >>>> >>>> > > >>>> >>>> > > >>>> _______________________________________________ >>>> > > >>>> Freeipa-users mailing list >>>> > > >>>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> >>>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>>> >>>> > > >>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>>> > > >>>> >>>> > > >>> >>>> > > >>> _______________________________________________ >>>> > > >>> Freeipa-users mailing list >>>> > > >>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> >>>> > <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>>> >>>> > >>>> > > >>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>>> > > >> >>>> > > >> What server provides DNS capabilities to the clients? >>>> > > >> Do you use IPA DNS or some other DNS? >>>> > > >> Clients seem to not be able to see replica KDC and try >>>> > > > to access hidden >>>> > > >> master but they can know about this master only via DNS. >>>> > > >>>> > > >>>> > > Shree, make sure that command >>>> > > $ dig -t SRV _kerberos._udp.ipa.example >>>> > > on the client returns both IPA servers (in ANSWER section). >>>> > > >>>> > > -- >>>> > > Petr^2 Spacek >>>> > > >>>> > > >>>> > > >>>> > > >>>> > > >>>> > > _______________________________________________ >>>> > > Freeipa-users mailing list >>>> > > <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>>> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>> >>>> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>>> > > >>>> > >>>> > >>>> > >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>> I suggest that you temporarily try to install a client in place of >>> the replica and see why it does not install. >>> The log above suggests that certmonger that is a part of the replica >>> fails to connect to the first master. We need to understand the >>> reason why it fails. Then we would be able to make your replica be a CA. >>> I suspect that CA related communication between replica and master is >>> not going through for some reasons. >>> The install log would be really helpful. >>> Please see >>> <a href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting </a>to collect the right logs. >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager for IdM portfolio >>> Red Hat Inc. >>> >>> >>> ------------------------------- >>> Looking to carve out IT costs? >>> www.redhat.com/carveoutcosts/ <<a href="http://www.redhat.com/carveoutcosts/" target="_blank">http://www.redhat.com/carveoutcosts/</a>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>> >>> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ <<a href="http://www.redhat.com/carveoutcosts/" target="_blank">http://www.redhat.com/carveoutcosts/</a>> >> >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ <<a href="http://www.redhat.com/carveoutcosts/" target="_blank">http://www.redhat.com/carveoutcosts/</a>> > > > > > > > _______________________________________________ > Freeipa-users mailing list > <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > </div> </div> </div> </div> </div></body></html>