<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">Guys<br>Any word on this? New logs are attached to the email. I am still not able to add clients using the replica. Let me know if you need any other information and thanks for your help.<br><div> <br></div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <br> <br> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Tuesday, February 18, 2014 1:18 PM, Shree <shreerajkarulkar@yahoo.com> wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv7790767263"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">1) I have got a step further. My replica is not running CA Service. To achieve this I had to remove the existing cert with this command<br clear="none"><br clear="none">pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force<br clear="none"><br
clear="none">Now the replica looks like this<br clear="none"><br clear="none">skarulkar@ldap2 tmp]$ sudo ipactl status<br clear="none">[sudo] password for skarulkar:<br clear="none">Directory Service: RUNNING<br clear="none">KDC Service: RUNNING<br clear="none">KPASSWD Service: RUNNING<br clear="none">MEMCACHE Service: RUNNING<br clear="none">HTTP Service: RUNNING<br clear="none">CA Service: RUNNING<br clear="none">[skarulkar@ldap2 tmp]$<br clear="none"><br clear="none">2) I am still not able to add client using ipa-client-install using the replica.<br clear="none"><br clear="none">Logs for replica install and client install are attached.<br clear="none"><div><span><br clear="none"></span></div><div> </div><div>Shreeraj
<br clear="none">----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">Change is the only Constant !</div><div class="yiv7790767263yahoo_quoted" style="display:block;"> <br clear="none"> <br clear="none"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;"> <div class="yiv7790767263yqt0481913219" id="yiv7790767263yqt76240"><div dir="ltr"> <font face="Arial" size="2"> On Tuesday, February 18, 2014 11:31 AM, Shree <shreerajkarulkar@yahoo.com> wrote:<br clear="none"> </font> </div> <div class="yiv7790767263y_msg_container"><div id="yiv7790767263"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">Rob<br clear="none">The logs are attached in the email chain. If you need fresh ones, I can try to replicate it again.<br
clear="none"><div><span><br clear="none"></span></div><div> </div><div>Shreeraj
<br clear="none">----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">Change is the only Constant !</div><div class="yiv7790767263yqt9823558989" id="yiv7790767263yqt71406"><div class="yiv7790767263yahoo_quoted" style="display:block;"> <br clear="none"> <br clear="none"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Tuesday, February 18, 2014 11:19 AM, Rob Crittenden <rcritten@redhat.com> wrote:<br clear="none"> </font> </div> <div class="yiv7790767263y_msg_container">Shree wrote:<br clear="none">> Rob<br clear="none">> I am giving it a fresh start and I notice similar issues.<br clear="none">><br clear="none">> 1) I wasn't able to use the "--setup-ca" while running the<br clear="none">> ipa-replica-install on the replica. It stopped the install after
the<br clear="none">> ntpd step see below.<br clear="none">><br clear="none">> Done configuring NTP daemon (ntpd).<br clear="none">> A CA is already configured on this system.<br clear="none"><br clear="none">This is left over from a previous failed installation. If the CA install <br clear="none">fails early enough we don't log the fact that it was installed so the <br clear="none">uninstall doesn't clean it up.<br clear="none"><br clear="none">> 2) So I tried my install command again without the --setup-ca option. It<br clear="none">> went further although it completed it showed one error see below.<br clear="none">><br clear="none">> MY COMMAND: --> ipa-replica-install<br clear="none">> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck<br clear="none">> the skip-conncheck was needed to complete the install. Connections<br clear="none">> checks were manually done.<br clear="none">> 14/31]:
configuring lockout plugin<br clear="none">> [15/31]: creating indices<br clear="none">> [16/31]:
enabling referential integrity plugin<br clear="none">> [17/31]: configuring ssl for ds instance<br clear="none">> ipa : ERROR certmonger failed starting to track certificate:<br clear="none">> Command '/usr/bin/ipa-getcert start-tracking -d<br clear="none">> /etc/dirsrv/slapd-MYDOMAIN.COM -n Server-Cert -p<br clear="none">> /etc/dirsrv/slapd-MYDOMAIN.COM/pwdfile.txt -C<br clear="none">> /usr/lib64/ipa/certmonger/restart_dirsrv MYDOMAIN.COM' returned non-zero<br clear="none">> exit status 1<br clear="none">> [18/31]: configuring certmap.conf<br clear="none">> [19/31]: configure autobind for root<br clear="none">> .........................................<br clear="none"><br clear="none">Without logs there is no way to diagnose. This could leave you in a <br clear="none">situation where the certificate fails to renew in 2 years and IPA <br
clear="none">suddenly stops working.<br clear="none"><br clear="none">> 3) The replica installed fine I can access the same database from the<br clear="none">> replica's website.<br clear="none">><br clear="none">> 4) I cannot add new clients.<br clear="none">> MY COMMAND: --> ipa-client-install --domain=mydomain.com<br clear="none">> --server=ldap2.mydomain.com --hostname=test500.mydomain.com -d<br clear="none">><br clear="none">> ldap.mydomain.com = master<br clear="none">> ldap2.mydomain.com = replica<br clear="none"><br clear="none">No idea without seeing the logs.<div class="yiv7790767263yqt7283771377" id="yiv7790767263yqtfd87635"><br clear="none"><br clear="none">rob<br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div> </div></div> </div></div></div><br clear="none"><div class="yiv7790767263yqt9823558989"
id="yiv7790767263yqt22204"></div><br clear="none"><br clear="none"></div></div> </div> </div> </div> </div></div></div><br><br></div> </div> </div> </div> </div></body></html>