<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
For the benefit, or added confusion, of future generations, some
observations<br>
<br>
ipa-ca-install, run successful replica instantiation w/o --setup-ca
fails consistently with the errors in my orig post. Never figured
out what the script was finding that needed purging. After a
multitude of attempts (thank you, ESXi snapshots) with multiple
ipa-server-install --uninstall's , i gave up and rebuilt from the
gound up withlatest packages and --setup-ca which works great<br>
<br>
I found that installing a replica with firewalld enabled would
consistently fail during initial replication. Disabling firewalld
always allowed replication and later stages to complete<br>
<br>
<blockquote> [24/38]: setting up initial replication<br>
Starting replication, please wait until this has completed.<br>
<br>
[ipa.localdomain.local] reports: Update failed! Status: [-1 -
LDAP error: Can't contact LDAP server]<br>
</blockquote>
<br>
The first master and all replicas are all CentOS Linux release
7.2.1511 (Core) with ipa-server-4.2.0-15.0.1.el7<br>
<br>
<br>
One other thing. if, during ipa-replica-install,+ you choose the
default answer to the following: <br>
<br>
Existing BIND configuration detected, overwrite? [no]: <br>
ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting
installation.<br>
<br>
Not sure if that is intended? Which BIND configuration is being
detected?<br>
<br>
Anyhow, up and running with 4 replicas, 2 of which will be split off
to a failover instance of ESXi in the future. When it works, it's a
joy<br>
<br>
Now back to getting these Mac clients to play nicely with IPA ...<br>
<br>
thanks for the help and advice<br>
<br>
- cal<br>
<br>
<div class="moz-cite-prefix">On 02/06/16 22:27, Rob Crittenden
wrote:<br>
</div>
<blockquote cite="mid:5750A4DE.1090206@redhat.com" type="cite">Cal
Sawyer wrote:
<br>
<blockquote type="cite">Apologies for the lengthy pause in getting
back onto this. I ended up
<br>
destroying the replica and reprovisioning frmm scratch, but the
replica
<br>
still lists as being CA-less.
<br>
<br>
Is what i'm seeing normal? Would this 2-node setup in this
state
<br>
survive failure of the master?
<br>
</blockquote>
<br>
It will until the certificates start expiring. You want at least 2
CA's to avoid a single point of failure situation.
<br>
<br>
<blockquote type="cite">
<br>
-----------------
<br>
<br>
ON MASTER ipa.localdomain.local
<br>
<br>
# ipa-replica-manage list
<br>
<br>
ipa2.localdomain.local: master
<br>
ipa.localdomain.local: master
<br>
<br>
# ipa-csreplica-manage list
<br>
<br>
>> ipa2.localdomain.local: CA not configured
<br>
ipa.localdomain.local: master
<br>
<br>
<br>
------------------
<br>
<br>
ON REPLICA ipa2.localdomain.local
<br>
<br>
# ipa-ca-install
<br>
Directory Manager (existing master) password:
<br>
<br>
>> CA is already installed.
<br>
<br>
ok ....
<br>
<br>
# ipa-ca-install -d
<br>
<br>
<snip loading/importing>
<br>
<br>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
<br>
context.ldap2_73731152
<br>
ipa.ipalib.plugins.config.config_show: DEBUG raw:
<br>
config_show(version=u'2.156')
<br>
ipa.ipalib.plugins.config.config_show: DEBUG
config_show(rights=False,
<br>
all=False, raw=False, version=u'2.156')
<br>
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema
for
<br>
SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket
<br>
conn=<ldap.ldapobject.SimpleLDAPObject instance at
0x4516ea8>
<br>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw:
<br>
ca_is_enabled(version=u'2.156')
<br>
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG
<br>
ca_is_enabled(version=u'2.156')
<br>
ipa : DEBUG File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
<br>
line 732, in run_script
<br>
return_value = main_function()
<br>
<br>
File "/usr/sbin/ipa-ca-install", line 204, in main
<br>
install_master(safe_options, options)
<br>
<br>
File "/usr/sbin/ipa-ca-install", line 191, in install_master
<br>
ca.install_check(True, None, options)
<br>
<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
<br>
49, in install_check
<br>
sys.exit("CA is already installed.\n")
<br>
<br>
ipa : DEBUG The ipa-ca-install command failed,
exception:
<br>
SystemExit: CA is already installed.
<br>
<br>
>> CA is already installed.
<br>
</blockquote>
<br>
It detects whether a CA is installed by the existence of something
like /var/lib/pki-tomcat/ca. You can use pkidestroy to remove any
remnants that might be left over from some previous failed
install.
<br>
<br>
Or it could be that something wasn't updated properly in LDAP and
there actually is a working CA. You might try manually starting
the CA to see if it comes up, and/or run ipa-csreplica-manage to
see if there are any working agreements.
<br>
<br>
rob
<br>
<br>
<br>
<blockquote type="cite">
<br>
<br>
<br>
<br>
thanks
<br>
<br>
- cal sawyer
<br>
<br>
<br>
<br>
On 09/03/16 16:13, Simo Sorce wrote:
<br>
<blockquote type="cite">On Wed, 2016-03-09 at 15:59 +0000, Cal
Sawyer wrote:
<br>
<blockquote type="cite">Hi
<br>
<br>
Somehow i picked the wrong cookbook when i provisioned my
first (and
<br>
only) replica and it lacks CA aso, as pointed out in a
recent thread,
<br>
creates a single point of failure. Not ready to set up more
2 replicas
<br>
yet and am still in testing. Is it possible to replicate
the master's
<br>
CA to the replica without destroying and reprovisioning with
--setup-ca
<br>
this time?
<br>
</blockquote>
Use ipa-ca-install on the replica.
<br>
<br>
Simo.
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>