<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mv="http://macVmlSchemaUri" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Title" content=""> <meta name="Keywords" content=""> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body bgcolor="white" lang="EN-US" link="blue" vlink="purple"> <div class="WordSection1"> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">This advice has gotten me much further, thanks. We didn't have an HBAC rule for admin and, now with it in place, connection checks and other commands appear to be working that haven't worked before. I'm still getting caught on the CA portion of the replica installation. Confoundingly, neither the ipa-replica-install or ipa-ca-install commands will complete (the former with the —setup-ca option), the latter producing this output in the last few lines of pareplica-ca-install.log:<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG Checking if IPA schema is present in ldap://ipa-replica.example.com:7389<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa-replica.example.com:7389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2ecf710><o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG Check OK<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG Destroyed connection context.ldap2_50387920<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> return_value = main_function()<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> File "/usr/sbin/ipa-ca-install", line 202, in main<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> install_replica(safe_options, options, filename)<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> File "/usr/sbin/ipa-ca-install", line 150, in install_replica<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> ca.install(True, config, options)<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> install_step_0(standalone, replica_config, options)<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> ra_p12=getattr(options, 'ra_p12', None))<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1530, in install_replica_ca<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"> sys.exit("A CA is already configured on this system.")<o:p></o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:Calibri">2016-06-07T12:44:32Z DEBUG The ipa-ca-install command failed, exception: SystemExit: A CA is already configured on this system.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">This occurs when I run either the replica or ca installer commands a second time.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Best regards,<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Dan<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <div> <p class="MsoNormal" style="text-autospace:none"><a href="http://www.high5games.com/"><span style="font-size:18.0pt;text-decoration:none"><img border="0" width="220" height="50" id="_x0000_i1025" src="cid:image001.jpg@01D1C09A.0E1C0930"></span></a><span style="font-size:15.0pt;font-family:Calibri"><o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:Calibri">Daniel Alex Finkelstein</span></b><span style="font-family:Calibri">| Senior Dev Ops Engineer<o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><u><span style="font-family:Calibri;color:blue"><a href="mailto:Dan.Finkelstein@h5g.com">Dan.Finkelstein@h5g.com</a></span></u><span style="font-family:Calibri"> | 212.604.3447</span><span style="font-size:15.0pt;font-family:Calibri"><o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Calibri">One World Trade Center, New York, NY 10007<o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Calibri"><a href="http://www.high5games.com/">www.high5games.com</a><o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Calibri">Play <a href="https://apps.facebook.com/highfivecasino/">High 5 Casino</a> and <a href="https://apps.facebook.com/shakethesky/"> Shake the Sky</a><o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Calibri">Follow us on: <a href="http://www.facebook.com/high5games">Facebook</a>, <a href="https://twitter.com/High5Games">Twitter</a>, <a href="http://www.youtube.com/High5Games">YouTube</a>, <a href="http://www.linkedin.com/company/1072533?trk=tyah">Linkedin</a><o:p></o:p></span></p> <p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:Calibri"><o:p> </o:p></span></i></p> </div> <p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:Calibri">This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.</span></i><span style="font-size:11.0pt;font-family:Calibri"><o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span> </b><span style="font-family:Calibri;color:black">Rob Crittenden <rcritten@redhat.com><br> <b>Date: </b>Monday, June 6, 2016 at 18:08<br> <b>To: </b>Daniel Finkestein <Dan.Finkelstein@high5games.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com><br> <b>Subject: </b>Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <div> <div> <p class="MsoNormal"><a href="mailto:Dan.Finkelstein@high5games.com">Dan.Finkelstein@high5games.com</a> wrote:<o:p></o:p></p> </div> <blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"> <div> <p class="MsoNormal">By the way, I want to mention the conncheck: if I don't skip it, it<o:p></o:p></p> </div> <div> <p class="MsoNormal">tries to ssh into the master IPA instance as 'admin@<domain>', rather<o:p></o:p></p> </div> <div> <p class="MsoNormal">than the user (root), and fails. All other parts of the connectivity<o:p></o:p></p> </div> <div> <p class="MsoNormal">check work, however. Why does it try to access the master as a Kerberos<o:p></o:p></p> </div> <div> <p class="MsoNormal">principal instead of the process user?<o:p></o:p></p> </div> </blockquote> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Because the remote master, being an IPA server, should have an admin <o:p></o:p></p> </div> <div> <p class="MsoNormal">account, so it's a known. root over ssh is not allowed in some environments.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">There is a ticket open to be able to set the login to be used, right now <o:p></o:p></p> </div> <div> <p class="MsoNormal">admin is hardcoded.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">As for the install failure you should now have the appropriate logs to <o:p></o:p></p> </div> <div> <p class="MsoNormal">start diagnosing what was going on in /var/log/pki.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">rob<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Thanks,<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Dan<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><<a href="http://www.high5games.com/">http://www.high5games.com/</a>><o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">*Daniel Alex Finkelstein*| Senior Dev Ops Engineer<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><a href="mailto:_Dan.Finkelstein@h5g.com">_Dan.Finkelstein@h5g.com</a> <<a href="mailto:Dan.Finkelstein@h5g.com%3E_|">mailto:Dan.Finkelstein@h5g.com>_|</a> 212.604.3447<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">One World Trade Center, New York, NY 10007<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">www.high5games.com <<a href="http://www.high5games.com/">http://www.high5games.com/</a>><o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Play High 5 Casino <<a href="https://apps.facebook.com/highfivecasino/">https://apps.facebook.com/highfivecasino/</a>> and Shake<o:p></o:p></p> </div> <div> <p class="MsoNormal">the Sky <<a href="https://apps.facebook.com/shakethesky/">https://apps.facebook.com/shakethesky/</a>><o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Follow us on: Facebook <<a href="http://www.facebook.com/high5games">http://www.facebook.com/high5games</a>>, Twitter<o:p></o:p></p> </div> <div> <p class="MsoNormal"><<a href="https://twitter.com/High5Games">https://twitter.com/High5Games</a>>, YouTube<o:p></o:p></p> </div> <div> <p class="MsoNormal"><<a href="http://www.youtube.com/High5Games">http://www.youtube.com/High5Games</a>>, Linkedin<o:p></o:p></p> </div> <div> <p class="MsoNormal"><<a href="http://www.linkedin.com/company/1072533?trk=tyah">http://www.linkedin.com/company/1072533?trk=tyah</a>><o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">//<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">/This message and any attachments may contain confidential or privileged<o:p></o:p></p> </div> <div> <p class="MsoNormal">information and are only for the use of the intended recipient of this<o:p></o:p></p> </div> <div> <p class="MsoNormal">message. If you are not the intended recipient, please notify the sender<o:p></o:p></p> </div> <div> <p class="MsoNormal">by return email, and delete or destroy this and all copies of this<o:p></o:p></p> </div> <div> <p class="MsoNormal">message and all attachments. Any unauthorized disclosure, use,<o:p></o:p></p> </div> <div> <p class="MsoNormal">distribution, or reproduction of this message or any attachments is<o:p></o:p></p> </div> <div> <p class="MsoNormal">prohibited and may be unlawful./<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">*From: *Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><o:p></o:p></p> </div> <div> <p class="MsoNormal">*Date: *Monday, June 6, 2016 at 11:44<o:p></o:p></p> </div> <div> <p class="MsoNormal">*To: *Daniel Finkestein <<a href="mailto:Dan.Finkelstein@high5games.com">Dan.Finkelstein@high5games.com</a>>,<o:p></o:p></p> </div> <div> <p class="MsoNormal">"<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><o:p></o:p></p> </div> <div> <p class="MsoNormal">*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of<o:p></o:p></p> </div> <div> <p class="MsoNormal">FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,<o:p></o:p></p> </div> <div> <p class="MsoNormal">cannot promote to master<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Skipping the conncheck can mask odd problems and should be used sparingly.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">rob<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> </blockquote> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> </div> </div> </div> </body> </html>