<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1477033626768_14188">Hello all, </div><div id="yui_3_16_0_ym19_1_1477033626768_14184">That is really good to know. Thank you for helping me out with this.</div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1477033626768_13876"><div id="yui_3_16_0_ym19_1_1477033626768_14065"> </div><div id="yui_3_16_0_ym19_1_1477033626768_14063">James </div> </div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1477033626768_13991" style="display: block;"> <div style="font-family: verdana, helvetica, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1477033626768_13990"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1477033626768_13989"> <div dir="ltr" id="yui_3_16_0_ym19_1_1477033626768_13988"> <hr id="yui_3_16_0_ym19_1_1477033626768_14153" size="1"> From: Rob Crittenden <rcritten@redhat.com> To: "jamesaharrisonuk@yahoo.co.uk" <jamesaharrisonuk@yahoo.co.uk>; Martin Babinsky <mbabinsk@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> Sent: Friday, 21 October 2016, 14:18 Subject: Re: [Freeipa-users] Promote CA-less replica </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1477033626768_13993"> James Harrison wrote: > Hi, > Thanks again. > > Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba > compilation choice stopping AD trusts from working (samba isn't using > MIT kerberos????). We're now using CentOS 7.2. > > While we know the CentOS version will operate correctly, we only get to > use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for > CentOS? Not until RHEL 7.3 is released and rebuilt for CentOS. rob > > Best regards > James Harrison > ------------------------------------------------------------------------ > *From:* Rob Crittenden <<a shape="rect" ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> > *To:* James Harrison <<a shape="rect" ymailto="mailto:jamesaharrisonuk@yahoo.co.uk" href="mailto:jamesaharrisonuk@yahoo.co.uk">jamesaharrisonuk@yahoo.co.uk</a>>; Martin Babinsky > <<a shape="rect" ymailto="mailto:mbabinsk@redhat.com" href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a>>; "<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" > <<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > *Sent:* Wednesday, 19 October 2016, 14:28 > *Subject:* Re: [Freeipa-users] Promote CA-less replica > > James Harrison wrote: > > Hi, > > Martin thanks for your quick response. Based on your comments. I have > > further questions. > > > > >> equal peers and can be considered masters > > > > 1. If there any urgency for us to recreate a "master" server to perform > > any "master" type functions? How do we re-attach "replicas" to this new > > "master"? > > Like he said, all IPA servers are equal (some are just more equal than > others). If you truly have a CA-less system the the only thing that > distinguishes one master from another is the presence of the DNS > service. From below it looks like you install DNS on all which makes > them all masters. > > You can manage the replication topology using ipa-replica-manage. > > > > > >> As long as the others have valid CA and server certs > > 2. This is the install script we are using on the "replicas" > > > > ipa-replica-install \ > > --setup-dns --ssh-trust-dns --no-dnssec-validation \ > > -p xxxxxxxxx \ > > --admin-password=xxxxxxx \ > > --ip-address=replica_ip \ > > --no-forwarders \ > > -U --mkhomedir --log-file=freeipa_log_file $1 > > > > 3. The $1 is the cert generated from the "master". If theres no > > distinction between a "master" and a "replica" in a CA-less environment, > > can a "replica" run the ipa-replica-prepare script once > > ipa-replica-install has been successfully run? > > I think you mean $1 is the replica file generated from some master. > Seeing how you generate that would tell us whether you are truly in a > CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to > ipa-replica-prepare). > > To answer your question, yes. In a CA-less environment any master can > generate a prepare file. > > You can add/remove connections using ipa-replica-manage. The initial > connection is between the master that generated the prepare file and the > host it was installed on. > > rob > > > > > > Thank you for any help. > > Best regards, > > James Harrison > > > > ------------------------------------------------------------------------ > > *From:* Martin Babinsky <<a shape="rect" ymailto="mailto:mbabinsk@redhat.com" href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a> <javascript:return>> > > *To:* <a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <javascript:return><div class="yqt2176529836" id="yqtfd23958"> > > *Sent:* Wednesday, 19 October 2016, 11:01 > > *Subject:* Re: [Freeipa-users] Promote CA-less replica > > > > On 10/19/2016 11:35 AM, James Harrison wrote: > > > > Hi James, > > > > > Hi, > > > Were using FreeIPA on Ubuntu Xenial. We lost the Master server. > > > > > > I have some questions: > > > 1. Do DNS replicate among other replicas is we change/add DNS records? > > > If not can this behaviour be changed? > > IPA-intergrated DNS stores records in the replicated LDAP subtree so any > > added/removed DNS record will replicate to other IPA DNS servers. > > > > > 2. How do we promote a replica to become a master? We have not > > > configured our servers to become a CA. Our CA is Comodo and we have > > > configured FreeIPA to use a certificate, key and interim certificates > > > from Comodo. using the options: > > > > > > --http_pkcs12=.... > > > --http_pin=.... > > > --dirsrv_pkcs12=... > > > --dirsrv_pin=.... > > > > > > Hope someone can help. Quite urgent. > > > > > The terms FreeIPA master/replica are quite arbitrary as all replicas are > > equal peers and can be considered masters. The only notion of 'master' > > is when you use a Dogtag CA (then one of the CA replicas is designated a > > renewal master and does renew certificates in the topology and one is > > CRL master generating certificate revocation lists) and/or DNSSec (then > > one of DNS replica is designated a key master generating zone signing > > keys and other DNS replicas pull these keys). > > > > As you are using CA-less replicas then there should be no loss in the > > fact that the one designated 'master' is down (unless it was e.g. the > > only DNS server). As long as the others have valid CA and server certs > > they should be working just fine. > > > > > > > > You can just install a new replica in place of the master by generating > > replica file on another replicaa nd supplying the required certificates > > through options. > > > > > > > Regards, > > > James Harrison > > > > > > > > > > > > > > -- > > Martin^3 Babinsky > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > <a shape="rect" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > Go to <a shape="rect" href="http://freeipa.org/" target="_blank">http://freeipa.org</a> > <<a shape="rect" href="http://freeipa.org/" target="_blank">http://freeipa.org/</a>><<a shape="rect" href="http://freeipa.org/" target="_blank">http://freeipa.org/</a>>for more info on the project > > > > > > > > > > > > > </div> </div> </div> </div> </div></div></body></html>