First glance on the packages built from today's tree reveal the
Having PTR sync enabled in global DNS configuration and installing
client with --enable-dns-updates option, ipa master still does not
create a PTR record for the client machine. As a result,
ipa-repolica-install throws the following error:
ipa : ERROR Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS
directly and ignores /etc/hosts.)
When corresponding PTR record is created manually, ipa-replica-install
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR no matching
The same error was catched by Jan Pazdziora (current discussion in #ipa
On 08/26/2015 11:27 PM, Simo Sorce wrote:
This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
This work requires the custodia project to securely transfer keys
between ipa servers.
This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.
However it is massive enough that warrants review and pushing, the resat
of the changes can be applied later as this work should not disrupt the
classic install methods.
In order to build my previous patches (530-533) are needed as well as a
number of updated components.
I used the following coprs for testing:
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 126.96.36.199)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
fedora/updates-testing (python-gssapi 1.1.2)
Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 188.8.131.52 when
it will be released.
We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some case (re-install of a
The domain must be raised to level 1 in order to use replica promotion.
In order to promote a replica the server must be first joined as a
regular client to the domain.
This is the flow I usually use for testing:
# kinit admin
# ipa-replica-install --promote --setup-ca
<perform operations like add user, get keytabs, get certificates,
These patches are also available in this git tree rebnase on current
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code