URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
@simo5, it turns out the request fails not on the replica, but on the initial 
master, so it's actually `ipa-server-install` which is broken - if you install 
server from current master and replica from this PR it works fine. Steps to 
server# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' 
| xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
server# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
server# ipa-server-install -n abc.idm.lab.eng.brq.redhat.com -r 
ABC.IDM.LAB.ENG.BRQ.REDHAT.COM -p blablabla -a blablabla -U
replica# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' 
| xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
replica# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
replica# ipa-replica-install -n abc.idm.lab.eng.brq.redhat.com --server 
vm-226.abc.idm.lab.eng.brq.redhat.com -P admin -p blablabla

Note that you won't actually be able to do the above, as the 
`ipa-server-install` step will fail with:
Restarting the KDC
Please add records in this file to your DNS system: 
Unable to set admin password Command '/usr/bin/ldappasswd -h 
vm-226.abc.idm.lab.eng.brq.redhat.com -ZZ -x -D cn=Directory Manager -y 
/var/lib/ipa/tmpKyxwZX -T /var/lib/ipa/tmpMY13CP 
 returned non-zero exit status 1
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Skip vm-226.abc.idm.lab.eng.brq.redhat.com: cannot verify if this is an IPA 
Failed to verify that vm-226.abc.idm.lab.eng.brq.redhat.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to 
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for 
more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    
Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The 
ipa-server-install command failed. See /var/log/ipaserver-install.log for more 
This does not happen with current master.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to