Satish Patel via FreeIPA-users wrote:
> Thank you Fraser,
>
> Why not throw a warning before it starts running ipa-replica-install (I
> would say put human interaction there, and without that it won't let
> you move forward)
>
> something like the following example:
>
> WARNING!!!!!!! you are running a single CA Master, Do you want to
> install CA Replica on this server [Yes/No]:
>
> Not seeing any point in it reminding you at the end, and then you have to
> re-install again with --setup-ca

You can run ipa-ca-install at any time to add a CA to an existing master.

rob

> This is just me feeling that way because I went through this pain :(
> and had lots of alcohol to wash that pain away :)
>
> On Mon, Sep 30, 2019 at 9:09 PM Fraser Tweedale <[email protected]> wrote:
>>
>> On Mon, Sep 30, 2019 at 10:20:16AM -0400, Satish Patel via FreeIPA-users wrote:
>>> Stuart,
>>>
>>> All I would say is please run multiple CA servers in your ldap
>>> infrastructure, otherwise you will be in very big trouble like I was
>>> in. I had no idea about the role of the CA and was running a single CA, which we
>>> lost, and then we were totally screwed and weren't able to create any replica
>>> or anything; a total dead end.
>>>
>>> The FreeIPA documentation is really huge and sometimes you get lost about what
>>> components are mandatory. No blaming anyone, but that is how I felt. I
>>> wish they would add this CA verification feature to the "ipa-replica-install"
>>> command, which won't let you move forward until you have a minimum of two CAs
>>> (and force you to use the --setup-ca option).
>>>
>> We now have a warning at the end of ipa-replica-install if there is only
>> one CA replica in the topology.
>>
>> The freeipa-healthcheck project will also analyse the topology and
>> warn of insufficient redundancy of CA/KRA, DNS, etc.
>>
>> Cheers,
>> Fraser
>>
>>> On Mon, Sep 30, 2019 at 12:35 AM Fraser Tweedale via FreeIPA-users
>>> <[email protected]> wrote:
>>>>
>>>> Hi Stuart,
>>>>
>>>> Adding the freeipa-users@ mailing list for visibility.
>>>>
>>>> I'd have to work through your scenario to work out why it fails.
>>>> But it may be some time before I get around to that.
>>>>
>>>> I think your idea to first try creating a CA replica on F28 before
>>>> moving forward to F30 is a sensible thing to try.
>>>>
>>>> One question though: are you on Domain Level 0 or 1?
>>>> (`ipa domainlevel-get`).
>>>>
>>>> Cheers,
>>>> Fraser
>>>>
>>>> On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:
>>>>> Dear Fraser,
>>>>>
>>>>> I've read through lots of posts but I am uncertain about the best way
>>>>> forward and wonder if I could seek your guidance? I just don't want to
>>>>> break things.
>>>>>
>>>>> Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need
>>>>> updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30
>>>>> server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION:
>>>>> 2.233.
>>>>>
>>>>> The reason for adding a new server before updating the others is the web
>>>>> interface warning:
>>>>>
>>>>> Warning: Only One CA Server Detected
>>>>> It is strongly recommended to keep the CA services installed on
>>>>> more than one server
>>>>>
>>>>> which I fully understand is not good, but it doesn't offer to just fix it!
>>>>>
>>>>> I suspect server #4 may be too new, failing with both
>>>>>
>>>>> ipa-replica-install --setup-ca
>>>>>
>>>>> and
>>>>>
>>>>> ipa-ca-install
>>>>>
>>>>> in a very similar way, e.g.
>>>>>
>>>>> 2019-09-26T16:18:15Z ERROR Unable to log in as
>>>>> uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on
>>>>> ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>>>>> 2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
>>>>>   File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
>>>>>     run_step(full_msg, method)
>>>>>   File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
>>>>>     method()
>>>>>   File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
>>>>>     self.admin_dn, master_conn
>>>>> ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not
>>>>> replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>>>>>
>>>>> 2019-09-26T16:18:15Z DEBUG [error] NotFound:
>>>>> uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not
>>>>> replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>>>>>
>>>>> which I think others have also run into.
>>>>>
>>>>> Next thought was to confirm what we had:
>>>>>
>>>>> [root@freeipa01 ~]# ipa server-find
>>>>> ---------------------
>>>>> 4 IPA servers matched
>>>>> ---------------------
>>>>>   Server name: freeipa01.services.nsa.stats.ox.ac.uk
>>>>> F26
>>>>>
>>>>>   Server name: freeipa02.services.nsa.stats.ox.ac.uk
>>>>> F26
>>>>>
>>>>>   Server name: freeipa03.services.nsa.stats.ox.ac.uk
>>>>> F26
>>>>>
>>>>>   Server name: freeipa04.services.nsa.stats.ox.ac.uk
>>>>> F30
>>>>> ----------------------------
>>>>> Number of entries returned 4
>>>>> ----------------------------
>>>>>
>>>>> [root@freeipa01 ~]# ipa server-role-find --role "CA server"
>>>>> ----------------------
>>>>> 4 server roles matched
>>>>> ----------------------
>>>>>   Server name: freeipa01.services.nsa.stats.ox.ac.uk
>>>>>   Role name: CA server
>>>>>   Role status: enabled
>>>>>
>>>>>   Server name: freeipa02.services.nsa.stats.ox.ac.uk
>>>>>   Role name: CA server
>>>>>   Role status: absent
>>>>>
>>>>>   Server name: freeipa03.services.nsa.stats.ox.ac.uk
>>>>>   Role name: CA server
>>>>>   Role status: absent
>>>>>
>>>>>   Server name: freeipa04.services.nsa.stats.ox.ac.uk
>>>>>   Role name: CA server
>>>>>   Role status: absent
>>>>> ----------------------------
>>>>> Number of entries returned 4
>>>>> ----------------------------
>>>>>
>>>>> and then find out how to change the "Role status:" to enabled, starting on
>>>>> freeipa02, but I am not sure how to achieve this, e.g.
>>>>>
>>>>> [root@freeipa02 ~]# ipa-ca-install
>>>>> CA is already installed on this host.
>>>>>
>>>>> true, but doesn't really help. Sorry if this is very easy to do with a
>>>>> command I have totally missed.
>>>>>
>>>>> Currently I know if freeipa01 fails, client logins also fail, and I assume
>>>>> this is because it is the only CA server enabled.
>>>>>
>>>>> Work plan:
>>>>>
>>>>> 1. Enable more CA servers
>>>>>
>>>>> 2. Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too
>>>>> far at once, probably updating servers #2, then #3 and finally #1.
>>>>>
>>>>> 3. Add more servers for resiliency
>>>>>
>>>>> Any idea how to get more CA servers enabled or any other suggestions?
>>>>>
>>>>> Many thanks
>>>>>
>>>>> Best wishes
>>>>>
>>>>> Stuart
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- [email protected]
>>>> To unsubscribe send an email to [email protected]
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/[email protected]
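Added example, not from the thread or the FreeIPA project: a small POSIX shell check in the spirit of the freeipa-healthcheck redundancy warning Fraser mentions. It parses the output of `ipa server-role-find --role "CA server"`, counts the entries whose role status is enabled, and warns when fewer than two servers carry the CA role, which is exactly the single-CA situation Stuart and Satish describe. The listing embedded below is constructed (modelled on the one Stuart posted, same hostnames); the function names and the `IPA_LIVE` switch are my own assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): warn when fewer than two servers
# have the "CA server" role enabled, based on `ipa server-role-find` output.

# Constructed sample listing, modelled on the one Stuart posted in the thread.
SAMPLE_LISTING='----------------------
4 server roles matched
----------------------
  Server name: freeipa01.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent

  Server name: freeipa03.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent

  Server name: freeipa04.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 4
----------------------------'

# count_enabled_ca: read a role listing on stdin, print how many entries are "enabled".
count_enabled_ca() {
    awk '/Role status: enabled/ { n++ } END { print n + 0 }'
}

# list_enabled_ca: read a role listing on stdin, print the hostname of each
# entry whose role status is "enabled" (the hostname is the third field of
# the "Server name:" line that precedes it).
list_enabled_ca() {
    awk '/Server name:/ { host = $3 } /Role status: enabled/ { print host }'
}

# ca_redundancy_check LISTING [MIN]: return 0 when at least MIN (default 2)
# CA servers are enabled; otherwise print a warning to stderr and return 1.
ca_redundancy_check() {
    listing=$1
    min=${2:-2}
    n=$(printf '%s\n' "$listing" | count_enabled_ca)
    if [ "$n" -lt "$min" ]; then
        enabled=$(printf '%s\n' "$listing" | list_enabled_ca | tr '\n' ' ')
        printf 'WARNING: only %s CA server(s) enabled (minimum %s): %s\n' \
            "$n" "$min" "$enabled" >&2
        return 1
    fi
    printf 'OK: %s CA server(s) enabled\n' "$n"
    return 0
}

# Usage: with IPA_LIVE=1 (and a valid admin Kerberos ticket) the real command
# is queried; otherwise the constructed sample above is checked.
if [ "${IPA_LIVE:-0}" = 1 ]; then
    LISTING=$(ipa server-role-find --role "CA server")
else
    LISTING=$SAMPLE_LISTING
fi
ca_redundancy_check "$LISTING" ||
    echo "Add a CA to another master with ipa-ca-install (see Rob's reply above)." >&2
```

Run against the sample it prints the warning with only freeipa01 listed; once a second master gets a CA via ipa-ca-install, the same check passes, so it can sit in a cron job or monitoring probe as an early warning that the topology has dropped back to a single CA.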
