On 6/20/20 9:59 PM, Auerbach, Steven via FreeIPA-users wrote:
I have finally been able to create an RHEL7/IPAv4 server using ipa-replica-prepare on a RHEL6/IPA v3 server (ipa01)(added the needed schema) and running ipa-replica-install on the RHEL7/IPAv4 server (ipa03).  I followed a number of steps to stop CA and CA Renewal on ipa01 and make ipa03 the CA and CA Renewal master as well as the DNS master.  I then created another RHEL7 server (ipa04) and ran the ipa-replica-prepare on ipa03 and ran ipa-replica-install in ipa04.

In the IPA Administrative GUI I am exploring the topology because I need to ultimately get rid of ipa01 and ipa-r02 - both RHEL6/IPAv3 servers. I have 2 suffixes: ca and domain.

The four servers show up in the IPA Servers pane.  Only ipa03 and ipa04 have Managed Suffixes.  Both have domain and ca. Both have Min Domain Level 0 and Max Domain Level 1.  Is this as it should be?

Hi,

The domain level is explained in "Displaying and raising the domain level" [1]. Domain-level 1 was introduced in IPA 4.3 and adds:
- replica promotion
- topology management plugin

As ipa01 and ipa-r02 are IPAv3 servers, it's expected that they don't show max domain level 1.

Server Roles pane shows that ipa01, ipa03, and ipa04 are CA servers. Eventually I need to remove ipa01.  DNS servers are only ipa03 and ipa04. This is okay, I think.

Domain Level pane show Level 0

Topology Graph pane says “Managed topology requires minimum level 1”. The Add and Delete buttons are greyed out.
As 2 nodes out of 4 are IPAv3, they are at domain level 0 and prevent the topology from moving to domain level 1. When they are removed from the topology you will be able to raise the domain level, if you want to benefit from domain-level 1 features, using ipa domainlevel-set 1.


IPA Locations pane has No entries.

When I tried to run ipa-server-install --uninstall -U on ipa-r02 I received a number of errors:

Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
ipa         : ERROR    Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
# getcert list
These may be untracked by executing
# getcert stop-tracking -i <request_id>
for each id in: 20150127222017

In the CLI on ipa03, when I ran “ipa-replica-manage list” the result was: ipa01: master, ipa-r02: master, ipa03: master, ipa04: master.

In the CLI on ipa03, when I ran “ipa-csreplica-manage list” the result was: ipa01: master, ipa-r02: CA not configured, ipa03: master, ipa04: master.

So ipa-r02 still shows up... How do I clean this up properly in the system? And how do I properly remove ipa01 when the time comes?

On domain-level 0, the tool to manage replicas is ipa-replica-manage [2]. In order to completely remove a server, you can use
ipa-replica-manage del <server> --force --cleanup

As a reminder, the supported method to remove a server in domain-level 0 is described in "Removing a replica" [3] and involves:
- (on another server) ipa-replica-manage del <server>
- (on another server) ipa-csreplica-manage del <server>
- (on the server to be removed) ipa-server-install --uninstall -U

All the documentation I find refers to replicas.  It seems I do not have any replicas, I have all masters.
You can find more explanation in "IdM terminology" [4] but there is no functional difference between a master and a replica.

Hope this clarifies,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/domain-level

[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-topology-old

[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-topology-old#removing-replica-old

[4] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/planning_identity_management/overview-of-planning-for-identity-management-and-access-control-planning-dns-and-host-names#IdM_terminology_overview-of-planning-idm-and-access-control

There is something fundamental I continue to miss in administering this environment.

Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street
Tallahassee, Florida 32399
(850) 245-9592
www.flbog.edu
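The removal sequence flo lays out above for a domain-level-0 topology (ipa-replica-manage del on another master, ipa-csreplica-manage del only when the server actually holds a CA, ipa-server-install --uninstall -U on the server itself, then getcert stop-tracking for anything certmonger still tracks), as an added worked example that is not part of the original thread and not FreeIPA's own code: a bash helper that parses captured output of the list commands and prints the commands to review, instead of running them against the topology. The listings reuse the hostnames and the "CA not configured" state from the thread; the second getcert request ID and the "gone" argument for a server that was already uninstalled (as ipa-r02 was) are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: plan the removal of a server from a domain-level-0 IdM
# topology. Nothing here talks to IPA; it parses captured command output
# and prints the commands an admin would review, then run by hand.

# Constructed sample output, abbreviated hostnames as quoted in the thread.
REPLICA_LIST='ipa01: master
ipa-r02: master
ipa03: master
ipa04: master'

CSREPLICA_LIST='ipa01: master
ipa-r02: CA not configured
ipa03: master
ipa04: master'

# Constructed excerpt of `getcert list` as run on the server being removed
# (the first ID is from the thread, the second is an assumption).
GETCERT_LIST="Number of certificates and requests being tracked: 2.
Request ID '20150127222017':
	status: MONITORING
	stuck: no
Request ID '20150127222105':
	status: MONITORING
	stuck: no"

# role_of SERVER LISTING -> the role text after "SERVER: ", or "absent"
# when the server does not appear in that suffix's listing.
role_of() {
    local server=$1 listing=$2 role
    role=$(printf '%s\n' "$listing" | awk -v s="$server" -F': ' '$1 == s { print $2 }')
    printf '%s\n' "${role:-absent}"
}

# ca_step_needed SERVER -> true only if the server is a master in the CA
# suffix; "CA not configured" (ipa-r02's case) or absent means skip it.
ca_step_needed() {
    [ "$(role_of "$1" "$CSREPLICA_LIST")" = "master" ]
}

# certmonger_ids LISTING -> request IDs certmonger still tracks, one per line.
certmonger_ids() {
    printf '%s\n' "$1" | sed -n "s/^Request ID '\([^']*\)':\$/\1/p"
}

# plan_removal SERVER [gone] -> ordered steps, each prefixed with the host
# to run it on. "gone" means the server was already uninstalled, so its
# replication agreements can only be force-removed from the other side.
plan_removal() {
    local server=$1 state=${2:-live} id
    if [ "$(role_of "$server" "$REPLICA_LIST")" = "absent" ]; then
        printf 'error: %s is not in the domain suffix topology\n' "$server" >&2
        return 1
    fi
    if [ "$state" = "gone" ]; then
        printf '[other master] ipa-replica-manage del %s --force --cleanup\n' "$server"
    else
        printf '[other master] ipa-replica-manage del %s\n' "$server"
    fi
    if ca_step_needed "$server"; then
        printf '[other master] ipa-csreplica-manage del %s\n' "$server"
    fi
    [ "$state" = "gone" ] && return 0
    printf '[%s] ipa-server-install --uninstall -U\n' "$server"
    # If the uninstall warns that certificates are still tracked, clear
    # them before any reinstall, one stop-tracking call per request ID.
    for id in $(certmonger_ids "$GETCERT_LIST"); do
        printf '[%s] getcert stop-tracking -i %s\n' "$server" "$id"
    done
}

# ipa-r02 was already uninstalled; ipa01 is still a live CA master.
plan_removal ipa-r02 gone
printf -- '---\n'
plan_removal ipa01
```

Run it as-is to see the two plans; swap the constructed listings for the real output of `ipa-replica-manage list` and `ipa-csreplica-manage list` on a surviving master, and of `getcert list` on the server to be removed, and the same functions produce the plan for the live topology.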


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
