[Freeipa-users] Re: on stand-alone detached master - force-add KRA - ?

Mon, 17 Jan 2022 08:40:00 -0800 

On 17/01/2022 16:20, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys

Is it possible on a detached master to setup KRA, as if it was first
master?

What is a detached master and why do you need to "force" install a KRA
on it? Assuming it's a server from an existing installation you've
removed all replication with, does the existing install already have a KRA?

What's the use-case?

rob
box, which master was no 'kra', was physically detached then replication was removed with 'ipa-x-manage' 

now it is:

-> $ ipa config-show

 Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: abba.xx.priv.yy
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=ABBA.XX.PRIV.YY
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: first.abba.xx.priv.yy
  IPA master capable of PKINIT: first.abba.xx.priv.yy
  IPA CA servers: first.abba.xx.priv.yy
  IPA CA renewal master: first.abba.xx.priv.yy
  IPA DNS servers: first.abba.xx.priv.yy

I thought it would work as new first master:

-> $ ipa-kra-install
Directory Manager password:

Failed to find an active KRA server!
to "convince" the master somehow, if possible, to install new KRA on this "new-first" master, would be neat. 

many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to