lejeczek via FreeIPA-users wrote:
> On 17/01/2022 16:20, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>> Hi guys
>>>
>>> Is it possible on a detached master to setup KRA, as if it was first
>>> master?
>> What is a detached master and why do you need to "force" install a KRA
>> on it? Assuming it's a server from an existing installation you've
>> removed all replication with, does the existing install already have a
>> KRA?
>>
>> What's the use-case?
>>
>> rob
>>
> box, which master was no 'kra', was physically detached then replication
> was removed with 'ipa-x-manage'
> 
> now it is:
> 
> -> $ ipa config-show
> 
>   Maximum username length: 32
>   Maximum hostname length: 64
>   Home directory base: /home
>   Default shell: /bin/sh
>   Default users group: ipausers
>   Default e-mail domain: abba.xx.priv.yy
>   Search time limit: 2
>   Search size limit: 100
>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>   Group search fields: cn,description
>   Enable migration mode: FALSE
>   Certificate Subject base: O=ABBA.XX.PRIV.YY
>   Password Expiration Notification (days): 4
>   Password plugin features: AllowNThash, KDC:Disable Last Success
>   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>   Default PAC types: MS-PAC, nfs:NONE
>   IPA masters: first.abba.xx.priv.yy
>   IPA master capable of PKINIT: first.abba.xx.priv.yy
>   IPA CA servers: first.abba.xx.priv.yy
>   IPA CA renewal master: first.abba.xx.priv.yy
>   IPA DNS servers: first.abba.xx.priv.yy
> 
> I thought it would work as new first master:
> 
> -> $ ipa-kra-install
> Directory Manager password:
> 
> Failed to find an active KRA server!
> 
> to "convince" the master somehow, if possible, to install new KRA on
> this "new-first" master, would be neat.

Honestly, "neat" is not exactly a use case.

I'd suggest poking around with the pki securitydomain commands. I'm
guessing a KRA was previously deployed. Ripping that out could be tricky.

But if you tell the securitydomain that there is no KRA maybe that will
help. Or maybe not. The KRA install is failing because one was
previously deployed.

rob