Building a radius server, and decided this was an ideal application for a hidden replica. I got some errors in the replica install, and the consistency check does not show a ghost replica (but does show my radius host in Replication Status). I run external DNS; this radius host has only A and PTR records.
grant@radius01:~[20221117-13:45][#89]$ sudo ipa-replica-install --setup-ca --hidden-replica
Password for [email protected]: *************
WARNING: 376 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high number
of users and groups, the operation might lead to high replication traffic and
performance degradation. Refer to ipa-adtrust-install(1) man page for details.
Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
-snip-
  [28/30]: importing IPA certificate profiles
Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
Failed to import profile 'acmeIPAServerCert': Request failed with status 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade when installation is completed may resolve this issue.
  [29/30]: configuring certmonger renewal for lightweight CAs
  [30/30]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json failed request, will retry: 903 (an internal error has occurred).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
-snip-
  [7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful
grant@radius01:~[20221117-13:51][#90]$

check consistency

grant@radius01:~[20221117-13:53][#92]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W
*************
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
=========================================================================
Active Users        349         349         349         349         OK
Stage Users         7           7           7           7           OK
Preserved Users     5           5           5           5           OK
User Groups         42          42          42          42          OK
Hosts               423         423         423         423         OK
Host Groups         23          23          23          23          OK
HBAC Rules          9           9           9           9           OK
SUDO Rules          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=========================================================================
grant@radius01:~[20221117-13:53][#93]$

I executed ipa-server-upgrade as suggested

grant@radius01:~[20221117-16:09][#88]$ sudo ipa-server-upgrade
[sudo] password for grant:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
Add failure attribute "cn" not allowed
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
-snip-
Migrating profile 'caAuditSigningCert'
[Ensuring presence of included profiles]
[Add default CA ACL]
[Updating ACME configuration]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add [email protected] alias to admin account]
Added '[email protected]' alias to admin account
[Setup SPAKE]
[Setup PKINIT]
[Enable server krb5.conf snippet]
[Setup kpasswd_server]
[Adding ipa-ca alias to HTTP certificate]
Resubmitting HTTP cert tracking request
The IPA services were upgraded
The ipa-server-upgrade command was successful
grant@radius01:~[20221117-16:11][#89]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W
*************
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
=========================================================================
Active Users        349         349         349         349         OK
Stage Users         7           7           7           7           OK
Preserved Users     5           5           5           5           OK
User Groups         42          42          42          42          OK
Hosts               423         423         423         423         OK
Host Groups         23          23          23          23          OK
HBAC Rules          9           9           9           9           OK
SUDO Rules          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=========================================================================
grant@radius01:~[20221117-16:11][#90]$

My version of ipa_check_consistency

grant@radius01:~[20221117-16:16][#93]$ grep APP_VER /usr/local/bin/ipa_check_consistency
readonly APP_VER="17.2.21a"
printf "%s version %s\n" "$APP_NAME" "$APP_VER"
grant@radius01:~[20221117-16:16][#94]$

I reviewed the installation again, then executed ipa-pkinit-manage

grant@radius01:~[20221117-16:29][#91]$ sudo ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
grant@radius01:~[20221117-16:29][#92]$ sudo ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Host 'radius01.production.efilm.com' is not an active KDC).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
grant@radius01:~[20221117-16:30][#93]$

Are SRV records REQUIRED for PKINIT to succeed?

thanx - grant
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
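An added diagnostic for the two things the question above touches, the "is not an active KDC" rejection and the SRV records: it is not part of the original message, nor FreeIPA's own code, and it does not claim which of the two causes the failure. It reads the state FreeIPA records for the host's KDC service in the masters container (cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>, where FreeIPA stores ipaConfigString values such as enabledService or hiddenService) and checks whether the host appears as a target of the realm's _kerberos._udp SRV record. The LDAP suffix being derived from the host's DNS domain (dc=production,dc=efilm,dc=com), the hostname radius01.production.efilm.com and the sample LDIF and dig output are assumptions or constructed data; the live mode needs ldapsearch, dig and a Kerberos ticket on the replica.

```sh
#!/bin/sh
# Added diagnostic, not from the original post or from FreeIPA.
# Assumptions: LDAP suffix derived from the host's DNS domain
# (production.efilm.com -> dc=production,dc=efilm,dc=com); the KDC service
# state is read from cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>,
# where FreeIPA records ipaConfigString values such as enabledService or
# hiddenService for each per-master service.
set -eu

MODE="${1:-demo}"                                  # demo | --live
HOST_FQDN="${2:-radius01.production.efilm.com}"    # assumed from the post
DOMAIN="${HOST_FQDN#*.}"
SUFFIX="dc=$(printf '%s' "$DOMAIN" | sed 's/\./,dc=/g')"

# Classify a KDC service entry from LDIF on stdin.
# Prints one of: enabled | hidden | configured-only | missing
kdc_state_from_ldif() {
  states=$(grep -i '^ipaConfigString:' | awk '{print tolower($2)}' || true)
  if [ -z "$states" ]; then
    echo missing                       # no entry, or no ipaConfigString at all
  elif printf '%s\n' "$states" | grep -qx enabledservice; then
    echo enabled
  elif printf '%s\n' "$states" | grep -qx hiddenservice; then
    echo hidden
  else
    echo configured-only               # e.g. only "startOrder N" present
  fi
}

# Is $1 a target in `dig +short SRV` output on stdin ("prio weight port target.")?
host_in_srv() {
  want="$1"
  while read -r _prio _weight _port target; do
    [ -n "$target" ] || continue
    [ "${target%.}" = "$want" ] && return 0   # strip the trailing dot
  done
  return 1
}

# Live checks against the replica's own directory and the realm's DNS.
check_live() {
  printf 'KDC service state for %s: ' "$HOST_FQDN"
  ldapsearch -LLL -Q -Y GSSAPI -s base \
    -b "cn=KDC,cn=${HOST_FQDN},cn=masters,cn=ipa,cn=etc,${SUFFIX}" ipaConfigString \
    | kdc_state_from_ldif
  printf 'SRV _kerberos._udp.%s lists %s: ' "$DOMAIN" "$HOST_FQDN"
  if dig +short SRV "_kerberos._udp.${DOMAIN}" | host_in_srv "$HOST_FQDN"; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample data (not captured from the poster's environment):
# a KDC entry as a hidden replica would record it, and an SRV answer that
# names only the two full replicas.
SAMPLE_HIDDEN_LDIF='dn: cn=KDC,cn=radius01.production.efilm.com,cn=masters,cn=ipa,cn=etc,dc=production,dc=efilm,dc=com
ipaConfigString: hiddenService
ipaConfigString: startOrder 10'
SAMPLE_SRV='0 100 88 ef-idm01.production.efilm.com.
0 100 88 ef-idm02.production.efilm.com.'

demo() {
  printf 'sample KDC state: %s\n' "$(printf '%s\n' "$SAMPLE_HIDDEN_LDIF" | kdc_state_from_ldif)"
  if printf '%s\n' "$SAMPLE_SRV" | host_in_srv "$HOST_FQDN"; then
    echo 'sample SRV: host present'
  else
    echo 'sample SRV: host absent'
  fi
}

case "$MODE" in
  --live) check_live ;;
  *) demo ;;
esac
```

Run it as `sh kdc-check.sh` to see the constructed sample classified, or `sh kdc-check.sh --live radius01.production.efilm.com` on the replica after a kinit. Comparing the KDC state reported for the hidden replica with that of a full replica (ef-idm01, say) separates a directory-side service-state difference from a DNS-side one before anyone edits SRV records.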
