Hi,

the replica-conncheck error means that a call to server_conncheck reached the wrong server. ipa-replica-conncheck performs multiple checks:
- first from the replica to the existing master (here we seem to be good)
- then from the existing master to the replica, by doing a call to the XMLRPC API server_conncheck on the master.

If the connection from replica to master fails, another server is tried (in this case, the replica launches server_conncheck on itself), but there is a security that ensures the right server is handling the call.

The logs show that the connection fails because of a SASL auth failure:

2023-05-22T18:14:03Z INFO Connection to https://ipa010.ad.companyx.fm/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)
Are you able to do
kinit -kt /etc/krb5.keytab host/<replicafqdn>@<REALM>
on the replica? And then
kvno HTTP/<serverfqdn>@<REALM>
?

flo

On Tue, May 23, 2023 at 9:55 AM Nicholas Cross via FreeIPA-users <[email protected]> wrote:
> That was the /var/log/ipareplica-conncheck.log log file
>
> It does look like a DNS issue, but I'm not sure where.
>
> DNS resolves the host fine on the host
>
> [root@ipa011 ~]# host ipa011
> ipa011.ad.companyx.fm has address 10.32.225.7
>
> [root@ipa011 ~]# grep ipa /etc/ipa/default.conf
> host = ipa011.ad.companyx.fm
> xmlrpc_uri = https://ipa011.ad.companyx.fm/ipa/xml
> ca_host = ipa010.ad.companyx.fm
>
> It's odd as I run the connection check before the start of the install, to check ports and routes. It works fine.
> Replica install works.
> DNS install works.
> Just the CA installer comes back with this error.
>
> As an additional test I added the DNS record for this host into IPA before the install. Normally we don't need to, but just as a test, but it made no difference.
>
> We do have new DNS forwarders on the network - these are in front of the IPA servers. They are there just to take the load from the k8s clusters away from IPA DNS.
> Would the CA install break if the DNS lookups are "proxied" by the DNS forwarders?
> All DNS tests I can think of work via the forwarders. The IPA clients (100s) are all fine with them.
>
> I will update the client to ignore the forwarders, but if you can think of anything else to try?
>
> thanks, Nick
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
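The two manual checks suggested in the reply (kinit with the replica's host keytab, then kvno for the master's HTTP principal), plus a small triage of the conncheck log line, written up as an added example script. It is not part of the thread and not FreeIPA's own tooling. It assumes the keytab is /etc/krb5.keytab, that the realm can be read from the "realm =" line of /etc/ipa/default.conf, and that the master FQDN is supplied in the IPA_MASTER environment variable; the live checks only run when that variable is set, so the helper functions can be used on their own.

```shell
#!/bin/sh
# Added example (not from the thread): replay the two manual Kerberos checks
# from the reply and classify a conncheck log line by its failure reason.
# Assumptions: keytab at /etc/krb5.keytab, realm in /etc/ipa/default.conf,
# master FQDN passed via IPA_MASTER (all hypothetical choices for this example).

set -u

# Build a principal name, e.g. "host/replica.example.test@EXAMPLE.TEST".
# $1 = service (host or HTTP), $2 = FQDN, $3 = realm
principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Read the realm from an ipa default.conf style file ("realm = EXAMPLE.TEST").
# $1 = path to the config file
realm_from_conf() {
    sed -n 's/^realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Map a conncheck log line to a coarse cause:
#   no-credentials : GSSAPI found no ticket in the credential cache (the
#                    symptom quoted in the thread), so check kinit/keytab first
#   dns            : name resolution failed, so check resolvers/forwarders
#   other          : anything else, read the full log
classify_failure() {
    case "$1" in
        *"Credential cache is empty"*)                   echo "no-credentials" ;;
        *"Name or service not known"*|*"Unknown host"*)  echo "dns" ;;
        *)                                               echo "other" ;;
    esac
}

# Run the live checks against this replica. $1 = master FQDN.
run_checks() {
    master="$1"
    realm=$(realm_from_conf /etc/ipa/default.conf)
    replica=$(hostname -f)
    hostprinc=$(principal host "$replica" "$realm")
    httpprinc=$(principal HTTP "$master" "$realm")

    echo "Step 1: obtain a TGT from the replica host keytab as $hostprinc"
    kinit -kt /etc/krb5.keytab "$hostprinc" || { echo "kinit failed: keytab or KDC problem"; return 1; }

    echo "Step 2: request a service ticket for $httpprinc"
    kvno "$httpprinc" || { echo "kvno failed: HTTP principal or DNS/KDC lookup problem"; return 1; }

    # Show what ended up in the credential cache.
    klist
}

# Only touch the live system when a master FQDN was supplied.
if [ -n "${IPA_MASTER:-}" ]; then
    run_checks "$IPA_MASTER"
fi
```

Usage on a replica: IPA_MASTER=master.example.test sh conncheck-diag.sh. If step 1 fails, the keytab on the replica is the thing to inspect; if step 1 succeeds but step 2 fails, the problem sits between the replica and the master's HTTP service (name resolution or the master's principal), which matches the split of responsibilities described in the reply.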
