I'm playing around with IPA trying to figure out how to set it up to be
redundant. The problem is that the IPA Replica isn't able to authenticate
AD users if IPA Master is down.
My setup:
One Windows Server set up with Active Directory Domain Services, Active
Directory Certificate Services and DNS server hosting the ad.labnet.org
domain and the Root CA.
Two Linux servers set up in the labnet.org domain. Both using the Windows
Server DNS server.
The first one is set up as an IPA Master server hosting the domain
ipa.labnet.org and acts as a subordinate CA server. It was set up with the
following commands:
sudo ipa-server-install --external-ca --external-ca-type=ms-cs
sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
The second one is set up as an IPA Replica, also hosting the domain
ipa.labnet.org. It has been set up with the following commands:
sudo ipa-client-install --mkhomedir
sudo ipa-replica-install
sudo ipa-ca-install
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
All needed DNS records have been created in the DNS server on the Windows
server. At least I hope so.
IPA Healthcheck on both IPA servers doesn't complain about anything missing:
sudo ipa-healthcheck --output-type human
One IPA Client, also set up in the labnet.org domain and using the Windows
server DNS, was set up with the following command:
sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
Testing authentication on the IPA Client as a user in the ad.labnet.org
domain works out like this:
Both IPA Servers up works OK
Only IPA Master up works OK
Only IPA Replica up doesn't work.
After this, a check with IPA Healthcheck on the IPA Replica now comes back
with this:
WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID {}
for ad.labnet.org returned nothing
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD
Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active
servers:
IPA: lab003.labnet.org
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller:
AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output:
Active servers:
IPA: lab003.labnet.org
Can anyone suggest what I have done wrong or missed? As far as I can tell
there are no commands that let me write to the Global Catalog?
Thanks!
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
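An added example, not from the original post or the FreeIPA project: a small Python check that parses the "Active servers:" block of `sssctl domain-status` output, the block the healthcheck errors above refer to, and reports which AD roles have no active server. Both sample outputs are constructed; the role labels are the ones quoted in the healthcheck messages, and the AD hostname in the healthy sample is invented.

```python
"""Check the 'Active servers:' block of `sssctl domain-status` output for the
AD roles the IPA healthcheck (IPATrustCatalogCheck) expects to be present."""

# Labels exactly as quoted in the healthcheck errors above.
REQUIRED_AD_ROLES = ("AD Global Catalog", "AD Domain Controller")


def parse_active_servers(output: str) -> dict:
    """Return {role: host} for 'Role: host' lines under 'Active servers:'.

    The block ends at the first blank line or the next '... servers:' header.
    Assumes the layout quoted in the post; other sssctl sections are ignored.
    """
    servers, in_block = {}, False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "Active servers:"
            continue
        if not line or line.endswith("servers:"):
            break
        role, sep, host = line.partition(":")
        if sep:
            servers[role.strip()] = host.strip()
    return servers


def missing_ad_roles(output: str) -> list:
    """Required AD roles that have no active server; empty means healthy."""
    active = parse_active_servers(output)
    return [role for role in REQUIRED_AD_ROLES if role not in active]


# Constructed sample of a healthy trust (AD hostname invented).
HEALTHY = """Online status: Online

Active servers:
IPA: lab003.labnet.org
AD Global Catalog: dc1.ad.labnet.org
AD Domain Controller: dc1.ad.labnet.org

Discovered IPA servers:
- lab003.labnet.org
"""

# Constructed sample reproducing the degraded state quoted in the post.
DEGRADED = """Online status: Online

Active servers:
IPA: lab003.labnet.org
"""
```

On an IPA server the same functions can be fed the live output of `sssctl domain-status ad.labnet.org`, so the replica's trust state can be watched without waiting for a failed login.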