On Tue, Apr 29, 2025 at 7:15 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> Hi,
>
> On Tue, Apr 29, 2025 at 4:39 PM Ian Kumlien via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On Tue, Apr 29, 2025 at 4:30 PM Rob Crittenden <rcrit...@redhat.com> wrote:
>> >
>> > Ian Kumlien wrote:
>> > > This and changing the permissions on certs pkiuser:pkiuser fixed it on
>> > > that machine, what remains is:
>> > > Error: Local roles CA, DNS, DNSKeySync do not match globally used
>> > > roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not
>> > > be complete enough to restore a fully functional, identical cluster.
>> > > The ipa-backup command failed. See /var/log/ipabackup.log for more information
>> >
>> > What is unclear about the message?
>>
>> A lot - it broke by running ipa-cert-fix
>>
>> > An IPA backup is a disaster recovery tool. There is no need to use it to
>> > back up every single host in a cluster for the reason outlined.
>> > ipa-restore is used when things are completely hosed. It requires that
>> > any existing replicas need to be force re-initialized.
>>
>> It used to work, it worked until I ran ipa-cert-fix
>>
>> To me it sounds more like ipa-cert-fix did something that broke the
>> state of that node.
>
> ipa-cert-fix does one change related to roles: it sets the host where it is 
> executed as CA renewal master. It does not remove the CA/DNS/DNSKeySync/KRA 
> instances.
> Can you show the output of ipa config-show on your 2 nodes?

Node-1 - where ipa-backup doesn't work anymore:
ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: virt.demius.net
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: False
  Certificate Subject base: O=VIRT.DEMIUS.NET
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA master capable of PKINIT: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA renewal master: freeipa2.virt.demius.net
  IPA KRA servers: freeipa2.virt.demius.net
  IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net

Node 2 - works after the modifications and some workarounds:
ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: virt.demius.net
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: False
  Certificate Subject base: O=VIRT.DEMIUS.NET
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA master capable of PKINIT: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA renewal master: freeipa2.virt.demius.net
  IPA KRA servers: freeipa2.virt.demius.net
  IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
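The role lists in the two `ipa config-show` outputs above already explain the ipa-backup message: both nodes agree on the global state, and only freeipa2 is listed under "IPA KRA servers", so a backup taken on freeipa1 cannot contain the KRA. The script below is an added example, not part of the thread and not ipa-backup's own implementation; it parses the posted config-show lines (embedded here as constructed sample input) and reproduces the local-vs-global role comparison for each host. Assumptions: config-show only exposes CA, KRA and DNS server lists, so DNSKeySync is not derived, and the label-to-role mapping is ours.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: the server-list lines from the `ipa config-show`
# output posted in the thread (identical on both nodes).
CONFIG_SHOW = """\
  IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA master capable of PKINIT: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA renewal master: freeipa2.virt.demius.net
  IPA KRA servers: freeipa2.virt.demius.net
  IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
"""

# Assumed mapping from config-show labels to the role names ipa-backup prints.
# DNSKeySync has no config-show line, so it is not derived here.
ROLE_LABELS = {
    "IPA CA servers": "CA",
    "IPA KRA servers": "KRA",
    "IPA DNS servers": "DNS",
}
MASTERS_LABEL = "IPA masters"


def parse_roles(text: str) -> Dict[str, Set[str]]:
    """Return {hostname: set(roles)} from config-show text.

    Every host on the "IPA masters" line gets an entry, even if it holds
    none of the tracked roles, so a role-less master is still reported.
    """
    hosts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        label = label.strip()
        names = [h.strip() for h in value.split(",") if h.strip()]
        if label == MASTERS_LABEL:
            for host in names:
                hosts.setdefault(host, set())
        elif label in ROLE_LABELS:
            for host in names:
                hosts.setdefault(host, set()).add(ROLE_LABELS[label])
    return hosts


def global_roles(hosts: Dict[str, Set[str]]) -> Set[str]:
    """The union of roles deployed anywhere in the topology."""
    return set().union(*hosts.values()) if hosts else set()


def backup_check(hosts: Dict[str, Set[str]], local_host: str) -> Tuple[bool, List[str]]:
    """Mimic ipa-backup's role comparison for one host.

    Returns (ok, missing_roles): ok is False when the host lacks a role that
    is used globally, i.e. a backup taken there would be incomplete.
    """
    local = hosts.get(local_host, set())
    missing = sorted(global_roles(hosts) - local)
    return (not missing, missing)


def complete_backup_hosts(hosts: Dict[str, Set[str]]) -> List[str]:
    """Hosts on which a backup would cover every globally used role."""
    return sorted(h for h in hosts if backup_check(hosts, h)[0])


def report(text: str) -> List[str]:
    """One line per host, in the spirit of the ipa-backup message."""
    hosts = parse_roles(text)
    used = ", ".join(sorted(global_roles(hosts)))
    lines = []
    for host in sorted(hosts):
        ok, missing = backup_check(hosts, host)
        local = ", ".join(sorted(hosts[host]))
        if ok:
            lines.append(f"{host}: local roles {local} match globally used roles {used}")
        else:
            lines.append(f"{host}: local roles {local} do not match globally used roles {used} "
                         f"(missing: {', '.join(missing)})")
    return lines


if __name__ == "__main__":
    for line in report(CONFIG_SHOW):
        print(line)
```

Run against the posted output it flags freeipa1 as missing KRA and freeipa2 as complete, which is exactly the split the thread shows: nothing in config-show suggests ipa-cert-fix removed a role, it is the KRA that was only ever installed on freeipa2. If the goal is a backup that can rebuild the whole topology, either take it on freeipa2 or install the KRA on freeipa1 (`ipa-kra-install`) so both hosts carry the full role set.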