On Sat, 22 Nov 2025, ether bunny via FreeIPA-users wrote:
> When I run this command from a replica I'm asked for two passwords. The
> first appears to be the admin account on the primary host but I don't
> know what the second one is or how to set it.
>
> # ipa-ca-install
> Directory Manager (existing master) password:  <-- I know this one
>
> Running ipa-certupdate...done
> Run connection check to master
> host/[email protected]@primary.domain.edu's password:   <--- I don't know this one

ipa-ca-install needs to ensure that a replica can reach the CA master it
will be using for replication purposes. To do so, it attempts to connect
to that master over SSH using a Kerberos principal it is configured to
use. ipa-ca-install uses the host keytab to authenticate but doesn't pass
any particular principal, which means the host/replica... principal from the
keytab would be used.

If you cannot authenticate with this service principal, it most likely
means your master and replica do not have up-to-date replication yet, so
the keys known to the replica aren't the same as the keys known to the
master's KDC, thus they cannot be used.

> I went to the host entry for the replica and tried to set an OTP but was
> unable. "IPA Error 3009: ValidationError"

OTP on host entries is only used before the Kerberos keys are generated for
the host principal. You should never have OTP defined on the host
principal after the host has been enrolled.

> Not sure where to look for other errors.

Make sure IPA replication is correctly functioning before
adding any new feature such as a CA replica.

The following Directory Server chapter covers common replication
problems:
https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/configuring_and_managing_replication/assembly_solving-common-replication-problems_configuring-and-managing-replication


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
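The check implied by the reply (are the replica's host keys the same ones the KDC knows?), as an added shell diagnostic that is not part of the thread or of FreeIPA; it assumes MIT Kerberos `klist -kt` and `kvno` output formats, and the hostnames, realm and key versions in the embedded sample output are constructed:

```shell
#!/bin/sh
# Added diagnostic for the key mismatch described in the reply above; not part of the
# thread or of FreeIPA. It compares the host principal's key version (KVNO) in the
# replica's keytab with the KVNO the KDC reports; a mismatch means the KDC being asked
# has not yet received the replica's current host keys (or the keytab is stale).

# Highest KVNO for PRINCIPAL in `klist -kt /etc/krb5.keytab` output read from stdin.
keytab_kvno() {
  awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0 }
                 END { print max + 0 }'
}

# KVNO reported by `kvno PRINCIPAL` (stdin); its output looks like "host/h@R: kvno = 2".
# Prints nothing when the lookup failed (kvno writes its error to stderr, not stdout).
kdc_kvno() {
  sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify the pair: in-sync, mismatch, missing-in-keytab, or unknown-to-kdc.
key_sync_status() {
  kt="$1"; kdc="$2"
  if [ -z "$kt" ] || [ "$kt" -eq 0 ]; then echo "missing-in-keytab"; return; fi
  if [ -z "$kdc" ]; then echo "unknown-to-kdc"; return; fi
  if [ "$kt" -eq "$kdc" ]; then echo "in-sync"; else echo "mismatch"; fi
}

# Constructed sample output (hostnames, realm and timestamps are made up, not captured).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------
   1 11/20/2025 09:00:00 host/replica.domain.edu@DOMAIN.EDU
   2 11/22/2025 10:00:00 host/replica.domain.edu@DOMAIN.EDU'
SAMPLE_KVNO_STALE='host/replica.domain.edu@DOMAIN.EDU: kvno = 1'

# Run the comparison on the samples: the keytab holds kvno 2, the KDC still answers 1.
demo() {
  kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno 'host/replica.domain.edu@DOMAIN.EDU')
  kdc=$(printf '%s\n' "$SAMPLE_KVNO_STALE" | kdc_kvno)
  key_sync_status "$kt" "$kdc"
}

# On a real replica, after `kinit admin`, feed live output instead, with krb5.conf
# pointing at the CA master so kvno asks the same KDC that ipa-ca-install will use:
#   klist -kt /etc/krb5.keytab | keytab_kvno "host/$(hostname -f)@REALM"
#   kvno "host/$(hostname -f)" | kdc_kvno
demo   # prints: mismatch
```

A "mismatch" or "unknown-to-kdc" result on a live replica points at the replication problem the reply describes; fix replication first rather than touching OTPs or keytabs.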
