If I do an `ipa-replica-manage force-sync` it completes without error. Looking at /var/log/sssd/sssd_<domain>.log I see this message: `[sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]`. I assume it's referring to the host I'm trying to replicate from.
I'm missing some important step.

________________________________
From: Alexander Bokovoy <[email protected]>
Sent: Monday, November 24, 2025 8:01 AM
To: FreeIPA users list <[email protected]>
Cc: ether bunny <[email protected]>
Subject: Re: [Freeipa-users] ipa-ca-install - second password?

On Sat, 22 Nov 2025, ether bunny via FreeIPA-users wrote:
> When I run this command from a replica I'm asked for two passwords. The
> first appears to be the admin account on the primary host but I don't
> know what the second one is or how to set it.
>
> # ipa-ca-install
> Directory Manager (existing master) password: <-- I know this one
>
> Running ipa-certupdate...done
> Run connection check to master
> host/[email protected]@primary.domain.edu's password: <--- I
> don't know this one

ipa-ca-install needs to ensure that a replica can reach the CA master it will be using for replication purposes. To do so, it attempts to connect to that master over SSH using a Kerberos principal it is configured to use. ipa-ca-install uses the host keytab to authenticate but wouldn't pass any particular principal, which means the host/replica... principal from the keytab would be used. If you cannot authenticate with this service principal, it most likely means your master and replica do not have up-to-date replication yet, so the keys known to the replica aren't the same as the keys known to the master's KDC, thus they cannot be used.

> I went to the host entry for the replica and tried to set an OTP but was
> unable. "IPA Error 3009: ValidationError"

OTP on host entries is only used before the Kerberos keys are generated for the host principal. You should never have OTP defined on the host principal after the host has been enrolled.

> Not sure where to look for other errors.

Make sure IPA replication is correctly functioning before adding any new feature such as a CA replica.
The following Directory Server chapter covers common replication problems:
https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/configuring_and_managing_replication/assembly_solving-common-replication-problems_configuring-and-managing-replication

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
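A pre-flight script in the spirit of Alexander's advice (check replication first, then confirm the host keytab actually authenticates against the master), written as an added example for this page; it is not code from the thread or from FreeIPA's own tooling. It assumes it runs on the replica, that /etc/krb5.keytab holds the replica's host principal, that the master's FQDN is passed as the first argument, and that the `ipa-replica-manage -v list` output embedded below is constructed sample text rather than output captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Assumes: this runs on the replica, /etc/krb5.keytab holds its host
# principal, and $1 is the CA master's FQDN. The two SAMPLE_* strings
# are constructed to mimic `ipa-replica-manage -v list <host>` output.

# Return 0 only if every "last update status" line in the agreement
# listing read from stdin reports a clean incremental update. 389-ds
# encodes a healthy agreement as "Error (0) ..." and a failed one as a
# negative code plus a message (e.g. "Can't contact LDAP server"), which
# is the same error the replica's sssd log shows in the thread.
replication_status_ok() {
    found=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"last update status:"*)
                found=1
                case "$line" in
                    *"Error (0)"*) ;;
                    *) bad=1 ;;
                esac
                ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Reproduce what ipa-ca-install's connection check does, but fail fast.
# Not exercised by the offline self-check; it needs a real IPA deployment.
ca_preflight() {
    master="$1"
    [ -n "$master" ] || { echo "usage: ca_preflight <master-fqdn>" >&2; return 2; }

    # 1. Replication must be healthy first (Alexander's main point).
    if ! ipa-replica-manage -v list "$(hostname -f)" | replication_status_ok; then
        echo "replication for this replica is not healthy; fix that first" >&2
        return 1
    fi

    # 2. Obtain a TGT for the host principal from the keytab. `kinit -k`
    #    with no principal defaults to host/<fqdn>@REALM, which is the
    #    principal ipa-ca-install ends up using.
    kinit -k || { echo "cannot kinit from /etc/krb5.keytab" >&2; return 1; }

    # 3. SSH to the master with GSSAPI only. BatchMode=yes makes ssh fail
    #    instead of falling back to the password prompt seen in the thread.
    if ! ssh -o GSSAPIAuthentication=yes -o PasswordAuthentication=no \
             -o BatchMode=yes "$master" true; then
        echo "GSSAPI ssh to $master failed: replica host keys not usable there yet" >&2
        return 1
    fi
    echo "pre-flight OK: safe to run ipa-ca-install"
}

# Constructed sample output (not captured from a real server).
SAMPLE_HEALTHY="primary.domain.edu: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2025-11-24 08:00:00+00:00"

SAMPLE_BROKEN="primary.domain.edu: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00"

# Offline self-check of the parser against the constructed samples.
printf '%s\n' "$SAMPLE_HEALTHY" | replication_status_ok && echo "healthy sample: passes"
printf '%s\n' "$SAMPLE_BROKEN"  | replication_status_ok || echo "broken sample: flagged"

# Usage: sh ca-preflight.sh primary.domain.edu
# (omit the argument to only run the offline self-check above)
if [ $# -gt 0 ]; then ca_preflight "$1"; fi
```

Run it as `sh ca-preflight.sh primary.domain.edu` on the replica before `ipa-ca-install`. Step 3 is deliberately GSSAPI-only: the second prompt in the thread is ssh falling back to password authentication after Kerberos authentication failed, so a hard failure here points straight at the stale host keys rather than at a missing password.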
