Further testing shows that replication appears to be working. I can create a user on the replica and it shows up on the principal (original) host.
Still no luck getting ipa-ca-install to run though.

________________________________
From: ether bunny via FreeIPA-users <[email protected]>
Sent: Tuesday, November 25, 2025 3:46 PM
To: Rob Crittenden <[email protected]>; FreeIPA users list <[email protected]>; Alexander Bokovoy <[email protected]>
Cc: ether bunny <[email protected]>
Subject: [Freeipa-users] Re: ipa-ca-install - second password?

Here's what I found:

(on replica host)
# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/21/2025 18:11:35 host/[email protected]
   1 11/21/2025 18:11:35 host/[email protected]

(on original server)
# kvno host/replica.domain.edu
host/[email protected]: kvno = 1

(on replica)
# kinit -kt /etc/krb5.keytab
(no errors. no password requested)

(on original)
# ipa host-show --all --raw replica.domain.edu
(returned a slew of information)

________________________________
From: Rob Crittenden <[email protected]>
Sent: Tuesday, November 25, 2025 3:21 PM
To: FreeIPA users list <[email protected]>; Alexander Bokovoy <[email protected]>
Cc: ether bunny <[email protected]>
Subject: Re: [Freeipa-users] Re: ipa-ca-install - second password?

ether bunny via FreeIPA-users wrote:
> If I do a `ipa-replica-manage force-sync` it completes without error.

It completed without error but did you try the installation again? Did you notice anything in either server error log after running this?

> Looking at /var/log/sssd/sssd_<domain>.log I see this message:
> `[sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP
> server]`. I assume it's referring to the host I'm trying to replicate from.

SSSD is not involved in replication.

You might try this:

On the other server run:

# kvno host/replica.domain.edu

On the replica run:

# klist -kt /etc/krb5.keytab

The KVNO (or version number) should be the same for both.
If the keytab has multiple versions that's ok but the highest value should match that in the other server.

You can also try to manually duplicate what the CA installer is doing with:

# kinit -kt /etc/krb5.keytab

Are you prompted for a password? If so we need to see what the host entry looks like:

$ ipa host-show --all --raw host/replica.domain.edu

rob

>
> I'm missing some important step.
> ------------------------------------------------------------------------
> *From:* Alexander Bokovoy <[email protected]>
> *Sent:* Monday, November 24, 2025 8:01 AM
> *To:* FreeIPA users list <[email protected]>
> *Cc:* ether bunny <[email protected]>
> *Subject:* Re: [Freeipa-users] ipa-ca-install - second password?
>
> On Sat, 22 Nov 2025, ether bunny via FreeIPA-users wrote:
>>When I run this command from a replica I'm asked for two passwords. The
>>first appears to be the admin account on the primary host but I don't
>>know what the second one is or how to set it.
>>
>># ipa-ca-install
>>Directory Manager (existing master) password: <-- I know this one
>>
>>Running ipa-certupdate...done
>>Run connection check to master
>>host/[email protected]@primary.domain.edu's password: <--- I
>>don't know this one
>
> ipa-ca-install needs to ensure that a replica can reach the CA master it
> will be using for replication purposes. To do so, it attempts to connect
> to that master over SSH using a Kerberos principal it is configured to
> use. ipa-ca-install uses host keytab to authenticate but wouldn't pass
> any particular principal, which means host/replica... principal from the
> keytab would be used.
>
> If you cannot authenticate with this service principal, it most likely
> means your master and replica do not have up to date replication yet, so
> the keys known to replica aren't the same as keys known to master's KDC,
> thus they cannot be used.
>
>
>>
>>I went to the host entry for the replica and tried to set an OTP but was
>>unable. "IPA Error 3009: ValidationError"
>
> OTP on host entries is only used before the Kerberos keys are generated for
> the host principal. You should never have OTP defined on the host
> principal after the host has been enrolled.
>
>>Not sure where to look for other errors.
>
> Make sure IPA replication is correctly functioning before
> adding any new feature such as a CA replica.
>
> The following Directory Server chapter covers common replication
> problems:
> https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/configuring_and_managing_replication/assembly_solving-common-replication-problems_configuring-and-managing-replication
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
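The KVNO comparison Rob describes (highest version in the replica's keytab versus the version the other server's KDC reports for the same principal), as an added shell example that is not part of the thread or of FreeIPA itself. The `klist -kt` and `kvno` outputs below are constructed from the thread, and the realm `DOMAIN.EDU` is an assumed placeholder.

```shell
#!/bin/sh
# Added example: check that the host principal's key version in the local
# keytab matches what the other server's KDC reports, before ipa-ca-install
# tries to kinit with that keytab.

# Constructed sample of `klist -kt /etc/krb5.keytab` on the replica
# (realm DOMAIN.EDU is an assumed placeholder).
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/21/2025 18:11:35 host/replica.domain.edu@DOMAIN.EDU
   1 11/21/2025 18:11:35 host/replica.domain.edu@DOMAIN.EDU'

# Constructed sample with two key versions; only the highest one counts.
KLIST_MULTI='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/21/2025 18:11:35 host/replica.domain.edu@DOMAIN.EDU
   2 11/22/2025 09:02:10 host/replica.domain.edu@DOMAIN.EDU'

# Constructed sample of `kvno host/replica.domain.edu` on the other server.
KVNO_SAMPLE='host/replica.domain.edu@DOMAIN.EDU: kvno = 1'

# highest_keytab_kvno KLIST_OUTPUT PRINCIPAL_PREFIX
# Prints the highest KVNO whose principal (4th column) starts with the prefix.
highest_keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { max = 0 }
        NF >= 4 && index($4, p) == 1 { if ($1 + 0 > max) max = $1 + 0 }
        END { print max }'
}

# kdc_kvno KVNO_OUTPUT
# Prints the version number from a "principal: kvno = N" line.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno_match KEYTAB_KVNO KDC_KVNO -> exit 0 when they agree, 1 otherwise.
check_kvno_match() {
    [ "$1" -eq "$2" ] 2>/dev/null
}

kt=$(highest_keytab_kvno "$KLIST_SAMPLE" host/replica.domain.edu)
kdc=$(kdc_kvno "$KVNO_SAMPLE")
if check_kvno_match "$kt" "$kdc"; then
    echo "keytab kvno $kt matches KDC kvno $kdc"
else
    echo "MISMATCH: keytab kvno $kt, KDC kvno $kdc (replication not caught up?)"
fi
```

On a live pair of servers, feed `"$(klist -kt /etc/krb5.keytab)"` from the replica and `"$(kvno host/replica.domain.edu)"` from the other server into the two functions instead of the constructed samples.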
