I had an oddly performing IPA replica server: it had no knowledge of any other services besides dirsrv, DNS and CA, lots of GSSAPI errors in the dirsrv logs, etc., so I decided to re-configure the IPA replica.

# ipactl status
Directory Service: RUNNING
DNS Service: RUNNING
CA Service: RUNNING


I removed the IPA instance on the host as per the document below.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Uninstalling_IPA_Servers.html


I prepared a new replica package for the host using ipa-replica-prepare on ipa01, and started ipa-replica-install on ipa03. This gave unexpected results.

# ipa-replica-install --setup-dns --forwarder=192.168.1.1 --forwarder=192.168.1.2 /var/lib/ipa/replica-info-ipa03.ix.test.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa01.ix.test.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@ix.test.com password:

Execute check on remote master
Check connection from master to remote replica 'ipa03.ix.test.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
The host ipa03.ix.test.com already exists on the master server. Depending on your configuration, you may perform the following:

Remove the replication agreement, if any:
    % ipa-replica-manage del ipa03.ix.test.com
Remove the host entry:
    % ipa host-del ipa03.ix.test.com

So I went back to ipa01 to remove the replica:

#  ipa-replica-manage del ipa03.ix.test.com
Unable to delete replica ipa03.ix.test.com: {'desc': "Can't contact LDAP server"}

Hm, ok, I tried to force removal.

#  ipa-replica-manage del -f ipa03.ix.test.com
Unable to connect to replica ipa03.ix.test.com, forcing removal
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact LDAP server"}
Forcing removal on 'ipa01.ix.test.com'
Failed to get data from 'ipa02.ix.test.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'} Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact LDAP server"}


Not a complete success? However, I was now able to install my replica. But I now no longer have a CA instance on the replica:

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING


Perhaps an opportunity for improvements here? My suggestions:

* First off, add to the documentation to remove the replica on another IPA server before uninstalling the IPA replica?
* Why not automatically delete the replication agreement when uninstalling the replica?
* Where did the CA instance go? I see nothing in the documentation about this, but I found an ipa-ca-install command. ipa-ca-install yielded the error below. The same error occurs if I attempt to --setup-ca while doing the ipa-replica-install:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: configuring certificate server instance
root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name' 'CN=ipa03.ix.test.com,O=IX.TEST.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' 'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Running ipa-ca-install on an IPv6-enabled host is even worse off:

root : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C /tmp/tmpQ_4Prsipa
root        : DEBUG    stdout=
root        : DEBUG    stderr=
creation of replica failed: The network address 2001:db8:abab:2::21 does not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com root : DEBUG The network address 2001:db8:abab:2::21 does not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
  File "/usr/sbin/ipa-ca-install", line 156, in <module>
    main()

  File "/usr/sbin/ipa-ca-install", line 121, in main
    host = get_host_name(options.no_host_dns)

File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 540, in get_host_name
    verify_fqdn(hostname, no_host_dns)

File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 201, in verify_fqdn
    verify_dns_records(host_name, rs, resaddr, 'ipv6')

File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 113, in verify_dns_records raise RuntimeError("The network address %s does not match the DNS lookup %s. Check /etc/hosts and ensure that %s is the IP address for %s" % (dns_addr.format(), resaddr, dns_addr.format(), host_name))


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Both A and AAAA records are configured for both hosts, as well as IPv4 and IPv6 reverse addresses. All addresses, forward and reverse, are resolvable from both IPA hosts.

As a side note: the ipa-replica-install script works successfully on the IPv6-enabled hosts, and I use IPv6 from Linux and Solaris clients for LDAPS and Kerberos without any issues.



Regards,
Siggi
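An added example, not part of Siggi's post and not FreeIPA's own code: the traceback above comes from verify_fqdn / verify_dns_records in installutils.py, which compares the host's network addresses against its DNS lookup. The script below is a stand-alone pre-flight check in the same spirit, written independently: for every address a host is configured with, it requires a forward record of the same address family (A for IPv4, AAAA for IPv6) that contains the address, and a PTR record that points back to the host name. Mixed-family comparisons, which is what the "2001:db8:abab:2::21 does not match 192.168.1.21" message suggests went wrong, are never made. The function and variable names are my own, and the FAKE_FORWARD / FAKE_REVERSE tables are constructed sample data modelled on the addresses in the post, so the check can be exercised offline; the system_forward / system_reverse helpers use the real resolver.

```python
import ipaddress
import socket
import sys

# Constructed sample DNS data (assumption, modelled on the post's addresses).
# ipa03 is deliberately given no AAAA record so the check has something to report.
FAKE_FORWARD = {
    "ipa02.ix.test.com": ["192.168.1.21", "2001:db8:abab:2::21"],
    "ipa03.ix.test.com": ["192.168.1.22"],
}
FAKE_REVERSE = {
    "192.168.1.21": "ipa02.ix.test.com",
    "2001:db8:abab:2::21": "ipa02.ix.test.com",
    "192.168.1.22": "ipa03.ix.test.com",
}


def fake_forward(host):
    """Offline stand-in for A/AAAA resolution (constructed data)."""
    return list(FAKE_FORWARD.get(host, []))


def fake_reverse(addr):
    """Offline stand-in for PTR resolution (constructed data)."""
    return FAKE_REVERSE.get(addr)


def system_forward(host):
    """Resolve A and AAAA records with the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(addr):
    """Resolve the PTR record for an address with the system resolver."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_host_dns(host_name, local_addrs, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means the host's DNS is consistent.

    Each configured address is compared only against forward records of its own
    address family, and its PTR must map back to host_name.
    """
    problems = []
    records = [ipaddress.ip_address(a) for a in forward(host_name)]
    expected = host_name.rstrip(".").lower()
    for raw in local_addrs:
        addr = ipaddress.ip_address(raw)
        rtype = "A" if addr.version == 4 else "AAAA"
        same_family = [r for r in records if r.version == addr.version]
        if not same_family:
            problems.append("%s has no %s record for %s" % (host_name, rtype, addr))
            continue
        if addr not in same_family:
            problems.append("The network address %s does not match the DNS lookup %s"
                            % (addr, ", ".join(str(r) for r in same_family)))
            continue
        ptr = reverse(str(addr))
        if ptr is None:
            problems.append("no PTR record for %s" % addr)
        elif ptr.rstrip(".").lower() != expected:
            problems.append("PTR for %s is %s, expected %s" % (addr, ptr, host_name))
    return problems


if __name__ == "__main__":
    # Usage: python check_dns.py <fqdn> <addr> [<addr> ...]  (uses the real resolver)
    if len(sys.argv) < 3:
        sys.exit("usage: %s <fqdn> <address> [<address> ...]" % sys.argv[0])
    found = check_host_dns(sys.argv[1], sys.argv[2:])
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

Run it on a replica before ipa-replica-install or ipa-ca-install with the FQDN and every address the host will be reached on; a non-empty report points at the record to fix before the installer aborts half-way and leaves the system "partly configured".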



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
