Sigbjorn Lie wrote:
I had an oddly performing IPA replica server: it had no knowledge of any
other services besides dirsrv, DNS and CA, lots of GSSAPI errors in the
dirsrv logs, etc., so I decided to re-configure the IPA replica.

# ipactl status
Directory Service: RUNNING
DNS Service: RUNNING
CA Service: RUNNING


I removed the IPA instance on the host as per the document below.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Uninstalling_IPA_Servers.html



I prepared a new replica package for the host using ipa-replica-prepare
on ipa01 and started ipa-replica-install on ipa03. This gave unexpected
results.

# ipa-replica-install --setup-dns --forwarder=192.168.1.1
--forwarder=192.168.1.2 /var/lib/ipa/replica-info-ipa03.ix.test.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa01.ix.test.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: port 80 (80): OK
HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@ix.test.com password:

Execute check on remote master
Check connection from master to remote replica 'ipa03.ix.test.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: port 80 (80): OK
HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
The host ipa03.ix.test.com already exists on the master server.
Depending on your configuration, you may perform the following:

Remove the replication agreement, if any:
% ipa-replica-manage del ipa03.ix.test.com
Remove the host entry:
% ipa host-del ipa03.ix.test.com

So I went back to ipa01 to remove the replica:

# ipa-replica-manage del ipa03.ix.test.com
Unable to delete replica ipa03.ix.test.com: {'desc': "Can't contact LDAP
server"}

Hm, ok, I tried to force removal.

# ipa-replica-manage del -f ipa03.ix.test.com
Unable to connect to replica ipa03.ix.test.com, forcing removal
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact
LDAP server"}
Forcing removal on 'ipa01.ix.test.com'
Failed to get data from 'ipa02.ix.test.com': {'info': 'SASL(-1): generic
failure: GSSAPI Error: An invalid name was supplied (Cannot determine
realm for numeric host address)', 'desc': 'Local error'}
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact
LDAP server"}


Not a complete success? However, I was now able to install my replica.
But I now no longer have a CA instance on the replica:

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING


Perhaps an opportunity for improvements here? My suggestions:

* First off, add to the documentation to remove the replica on another
IPA server before uninstalling the IPA replica?
* Why not automatically delete the replication agreement when
uninstalling the replica?
* Where did the CA instance go? I see nothing in the documentation about
this, but I found an ipa-ca-install command. ipa-ca-install yielded the
error below. The same error occurs if I attempt --setup-ca while doing
the ipa-replica-install:

Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/11]: creating certificate server user
[2/11]: creating pki-ca instance
[3/11]: configuring certificate server instance
root : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com'
'-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW'
'-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv'
'-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent'
'-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com'
'-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
'-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
'-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name'
'CN=ipa03.ix.test.com,O=IX.TEST.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

More details on the install failure may be in /var/log/ipareplica-ca-install.log and /var/log/pki-ca/debug. I wonder if they are related to the DNS errors you are seeing.


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Running ipa-ca-install on an IPv6-enabled host is even worse off:

root : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir
`/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C /tmp/tmpQ_4Prsipa
root : DEBUG stdout=
root : DEBUG stderr=
creation of replica failed: The network address 2001:db8:abab:2::21 does
not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
root : DEBUG The network address 2001:db8:abab:2::21 does not match the
DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
File "/usr/sbin/ipa-ca-install", line 156, in <module>

Are these IPs pointing to the right hostnames?

rob
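The "network address ... does not match the DNS lookup" failure above is the installer refusing to proceed when an address the host intends to use (here an IPv6 address) has no matching record in DNS. The following is an added example, not FreeIPA's own code, that performs the same kind of forward-lookup consistency check so it can be run before ipa-ca-install or ipa-replica-install is attempted again. The DNS answers and /etc/hosts content are constructed sample data; the `resolve` callable is an assumption so the check runs offline, and the default `dns_lookup` does a live getaddrinfo on a real host. It does not cover reverse (PTR) lookups.

```python
"""Forward-DNS consistency check of the kind the IPA installers perform
before configuring a replica or CA (added example, not FreeIPA's code)."""
import ipaddress
import socket

# Constructed sample data (assumed, not from the post): DNS answers and an
# /etc/hosts file. Only an A record is published for ipa02, no AAAA.
SAMPLE_DNS = {
    "ipa01.ix.test.com": ["192.168.1.20"],
    "ipa02.ix.test.com": ["192.168.1.21"],
}
SAMPLE_HOSTS = """\
127.0.0.1            localhost
192.168.1.21         ipa02.ix.test.com ipa02
2001:db8:abab:2::21  ipa02.ix.test.com ipa02
"""


def parse_hosts(text):
    """Map hostname -> set of ip_address objects from /etc/hosts-style text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), set()).add(ipaddress.ip_address(addr))
    return table


def dns_lookup(hostname):
    """Live resolver: every A/AAAA answer for hostname (not used offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_addresses(hostname, local_addrs, resolve=dns_lookup, hosts_text=None):
    """Return a list of problem strings; an empty list means consistent.

    local_addrs: addresses this host expects to be registered under (v4 and v6).
    resolve:     callable hostname -> list of address strings (DNS).
    hosts_text:  optional /etc/hosts content to cross-check against DNS.
    """
    problems = []
    wanted = {ipaddress.ip_address(a) for a in local_addrs}
    try:
        dns = {ipaddress.ip_address(a) for a in resolve(hostname)}
    except (socket.gaierror, KeyError):
        return [f"{hostname} does not resolve at all"]
    # Every address we intend to use must come back from DNS; an IPv6 address
    # with no AAAA record is exactly the case that stops ipa-ca-install.
    for addr in sorted(wanted, key=lambda a: (a.version, a)):
        if addr not in dns:
            answers = ", ".join(str(a) for a in sorted(dns, key=str))
            record = "AAAA" if addr.version == 6 else "A"
            problems.append(
                f"The network address {addr} does not match the DNS lookup "
                f"{answers} for {hostname}: publish an {record} record or "
                f"stop using that address")
    # Addresses DNS hands out that this host does not own are also a problem.
    for addr in sorted(dns - wanted, key=str):
        problems.append(f"DNS returns {addr} for {hostname} but this host does not use it")
    # /etc/hosts may silently disagree with DNS; report that too.
    if hosts_text is not None:
        hosts = parse_hosts(hosts_text).get(hostname.lower(), set())
        for addr in sorted(hosts - dns, key=str):
            problems.append(
                f"/etc/hosts maps {hostname} to {addr}, which DNS does not return")
    return problems


if __name__ == "__main__":
    for msg in check_addresses("ipa02.ix.test.com",
                               ["192.168.1.21", "2001:db8:abab:2::21"],
                               resolve=lambda h: SAMPLE_DNS[h],
                               hosts_text=SAMPLE_HOSTS):
        print(msg)
```

Run against the sample data it reports the missing AAAA record for 2001:db8:abab:2::21 and the /etc/hosts line that DNS does not back up; on a live host, drop the `resolve` argument and pass the addresses from `ip addr` to check the real zone before re-running the installer.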

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
