On 29.6.2013 09:40, Joshua J. Kugler wrote:
We are trying to query an IPA server from a new IPA server (not replication,
just trying to query to recreate accounts).
But, when I run the query, I get this:
[root@ipan ~]# ipa -vvv -e xmlrpc_uri=https://ipa0.lab.whamcloud.com/ipa/xml
ipa: INFO: trying https://ipa0.lab.whamcloud.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server
ipa: ERROR: Service 'h...@ipa0.lab.whamcloud.com' not found in Kerberos
I've done some googling, and the answers I found had to do with DNS
issues, but I don't believe that is the cause in our case, because DNS lookups
seem to work:
[root@ipan ~]# host ipan.lab.whamcloud.com
ipan.lab.whamcloud.com has address 10.10.0.50
[root@ipan ~]# host ipa0.lab.whamcloud.com
ipa0.lab.whamcloud.com has address 10.10.0.4
[root@ipan ~]# host 10.10.0.50
18.104.22.168.in-addr.arpa domain name pointer ipan.lab.whamcloud.com.
[root@ipan ~]# host 10.10.0.4
22.214.171.124.in-addr.arpa domain name pointer ipa0.lab.whamcloud.com.
What config do I need to tweak on the new server to allow it to query the old
I guess that now you have two FreeIPA servers with different host names but
with the same FreeIPA domain and Kerberos REALM name, right? Please correct me
if I'm wrong.
This configuration can't work with Kerberos authentication. Authentication to
only one server will work at a time, because there is no reliable way to
find out which KDC (old or new) you should query.
IMHO the simplest way to work around this situation is to generate a list of
users etc. on the 'old' server, save the data to a file and transfer the files to
the new server. (And then decommission the old server.)
This will save you the pain caused by misconfigured Kerberos, but you will have
to solve the file parsing.
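One way to handle the file parsing the reply leaves to the reader, as an added example that is not from either author: take the output of `ipa user-find --all --raw` saved on the old server and turn each entry into an `ipa user-add` command for the new one. The sample export below is constructed, the attribute-to-option mapping covers only the standard `user-add` options, and note that `user-find` does not export password hashes, so recreated users get new passwords.

```python
import re
import shlex

# Constructed sample of `ipa user-find --all --raw` output (values made up).
SAMPLE_EXPORT = """\
--------------
2 users matched
--------------
  dn: uid=jdoe,cn=users,cn=accounts,dc=lab,dc=example,dc=com
  uid: jdoe
  givenname: John
  sn: Doe
  uidnumber: 1001
  gidnumber: 1001
  homedirectory: /home/jdoe
  loginshell: /bin/bash
  mail: jdoe@lab.example.com

  uid: asmith
  givenname: Alice
  sn: Smith
  uidnumber: 1002
  gidnumber: 1002
  loginshell: /bin/zsh
----------------------------
Number of entries returned 2
----------------------------
"""

# Raw LDAP attribute name -> `ipa user-add` option (assumed standard options).
ATTR_TO_OPTION = {
    "givenname": "--first", "sn": "--last", "uidnumber": "--uid",
    "gidnumber": "--gidnumber", "homedirectory": "--homedir",
    "loginshell": "--shell", "mail": "--email",
}
BANNER = re.compile(r"^(-+|\d+ users? matched|Number of entries returned \d+)$")

def parse_raw_users(text):
    """Split --raw output into one dict per entry; blank/banner lines end an entry."""
    users, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or BANNER.match(line):
            if current:
                users.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key.lower(), []).append(value)  # attrs may repeat
    if current:
        users.append(current)
    return users

def to_user_add(entry):
    """Build a shell-safe `ipa user-add` command for one parsed entry."""
    parts = ["ipa", "user-add", entry["uid"][0]]
    for attr, opt in ATTR_TO_OPTION.items():
        if attr in entry:
            parts.append("%s=%s" % (opt, entry[attr][0]))
    return " ".join(shlex.quote(p) for p in parts)
```

Run the generated commands on the new server with a valid admin ticket; entries are skipped only if their `uid` attribute is missing.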
Freeipa-users mailing list