On 29.6.2013 09:40, Joshua J. Kugler wrote:
We are trying to query an IPA server from a new IPA server (not replication,
just trying to query to recreate accounts).

But, when I run the query, I get this:

[root@ipan ~]# ipa -vvv -e xmlrpc_uri=https://ipa0.lab.whamcloud.com/ipa/xml user-show jkugler
ipa: INFO: trying https://ipa0.lab.whamcloud.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'https://ipa0.lab.whamcloud.com/ipa/xml'
ipa: ERROR: Service 'h...@ipa0.lab.whamcloud.com' not found in Kerberos database

I've done some googling, and the answers I found had to do with DNS
issues, but I don't believe that is the cause in our case, since DNS lookups
seem to work.

[root@ipan ~]# host ipan.lab.whamcloud.com
ipan.lab.whamcloud.com has address 10.10.0.50
[root@ipan ~]# host ipa0.lab.whamcloud.com
ipa0.lab.whamcloud.com has address 10.10.0.4
[root@ipan ~]# host 10.10.0.50
50.0.10.10.in-addr.arpa domain name pointer ipan.lab.whamcloud.com.
[root@ipan ~]# host 10.10.0.4
4.0.10.10.in-addr.arpa domain name pointer ipa0.lab.whamcloud.com.

What config do I need to tweak on the new server to allow it to query the old
server?

I guess that now you have two FreeIPA servers with different host names but with the same FreeIPA domain and Kerberos REALM name, right? Please correct me if I'm wrong.

This configuration can't work with Kerberos authentication. Authentication to only one server will work at a time, because there is no reliable way to find which KDC (old or new) you should query.

IMHO the simplest way to work around this situation is to generate a list of users etc. on the 'old' server, save the data to a file and transfer the files to the new server. (And then decommission the old server.)

This will save you the pain caused by misconfigured Kerberos, but you will have to solve file parsing.

--
Petr^2 Spacek

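One way to handle the "file parsing" step from the reply above, as an added example that is not part of the thread and not FreeIPA project code: the script below parses the human-readable output of `ipa user-find` (saved to a file on the old server) into per-user records and emits the matching `ipa user-add` commands to run on the new server. The sample output embedded in the script is constructed to mirror the usual `ipa user-find` layout (indented `Label: value` lines, blank-line separated entries, dashed banners) and is not taken from the thread; the label-to-option mapping covers only the common attributes and is an assumption you should check against `ipa user-add --help` on your version.

```python
"""Parse saved `ipa user-find` output and build `ipa user-add` commands.

Added example for the migrate-by-file workaround; the sample data is
constructed, not real output from either server in the thread.
"""
import re
import shlex

# Constructed sample of `ipa user-find --all > users.txt` (assumed layout).
SAMPLE_USER_FIND = """\
---------------
2 users matched
---------------
  User login: jkugler
  First name: Joshua
  Last name: Kugler
  Home directory: /home/jkugler
  Login shell: /bin/bash
  UID: 1001
  GID: 1001
  Email address: jkugler@example.com

  User login: svc-backup
  First name: Service
  Last name: Backup
  Home directory: /home/svc-backup
  Login shell: /sbin/nologin
  UID: 1002
  GID: 1002
----------------------------
Number of entries returned 2
----------------------------
"""

# Assumed mapping from `ipa user-find` labels to `ipa user-add` options.
FIELD_TO_OPTION = {
    "First name": "--first",
    "Last name": "--last",
    "Home directory": "--homedir",
    "Login shell": "--shell",
    "UID": "--uid",
    "GID": "--gidnumber",
    "Email address": "--email",
}


def parse_user_find(text):
    """Return a list of dicts, one per user entry.

    Entries are the two-space-indented 'Label: value' blocks; a blank line
    or a banner/summary line (no indent) closes the current entry.
    """
    users, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^\s{2}([^:]+):\s*(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
            continue
        if current:  # blank line or banner ends the entry
            users.append(current)
            current = {}
    if current:
        users.append(current)
    return users


def user_add_commands(users):
    """Build one `ipa user-add` command per parsed user.

    Every value is shell-quoted so a name containing spaces, quotes or
    metacharacters cannot change the generated command line.
    """
    commands = []
    for u in users:
        login = u.get("User login")
        if not login:
            continue  # malformed entry: skip rather than guess a login
        parts = ["ipa", "user-add", shlex.quote(login)]
        for label, option in FIELD_TO_OPTION.items():
            if label in u:
                parts.append(f"{option}={shlex.quote(u[label])}")
        commands.append(" ".join(parts))
    return commands


if __name__ == "__main__":
    for cmd in user_add_commands(parse_user_find(SAMPLE_USER_FIND)):
        print(cmd)
```

Run it against `users.txt` copied from the old server and review the generated commands before executing them on the new one. Note that this recreates accounts only: Kerberos keys and passwords never leave the old KDC, so every migrated user needs a new password set on the new server, and group memberships (`ipa group-find`) would need a similar pass.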
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users