After being unable to rescue my old freeipa installation, I installed a new machine from scratch and imported the user data from the old installation (so I could get rid of the separate PKI dirserv, too). That worked fine.

Then I prepared a replica, and installed the replica on the old machine (after first running ipa-server-install --uninstall). The installation completed without error message.

The replica however has a few issues:

- GSSAPI authentication to the directory service doesn't work:

# ldapsearch -D "cn=Directory Manager" -W \*
returns a few hundred records, however
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:

Valid starting       Expires              Service principal
01/16/2014 14:14:51  01/17/2014 14:14:47  krbtgt/
01/16/2014 14:14:54  01/17/2014 14:14:47 HTTP/
01/16/2014 14:15:22  01/17/2014 14:14:47 ldap/

# ldapsearch -Y GSSAPI \*
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/ not found in Kerberos database)

The localdomain apparently comes from /etc/hosts:

        localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6    replica    master

I tried to comment out the first two entries, which made it want to use ldap/, which failed too.

krb5.keytab looks the same on both the master and the replica, with the exception that the replica lacks the host key for the camellia*-cts-cmac cipher.

- When I use the web server of the replica and click on Identity->Certificates, I get: IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS ([Errno 113] No route to host)

This same operation on the master works. Is this supposed to be like this?

- Is there a more up to date description of how to make a replica a master? The Fedora 15 documentation seems to have gathered some dust...
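A check for the /etc/hosts situation described above, added here as an example and not part of the original post: it reads a hosts file and reports the canonical name a Kerberos client will derive for a host (glibc returns the first name on the matching /etc/hosts line when it canonicalizes, which is how a name ending in localdomain ends up in the service principal), and flags hosts that sit on a loopback line. The IP addresses and the sample file are constructed, since the post's copy of /etc/hosts lost them.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Given a hosts file and a host
# name, print the canonical name a Kerberos client will use for it (the first
# name on the matching line) and say whether the host sits on a loopback line.
# HOSTS_SAMPLE is constructed to mirror the post; its IP addresses are assumed.

HOSTS_SAMPLE='127.0.0.1   localhost.localdomain   localhost   localhost4
::1   localhost6.localdomain6   localhost6   replica   master'

# canonical_name FILE HOST -> prints the first name on the line listing HOST
canonical_name() {
    awk -v h="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $2; exit } }' "$1"
}

# loopback_alias FILE HOST -> exit 0 when HOST is listed on a 127.x or ::1 line
loopback_alias() {
    awk -v h="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        ($1 ~ /^127\./ || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i == h) found = 1
        }
        END { exit !found }' "$1"
}

# check_host FILE HOST -> prints a one-line verdict for HOST
check_host() {
    name=$(canonical_name "$1" "$2")
    if [ -z "$name" ]; then
        echo "$2: not in $1 (DNS alone decides the canonical name)"
    elif loopback_alias "$1" "$2"; then
        echo "$2: on a loopback line, GSSAPI will canonicalize it to $name"
    else
        echo "$2: canonical name $name"
    fi
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$HOSTS_SAMPLE" > "$tmp"
check_host "$tmp" replica
check_host "$tmp" master
check_host "$tmp" other.example.test
rm -f "$tmp"
```

Run it against the real file with `check_host /etc/hosts "$(hostname -f)"`; a host that canonicalizes to a localhost name is the same symptom the post shows.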


Freeipa-users mailing list