After being unable to rescue my old FreeIPA installation, I installed a new machine from scratch and imported the user data from the old installation (so I could get rid of the separate PKI dirserv, too). That worked fine.

Then I prepared a replica, and installed the replica on the old machine (after first running ipa-server-install --uninstall). The installation completed without error message.

The replica however has a few issues:

- GSSAPI authentication to the directory service doesn't work:

# ldapsearch -D "cn=Directory Manager" -W \*
returns a few hundred records, however
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@xxxx.com

Valid starting       Expires              Service principal
01/16/2014 14:14:51  01/17/2014 14:14:47  krbtgt/xxxx....@xxxx.com
01/16/2014 14:14:54  01/17/2014 14:14:47 HTTP/replica.xxxx....@xxxx.com
01/16/2014 14:15:22  01/17/2014 14:14:47 ldap/replica.xxxx....@xxxx.com

# ldapsearch -Y GSSAPI \*
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/localdom...@xxxx.com not found in Kerberos database)

The localdomain apparently comes from /etc/hosts:
127.0.0.1       localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6
192.168.1.2             replica.xxxx.com replica
192.168.1.3             master.xxxx.com master

I tried to comment out the first two entries, which made it want to use ldap/localh...@xxxx.com, which failed too.

krb5.keytab looks the same on both the master and the replica, with the exception that the replica lacks the host key for the camellia*-cts-cmac cipher.

- When I use the web server of the replica and click on Identity->Certificates, I get: IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS ([Errno 113] No route to host)

This same operation on the master works. Is this supposed to be like this?

- Is there a more up to date description of how to make a replica a master? The Fedora 15 documentation seems to have gathered some dust...

Thanks,
Tom

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
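Added example, not code from the thread or from FreeIPA: a simplified model of how a GSSAPI client turns the host it connects to into a service principal, run over the /etc/hosts table quoted in the post. Canonicalization is modelled as "resolve the name in /etc/hosts, then take the first name listed for that address", which is the assumption behind the check; the realm XXXX.COM is a constructed stand-in for the redacted domain.

```python
# Constructed copy of the /etc/hosts shown in the post (domain redacted there too).
HOSTS = """\
127.0.0.1       localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6
192.168.1.2             replica.xxxx.com replica
192.168.1.3             master.xxxx.com master
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_hosts(text):
    """Return (name -> address, address -> canonical name) for a hosts file.

    The canonical name of an address is the first name on its line, which is
    what a reverse lookup against /etc/hosts hands back.
    """
    name_to_addr, addr_to_canon = {}, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank, comment-only, or address without names
        addr, names = parts[0], parts[1:]
        addr_to_canon.setdefault(addr, names[0])
        for name in names:
            name_to_addr.setdefault(name, addr)
    return name_to_addr, addr_to_canon


def service_principal(service, host, realm, hosts_text=HOSTS):
    """Principal the client asks the KDC for after canonicalizing `host`
    (assumed model: forward lookup, then canonical name of that address)."""
    name_to_addr, addr_to_canon = parse_hosts(hosts_text)
    addr = name_to_addr.get(host)
    canon = addr_to_canon[addr] if addr else host  # unresolvable names stay as typed
    return f"{service}/{canon}@{realm}"


def check_replica_hosts(fqdn, hosts_text=HOSTS):
    """Hypothetical preflight lint: the replica's FQDN must resolve to a
    non-loopback address and be the canonical name for that address."""
    name_to_addr, addr_to_canon = parse_hosts(hosts_text)
    addr = name_to_addr.get(fqdn)
    if addr is None:
        return [f"{fqdn} has no /etc/hosts entry"]
    if addr.startswith(LOOPBACK_PREFIXES):
        return [f"{fqdn} maps to loopback address {addr}"]
    if addr_to_canon[addr] != fqdn:
        return [f"{fqdn} is not the canonical name for {addr}"]
    return []
```

Connecting as "localhost" yields a principal for localhost.localdomain that is in no keytab, while connecting by the replica's FQDN yields the ldap/replica.xxxx.com principal that klist in the post already shows.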