On 17.1.2014 12:44, Thomas Sailer wrote:
After being unable to rescue my old freeipa installation, I installed a new
machine from scratch and imported the user data from the old installation (so
I could get rid of the separate PKI dirserv, too). That worked fine.

Then I prepared a replica, and installed the replica on the old machine (after
first running ipa-server-install --uninstall). The installation completed
without error message.

The replica however has a few issues:

- GSSAPI authentication to the directory service doesn't work:

# ldapsearch -D "cn=Directory Manager" -W \*
returns a few hundred records, however
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@xxxx.com

Valid starting       Expires              Service principal
01/16/2014 14:14:51  01/17/2014 14:14:47  krbtgt/xxxx....@xxxx.com
01/16/2014 14:14:54  01/17/2014 14:14:47 HTTP/replica.xxxx....@xxxx.com
01/16/2014 14:15:22  01/17/2014 14:14:47 ldap/replica.xxxx....@xxxx.com

# ldapsearch -Y GSSAPI \*
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Server
krbtgt/localdom...@xxxx.com not found in Kerberos database)

The LOCALDOMAIN part should be equal to the REALM (after @). Is it the same and the difference came from your obfuscation or not?

Does kdestroy && kinit work?

Anyway, I would double check DNS (including reverse records for all involved machines) and the data in /etc/krb5.conf.

The localdomain apparently comes from /etc/hosts:
127.0.0.1       localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6
192.168.1.2             replica.xxxx.com replica
192.168.1.3             master.xxxx.com master

I tried to comment out the first two entries, which made it want to use
ldap/localh...@xxxx.com, which failed too.

krb5.keytab looks the same on both the master and the replica, with the
exception that the replica lacks the host key for the camellia*-cts-cmac cypher.

- When I use the web server of the replica and click on
Identity->Certificates, I get:
IPA Error 4301: Certificate operation cannot be completed: Unable to
communicate with CMS ([Errno 113] No route to host)

This same operation on the master works. Is this supposed to be like this?
I suspect firewall on the replica. Did you open all the ports in the same way as on the first server?

See
http://adam.younglogic.com/2013/03/iptables-rules-for-freeipa/

- Is there a more up to date description of how to make a replica a master?
The fedora15 documentation seems to have gathered some dust...

Replicas will be equal if you install CA to all servers. The only difference is that one of them generates CRL and renews CA certificates.

You can move CRL generation from one server to another, see:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Have a nice day!

--
Petr^2 Spacek
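As an added illustration (not code from the thread, from FreeIPA or from MIT Kerberos) of why the client ended up asking for krbtgt/LOCALDOMAIN: a small Python model of how the hosts file and the [domain_realm] mapping turn the LDAP target (ldapsearch without -H talks to localhost) into a service principal and, when the realm differs from the client's, a cross-realm TGT request. The [domain_realm] entries, the default realm and the replica's FQDN are assumptions; the hosts table is a constructed copy of the one quoted above.

```python
# Constructed sample, modelled on the /etc/hosts shown in the thread.
HOSTS = """\
127.0.0.1       localhost.localdomain   localhost       localhost4
::1     localhost6.localdomain6 localhost6
192.168.1.2             replica.xxxx.com replica
192.168.1.3             master.xxxx.com master
"""
# Assumed [domain_realm] section of the replica's /etc/krb5.conf (not quoted in the thread).
DOMAIN_REALM = {".xxxx.com": "XXXX.COM", "xxxx.com": "XXXX.COM"}
DEFAULT_REALM = "XXXX.COM"  # assumed client realm


def parse_hosts(text):
    """Return (address, [names...]) tuples, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1:]))
    return entries


def canonicalize(name, hosts):
    """Forward-resolve `name`, then reverse-resolve the address: the first name on
    the matching hosts line is what the reverse lookup (PTR equivalent) hands back."""
    for _addr, names in hosts:
        if name in names:
            return names[0]
    return name  # unknown to /etc/hosts: the client keeps the name as given


def host_realm(fqdn, domain_realm, default_realm):
    """Realm for a host: exact [domain_realm] entry, then longest '.suffix' entry,
    else the upper-cased parent domain (the fallback that yields LOCALDOMAIN);
    a single-label name falls back to the default realm."""
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else default_realm


def gssapi_targets(ldap_host, hosts_text, domain_realm, client_realm):
    """Return (canonical host, ldap/ service principal, cross-realm TGT needed or None)."""
    fqdn = canonicalize(ldap_host, parse_hosts(hosts_text))
    realm = host_realm(fqdn, domain_realm, client_realm)
    service = f"ldap/{fqdn}@{realm}"
    tgt = None if realm == client_realm else f"krbtgt/{realm}@{client_realm}"
    return fqdn, service, tgt
```

With the quoted hosts table, `gssapi_targets("localhost", ...)` yields the ldap/localhost.localdomain@LOCALDOMAIN principal and the krbtgt/LOCALDOMAIN@XXXX.COM request the KDC rejected, while `gssapi_targets("replica.xxxx.com", ...)` yields the ldap/replica.xxxx.com@XXXX.COM principal that klist already shows a ticket for.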

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users