On 02/12/2014 02:09 PM, Shree wrote:
Rob
I really appreciate your help; please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there.

[1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
This ended with:
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

[2] So I did a pkiremove with the following command:
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force

[3] Re-ran the ipa-replica-install command from step 1.
The install went a little further but ended as shown below.

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .................
...........................
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

If I skip the "--setup-ca" option then the replica gets created without any CA services. The "master" and "replica" are in sync but I am unable to run an ipa-client-install using the replica. Now I need to fix this to get a replica in place correctly.


Shreeraj
----------------------------------------------------------------------------------------


On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Shree wrote:
> OK I thought CA is a part of IPA ? Below is from my master IPA server
>
> [root@ldap ~]# ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [root@ldap ~]#
>
> I can certainly send you a log if needed.

It is part of IPA but the IPA server talks to it, not the clients directly.

I can only speculate what the client is doing without seeing the log
files, but I suspect both masters are in DNS and IPA is trying to enroll
to the initial master which isn't available.

rob

> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Shree wrote:
> > Peter
> > Actually I mentioned earlier that my clients are in a separate VLAN and
> > cannot access the master. We have made provisions for the master and the
> > replica to sync by opening the needed ports in the firewall. We have
> > also opened up ports between the clients and the replica. I have tested
> > the connectivity for these ports.
> > Perhaps you can tell me if what I am trying to achieve is even possible?
> > i.e.
> > I seem to get stuck with making the replica with the "--setup-ca"
> > option. Without that option I am able to create a replica and have it in
> > sync with the master. However my ipa-client-install fails from clients
> > as they try looking for the master for the CA part of the install.
>
> Clients don't talk to the CA, they talk to an IPA server which talks to
> the CA.
>
> I think we need to see /var/log/ipaclient-install.log to see what is
> going on.
>
> rob
>
> > Shreeraj
> >
> > ----------------------------------------------------------------------------------------
> >
> >
> > Change is the only Constant !
> >
> >
> > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <pspa...@redhat.com> wrote:
> > On 11.2.2014 23:53, Shree wrote:
> >
> > > The following ports are opened between:
> > > 1) the master and the replica (bidirectional)
> > > 2) the client machine and the ipa replica (unidirectional).
> > > When the replica was up it worked fine as far as syncing was
> > > concerned.
> > >
> > >  80 tcp
> > >  443 tcp
> > >  389 tcp
> > >  636 tcp
> > >  88 tcp
> > >  464 tcp
> > >  88 udp
> > >  464 udp
> > >  123 udp
> > >
> > > Shreeraj
> > >
> > > ----------------------------------------------------------------------------------------
> > >
> > > Change is the only Constant !
> > >
> > >
> > >
> > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <d...@redhat.com> wrote:
> > >
> > > On 02/11/2014 05:05 PM, Shree wrote:
> > >> Dimitri
> > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your
> > >> questions (thanks for your help man)
> > > Please republish it on the list.
> > > Do not reply to me directly.
> > >
> > > Did you set your first server up with the CA? Are all the ports that need
> > > to be open in the firewall between the primary and the server actually
> > > open?
> > >
> > >
> > >
> > >>
> > >> What I have done so far is uninstalled the replica and tried to
> > >> install it again using the "--setup-ca" option. Previously I had
> > >> failures and when I removed the "--setup-ca" option the installation
> > >> succeeded (in a way). I understand now that I really need to fix the CA
> > >> installation errors first.
> > >>
> > >>
> > >> 1) The workaround helped me go forward a bit but I got stuck at this
> > >> point, see below
> > >> ===========
> > >>    [1/3]: creating directory server user
> > >>    [2/3]: creating directory server instance
> > >>    [3/3]: restarting directory server
> > >> Done configuring directory server for the CA (pkids).
> > >> ipa        : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
> > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> > >>    [1/17]: creating certificate server user
> > >>    [2/17]: creating pki-ca instance
> > >>    [3/17]: configuring certificate server instance
> > >> ipa        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
> > >> ===========
> > >> 2) No, we do not use IPA for a DNS server.
> > >>
> > >>
> > >> 3) The reason for this could be that I had installed the replica
> > >> without the "--setup-ca".
> > >>
> > >> Shreeraj
> > >>
> > >>
> > >> ----------------------------------------------------------------------------------------
> > >>
> > >>
> > >>
> > >> Change is the only Constant !
> > >>
> > >>
> > >>
> > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <d...@redhat.com> wrote:
> > >>
> > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
> > >>> Shree wrote:
> > >>>> Lukas
> > >>>> Perhaps I should explain the design a bit and see if FreeIPA even
> > >>>> supports this. Our replica is in a separate network and all the
> > >>>> appropriate ports are opened between the master and the replica. The
> > >>>> "replica" got created successfully and is in sync with the master
> > >>>> (except the CA services which I mentioned earlier)
> > >>>> Now, when I try to run ipa-client-install on hosts in the new network
> > >>>> using the replica, it complains about "Cannot contact any KDC for
> > >>>> realm".
> > >>>> I am wondering if my hosts in the new network are trying to access the
> > >>>> "master" for certificates since the replica does not have any CA
> > >>>> services running? I couldn't find any obvious proof of this even running
> > >>>> the install in a debug mode. Do I need to open ports between the new
> > >>>> hosts and the master for CA services?
> > >>>> At this point I cannot disable or move the master, it needs to function
> > >>>> in its location but I need
> > >>>
> > >>> No, the clients don't directly talk to the CA.
> > >>>
> > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC
> > >>> was found and we were trying to use. If you have SRV records for both
> > >>> but we try to contact the hidden master this will happen. You can try
> > >>> specifying the server on the command-line with --server but this will
> > >>> be hardcoding things and make it less flexible later.
> > >>>
> > >>> rob
> > >>>
> > >>>> Shreeraj
> > >>>>
> > >>>> ----------------------------------------------------------------------------------------
> > >>>>
> > >>>>
> > >>>>
> > >>>> Change is the only Constant !
> > >>>>
> > >>>>
> > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> > >>>> On (06/02/14 18:33), Shree wrote:
> > >>>>
> > >>>>> First of all, the ipa-replica-install did not allow me to use
> > >>>>> the --setup-ca option complaining that a cert already exists; replica
> > >>>>> creation was successful after I skipped the option.
> > >>>>> Seems like the replica is one except
> > >>>>> 1) There is no CA Service running on the replica (which I guess is
> > >>>>> expected)
> > >>>>> and
> > >>>>> 2) I am unable to run ipa-client-install successfully on any clients
> > >>>>> using the replica. (I don't have the option of using the primary master
> > >>>>> as it is configured in a segregated environment. Only the master and
> > >>>>> replica are allowed to sync.)
> > >>>>> Debug shows it fails at
> > >>>>>
> > >>>>> ipa        : DEBUG    stderr=kinit: Cannot contact any KDC for realm
> > >>>>> 'mydomainname.com' while getting initial credentials
> > >>>>
> > >>>>>
> > >>>>>
> > >>>>
> > >>>> I was not able to install a replica with CA on Fedora 20.
> > >>>> The bug is already reported: https://fedorahosted.org/pki/ticket/816
> > >>>>
> > >>>> Guys from dogtag found a workaround
> > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
> > >>>>
> > >>>> Does it work for you?
> > >>>>
> > >>>> LS
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> _______________________________________________
> > >>>> Freeipa-users mailing list
> > >>>> Freeipa-users@redhat.com
> > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >>>>
> > >>>
> > >>
> > >> What server provides DNS capabilities to the clients?
> > >> Do you use IPA DNS or some other DNS?
> > >> Clients seem to not be able to see the replica KDC and try to access the
> > >> hidden master, but they can know about this master only via DNS.
> >
> >
> > Shree, make sure that command
> > $ dig -t SRV _kerberos._udp.ipa.example
> > on the client returns both IPA servers (in ANSWER section).
> >
> > --
> > Petr^2 Spacek
> >
> >
> >
> >
> >
> >
>
>
>





I suggest that you temporarily try to install a client in place of the replica and see why it does not install. The log above suggests that certmonger, which is a part of the replica, fails to connect to the first master. We need to understand the reason why it fails. Then we would be able to make your replica be a CA. I suspect that CA-related communication between the replica and the master is not going through for some reason.
The install log would be really helpful.
Please see
http://www.freeipa.org/page/Troubleshooting to collect the right logs.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
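Petr's `dig -t SRV _kerberos._udp...` check and Rob's advice to read /var/log/ipaclient-install.log for the KDC that was actually tried can be combined into one offline check. The script below is an example added to this thread; it is not FreeIPA code and not something any of the posters ran. It assumes a placeholder zone `ipa.example` with KDCs `ldap`, `ldap2` and a lower-preference `ldap3` (the dig output and log excerpt are constructed inline, the log line reusing the kinit message quoted above), and the helper names `parse_srv_answers`, `diagnose` and `kdc_failure_realms` are my own. It orders the advertised KDCs the way a Kerberos client tries them (priority, then weight) and flags any that the client's VLAN cannot reach, which is exactly the "hidden master" situation Rob and Dmitri describe.

```python
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

# Constructed sample in the shape that `dig -t SRV _kerberos._udp.ipa.example`
# prints; zone and host names are placeholders, not the hosts from the thread.
# ldap3 is a lower-preference backup KDC listed first in DNS order on purpose.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;_kerberos._udp.ipa.example.   IN   SRV

;; ANSWER SECTION:
_kerberos._udp.ipa.example. 86400 IN SRV 10 50 88 ldap3.ipa.example.
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ldap.ipa.example.
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ldap2.ipa.example.

;; Query time: 1 msec
"""

# Constructed ipaclient-install.log excerpt, reusing the kinit message quoted
# earlier in the thread with a placeholder realm.
SAMPLE_CLIENT_LOG = """\
ipa        : DEBUG    args=kinit host/client1.ipa.example@IPA.EXAMPLE
ipa        : DEBUG    stderr=kinit: Cannot contact any KDC for realm 'IPA.EXAMPLE' while getting initial credentials
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)
KDC_ERROR = re.compile(r"Cannot contact any KDC for realm '([^']+)'")


def parse_srv_answers(dig_output):
    """Extract SRV records from the ANSWER SECTION of dig output and order
    them the way a Kerberos client tries them: lowest priority first, then
    higher weight first (ties keep DNS order)."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
        if not in_answer:
            continue
        m = SRV_LINE.match(line)
        if m:
            records.append(SrvRecord(
                m["name"], int(m["ttl"]), int(m["priority"]), int(m["weight"]),
                int(m["port"]), m["target"].rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def diagnose(dig_output, reachable_hosts):
    """Compare the KDCs DNS advertises with the hosts the client can reach.

    Returns (verdict, ordered_targets, unreachable_targets). 'partial' is the
    hidden-master case: DNS hands out a KDC behind a firewall the client cannot
    cross, so enrollment may pick it and fail with "Cannot contact any KDC"."""
    records = parse_srv_answers(dig_output)
    targets = [r.target for r in records]
    unreachable = [t for t in targets if t not in reachable_hosts]
    if not records:
        verdict = "no-srv"
    elif len(unreachable) == len(records):
        verdict = "all-unreachable"
    elif unreachable:
        verdict = "partial"
    else:
        verdict = "ok"
    return verdict, targets, unreachable


def kdc_failure_realms(log_text):
    """Realms for which ipaclient-install.log recorded a KDC contact failure."""
    return [m.group(1) for m in KDC_ERROR.finditer(log_text)]


if __name__ == "__main__":
    # Scenario from the thread: DNS advertises every server, but from the
    # client VLAN only the replica (ldap2) is reachable.
    verdict, order, bad = diagnose(SAMPLE_DIG_OUTPUT, {"ldap2.ipa.example"})
    print("KDCs in try order:", order)
    print("verdict:", verdict, "unreachable:", bad)
    print("realms with KDC failures in log:", kdc_failure_realms(SAMPLE_CLIENT_LOG))
```

Run it against real input by replacing the two constructed strings with the output of `dig -t SRV _kerberos._udp.<your domain>` taken on the client and the contents of its /var/log/ipaclient-install.log, and by putting in `reachable_hosts` the servers whose firewall ports are actually open from that client. A `partial` verdict with the hidden master in the unreachable list is the case where `--server` on the command line would work around the problem, at the cost of hardcoding as Rob notes.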


