Shree wrote:
Rob
I am giving it a fresh start and I notice similar issues.

1) I wasn't able to use the "--setup-ca" while running the
ipa-replica-install on the replica. It stopped the install after the
ntpd step, see below.

Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

This is left over from a previous failed installation. If the CA install fails early enough we don't log the fact that it was installed so the uninstall doesn't clean it up.

2) So I tried my install command again without the --setup-ca option. It
went further. Although it completed, it showed one error, see below.

  MY COMMAND: --> ipa-replica-install /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
The skip-conncheck was needed to complete the install. Connection
checks were manually done.
   [14/31]: configuring lockout plugin
   [15/31]: creating indices
   [16/31]: enabling referential integrity plugin
   [17/31]: configuring ssl for ds instance
ipa         : ERROR    certmonger failed starting to track certificate:
Command '/usr/bin/ipa-getcert start-tracking -d
/etc/dirsrv/slapd-MYDOMAIN.COM -n Server-Cert -p
/etc/dirsrv/slapd-MYDOMAIN.COM/pwdfile.txt -C
/usr/lib64/ipa/certmonger/restart_dirsrv MYDOMAIN.COM' returned non-zero
exit status 1
   [18/31]: configuring certmap.conf
   [19/31]: configure autobind for root
.........................................

Without logs there is no way to diagnose. This could leave you in a situation where the certificate fails to renew in 2 years and IPA suddenly stops working.

3) The replica installed fine; I can access the same database from the
replica's website.

4) I cannot add new clients.
MY COMMAND: --> ipa-client-install --domain=mydomain.com --server=ldap2.mydomain.com --hostname=test500.mydomain.com -d

ldap.mydomain.com = master
ldap2.mydomain.com = replica

No idea without seeing the logs.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
