Petr, I'll try another replica for testing tomorrow, and unfortunately the logs were purged when I reinstalled. The error message was not helpful and said something along the lines of CA installation failed, but did not list any reason. I'll get you the exact message tomorrow. I'll also try some more network tests as I have all of the ports that you listed plus some additional Dogtag ports, which I've come to understand are now proxied through 7389.
> Patches are welcome :-) Yes, you've got me. ;) I'll review the Firewalld packaging in more detail and try to come up with a workable solution. It's not currently possible to do meta-services in firewalld, and I'm sure the FreeIPA developers don't want a hard dependency on firewalld via a hypothetical freeipa-server-firewalld dependency. I'm sure some solution is possible -- maybe even just in the documentation. Thanks, Justin On Thu, Apr 3, 2014 at 2:25 AM, Petr Spacek <pspa...@redhat.com> wrote: > On 3.4.2014 07:55, Justin Brown wrote: >> >> I'm having some trouble determining which ports my servers need open >> to communicate and what ports client servers and users will need. The >> last documentation that I was able to find was included in Fedora 15 >> >> (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html). > > http://www.freeipa.org/page/Documentation > is the ultimate source of documentation. > > Latest documentation build is on > http://www.freeipa.org/docs/master/html-desktop/index.html > > >> I opened those ports with firewalld, but I encountered errors when >> joining my replica server. (I retried the replica install with >> firewalld, and it succeeded, so it's clearly a problem with the >> firewall settings.) >> >> I'm joining the wave of the future, so please excuse the firewalld >> XML, but it should be pretty obvsious. All of the services are built >> into firewalld, except "dogtag", which I made myself and is defined at >> the end. > > > ipa-replica-conncheck utility should tell you what is missing. > > >> On a side note, it would be nice if the firewalld packagers included a >> freeipa-server service (nudge nudge). > > > Patches are welcome :-) > > -- > Petr^2 Spacek _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users