Jim Kinney wrote:
> I'm running freeipa 3.0 with multimaster between 3 machines. The first
> system, the original installation machine and thus the keeper of the
> CA, etc, is not replicating with the other two. The other two are fine.
> Additionally, the original machine is no longer using the freeIPA
> running on it for authentication services.
> Examples: I created a new user on the first machine using ipa user-add
> .... and the other two systems didn't pick it up (even after an
> overnight wait). So I thought it was not created. I then tried to create
> the user again but on #2 machine on the web gui. It refused saying the
> private group of that user already existed. It did not error about the
> username. So I went to #1 and deleted the user. Back to #2 to create the
> user and #3 picked it up within a minute. But #1 picked it up this time.
> From #1, running id on any user in the system returns a "No such
> user". But when I go to the gui on #1, I can find users. The #1 system
> has files sss in nsswitch for passwd, shadow, group, services, netgroup
> as do #2 and #3.
> When I set up #2, I ran the ipa-ca-install on the generated file from the
> #1 machine. So I think #2 now has the CA for my department. When I tried
> to set up #3 by using #1 as the master, it would not connect/complete
> back to #1. I replicated from #2 and it worked.
> It's been several months (10+ or so) since I set up the #1 machine and
> #2 was about 2 days after it. I don't know if #1 always didn't use
> freeIPA for authentication or not.
> #1 and #2 are CentOS 6.5. #3 is CentOS 7 and freeIPA 3.3. I was
> concerned that the version mismatch would be an issue but it seems to
> work well between #2 and #3.
> Clearly, if I add a user now, I use #2 or #3. I can get by with not
> messing around with #1 and it's just for master CA needs.
> Oh. I have all three in DNS and #1 and #2 are DNS servers. #3 is in a
> separate network segment and exists to provide auth services in the
> (likely) event a network link goes down between that location and the
> main stack.
On each master I'd run:
# ipa-replica-manage list -v `hostname`
This will give you the replication status on each.