On 08/06/16 09:23, Martin Kosek wrote:
On 06/07/2016 04:10 PM, Cal Sawyer wrote:
I found that installing a replica with firewalld enabled would consistently fail
during initial replication.  Disabling firewalld always allowed replication and
later stages to complete

        [24/38]: setting up initial replication
     Starting replication, please wait until this has completed.

     [ipa.localdomain.local] reports: Update failed! Status: [-1  - LDAP error:
     Can't contact LDAP server]
This is strange. ipa-replica-install should have run the conncheck to exactly
prevent issues like this. Did you by any chance run ipa-replica-install with
--skip-conncheck option?

Yes, i did. Why i can't recall now but i just started using it. Once i'd discovered firewalld was causing the connection problem, i neglected to stop using it Of course, once a replica is installed and working, there's little cause to want to redo it to test conncheck's effectiveness. Might throw together another, though, just to put my mind at ease

The first master and all replicas are all CentOS Linux release 7.2.1511 (Core)
with ipa-server-4.2.0-15.0.1.el7

One other thing.  if, during ipa-replica-install,+ you choose the default answer
to the following:

Existing BIND configuration detected, overwrite? [no]:
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Aborting installation.

Not sure if that is intended?  Which BIND configuration is being detected?
This should be only trigged if you install replica with DNS (--setup-dns)

Sorry - yes, i did use --setup-dns . I might have bothered to include the ipa-replica-install command line i used. Still, that is what i got if i answered No to the question. Seems like it's the wrong default answer to the question in a --setup-dns scenario?
Anyhow, up and running with 4 replicas, 2 of which will be split off to a
failover instance of ESXi in the future.  When it works, it's a joy

Now back to getting these Mac clients to play nicely with IPA ...

thanks for the help and advice
Thanks for sharing the results.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to