On 06/08/2016 11:05 AM, Cal Sawyer wrote:
>
> On 08/06/16 09:23, Martin Kosek wrote:
>> On 06/07/2016 04:10 PM, Cal Sawyer wrote:
>> ...
>>> I found that installing a replica with firewalld enabled would consistently
>>> fail during initial replication. Disabling firewalld always allowed
>>> replication and later stages to complete.
>>>
>>>   [24/38]: setting up initial replication
>>>   Starting replication, please wait until this has completed.
>>>
>>>   [ipa.localdomain.local] reports: Update failed! Status: [-1 - LDAP error:
>>>   Can't contact LDAP server]
>> This is strange. ipa-replica-install should have run the conncheck to exactly
>> prevent issues like this. Did you by any chance run ipa-replica-install with
>> the --skip-conncheck option?
>>
> Yes, I did.

There you go - pure PEBKAC :-)

> Why, I can't recall now, but I just started using it. Once I'd
> discovered firewalld was causing the connection problem, I neglected to stop
> using it.
> Of course, once a replica is installed and working, there's little cause to
> want to redo it to test conncheck's effectiveness. Might throw together
> another, though, just to put my mind at ease.

For the record, you can also run ipa-replica-conncheck outside ipa-replica-install.

>>> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core)
>>> with ipa-server-4.2.0-15.0.1.el7
>>>
>>> One other thing. If, during ipa-replica-install, you choose the default answer
>>> to the following:
>>>
>>>   Existing BIND configuration detected, overwrite? [no]:
>>>   ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting installation.
>>>
>>> Not sure if that is intended? Which BIND configuration is being detected?
>> This should only be triggered if you install the replica with DNS (--setup-dns).
>>
> Sorry - yes, I did use --setup-dns. I might have bothered to include the
> ipa-replica-install command line I used. Still, that is what I got if I
> answered No to the question.
> Seems like it's the wrong default answer to the question in a --setup-dns
> scenario?

Yes. This means you do not want the installer to modify and update named.conf for
FreeIPA, i.e. it cannot install the FreeIPA DNS module and has to abort.

>>> Anyhow, up and running with 4 replicas, 2 of which will be split off to a
>>> failover instance of ESXi in the future. When it works, it's a joy.
>>>
>>> Now back to getting these Mac clients to play nicely with IPA ...
>>>
>>> Thanks for the help and advice.
>> Thanks for sharing the results.
>> Martin
>>
