On Mon, Feb 27, 2017 at 5:56 AM, Standa Laznicka <slazn...@redhat.com> wrote:
> Sorry for the hold up. Two questions - is this domain level 1 or 0 (you can
> run `ipa domainlevel-get` on the master if you don't know)? Did you have a
> client installed prior to ipa-replica-install?

It's level 1. I did have a couple clients installed, and the machine I was trying to promote to a replica was one of them. This whole instance is a testing instance, with live data but not in production, while I make sure everything works as expected before I deploy it, so the servers and their data are new as of a couple weeks ago and began life as a RHEL7.3 install.

It seems there might be two issues here; the one I originally reported was that the ipa-server packages installed on a client machine are unable to talk to the server, even though it obviously knows what the server is (the "unsupported format" error I originally shared). The second is with setting up a replica in general. I had tried the various methods outlined in the Red Hat IdM documentation, including promoting a client via an administrator's TGT, adding the client to the ipaservers group on the server, etc.

What did finally work was unprovisioning the client, setting a one-time password, and running "ipa-replica-install -v --domain=astro.princeton.edu --server=ipa.astro.princeton.edu --realm=ASTRO.PRINCETON.EDU --hostname=syrinx.astro.princeton.edu --setup-ca -p foobar" - this yielded a fully working replica when it finished. All of the previous failures happened in the same way as mentioned before - it seems to unprovision the client for some reason, then fail in reprovisioning it.

One problem which has cropped up before and caused problems is with DNS capitalization. DNS reports the domain name of "Princeton.EDU" for hosts here, which means in order to do just about anything with a FreeIPA server I have to manually add the host to /etc/hosts with all lowercase letters. I also have to force all of the host names via command line switches so that DNS is not consulted for lookups, which will return the StudlyCaps names and fail.
I suppose I should raise that as a separate issue, because my understanding is that hostnames/domainnames should be case insensitive so I'm not sure why FreeIPA cares (and it may be easier to steer the entire project to not care than convince those in control of DNS here to change it :D )

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'