On Tue, Feb 28, 2017 at 4:26 AM, Standa Laznicka <slazn...@redhat.com> wrote:
> On 02/27/2017 04:51 PM, Steve Huston wrote:
>> It seems there might be two issues here; the one I originally reported
>> was that the ipa-server packages installed on a client machine are
>> unable to talk to the server, even though it obviously knows what the
>> server is (the "unsupported format" error I originally shared).  The
>> second is with setting up a replica in general.
> The server rpm packages should have no impact on client settings if neither
> server nor replica are installed on the given machine. IIRC client only uses
> the NSS database in /etc/ipa/nssdb, you may want to check the permissions
> there (should be o+xr for the folder, o+r for the *.db files there).

I'll look into this more later, since it's less of an issue (I don't
plan on having the server packages installed on a machine that isn't a
server, and once it's a server it works fine).

> I believe your machine might have been in some kind of undecided state when
> you tried to promote a client to a replica. What happens during replica
> installation on domain level 1 is that client installation is checked first.
> If client is installed the installation continues with other steps, if it's
> not, it tries to install the client.
> In your case, you probably had your client installed at first and tried to
> install replica. Something bad happened, can't be sure what, the
> installation failed and tried to uninstall the client but that might have
> failed, too. Eventually, you uninstalled the client yourself successfully,
> all files were removed and its records were also removed from the server.
> This made it possible to eventually successfully install a replica.
> I wouldn't bet my life on it but I'd think the installation could have gone
> successfully even if you installed a client and tried to promote it again :)

Quite possible - I thought I accounted for everything, but I'll admit
that when a client gets installed and provisioned it's not with
ipa-client-install but via puppet.  I did this because I needed a
programmatic way to determine if a host was already provisioned
(preferably locally) and execute the proper commands to do so, and in
my experimenting I found following the instructions for provisioning
manually worked well and use the presence of /etc/krb5.keytab as an
indicator of "has this host been provisioned" (its absence is a
negative).  It's likely that ipa-client-install does something else
that I never noticed, which ipa-replica-install relies on to know
what's going on - especially since when I run on a client, it first
uninstalls the client and then tries to reinstall it, and that's where
it fails.  I may experiment with that a bit too since it won't take
long to do.

> Anyway, I am sorry to hear you had such troubles, the replica installation
> is not usually such a painful process, I hope you will have more luck with
> FreeIPA in the future.

While it has been frustrating, it has definitely been a learning
experience.  I grow more confident in the system's abilities as I
discover more about it, and that means should something break in the
future I'm already in a position of knowledge of some of the internals
and less afraid to poke gently to fix it.  The support on this mailing
list has also been wonderful, so thank you all for that!

Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to