[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Rob Crittenden via FreeIPA-users
Grant Janssen via FreeIPA-users wrote:

[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Grant Janssen via FreeIPA-users
that was easy - THANX Florence.

My ghost replica still doesn’t show in ipa_check_consistency.
Any ideas on that?

grant@radius01:~[20221118-3:56][#97]$ ipa server-state $HOSTNAME --state=enabled
ipa: WARNING: Automatic update of DNS system records failed. Please re-run update of system records manually to get list of missing records.

Changed server state of "radius01.production.efilm.com".

grant@radius01:~[20221118-3:57][#98]$ sudo ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-3:58][#99]$ sudo ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-3:58][#100]$ ipa server-state $HOSTNAME --state=hidden
ipa: WARNING: Automatic update of DNS system records failed. Please re-run update of system records manually to get list of missing records.

Changed server state of "radius01.production.efilm.com".

grant@radius01:~[20221118-3:59][#101]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W **
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
=
Active Users        349         349         349         349         OK
Stage Users         7           7           7           7           OK
Preserved Users     5           5           5           5           OK
User Groups         42          42          42          42          OK
Hosts               423         423         423         423         OK
Host Groups         23          23          23          23          OK
HBAC Rules          9           9           9           9           OK
SUDO Rules          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=
grant@radius01:~[20221118-4:05][#102]$ sudo ipa-pkinit-manage status
[sudo] password for grant:
PKINIT is enabled
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-4:06][#103]$

When I add the _ldap._tcp and _ldaps._tcp SRV records for the radius server, 
ipa_check_consistency shows the replication is good, but it still doesn’t 
appear as a Ghost.

grant@radius01:~[20221118-4:47][#106]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W **
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    radius01    STATE
=
Active Users        349         349         349         349         349         OK
Stage Users         7           7           7           7           7           OK
Preserved Users     5           5           5           5           5           OK
User Groups         42          42          42          42          42          OK
Hosts               423         423         423         423         423         OK
Host Groups         23          23          23          23          23          OK
HBAC Rules          9           9           9           9           9           OK
SUDO Rules          35          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
=
grant@radius01:~[20221118-4:52][#107]$

thanx

- grant


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 

[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

I believe you are hitting a known issue:
2132047 Check hidden status for PKINIT certificate creation

The workaround is to set the replica as not hidden (ipa server-state
$HOSTNAME --state=enabled), re-run ipa-pkinit-manage enable on the replica,
then re-hide the replica with ipa server-state $HOSTNAME --state=hidden.
HTH,
flo

On Fri, Nov 18, 2022 at 4:34 AM Grant Janssen via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Building a radius server, and decided this was an ideal application for a
> hidden replica.
> I got some errors in the replica install, and the consistency check does
> not show a ghost replica (but does show my radius host in Replication
> Status.)
> I run external DNS, this radius host only has A and PTR records.
>
> grant@radius01:~[20221117-13:45][#89]$ sudo ipa-replica-install --setup-ca --hidden-replica
> Password for ad...@production.efilm.com: *
>
> WARNING: 376 existing users or groups do not have a SID identifier assigned.
> Installer can run a task to have ipa-sidgen Directory Server plugin generate
> the SID identifier for all these users. Please note, in case of a high
> number of users and groups, the operation might lead to high replication
> traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
> for details.
>
> Do you want to run the ipa-sidgen task? [no]: no
> Run connection check to master
> Connection check OK
> -snip-
>   [28/30]: importing IPA certificate profiles
> Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
> Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
> Failed to import profile 'acmeIPAServerCert': Request failed with status 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade when installation is completed may resolve this issue.
>   [29/30]: configuring certmonger renewal for lightweight CAs
>   [30/30]: deploying ACME service
> Done configuring certificate server (pki-tomcatd).
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json failed request, will retry: 903 (an internal error has occurred).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
> -snip-
>   [7/7]: adding fallback group
> Fallback group already set, nothing to do
> Done.
> The ipa-replica-install command was successful
> grant@radius01:~[20221117-13:51][#90]$
>
>
> check consistency
>
> grant@radius01:~[20221117-13:53][#92]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W *
> FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
> =
> Active Users        349         349         349         349         OK
> Stage Users         7           7           7           7           OK
> Preserved Users     5           5           5           5           OK
> User Groups         42          42          42          42          OK
> Hosts               423         423         423         423         OK
> Host Groups         23          23          23          23          OK
> HBAC Rules          9           9           9           9           OK
> SUDO Rules          35          35          35          35          OK
> DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
> LDAP Conflicts      NO          NO          NO          NO          OK
> Ghost Replicas      NO          NO          NO          NO          OK
> Anonymous BIND      YES         YES         YES         YES         OK
> Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
>                     ef-idm03 0  ef-idm01 0  ef-idm01 0
>                     ef-idm04 0
>                     radius01 0
> =
> grant@radius01:~[20221117-13:53][#93]$
>
>
> I executed ipa-server-upgrade as suggested
>
> grant@radius01:~[20221117-16:09][#88]$ sudo ipa-server-upgrade
> [sudo] password for grant:
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/11]: stopping directory server
>   [2/11]: saving configuration
>   [3/11]: disabling listeners
>   [4/11]: enabling DS global lock
>   [5/11]: disabling Schema Compat
>   [6/11]: starting directory server
>   [7/11]: updating schema
>   [8/11]: upgrading server
> Add failure attribute "cn" not allowed
>   [9/11]:
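The workaround Florence describes (un-hide the replica, re-run ipa-pkinit-manage enable, re-hide it) as a script, added here as an example and not code from the thread or from FreeIPA itself; it assumes the replica FQDN in $HOSTNAME, an admin Kerberos ticket, ipa-pkinit-manage run via sudo as in Grant's session, and the exact "PKINIT is enabled/disabled" status lines he pasted. The DRY_RUN switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): script the workaround Florence
# describes for a hidden replica whose PKINIT certificate request failed at install.
# Assumptions: replica FQDN in $HOSTNAME (or `hostname -f`), a valid admin ticket,
# ipa-pkinit-manage run via sudo as in Grant's session, and the status strings
# "PKINIT is enabled" / "PKINIT is disabled" exactly as he pasted them.
set -u

# With DRY_RUN=1 the commands are only echoed, so the sequence can be reviewed
# before touching the replica.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Map the output of `ipa-pkinit-manage status` to enabled|disabled|unknown.
pkinit_state_from_output() {
    case "$1" in
        *"PKINIT is enabled"*)  echo enabled ;;
        *"PKINIT is disabled"*) echo disabled ;;
        *)                      echo unknown ;;
    esac
}

# The workaround itself: un-hide the replica so the CA lookup can see it,
# request the PKINIT certificate, then hide it again. The replica is re-hidden
# even when the enable step fails, so it is never left advertised to clients.
run_workaround() {
    host="$1"
    run ipa server-state "$host" --state=enabled || return 1
    if run sudo ipa-pkinit-manage enable; then rc=0; else rc=1; fi
    run ipa server-state "$host" --state=hidden || rc=1
    return "$rc"
}

main() {
    host="${HOSTNAME:-$(hostname -f)}"
    state=$(pkinit_state_from_output "$(sudo ipa-pkinit-manage status 2>&1)")
    case "$state" in
        enabled)  echo "PKINIT already enabled on $host, nothing to do" ;;
        disabled) run_workaround "$host" ;;
        *)        echo "could not determine PKINIT state on $host" >&2; return 2 ;;
    esac
}

# Act only when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once with DRY_RUN=1 to see the three IPA commands it would issue, then without to apply them.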