Looks like I missed your answers.
Question: Do I need to run that command on all RHEL6 CA servers or just one of
them? (We currently have 2 RHEL 6 CA servers.)
Thank you for the reply!
___
FreeIPA-users mailing list --
These steps wouldn't be documented somewhere, would they? I did find this older
thread:
https://www.redhat.com/archives/freeipa-users/2016-August/msg00035.html
Something similar to those steps?
Thank you for the help, very much appreciated!
Well now that sounds a daunting endeavor. It would definitely be a last resort
type situation for sure. Thank you both for laying it out and I definitely
didn't expect it to be possible at all so at least it's something.
I think the big problem we're having is the fact that we can't seem to
Yeah did not look like the same issue, but just wanted to make sure just in
case. This gives me at least an idea on where to keep looking and I'll do a
little more research and see what else I can find on this as well before I make
any changes.
Thank you very much for the help!
After upping the log levels on sssd on one of the failing servers I saw this in
one of the sssd log files:
from sssd_pamd.log:
(Wed Jun 14 23:16:05 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/domain.tld/jbowman]
(Wed Jun 14 23:16:05 2017)
You'll have to forgive my ignorance here since I'm still fairly new to IPA and
fortunately haven't run into many issues as of yet.
The three IPA 3.0 servers all have what look to be the following conflicts:
$ ldapsearch -D "cn=directory manager" -w secret -b "dc=domain,dc=tld"
After a crash of one of our IPA servers this morning I noticed that two of the
6 IPA servers we use have an old replica listed. It was part of a previous
failed install attempt. Normally in this situation I would use the clean-ruv
but the replica doesn't appear in the list-ruv output. Is
Still looking for any ideas on this one so giving it a bump.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
I've finally had a chance to make this attempt and after running the clean up:
# python /usr/share/pki/scripts/restore-subsystem-user.py -v
Subsystem certificate: 2;4;CN=Certificate Authority,O=DOMAIN.TLD;CN=CA
Subsystem,O=DOMAIN.TLD
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
I tried a fresh install with the same result. The new replica install process
completes successfully but it does not register as a master. When I look at
the replication status via ipa-replica-manage it shows this:
# ipa-replica-manage list -v ipa8.domain.tld
Directory Manager password:
After some trial and error I was finally able to get a new replica + CA
(RHEL7.4 and ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa server
3.0 - 4.x) and the ipa-replica-install command completed successfully but now
when I run the ipa-manage-replica -v list command I see this:
#
Bump, hoping someone can confirm whether or not this is a good next step to try
to resolve the issue. Mainly concerned that the solution only mentions:
Red Hat Identity Management (IPA) 4.3, 4.4
Red Hat Enterprise Linux (RHEL) 7.2 and 7.3
And we have RHEL 6 and IPA 3.x as well in the
As a side question to this issue, might it be possible to use this
non-replicating essentially standalone new replica as a basis to rebuild the
entire IPA environment since it did complete successfully during the replica
install?
The whole drive behind trying to get a new CA server in the