[Freeipa-users] replica installation issue

2014-01-17 Thread Thomas Sailer
After being unable to rescue my old freeipa installation, I installed a 
new machine from scratch and imported the user data from the old 
installation (so I could get rid of the separate PKI dirserv, too). That 
worked fine.


Then I prepared a replica, and installed the replica on the old machine 
(after first running ipa-server-install --uninstall). The installation 
completed without error message.


The replica however has a few issues:

- GSSAPI authentication to the directory service doesn't work:

# ldapsearch -D "cn=Directory Manager" -W \*
returns a few hundred records, however
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@.com

Valid starting   Expires  Service principal
01/16/2014 14:14:51  01/17/2014 14:14:47  krbtgt/@.com
01/16/2014 14:14:54  01/17/2014 14:14:47 HTTP/replica.@.com
01/16/2014 14:15:22  01/17/2014 14:14:47 ldap/replica.@.com

# ldapsearch -Y GSSAPI \*
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information 
(Server krbtgt/localdom...@.com not found in Kerberos database)


The localdomain apparently comes from /etc/hosts:
127.0.0.1   localhost.localdomain   localhost   localhost4
::1 localhost6.localdomain6 localhost6
192.168.1.2 replica..com replica
192.168.1.3 master..com master

I tried to comment out the first two entries, which made it want to use 
ldap/localh...@.com, which failed too.


krb5.keytab looks the same on both the master and the replica, with the 
exception that the replica lacks the host key for the camellia*-cts-cmac 
cipher.


- When I use the web server of the replica and click on 
Identity-Certificates, I get:
IPA Error 4301: Certificate operation cannot be completed: Unable to 
communicate with CMS ([Errno 113] No route to host)


This same operation on the master works. Is this supposed to be like this?

- Is there a more up to date description of how to make a replica a 
master? The fedora15 documentation seems to have gathered some dust...


Thanks,
Tom

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] replica installation issue

2014-01-17 Thread Petr Spacek

On 17.1.2014 12:44, Thomas Sailer wrote:

> After being unable to rescue my old freeipa installation, I installed a new
> machine from scratch and imported the user data from the old installation (so
> I could get rid of the separate PKI dirserv, too). That worked fine.
>
> Then I prepared a replica, and installed the replica on the old machine (after
> first running ipa-server-install --uninstall). The installation completed
> without error message.
>
> The replica however has a few issues:
>
> - GSSAPI authentication to the directory service doesn't work:
>
> # ldapsearch -D "cn=Directory Manager" -W \*
> returns a few hundred records, however
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@.com
>
> Valid starting   Expires  Service principal
> 01/16/2014 14:14:51  01/17/2014 14:14:47  krbtgt/@.com
> 01/16/2014 14:14:54  01/17/2014 14:14:47 HTTP/replica.@.com
> 01/16/2014 14:15:22  01/17/2014 14:14:47 ldap/replica.@.com
>
> # ldapsearch -Y GSSAPI \*
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>  additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (Server
> krbtgt/localdom...@.com not found in Kerberos database)

The LOCALDOMAIN part should equal the REALM (after @). Is it the same, and 
did the difference come from your obfuscation, or not?

Does kdestroy && kinit work?

Anyway, I would double check DNS (including reverse records for all involved 
machines) and the data in /etc/krb5.conf.

> The localdomain apparently comes from /etc/hosts:
> 127.0.0.1   localhost.localdomain   localhost   localhost4
> ::1 localhost6.localdomain6 localhost6
> 192.168.1.2 replica..com replica
> 192.168.1.3 master..com master
>
> I tried to comment out the first two entries, which made it want to use
> ldap/localh...@.com, which failed too.
>
> krb5.keytab looks the same on both the master and the replica, with the
> exception that the replica lacks the host key for the camellia*-cts-cmac cipher.
>
> - When I use the web server of the replica and click on
> Identity-Certificates, I get:
> IPA Error 4301: Certificate operation cannot be completed: Unable to
> communicate with CMS ([Errno 113] No route to host)
>
> This same operation on the master works. Is this supposed to be like this?

I suspect a firewall on the replica. Did you open all the ports in the same 
way as on the first server?

See
http://adam.younglogic.com/2013/03/iptables-rules-for-freeipa/

> - Is there a more up to date description of how to make a replica a master?
> The fedora15 documentation seems to have gathered some dust...


Replicas will be equal if you install CA to all servers. The only difference 
is that one of them generates CRL and renews CA certificates.


You can move CRL generation from one server to another, see:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Have a nice day!

--
Petr^2 Spacek

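
The LOCALDOMAIN-versus-REALM question above can be reproduced without a KDC. The script below is an added example, not code from the thread or from the FreeIPA project. It models how a SASL/GSSAPI ldapsearch chooses the service it asks the KDC for: the host comes from the URI directive in /etc/openldap/ldap.conf, the resolver canonicalises it through /etc/hosts, and when the canonical name's domain has no [domain_realm] mapping, MIT krb5 falls back to the uppercased parent domain as the realm, so the client requests a cross-realm TGT krbtgt/LOCALDOMAIN@REALM that the IPA KDC does not have. The domain example.com, realm EXAMPLE.COM, host names, /etc/hosts table and both ldap.conf variants are constructed; the "bad" variant matches the URI ldap://localhost that the follow-up message in this thread identified as the cause.

```shell
#!/bin/sh
# Added example, not from the thread. Models the service principal a
# SASL/GSSAPI bind asks the KDC for, given ldap.conf and /etc/hosts.
# Domain, realm, host names and file contents are constructed.

IPA_DOMAIN=example.com
IPA_REALM=EXAMPLE.COM

# Constructed /etc/hosts, shaped like the one quoted in the thread.
HOSTS_TABLE='127.0.0.1   localhost.localdomain   localhost   localhost4
::1         localhost6.localdomain6 localhost6
192.168.1.2 replica.example.com replica
192.168.1.3 master.example.com master'

# The two ldap.conf variants from the thread (constructed contents).
BAD_LDAP_CONF='BASE dc=example,dc=com
URI ldap://localhost
TLS_CACERT /etc/ipa/ca.crt'

GOOD_LDAP_CONF='BASE dc=example,dc=com
URI ldaps://replica.example.com
TLS_CACERT /etc/ipa/ca.crt'

# Host part of the first URI directive, with scheme, port and path stripped.
ldap_conf_host() {
    printf '%s\n' "$1" | awk '$1 == "URI" {
        u = $2; sub(/^[a-z]+:\/\//, "", u); sub(/[:\/].*$/, "", u); print u; exit }'
}

# Canonical name the resolver returns for a host from /etc/hosts: the first
# name on the line where the host appears as the canonical name or an alias.
canonical_host() {
    printf '%s\n' "$HOSTS_TABLE" | awk -v h="$1" '{
        for (i = 2; i <= NF; i++) if ($i == h) { print $2; exit } }'
}

# Print the principal the bind will request. Returns 1 when the canonical
# name lies outside the IPA domain: with no [domain_realm] mapping, libkrb5
# falls back to the uppercased domain as the realm and asks for a cross-realm
# TGT (krbtgt/FOREIGN@REALM), which is exactly the error seen in the thread.
gssapi_target_principal() {
    host=$(ldap_conf_host "$1")
    canon=$(canonical_host "$host")
    [ -n "$canon" ] || canon=$host
    domain=${canon#*.}
    if [ "$domain" = "$IPA_DOMAIN" ]; then
        echo "ldap/$canon@$IPA_REALM"
        return 0
    fi
    foreign=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    echo "krbtgt/$foreign@$IPA_REALM"
    return 1
}

echo "URI ldap://localhost            -> $(gssapi_target_principal "$BAD_LDAP_CONF" || true)"
echo "URI ldaps://replica.example.com -> $(gssapi_target_principal "$GOOD_LDAP_CONF")"
```

Run on a real replica, replace the constructed strings with `cat /etc/openldap/ldap.conf` and `cat /etc/hosts`; any result that starts with krbtgt/ rather than ldap/ means the bind target will never match a key in the KDC, whatever the keytab contains.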


Re: [Freeipa-users] replica installation issue

2014-01-17 Thread Thomas Sailer

On 01/17/2014 01:12 PM, Petr Spacek wrote:

> On 17.1.2014 12:44, Thomas Sailer wrote:
>
>> # ldapsearch -Y GSSAPI \*
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>  additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure.  Minor code may provide more information (Server
>> krbtgt/localdom...@.com not found in Kerberos database)
>
> The LOCALDOMAIN part should equal the REALM (after @). Is it the same, and
> did the difference come from your obfuscation, or not?

No, it's not my obfuscation, it's really LOCALDOMAIN.

It turned out that:
/etc/openldap/ldap.conf

contained:
URI ldap://localhost

instead of URI ldaps://replica..com

> See
> http://adam.younglogic.com/2013/03/iptables-rules-for-freeipa/

Urgh, embarrassing. Indeed, it turned out that I need to open port 8080 on 
the master (the replica connects to it).

Port 8080 doesn't feature on the list in the above blog post, so I 
posted a comment...

> Replicas will be equal if you install CA to all servers.

Great to hear!

> Have a nice day!

Thank you, and same to you!

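
The "[Errno 113] No route to host" from the CMS call is worth recognising on sight: EHOSTUNREACH from a host on the same LAN is almost never a routing problem but the ICMP host-prohibited rejection that the stock RHEL/Fedora iptables ruleset ends its INPUT chain with. The script below is an added example, not code from the thread, the linked blog post or the FreeIPA project. It checks an `iptables-save` dump for the ports a FreeIPA server has to accept, reports what a blocked client will see given the ruleset's terminal rule, and prints the commands that would close the gap. The port list is an assumption drawn from FreeIPA's documented server ports plus TCP 8080, which this thread found the replica needs on the master; the dump is constructed to look like a default ruleset with the IPA ports added but 8080 forgotten.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Checks an
# iptables-save dump for the ports a FreeIPA server must accept and explains
# the client-side symptom of the ruleset's terminal rule.
# REQUIRED_PORTS is an assumption: FreeIPA's documented ports plus TCP 8080
# (the Dogtag port this thread found the replica needs on the master).
REQUIRED_PORTS="tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 tcp/53 tcp/8080 udp/88 udp/464 udp/53 udp/123"

# Constructed iptables-save output: default RHEL/Fedora shape, IPA ports
# opened, 8080 missing, terminal REJECT with icmp-host-prohibited.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print each required proto/port that has no ACCEPT rule in the dump ($1).
missing_ipa_ports() {
    for spec in $REQUIRED_PORTS; do
        proto=${spec%/*}
        port=${spec#*/}
        if ! printf '%s\n' "$1" | grep -q -- "-p $proto .*--dport $port -j ACCEPT"; then
            echo "$spec"
        fi
    done
}

# Map the dump's terminal INPUT rule to the error a connecting client gets.
# icmp-host-prohibited (the RHEL/Fedora default) becomes EHOSTUNREACH, which
# Python reports as "[Errno 113] No route to host".
client_symptom() {
    if printf '%s\n' "$1" | grep -q -- '-j REJECT --reject-with icmp-host-prohibited'; then
        echo "No route to host (Errno 113)"
    elif printf '%s\n' "$1" | grep -q -- '-j REJECT --reject-with tcp-reset'; then
        echo "Connection refused (Errno 111)"
    elif printf '%s\n' "$1" | grep -q -- '-j DROP'; then
        echo "Connection timed out (Errno 110)"
    else
        echo "no terminal rule found: check the chain policy"
    fi
}

# Emit one iptables command per missing port; -I puts it ahead of the REJECT.
fix_commands() {
    missing_ipa_ports "$1" | while read -r spec; do
        echo "iptables -I INPUT -m state --state NEW -p ${spec%/*} --dport ${spec#*/} -j ACCEPT"
    done
}

echo "missing on this host: $(missing_ipa_ports "$SAMPLE_RULES" | tr '\n' ' ')"
echo "a blocked client sees: $(client_symptom "$SAMPLE_RULES")"
fix_commands "$SAMPLE_RULES"
```

On a live master, feed it `iptables-save` output instead of the constructed dump (`missing_ipa_ports "$(iptables-save)"`), review the emitted commands, then persist them with `service iptables save` or the distribution's equivalent so they survive a reboot.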