IPA 4.2 hit the CentOS 7 mirrors a day or two ago.
It looks like the behaviour of the installer has changed somewhat with
regard to the two-phase --external-ca install.
Previously, we ran:
    command => "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p '${ipa_admin_pwd}' --hostname='${::fqdn}' -r '${ipa_realm}' -n '${::domain}' --mkhomedir --setup-dns --forwarder=8.8.8.8 --external-ca",
then
    command => "/sbin/ipa-server-install -p ${ipa_admin_pwd} --external-cert-file=/root/ipa.crt --external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt",
This worked fine.
The behaviour on IPA 4.2 is different - it will leave you without a DNS
server if you use the above commands. It doesn't seem to pass some
options through to the 2nd phase installer, one of which is the DNS
configuration.
We've now switched to this.
    $ipa_install_command = "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p '${ipa_admin_pwd}' -r '${ipa_realm}'"
    command => "${ipa_install_command} --hostname='${::fqdn}' -n '${::domain}' --external-ca",
    command => "${ipa_install_command} --external-cert-file=/root/ipa.crt --external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt --mkhomedir --setup-dns --forwarder=8.8.8.8",
It seems you have to supply more information to the phase 2 installer
than in IPA 4.1.
We do more than 10 installs of IPA per day as part of CI; I think now
we're back to a working configuration again.
Hopefully this will help others who come along this path.
James M
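
A CI smoke test for the failure described in the message above (phase 2 finishing without a DNS server), added here as an example and not part of the original post or of FreeIPA. It assumes dig is installed and that the integrated DNS, if configured, answers on 127.0.0.1; the function names and the DIG override are hypothetical.

```shell
#!/bin/sh
# Added example: DNS smoke test to run after phase 2 of an --external-ca install.
# Assumptions: dig (bind-utils) is available and the new server's integrated
# DNS, if it was set up, answers on 127.0.0.1.

# Resolver command; overridable so the check can be exercised without a server.
DIG="${DIG:-dig}"

# srv_targets NAME: print the SRV target hosts returned for NAME, lower-cased,
# without the trailing dot. Prints nothing if there is no answer.
srv_targets() {
    "$DIG" +short +time=2 +tries=1 @127.0.0.1 -t SRV "$1" 2>/dev/null |
        awk 'NF == 4 { sub(/\.$/, "", $4); print tolower($4) }'
}

# check_ipa_dns DOMAIN FQDN: succeed only if the LDAP and Kerberos SRV records
# for DOMAIN are served locally and point at FQDN.
check_ipa_dns() {
    domain=$1
    fqdn=$(printf '%s' "${2%.}" | tr '[:upper:]' '[:lower:]')
    rc=0
    for rec in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        if ! srv_targets "$rec.$domain" | grep -qxF "$fqdn"; then
            echo "FAIL: no SRV $rec.$domain -> $fqdn from 127.0.0.1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# When called as: ipa-dns-check.sh DOMAIN FQDN
if [ "$#" -eq 2 ]; then
    check_ipa_dns "$1" "$2"
fi
```

Run it as a final CI step after the phase 2 command; a non-zero exit means the install completed but the server is not serving its own SRV records.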