Never mind. I just gave up and re-installed my original master from scratch. We're just going to accept the pain of re-enrolling all the clients and resetting all the user passwords. Whatever had gone wrong inside my database was just too much. This gets us clean again.

*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret

On Mon, Sep 9, 2013 at 3:30 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:

> I've had some great success in the past 48 hours in recovering my system.
> Here's where I stand right now:
>
> 1. I successfully stood up a new replica (ipamaster7) and transferred CA
>    authority to it from my old master (ipamaster).
> 2. I shut down ipamaster and re-baselined it.
> 3. I created a new replica file from ipamaster7 for ipamaster (to transfer
>    everything back).
> 4. I reinstalled the IPA software on ipamaster. I also made a small change
>    to CS.cfg to work around my earlier CA problem.
> 5. I ran "ipa-replica-install --setup-dns --no-forwarders
>    replica-info-ipamaster.foo.net.gpg", which ran to completion.
> 6. I attempted to run "ipa-ca-install replica-info-ipamaster.foo.net.gpg",
>    which failed due to a 403 error.
>
> /var/log/ipareplica-ca-install.log showed this:
>
> 2013-09-09T07:10:30Z DEBUG Starting external process
> 2013-09-09T07:10:30Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo
> 2013-09-09T07:10:31Z DEBUG Process finished, return code=1
> 2013-09-09T07:10:31Z DEBUG stdout=Loading deployment configuration from
> /tmp/tmpyIMTdo.
> ERROR: Unable to access security domain: 403 Client Error: Forbidden
>
> 2013-09-09T07:10:31Z DEBUG stderr=
> 2013-09-09T07:10:31Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo' returned non-zero exit status 1
> 2013-09-09T07:10:31Z INFO File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
> 619, in run_script
>     return_value = main_function()
>
> File "/usr/sbin/ipa-ca-install", line 182, in main
>     config, dogtag_master_ds_port, postinstall=True)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1809, in install_replica_ca
>     subject_base=config.subject_base)
>
> File "/usr/ib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line625, in configure_instance
>     self.start_creation(runtime=210)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
>     method()
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 744, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-09-09T07:10:31Z INFO The ipa-ca-install command failed, exception:
> RuntimeError: Configuration of CA failed
>
> Does this look familiar to anyone? I'd like to complete the transition
> back to ipamaster so that I can then finish cleaning up the dead replicas.
> Until I can do this, I'll have to leave ipamaster7 in place as my master.
>
> Thanks!
>
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users