Jhon Torres wrote:
> It Works!!!
> 
> You are incredible
> 
> [root@server~]# pki-server sd-subsystem-add --subsystem CA --hostname ipa.example.test --secure-port 443 "CA ipa.example.test 443"
> [root@server~]# pki-server sd-subsystem-find
>   Subsystem ID: CA ipa.example.test 443
>   Hostname: ipa.example.test
>   Secure Port: 443
>   Domain Manager: FALSE
>   Clone: FALSE
> 
> # ipa-replica-install --setup-dns --forwarder 1.1.1.1 --forwarder 9.9.9.9 --setup-ca --verbose
> Restart of ipa.service complete
> Created connection context.ldap2_5646545465456465
> flushing ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket from SchemaCache
> retrieving schema for SchemaCache
> url=ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket
> conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f4c3860e3d0>
> Destroyed connection context.ldap2_55656989899899
> The ipa-replica-install command was successful
> Thank you, I appreciate it.
> 
> Last question, Was I doing something wrong?

The issue was in the data: the removal of the securitydomain.

You might be able to look back into access logs to detect when it got
removed.

You'd want to look for changes in cn=CAList,ou=Security Domain,o=ipaca

This could be difficult if not impossible to find on a long-running
system where the 389-ds access log(s) have been rotated away.

So no, you didn't do anything wrong with the commands you were running.

rob

> 
> Regards
> 
> 
> On Thu, 29 May 2025 at 13:50, Rob Crittenden ([email protected]) wrote:
> 
>     Try this:
>     $ pki-server sd-subsystem-find
> 
>     You should get basically nothing because we know its empty.
> 
>     Populate it with your server:
>     $ pki-server sd-subsystem-add --subsystem CA --hostname ipa.example.test
>         --secure-port 443 "CA ipa.example.test 443"
> 
>     Be sure to replace both instances of 'ipa.example.test' with your CA
>     hostname.
> 
>     Then try your replica install again.
> 
>     rob
> 
>     John Tor via FreeIPA-users wrote:
>     > [root@server ~]#  ipa server-role-find --status enabled
>     > ----------------------
>     > 2 server roles matched
>     > ----------------------
>     >   Server name: ipa.example.test
>     >   Role name: CA server
>     >   Role status: enabled
>     >
>     >   Server name: ipa.example.test
>     >   Role name: DNS server
>     >   Role status: enabled
>     > ----------------------------
>     > Number of entries returned 2
>     > ----------------------------
>     > [root@server ~]# ldapsearch -x -D 'cn=directory manager' -W -b
>     "ou=Security Domain,o=ipaca"
>     > Enter LDAP Password:
>     > # extended LDIF
>     > #
>     > # LDAPv3
>     > # base <ou=Security Domain,o=ipaca> with scope subtree
>     > # filter: (objectclass=*)
>     > # requesting: ALL
>     > #
>     >
>     > # Security Domain, ipaca
>     > dn: ou=Security Domain,o=ipaca
>     > objectClass: top
>     > objectClass: pkiSecurityDomain
>     > name: IPA
>     > ou: Security Domain
>     >
>     > # CAList, Security Domain, ipaca
>     > dn: cn=CAList,ou=Security Domain,o=ipaca
>     > objectClass: top
>     > objectClass: pkiSecurityGroup
>     > cn: CAList
>     >
>     > # OCSPList, Security Domain, ipaca
>     > dn: cn=OCSPList,ou=Security Domain,o=ipaca
>     > objectClass: top
>     > objectClass: pkiSecurityGroup
>     > cn: OCSPList
>     >
>     > # KRAList, Security Domain, ipaca
>     > dn: cn=KRAList,ou=Security Domain,o=ipaca
>     > objectClass: top
>     > objectClass: pkiSecurityGroup
>     > cn: KRAList
>     >
>     > # RAList, Security Domain, ipaca
>     > dn: cn=RAList,ou=Security Domain,o=ipaca
>     > objectClass: top
>     > objectClass: pkiSecurityGroup
>     > cn: RAList
>     >
>     > # TKSList, Security Domain, ipaca
>     > dn: cn=TKSList,ou=Security Domain,o=ipaca
>     > objectClass: top
>     > objectClass: pkiSecurityGroup
>     > cn: TKSList
>     >
>     > # TPSList, Security Domain, ipaca
>     > dn: cn=TPSList,ou=Security Domain,o=ipaca
>     > objectClass: top
>     > objectClass: pkiSecurityGroup
>     > cn: TPSList
>     >
>     > # search result
>     > search: 2
>     > result: 0 Success
>     >
>     > # numResponses: 8
>     > # numEntries: 7
>     > [root@srvad01 ~]#
>     >
> 
> 
> 
> -- 
> Jhon Albert Torres H.

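Rob's suggestion above is to go back through the 389-ds access log and look for whoever modified or deleted entries under cn=CAList,ou=Security Domain,o=ipaca. The script below is an added example of that check, not code from the thread, from FreeIPA or from 389-ds. It walks the access log lines, remembers which identity is bound on each connection (for SASL/GSSAPI binds the mapped DN only shows up on the bind's RESULT line), reports every ADD/MOD/DEL/MODRDN at or below the security-domain CAList DN, and attaches the err= code from the operation's RESULT line so that a refused write (err=50) is not mistaken for the one that actually removed the entry. The log lines embedded in it are constructed for the demo; the log path glob and the file names are assumptions about a default FreeIPA install and should be adjusted to your instance.

```python
"""Find writes under a DN in 389-ds access logs and who made them.

Added example illustrating the thread's advice; not FreeIPA or 389-ds code.
Assumes the stock 389-ds access log line layout and a log directory such as
/var/log/dirsrv/slapd-EXAMPLE-TEST/ (both assumptions, adjust for your realm).
"""
import glob
import re
import sys

# Real 389-ds prefix layout: [timestamp] conn=N op=N <OPERATION> ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<kind>BIND|UNBIND|ADD|MOD|DEL|MODRDN|SRCH|RESULT)(?P<rest>.*)$'
)
DN_RE = re.compile(r' dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r' err=(\d+)')
TAG_RE = re.compile(r' tag=(\d+)')
WRITE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}
BIND_RESPONSE_TAG = 97          # LDAP BindResponse tag in 389-ds RESULT lines

# Constructed sample: a DEL of the CA entry by Directory Manager, a refused
# MOD by an admin over GSSAPI, and an unrelated MOD that must not be reported.
SAMPLE_LOG = """\
[29/May/2025:13:40:00.000000000 -0500] conn=12 op=0 BIND dn="cn=directory manager" method=128 version=3
[29/May/2025:13:40:00.001000000 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="cn=directory manager"
[29/May/2025:13:40:05.000000000 -0500] conn=12 op=1 SRCH base="ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=*)" attrs=ALL
[29/May/2025:13:40:05.002000000 -0500] conn=12 op=1 RESULT err=0 tag=101 nentries=8 etime=0.002
[29/May/2025:13:41:10.000000000 -0500] conn=12 op=2 DEL dn="cn=CA ipa.example.test 443,cn=CAList,ou=Security Domain,o=ipaca"
[29/May/2025:13:41:10.003000000 -0500] conn=12 op=2 RESULT err=0 tag=107 nentries=0 etime=0.003
[29/May/2025:13:41:11.000000000 -0500] conn=12 op=3 UNBIND
[29/May/2025:13:45:00.000000000 -0500] conn=15 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/May/2025:13:45:00.004000000 -0500] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0.004 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[29/May/2025:13:45:02.000000000 -0500] conn=15 op=1 MOD dn="cn=CAList,ou=Security Domain,o=ipaca"
[29/May/2025:13:45:02.001000000 -0500] conn=15 op=1 RESULT err=50 tag=103 nentries=0 etime=0.001
[29/May/2025:13:46:00.000000000 -0500] conn=16 op=0 BIND dn="cn=directory manager" method=128 version=3
[29/May/2025:13:46:00.001000000 -0500] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="cn=directory manager"
[29/May/2025:13:46:01.000000000 -0500] conn=16 op=1 MOD dn="uid=someone,cn=users,cn=accounts,dc=example,dc=test"
[29/May/2025:13:46:01.001000000 -0500] conn=16 op=1 RESULT err=0 tag=103 nentries=0 etime=0.001
"""


def normalize_dn(dn):
    """Lower-case and trim RDNs so 'CN=CAList, OU=...' compares equal to the stock spelling."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def under_base(dn, base):
    """True when dn is base itself or any entry below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def find_changes(lines, base_dn):
    """Return write operations targeting base_dn or its subtree, with the bound identity and result code."""
    bound = {}      # conn -> DN currently bound on that connection
    pending = {}    # (conn, op) -> hit waiting for its RESULT line
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue                      # connection open/close lines etc.
        conn, op, kind, rest = m.group("conn"), m.group("op"), m.group("kind"), m.group("rest")
        dn_m = DN_RE.search(rest)
        dn = dn_m.group("dn") if dn_m else None
        if kind == "BIND":
            bound[conn] = dn or ""        # SASL binds log dn="" here
        elif kind == "UNBIND":
            bound.pop(conn, None)
        elif kind == "RESULT":
            tag = TAG_RE.search(rest)
            if tag and int(tag.group(1)) == BIND_RESPONSE_TAG and dn:
                bound[conn] = dn          # mapped identity of a SASL bind
            hit = pending.pop((conn, op), None)
            if hit is not None:
                err = ERR_RE.search(rest)
                hit["err"] = int(err.group(1)) if err else None
                hits.append(hit)
        elif kind in WRITE_OPS and dn is not None and under_base(dn, base_dn):
            pending[(conn, op)] = {
                "time": m.group("ts"), "conn": conn, "op": op, "kind": kind,
                "dn": dn, "bound_as": bound.get(conn, "<bind not in these logs>"),
            }
    for hit in pending.values():          # RESULT never seen (rotated away)
        hit["err"] = None
        hits.append(hit)
    return hits


def log_files(pattern):
    """Rotated files (access.YYYYMMDD-HHMMSS) first, live 'access' last, so BIND lines precede their writes."""
    return sorted(glob.glob(pattern), key=lambda p: (p.endswith("/access"), p))


def main(argv):
    base = "cn=CAList,ou=Security Domain,o=ipaca"
    if len(argv) > 1:
        lines = []
        for path in log_files(argv[1]):   # e.g. '/var/log/dirsrv/slapd-EXAMPLE-TEST/access*'
            with open(path, errors="replace") as fh:
                lines.extend(fh)
    else:
        lines = SAMPLE_LOG.splitlines()   # demo run on the constructed sample
    for h in find_changes(lines, base):
        status = "ok" if h["err"] == 0 else f"err={h['err']}"
        print(f"{h['time']} conn={h['conn']} op={h['op']} {h['kind']} {h['dn']} by {h['bound_as']!r} ({status})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the sample output, or pass the glob for your instance's access log directory (quoted, so the shell does not expand it). Only the BIND/RESULT pairing tells you who actually performed the operation; the BIND may live in an older rotated file than the DEL, which is why the files are fed in rotation order, and as Rob notes, once the relevant files have been rotated out there is nothing left to correlate.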
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
