After being unable to rescue my old FreeIPA installation, I installed a
new machine from scratch and imported the user data from the old
installation (so I could get rid of the separate PKI dirserv, too). That
worked fine.
Then I prepared a replica, and installed the replica on the old machine
(after first running ipa-server-install --uninstall). The installation
completed without error message.
The replica however has a few issues:
- GSSAPI authentication to the directory service doesn't work:
# ldapsearch -D "cn=Directory Manager" -W \*
returns a few hundred records, however
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
01/16/2014 14:14:51 01/17/2014 14:14:47 krbtgt/[email protected]
01/16/2014 14:14:54 01/17/2014 14:14:47 HTTP/[email protected]
01/16/2014 14:15:22 01/17/2014 14:14:47 ldap/[email protected]
# ldapsearch -Y GSSAPI \*
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Server krbtgt/[email protected] not found in Kerberos database)
The localdomain apparently comes from /etc/hosts:
127.0.0.1 localhost.localdomain localhost localhost4
::1 localhost6.localdomain6 localhost6
192.168.1.2 replica.xxxx.com replica
192.168.1.3 master.xxxx.com master
I tried to comment out the first two entries, which made it want to use
ldap/[email protected], which failed too.
krb5.keytab looks the same on both the master and the replica, with the
exception that the replica lacks the host key for the camellia*-cts-cmac
cipher.
- When I use the web server of the replica and click on
Identity->Certificates, I get:
IPA Error 4301: Certificate operation cannot be completed: Unable to
communicate with CMS ([Errno 113] No route to host)
This same operation on the master works. Is this supposed to be like this?
- Is there a more up to date description of how to make a replica a
master? The Fedora 15 documentation seems to have gathered some dust...
Thanks,
Tom
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
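The GSSAPI failure above is a name-canonicalisation problem rather than a keytab problem: the bind target is forward-resolved, the address is reverse-resolved through /etc/hosts, and the first name on the matching line (localhost.localdomain) is used to pick both the service principal and, via the upper-cased DNS domain, the realm. The following is an added example written for this thread, not code from the original post or from FreeIPA or MIT krb5: it models those rules on the hosts table from the post and shows why an ldapsearch aimed at localhost ends up asking for krbtgt/LOCALDOMAIN, while the same bind aimed at replica.xxxx.com works. The realm name XXXX.COM, the [domain_realm] mapping, the keytab contents and the simplified canonicalisation/realm-lookup rules are all assumptions made for the illustration.

```python
"""Model of how a GSSAPI LDAP bind chooses its target service principal.

Added example, not code from the original post or from FreeIPA/MIT krb5.
The rules are a simplified model of libkrb5 behaviour (rdns=true
canonicalisation, then [domain_realm] lookup with a fall-back to the
upper-cased DNS domain); the hosts table, realm mapping and keytab
contents are constructed to mirror the post.
"""

# Constructed /etc/hosts content, copied from the post.
HOSTS_TEXT = """
127.0.0.1   localhost.localdomain localhost localhost4
::1         localhost6.localdomain6 localhost6
192.168.1.2 replica.xxxx.com replica
192.168.1.3 master.xxxx.com master
"""

# Assumed realm and [domain_realm] section of krb5.conf.
DEFAULT_REALM = "XXXX.COM"
DOMAIN_REALM = {"xxxx.com": "XXXX.COM", ".xxxx.com": "XXXX.COM"}

# Constructed (assumed) list of principals in the replica's /etc/krb5.keytab.
KEYTAB = {
    "host/replica.xxxx.com@XXXX.COM",
    "ldap/replica.xxxx.com@XXXX.COM",
}


def parse_hosts(text):
    """Return [(ip, [canonical, alias, ...]), ...], skipping blanks/comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def canonical_host(name, hosts, rdns=True):
    """Forward-resolve name, then (with rdns) reverse-resolve the address.

    The reverse answer is the FIRST name on the matching hosts line, which
    is how 127.0.0.1 turns 'localhost' into 'localhost.localdomain'.
    An unresolvable name is used as given.
    """
    ip = next((h_ip for h_ip, names in hosts if name in names), None)
    if ip is None or not rdns:
        return name
    return next((names[0] for h_ip, names in hosts if h_ip == ip), name)


def realm_for_host(host, domain_realm=DOMAIN_REALM, default=DEFAULT_REALM):
    """Map a hostname to a realm: exact match, then parent domains with a
    leading dot, then the upper-cased DNS domain, else the default realm."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return default


def service_principal(service, target, hosts, rdns=True):
    """Principal the client will request a service ticket for."""
    host = canonical_host(target, hosts, rdns)
    return f"{service}/{host}@{realm_for_host(host)}"


def diagnose(service, target, hosts, keytab=KEYTAB, rdns=True):
    """Return (principal, verdict) for a bind against target."""
    princ = service_principal(service, target, hosts, rdns)
    realm = princ.rsplit("@", 1)[1]
    if realm != DEFAULT_REALM:
        # The client must first obtain a cross-realm TGT, and the KDC has
        # no such principal: this is the error quoted in the post.
        return princ, f"KDC lookup of krbtgt/{realm}@{DEFAULT_REALM} fails"
    if princ not in keytab:
        return princ, "not in server keytab"
    return princ, "ok"


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    for target in ("localhost", "replica", "replica.xxxx.com"):
        print(target, "->", diagnose("ldap", target, hosts))
    # The poster's second attempt: loopback lines commented out.
    trimmed = parse_hosts("\n".join(
        "#" + l if l.startswith(("127.", "::1")) else l
        for l in HOSTS_TEXT.splitlines()))
    print("localhost, loopback lines removed ->",
          diagnose("ldap", "localhost", trimmed))
```

Running it prints the three outcomes seen in the thread: a bind aimed at localhost asks for krbtgt/LOCALDOMAIN, the same bind with the loopback lines removed asks for ldap/localhost@XXXX.COM (which no keytab holds), and a bind aimed at replica or replica.xxxx.com lands on the principal the replica actually has. The practical check this suggests is to give ldapsearch an explicit -H ldap://replica.xxxx.com (or fix the default URI and the reverse mapping of the loopback address) rather than to touch the keytab.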