Following ports are opened between the 1) Between the master and the replica (bi directional) 2) client machine and the ipa replica (unidirectional). When the replica was up it worked fine as far as syncing was concerned.
80 tcp 443 tcp 389 tcp 636 tcp 88 tcp 464 tcp 88 udp 464 udp 123 udp Shreeraj ---------------------------------------------------------------------------------------- Change is the only Constant ! On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <[email protected]> wrote: On 02/11/2014 05:05 PM, Shree wrote: Dimitri >Sorry some the mail landed in my SPAM folder. Let answer your questions >(thanks for your help man) Please republish it on the list. Do not reply to me directly. Did you set your first server with the CA? Does all ports that need to be open in the firewall between primary or server are actually open? > >What I have done so far is uninstalled the replica and tried to install it >again using the "--setup-ca" option. Previously I had failures and when I >removed the "--setup-ca" option the installation succeeded (in a way). I >understand now that I really need to fix the CA installation errors first. > > >1)The workaround helped me go forward a bit but I got stuck at this point see >below >=========== > [1/3]: creating directory server user > [2/3]: creating directory server instance > [3/3]: restarting directory server >Done configuring directory server for the CA (pkids). >ipa : ERROR certmonger failed starting to track certificate: >Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n >Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C >/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit >status 1 >Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds > [1/17]: creating certificate server user > [2/17]: creating pki-ca instance > [3/17]: configuring certificate server instance >ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl >/usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 >-client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin >OlGXcjPVXoQcuuQkGgoG - >=========== >2) No we do not use IPA for a DNS server. > > >3)The reason for this could be that I had installed the replica without the >"--setup-ca". > >Shreeraj >---------------------------------------------------------------------------------------- > > > >Change is the only Constant ! > > > >On Monday, February 10, 2014 12:43 PM, Dmitri Pal <[email protected]> wrote: > >On 02/09/2014 07:44 AM, Rob Crittenden wrote: >> Shree wrote: >>> Lukas >>> Perhaps I should explain the design a bit and see if FreeIPA even >>> supports this.Our replica is in a separate network and all the >>> appropriate ports are opened between the master and the replica. The >>> "replica" got created successfully and is in sync with the master >>> (except the CA services which I mentioned earlier) >>> Now,when I try to run ipa-client-install on hosts in the new network >>> using the replica, it complains that about "Cannot contact any KDC for >>> realm". >>> I am wondering it my hosts in the new network are trying to access the >>> "master" for certificates since the replica does not have any CA >>> services running? I couldn't find any obvious proof of this even running >>> the install in a debug mode. Do I need to open ports between the new >>> hosts and the master for CA services? >>> At this point I cannot disable or move the master, it needs to function >>> in its location but I need >> >> No, the clients don't directly talk to the CA. >> >> You'd need to look in /var/log/ipaclient-install.log to see what KDC >> was found and we were trying to use. If you have SRV records for both >> but we try to contact the hidden master this will happen. You can try >> specifying the server on the command-line with --server but this will >> be hardcoding things and make it less flexible later. >> >> rob >> >>> Shreeraj >>> ---------------------------------------------------------------------------------------- >>> >>> >>> >>> Change is the only Constant ! >>> >>> >>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik >>> <[email protected]> wrote: >>> On (06/02/14 18:33), Shree wrote: >>> >>> >First of all, the ipa-replica-install did not allow me to use >>> the --setup-ca >>> > option complaining that a cert already exists, replicate creation was >>> > successful after I skipped the option. >>> >Seems like the replica is one except >>> >1) There is no CA Service running on the replica (which I guess is >>> expected) >>> >and >>> >2) I am unable to run ipa-client-install successfully on any clients >>> using >>> > the replica. (I don't have the option of using the primary master as >>> it is >>> > configured in a segregated environment. Only the master and replica >>> are >>> > allowed to sync. >>> >Debug shows it fails at >>> > >>> >ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm >>> 'mydomainname.com' while getting initial credentials >>> >>> > >>> > >>> >>> I was not able to install replica witch CA on fedora 20, >>> Bug is already reported https://fedorahosted.org/pki/ticket/816 >>> >>> Guys from dogtag found a workaround >>> https://fedorahosted.org/pki/ticket/816#comment:12 >>> >>> Does it work for you? >>> >>> LS >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> [email protected] >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> _______________________________________________ >> Freeipa-users mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/freeipa-users > >What server provides DNS capabilities to the clients? >Do you use IPA DNS or some other DNS? >Clients seem to not be able to see replica KDC and try to access hidden >master but they can know about this master only via DNS. > > >-- >Thank you, >Dmitri Pal > >Sr. Engineering Manager for IdM portfolio >Red Hat Inc. > > >------------------------------- >Looking to carve out IT costs? >www.redhat.com/carveoutcosts/ > > > > >_______________________________________________ >Freeipa-users mailing list >[email protected] >https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
