On 11.2.2014 23:53, Shree wrote:
Following ports are opened between the
1) Between the master and the replica (bi directional)
2) client machine and the ipa replica (unidirectional).
When the replica was up it worked fine as far as syncing was concerned.
80 tcp
443 tcp
389 tcp
636 tcp
88 tcp
464 tcp
88 udp
464 udp
123 udp
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <[email protected]> wrote:
On 02/11/2014 05:05 PM, Shree wrote:
Dimitri
Sorry some the mail landed in my SPAM folder. Let answer your questions (thanks
for your help man)
Please republish it on the list.
Do not reply to me directly.
Did you set your first server with the CA? Does all ports that need
to be open in the firewall between primary or server are actually
open?
What I have done so far is uninstalled the replica and tried to install it again using the
"--setup-ca" option. Previously I had failures and when I removed the
"--setup-ca" option the installation succeeded (in a way). I understand now that I really
need to fix the CA installation errors first.
1)The workaround helped me go forward a bit but I got stuck at this point see
below
===========
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
ipa : ERROR certmonger failed starting to track certificate: Command
'/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n
Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status
1
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
[1/17]: creating certificate server user
[2/17]: creating pki-ca instance
[3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445
-client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin
OlGXcjPVXoQcuuQkGgoG -
===========
2) No we do not use IPA for a DNS server.
3)The reason for this could be that I had installed the replica without the
"--setup-ca".
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Monday, February 10, 2014 12:43 PM, Dmitri Pal <[email protected]> wrote:
On 02/09/2014 07:44 AM, Rob Crittenden wrote:
Shree wrote:
Lukas
Perhaps I should explain the design a bit and
see if FreeIPA even
supports this.Our replica is in a separate
network and all the
appropriate ports are opened between the master
and the replica. The
"replica" got created successfully and is in
sync with the master
(except the CA services which I mentioned
earlier)
Now,when I try to run ipa-client-install on
hosts in the new network
using the replica, it complains that about
"Cannot contact any KDC for
realm".
I am wondering it my hosts in the new network
are trying to access the
"master" for certificates since the replica
does not have any CA
services running? I couldn't find any obvious
proof of this even running
the install in a debug mode. Do I need to open
ports between the new
hosts and the master for CA services?
At this point I cannot disable or move the
master, it needs to function
in its location but I need
No, the clients don't directly talk to the CA.
You'd need to look in
/var/log/ipaclient-install.log to see what KDC
was found and we were trying to use. If you have
SRV records for both
but we try to contact the hidden master this will
happen. You can try
specifying the server on the command-line with
--server but this will
be hardcoding things and make it less flexible
later.
rob
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Saturday, February 8, 2014 1:29 AM, Lukas
Slebodnik
<[email protected]> wrote:
On (06/02/14 18:33), Shree wrote:
First of all, the ipa-replica-install did
not allow me to use
the --setup-ca
option complaining that a cert already
exists, replicate creation was
successful after I skipped the option.
Seems like the replica is one except
1) There is no CA Service running on the
replica (which I guess is
expected)
and
2) I am unable to run ipa-client-install
successfully on any clients
using
the replica. (I don't have the option of
using the primary master as
it is
configured in a segregated environment.
Only the master and replica
are
allowed to sync.
Debug shows it fails at
ipa : DEBUG stderr=kinit: Cannot
contact any KDC for realm
'mydomainname.com' while getting initial
credentials
I was not able to install replica witch CA on
fedora 20,
Bug is already reported https://fedorahosted.org/pki/ticket/816
Guys from dogtag found a workaround
https://fedorahosted.org/pki/ticket/816#comment:12
Does it work for you?
LS
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
What server provides DNS capabilities to the clients?
Do you use IPA DNS or some other DNS?
Clients seem to not be able to see replica KDC and try
to access hidden
master but they can know about this master only via DNS.
Shree, make sure that command
$ dig -t SRV _kerberos._udp.ipa.example
on the client returns both IPA servers (in ANSWER section).
--
Petr^2 Spacek
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
