> On 4 Sept. 2015, at 16:37, Martin Babinsky <[email protected]> wrote:
>
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>>
>>> On 28 Aug. 2015, at 17:41, Alexander Bokovoy <[email protected]> wrote:
>>>
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>>
>>>>> On 28 Aug. 2015, at 17:09, Alexander Bokovoy <[email protected]> wrote:
>>>>>
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>>
>>>>>>> On 28 Jul. 2015, at 05:59, Alexander Bokovoy <[email protected]> wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy
>>>>>>>> another replica?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>>
>>>>>>
>>>>>> Can you please tell me the procedure to decommission and re-create a new
>>>>>> replica?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only
>>>>>> things to do?
>>>>> No, you also need to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>> I can’t remove the node on which I have a problem with pki-tomcatd:
>>>>
>>>> # ipa-replica-manage del xxxx.example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>>
>>>> It seems that it’s the only node where CA is installed. What should I do now?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>>
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>>
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>> CA is already installed.
>>
>> How is it possible?
>>
> You must provide a replica file as an argument to ipa-ca-install if you want
> to setup CA on another replica.
>
> --
> Martin^3 Babinsky

I’m still stuck with the correct command line:

[root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
[email protected] password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'inf-ipa.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
