On 05/10/15 09:42, Oleg Fayans wrote:
Hi Jan, Simo
On 10/05/2015 02:15 PM, Jan Pazdziora wrote:
On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:
1. Having PTR sync enabled in global DNS configuration and installing client with --enable-dns-updates option, ipa master still does not create a PTR record for the client machine. As a result, ipa-replica-install throws the following error:
ipa : ERROR Reverse DNS resolution of address 192.168.122.171 (f22replica1.pesen.net) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).
Today I was unable to reproduce this issue with just PTR sync enabled in
global dns configuration. I wonder what might have caused it. Anyway,
today I hit a number of other issues with replica promotion.
1. At one point ipa-replica-install on a configured client has thrown
the following error:
Configuring ipa-custodia
[1/5]: Generating ipa-custodia config file
[2/5]: Generating ipa-custodia keys
[3/5]: Importing RA Key
[error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR 502 Server Error: Proxy Error
(corresponding part of the error log of dirsrv attached)
Seems like the peer server was unreachable?
Was there a networking problem?
2. The second attempt after re-enrolling client resulted in the error of
CA installation:
Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded
[4/24]: creating installation admin user
[5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
This is due to the known bug with authentication in Dogtag. Endy fixed
it upstream.
Endy,
do you know when the bug will be released in a package we can use for
testing?
Weird thing is that mentioned log files were missing in the system.
3. This is probably not related to replica promotions, but anyway:
when I do `ipa host-del --updatedns %client_hostname%` on master, it
does delete the host, but *preserves* dns records (in both zones).
Is --updatedns option not aimed at automatic deletion of dns records?
I do not know that it does help, but I tend to use --force when deleting
a failed replica.
Simo.
--
Simo Sorce * Red Hat, Inc * New York