Hi,

On Fri, Feb 23, 2024 at 12:38 PM Markus Rexhepi-Lindberg via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Florence,
>
> From what I can see it is setup correctly on both the master(s) and
> replica.
>
I now understand the confusion: the logs provided in
master ds389 access: https://www.rexhepi-lindberg.com/iparepl/master/access
master ds389 errors: https://www.rexhepi-lindberg.com/iparepl/master/errors
are taken on the server *se-rhidm02x*.se.example.com, but the replica was
using se-rhidm03x.se.example.com as the source of data.
You can identify which master is used in the ipareplica-install.log file.
Can you then share the logs from the corresponding master?


> I got the following during `ipa-replica-install`:
> ```
> Search DNS server se-rhidm01x.se.example.com (['10.0.13.139',
> '10.0.13.139', '10.0.13.139']) for se-rhidm03x.se.example.com
> Could not resolve hostname se-rhidm03x.se.example.com using DNS. Clients
> may not function properly. Please check your DNS setup. (Note that this
> check queries IPA DNS directly and ignores /etc/hosts.)
> Continue? [no]:
> ```
>
> Which I solved by enabling recursion in the named config on the masters.
> `ipa-replica-install` now outputs this instead:
> ```
> ...
> raw: domainlevel_get(version='2.251')
> domainlevel_get(version='2.251')
> raw: hostgroup_find(None, cn='ipaservers', version='2.251', host=['
> usidc1-rhidm01x.idc1.us.example.com'])
> hostgroup_find(None, cn='ipaservers', all=False, raw=False,
> version='2.251', no_members=True, pkey_only=False, host=('
> usidc1-rhidm01x.idc1.us.example.com',))
> Lookup failed: Preferred host usidc1-rhidm01x.idc1.us.example.com does
> not provide DNS.
> Check forward/reverse DNS resolution
> Search DNS server se-rhidm04x.se.example.com (['10.0.11.190',
> '10.0.11.190', '10.0.11.190']) for se-rhidm03x.se.example.com
> Check reverse address 10.0.13.146 (se-rhidm03x.se.example.com)
> Address 10.0.13.146 resolves to: se-rhidm03x.se.example.com..
> Search DNS server se-rhidm04x.se.example.com (['10.0.11.190',
> '10.0.11.190', '10.0.11.190']) for usidc1-rhidm01x.idc1.us.example.com
> Check reverse address 192.168.224.21 (usidc1-rhidm01x.idc1.us.example.com)
> Address 192.168.224.21 resolves to: usidc1-rhidm01x.idc1.us.example.com..
> Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> raw: dns_is_enabled(version='2.251')
> dns_is_enabled(version='2.251')
> Name usidc1-rhidm01x.idc1.us.example.com resolved to
> {UnsafeIPAddress('192.168.224.21')}
> Searching for an interface of IP address: 192.168.224.21
> Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
> Testing local IP address: 192.168.224.21/255.255.255.128 (interface: eth0)
> IP address 192.168.224.21 belongs to a private range, using forward policy
> only
> Checking DNS forwarders, please wait ...
> Checking DNS server: 10.0.2.200
> DNS server 10.0.2.200 does not support DNSSEC: answer to query '. SOA' is
> missing DNSSEC signatures (no RRSIG data)
> Please fix forwarder configuration to enable DNSSEC support.
>
> DNS server 10.0.2.200: answer to query '. SOA' is missing DNSSEC
> signatures (no RRSIG data)
> Please fix forwarder configuration to enable DNSSEC support.
> Checking DNS server: 10.0.2.201
> DNS server 10.0.2.201 does not support DNSSEC: answer to query '. SOA' is
> missing DNSSEC signatures (no RRSIG data)
> Please fix forwarder configuration to enable DNSSEC support.
>
> DNS server 10.0.2.201: answer to query '. SOA' is missing DNSSEC
> signatures (no RRSIG data)
> Please fix forwarder configuration to enable DNSSEC support.
> Checking DNS server: 10.0.2.202
> DNS server 10.0.2.202 does not support DNSSEC: answer to query '. SOA' is
> missing DNSSEC signatures (no RRSIG data)
> Please fix forwarder configuration to enable DNSSEC support.
>
> DNS server 10.0.2.202: answer to query '. SOA' is missing DNSSEC
> signatures (no RRSIG data)
> Please fix forwarder configuration to enable DNSSEC support.
> WARNING: DNSSEC validation will be disabled
> will use DNS forwarders: [CheckedIPAddressLoopback('10.0.2.200'),
> CheckedIPAddressLoopback('10.0.2.201'),
> CheckedIPAddressLoopback('10.0.2.202')]
>

The above message is only a warning and should not prevent the
installation. If your DNS servers don't support DNSSEC, you can also
provide the option --no-dnssec-validation.

flo

...
> ```
>
> --
> Markus
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
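
The forwarder check behind the DNSSEC warning can be reproduced by hand. The script below is an added example, not part of the original thread or of FreeIPA's code: it sends the `. SOA` query named in the installer output with DNSSEC records requested and reports whether an RRSIG came back. The function names and sample answers are constructed; the forwarder addresses are the ones in the quoted output.

```bash
#!/bin/sh
# Added example: check whether a DNS forwarder returns DNSSEC signatures
# for the root SOA, the condition the installer output above complains about.

# has_rrsig: read answer-section lines on stdin; succeed only if one of them
# is an RRSIG record covering SOA for the root zone.
has_rrsig() {
    awk '$1 == "." && $4 == "RRSIG" && $5 == "SOA" { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# classify: turn raw dig output into a verdict. Comment lines (";; ...",
# e.g. timeout messages) and blank lines are not answers and are dropped.
classify() {
    _answer=$(printf '%s\n' "$1" | awk '!/^;/ && NF')
    if [ -z "$_answer" ]; then
        echo "no-answer"
    elif printf '%s\n' "$_answer" | has_rrsig; then
        echo "dnssec-ok"
    else
        echo "no-rrsig"
    fi
}

# check_forwarder: query one forwarder live (needs dig and network access).
check_forwarder() {
    _out=$(dig +dnssec +noall +answer +time=3 +tries=1 . SOA "@$1" 2>/dev/null || true)
    printf '%s %s\n' "$1" "$(classify "$_out")"
}

# Constructed sample answers (not captured from the servers in this thread).
SAMPLE_SIGNED='. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024022300 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20240307050000 20240223040000 12345 . Y29uc3RydWN0ZWQ='
SAMPLE_UNSIGNED='. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024022300 1800 900 604800 86400'

# Run with --live to query the forwarders listed in the installer output.
if [ "${1:-}" = "--live" ]; then
    for fwd in 10.0.2.200 10.0.2.201 10.0.2.202; do
        check_forwarder "$fwd"
    done
fi
```

A `no-rrsig` verdict matches the installer's "missing DNSSEC signatures" message; `no-answer` points to a reachability or recursion problem rather than a DNSSEC one.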