It used to work, and I have never used --disable-role-check in my life...
On Wed, Apr 30, 2025 at 1:07 PM Florence Blanc-Renaud <[email protected]> wrote:
>
> Hi,
>
> On Wed, Apr 30, 2025 at 10:31 AM Ian Kumlien <[email protected]> wrote:
>>
>> On Tue, Apr 29, 2025 at 7:15 PM Florence Blanc-Renaud <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > On Tue, Apr 29, 2025 at 4:39 PM Ian Kumlien via FreeIPA-users <[email protected]> wrote:
>> >>
>> >> On Tue, Apr 29, 2025 at 4:30 PM Rob Crittenden <[email protected]> wrote:
>> >> >
>> >> > Ian Kumlien wrote:
>> >> > > This and changing the permissions on certs pkiuser:pkiuser fixed it on that machine, what remains is:
>> >> > > Error: Local roles CA, DNS, DNSKeySync do not match globally used roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not be complete enough to restore a fully functional, identical cluster.
>> >> > > The ipa-backup command failed. See /var/log/ipabackup.log for more information
>> >> >
>> >> > What is unclear about the message?
>> >>
>> >> A lot - it broke by running ipa-cert-fix
>> >>
>> >> > An IPA backup is a disaster recovery tool. There is no need to use it to back up every single host in a cluster for the reason outlined.
>> >> > ipa-restore is used when things are completely hosed. It requires that any existing replicas need to be force re-initialized.
>> >>
>> >> It used to work, it worked until I ran ipa-cert-fix
>> >>
>> >> To me it sounds more like ipa-cert-fix did something that broke the state of that node.
>> >
>> > ipa-cert-fix does one change related to roles: it sets the host where it is executed as CA renewal master. It does not remove CA/DNS/DNSkeySync/KRA instance.
>> > Can you show the output of ipa config-show on your 2 nodes?
>>
>> Node-1 - where ipa-backup doesn't work anymore:
>> ipa config-show
>>   Maximum username length: 32
>>   Maximum hostname length: 64
>>   Home directory base: /home
>>   Default shell: /bin/bash
>>   Default users group: ipausers
>>   Default e-mail domain: virt.demius.net
>>   Search time limit: 2
>>   Search size limit: 100
>>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>>   Group search fields: cn,description
>>   Enable migration mode: False
>>   Certificate Subject base: O=VIRT.DEMIUS.NET
>>   Password Expiration Notification (days): 4
>>   Password plugin features: AllowNThash
>>   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>   Default PAC types: MS-PAC, nfs:NONE
>>   IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>   IPA master capable of PKINIT: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>   IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>   IPA CA renewal master: freeipa2.virt.demius.net
>>   IPA KRA servers: freeipa2.virt.demius.net
>>   IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>
>> Node 2 - works after the modifications and some workarounds:
>> ipa config-show
>>   Maximum username length: 32
>>   Maximum hostname length: 64
>>   Home directory base: /home
>>   Default shell: /bin/bash
>>   Default users group: ipausers
>>   Default e-mail domain: virt.demius.net
>>   Search time limit: 2
>>   Search size limit: 100
>>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>>   Group search fields: cn,description
>>   Enable migration mode: False
>>   Certificate Subject base: O=VIRT.DEMIUS.NET
>>   Password Expiration Notification (days): 4
>>   Password plugin features: AllowNThash
>>   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>   Default PAC types: MS-PAC, nfs:NONE
>>   IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>   IPA master capable of PKINIT: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>   IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>   IPA CA renewal master: freeipa2.virt.demius.net
>>   IPA KRA servers: freeipa2.virt.demius.net
>>   IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
>>
>
> IMO it's the missing KRA role on freeipa1 that prevents the backup. Are you sure the command used to work? Or maybe you were using ipa-backup --disable-role-check on this specific node?
>
> flo
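To see why the role check trips on node 1 but not node 2, here is an added Python script (not part of the thread and not ipa-backup's own code) that parses the role-bearing lines of `ipa config-show` and reports which globally used roles the local host lacks. It assumes the field-to-role mapping shown in `ROLE_FIELDS` and that DNSKeySync is co-located with DNS, which matches the roles in the error above; ipa-backup's real check reads the server-role data rather than config-show output.

```python
from collections import defaultdict

# Constructed sample: only the role-bearing lines of the node-1 `ipa config-show`
# output from the thread (the other fields are irrelevant to the role check).
SAMPLE_CONFIG_SHOW = """\
  IPA masters: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
  IPA CA renewal master: freeipa2.virt.demius.net
  IPA KRA servers: freeipa2.virt.demius.net
  IPA DNS servers: freeipa1.virt.demius.net, freeipa2.virt.demius.net
"""

# Assumption: which config-show field implies which server role. DNSKeySync is
# treated as present wherever DNS is, as in the thread's error message.
ROLE_FIELDS = {
    "IPA CA servers": ("CA",),
    "IPA KRA servers": ("KRA",),
    "IPA DNS servers": ("DNS", "DNSKeySync"),
}


def parse_roles(config_show_text):
    """Map each server FQDN to the set of roles config-show attributes to it."""
    roles = defaultdict(set)
    for line in config_show_text.splitlines():
        field, sep, value = line.strip().partition(":")
        if sep and field in ROLE_FIELDS:
            for host in (h.strip() for h in value.split(",") if h.strip()):
                roles[host].update(ROLE_FIELDS[field])
    return dict(roles)


def check_backup_roles(config_show_text, local_host):
    """Return (local_roles, global_roles, missing): the comparison ipa-backup performs."""
    roles = parse_roles(config_show_text)
    global_roles = set().union(*roles.values()) if roles else set()
    local_roles = roles.get(local_host, set())
    return local_roles, global_roles, global_roles - local_roles


def format_result(config_show_text, local_host):
    """Human-readable verdict in the style of the ipa-backup error."""
    local_roles, global_roles, missing = check_backup_roles(config_show_text, local_host)
    if not missing:
        return f"{local_host}: local roles match globally used roles; backup would be complete"
    return (f"{local_host}: local roles {', '.join(sorted(local_roles))} do not match "
            f"globally used roles {', '.join(sorted(global_roles))}; missing: "
            f"{', '.join(sorted(missing))}")


if __name__ == "__main__":
    for host in ("freeipa1.virt.demius.net", "freeipa2.virt.demius.net"):
        print(format_result(SAMPLE_CONFIG_SHOW, host))
```

Run against the real output of `ipa config-show` on each node, it shows immediately that freeipa1 is missing only KRA, so a full backup must be taken on freeipa2 (or the check bypassed with --disable-role-check, accepting an incomplete backup).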
