On 02/09/2014 07:44 AM, Rob Crittenden wrote:
Shree wrote:
Lukas
Perhaps I should explain the design a bit and see if FreeIPA even
supports this. Our replica is in a separate network and all the
appropriate ports are opened between the master and the replica. The
"replica" got created successfully and is in sync with the master
(except the CA services which I mentioned earlier).
Now, when I try to run ipa-client-install on hosts in the new network
using the replica, it complains about "Cannot contact any KDC for
realm".
I am wondering if my hosts in the new network are trying to access the
"master" for certificates since the replica does not have any CA
services running? I couldn't find any obvious proof of this even running
the install in debug mode. Do I need to open ports between the new
hosts and the master for CA services?
At this point I cannot disable or move the master, it needs to function
in its location but I need
No, the clients don't directly talk to the CA.
You'd need to look in /var/log/ipaclient-install.log to see which KDC
was found and which one we were trying to use. If you have SRV records
for both but we try to contact the hidden master this will happen. You
can try specifying the server on the command-line with --server, but
this will be hardcoding things and make it less flexible later.
rob
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik
<lsleb...@redhat.com> wrote:
On (06/02/14 18:33), Shree wrote:
>First of all, the ipa-replica-install did not allow me to use the --setup-ca
>option complaining that a cert already exists, replica creation was
>successful after I skipped the option.
>Seems like the replica is one except
>1) There is no CA Service running on the replica (which I guess is expected)
>and
>2) I am unable to run ipa-client-install successfully on any clients using
>the replica. (I don't have the option of using the primary master as it is
>configured in a segregated environment. Only the master and replica are
>allowed to sync.
>Debug shows it fails at
>
>ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm
>'mydomainname.com' while getting initial credentials
>
I was not able to install a replica with CA on Fedora 20.
The bug is already reported: https://fedorahosted.org/pki/ticket/816
Guys from dogtag found a workaround:
https://fedorahosted.org/pki/ticket/816#comment:12
Does it work for you?
LS
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
What server provides DNS capabilities to the clients?
Do you use IPA DNS or some other DNS?
Clients seem not to be able to see the replica KDC and try to access the
hidden master, but they can only know about this master via DNS.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
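The diagnosis in this thread is that a client learns its KDC list from DNS SRV records and may pick an advertised master it cannot reach from its network. The script below is an added example, not code from the thread or from FreeIPA: it lists the KDCs DNS advertises for a realm and tests whether each one accepts a connection on TCP/88, the Kerberos port. It assumes `dig` and `nc` (netcat) are installed; the realm in the usage line is a placeholder and the sample record lines used for checking the parser are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA.
# List the KDCs that DNS advertises for a Kerberos realm and test whether each
# one answers on TCP/88. Assumes `dig` and `nc` (netcat) are installed.

# Convert `dig +short SRV` output ("prio weight port target.") into
# "target port" lines ordered by priority, then weight. Reads stdin.
# Lines that do not have exactly four fields are ignored.
parse_srv() {
    sort -n -k1,1 -k2,2 | awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Print the KDCs advertised for the realm given as $1, one "host port" per line.
# FreeIPA publishes both _kerberos._tcp and _kerberos._udp records; the KDC
# listens on both, so the TCP record is enough to find the hosts.
kdc_srv() {
    dig +short SRV "_kerberos._tcp.$1" | parse_srv
}

# Read "host port" lines from stdin and report which ones accept a TCP connect.
# A KDC that is advertised but unreachable from this network is exactly the
# "hidden master" case discussed in the thread.
check_reachable() {
    while read -r host port; do
        if nc -z -w 3 "$host" "$port" 2>/dev/null; then
            printf 'OK      %s:%s\n' "$host" "$port"
        else
            printf 'NOREACH %s:%s\n' "$host" "$port"
        fi
    done
}

# Usage: ./kdc-check.sh REALM    (REALM such as example.test is a placeholder)
if [ "$#" -ge 1 ]; then
    kdc_srv "$1" | check_reachable
fi
```

Run it from a host in the new network; every advertised KDC that reports NOREACH is a candidate for the "Cannot contact any KDC" failure. To see which KDC the client actually tries, `KRB5_TRACE=/dev/stderr kinit admin@REALM` prints each KDC the Kerberos library contacts. Pinning the replica with `ipa-client-install --server <replica-fqdn>` works around the problem at the cost Rob describes, so fixing the SRV records the clients see is the cleaner route.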