Shree wrote:
Ok, it failed at the same stage. Would you like the entire
/var/log/ipareplica-install.log? If yes, should I attach it to the email?



ipa         : INFO       File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 467, in main
    (CA, cs) = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1604, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

ipa         : INFO     The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
[root@ldap2 ~]#


We need to see the full /var/log/ipareplica-install.log and the debug log from /var/log/pki-ca.

rob

Shreeraj
----------------------------------------------------------------------------------------


Change is the only Constant !


On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <d...@redhat.com> wrote:
On 02/12/2014 04:57 PM, Shree wrote:
If there aren't any other tests to perform, can I go ahead and
uninstall the ipa client and configure this VM as a replica?

Thanks for trying. At least we know that certmonger can run by itself.
When you install replica please collect all the install logs.
Is SELinux on/off?


On Wednesday, February 12, 2014 1:40 PM, Shree <shreerajkarul...@yahoo.com> wrote:
"getcert list" returned a bunch of info, see below

[root@ldap2 ~]# getcert list
Number of certificates and requests being tracked: 2.
Request ID '20140206184920':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,......................
.............................


On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <d...@redhat.com> wrote:
On 02/12/2014 03:41 PM, Shree wrote:
So I uninstalled the ipa server and installed the client
(ipa-client-install) on the same VM pointing at the master and
everything seems to work OK. All the sudo rules etc. Are there any
tests I can do to check connectivity that could be helpful before I
configure this as a "replica" again.
Ask certmonger to get a certificate



On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <d...@redhat.com> wrote:
On 02/12/2014 02:09 PM, Shree wrote:
Rob
I really appreciate your help, please bear with me. At this point I
need to take you back to my ipa-replica-install and what happened
there.

[1] My command: ipa-replica-install --setup-ca
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
This ended with:
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

[2] So I did a pkiremove with the following command
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force

[3] Re-ran the ipa-replica-install command in step 1.
The install went a little further but ended below.

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
ipa   : ERROR  certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa   : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
.................
...........................
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

If I skip the "--setup-ca" option then the replica gets created
without any CA services. The "master" and "replica" are in sync but
I am unable to run an ipa-client-install using the replica. Now I
need to fix this to get a replica in place correctly.


On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Shree wrote:
> OK I thought CA is a part of IPA? Below is from my master IPA server
>
> [root@ldap ~]# ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [root@ldap ~]#
>
> I can certainly send you a log if needed.

It is part of IPA but the IPA server talks to it, not the clients
directly.

I can only speculate what the client is doing without seeing the log
files, but I suspect both masters are in DNS and IPA is trying to
enroll to the initial master which isn't available.

rob

> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Shree wrote:
>  > Peter
>  > Actually I mentioned earlier that my clients are in a separate VLAN and
>  > cannot access the master. We have made provisions for the master and the
>  > replica to sync by opening the needed ports in the firewall. We have
>  > also opened up ports between the clients and the replica. I have tested
>  > the connectivity for these ports.
>  > Perhaps you can tell me if what I am trying to achieve is even possible?
>  > i.e.
>  > I seem to get stuck with making the replica with the "--setup-ca"
>  > option. Without that option I am able to create a replica and have it in
>  > sync with the master. However my ipa-client-install fails from clients
>  > as they try looking for the master for the CA part of the install.
>
> Clients don't talk to the CA, they talk to an IPA server which talks to
> the CA.
>
> I think we need to see /var/log/ipaclient-install.log to see what is
> going on.
>
> rob
>
>  > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <pspa...@redhat.com> wrote:
>  > On 11.2.2014 23:53, Shree wrote:
>  >
>  > > The following ports are opened between:
>  > > 1) the master and the replica (bi-directional)
>  > > 2) the client machine and the ipa replica (unidirectional).
>  > > When the replica was up it worked fine as far as syncing was concerned.
>  > >
>  > >  80 tcp
>  > >  443 tcp
>  > >  389 tcp
>  > >  636 tcp
>  > >  88 tcp
>  > >  464 tcp
>  > >  88 udp
>  > >  464 udp
>  > >  123 udp
>  > >
>  > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <d...@redhat.com> wrote:
>  > >
>  > > On 02/11/2014 05:05 PM, Shree wrote:
>  > >> Dimitri
>  > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your
>  > >> questions (thanks for your help man)
>  > > Please republish it on the list.
>  > > Do not reply to me directly.
>  > >
>  > > Did you set your first server with the CA? Are all the ports that need
>  > > to be open in the firewall between the primary and the server actually
>  > > open?
>  > >
>  > >
>  > >
>  > >>
>  > >> What I have done so far is uninstalled the replica and tried to
>  > >> install it again using the "--setup-ca" option. Previously I had
>  > >> failures and when I removed the "--setup-ca" option the installation
>  > >> succeeded (in a way). I understand now that I really need to fix the CA
>  > >> installation errors first.
>  > >>
>  > >>
>  > >> 1) The workaround helped me go forward a bit but I got stuck at this
>  > >> point, see below
>  > >> ===========
>  > >> [1/3]: creating directory server user
>  > >> [2/3]: creating directory server instance
>  > >> [3/3]: restarting directory server
>  > >> Done configuring directory server for the CA (pkids).
>  > >> ipa       : ERROR   certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>  > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>  > >> [1/17]: creating certificate server user
>  > >> [2/17]: creating pki-ca instance
>  > >> [3/17]: configuring certificate server instance
>  > >> ipa       : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>  > >> ===========
>  > >> 2) No, we do not use IPA for a DNS server.
>  > >>
>  > >>
>  > >> 3) The reason for this could be that I had installed the replica
>  > >> without the "--setup-ca".
>  > >>
>  > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <d...@redhat.com> wrote:
>  > >>
>  > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>  > >>> Shree wrote:
>  > >>>> Lukas
>  > >>>> Perhaps I should explain the design a bit and see if FreeIPA even
>  > >>>> supports this. Our replica is in a separate network and all the
>  > >>>> appropriate ports are opened between the master and the replica. The
>  > >>>> "replica" got created successfully and is in sync with the master
>  > >>>> (except the CA services which I mentioned earlier).
>  > >>>> Now, when I try to run ipa-client-install on hosts in the new network
>  > >>>> using the replica, it complains about "Cannot contact any KDC for
>  > >>>> realm".
>  > >>>> I am wondering if my hosts in the new network are trying to access the
>  > >>>> "master" for certificates since the replica does not have any CA
>  > >>>> services running? I couldn't find any obvious proof of this even running
>  > >>>> the install in a debug mode. Do I need to open ports between the new
>  > >>>> hosts and the master for CA services?
>  > >>>> At this point I cannot disable or move the master, it needs to function
>  > >>>> in its location but I need
>  > >>>
>  > >>> No, the clients don't directly talk to the CA.
>  > >>>
>  > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC
>  > >>> was found and we were trying to use. If you have SRV records for both
>  > >>> but we try to contact the hidden master this will happen. You can try
>  > >>> specifying the server on the command-line with --server but this will
>  > >>> be hardcoding things and make it less flexible later.
>  > >>>
>  > >>> rob
>  > >>>
>  > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
>  > >>>> On (06/02/14 18:33), Shree wrote:
>  > >>>>
>  > >>>>> First of all, the ipa-replica-install did not allow me to use
>  > >>>>> the --setup-ca option, complaining that a cert already exists;
>  > >>>>> replica creation was successful after I skipped the option.
>  > >>>>> Seems like the replica is one except
>  > >>>>> 1) There is no CA Service running on the replica (which I guess is
>  > >>>>> expected)
>  > >>>>> and
>  > >>>>> 2) I am unable to run ipa-client-install successfully on any clients
>  > >>>>> using the replica. (I don't have the option of using the primary master as
>  > >>>>> it is configured in a segregated environment. Only the master and replica
>  > >>>>> are allowed to sync.)
>  > >>>>> Debug shows it fails at
>  > >>>>>
>  > >>>>> ipa        : DEBUG stderr=kinit: Cannot contact any KDC for realm
>  > >>>>> 'mydomainname.com' while getting initial credentials
>  > >>>>>
>  > >>>>
>  > >>>> I was not able to install a replica with CA on fedora 20.
>  > >>>> Bug is already reported: https://fedorahosted.org/pki/ticket/816
>  > >>>>
>  > >>>> Guys from dogtag found a workaround
>  > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>  > >>>>
>  > >>>> Does it work for you?
>  > >>>>
>  > >>>> LS
>  > >>>>
>  > >>>>
>  > >>>>
>  > >>>>
>  > >>>>
>  > >>>> _______________________________________________
>  > >>>> Freeipa-users mailing list
>  > >>>> Freeipa-users@redhat.com
>  > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>  > >>>>
>  > >>>
>  > >>
>  > >> What server provides DNS capabilities to the clients?
>  > >> Do you use IPA DNS or some other DNS?
>  > >> Clients seem to not be able to see the replica KDC and try to access the hidden
>  > >> master, but they can know about this master only via DNS.
>  >
>  >
>  > Shree, make sure that command
>  > $ dig -t SRV _kerberos._udp.ipa.example
>  > on the client returns both IPA servers (in ANSWER section).
>  >
>  > --
>  > Petr^2 Spacek
>  >
>  >
>  >
>  >
>  >
>  >
>
>
>





I suggest that you temporarily try to install a client in place of
the replica and see why it does not install.
The log above suggests that certmonger, which is a part of the replica,
fails to connect to the first master. We need to understand the
reason why it fails. Then we would be able to make your replica be a CA.
I suspect that CA related communication between replica and master is
not going through for some reason.
The install log would be really helpful.
Please see
http://www.freeipa.org/page/Troubleshooting to collect the right logs.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

























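Petr's `dig -t SRV _kerberos._udp.<domain>` check and Rob's suspicion (both masters in DNS, only the replica reachable from the client VLAN) turned into a small diagnostic. This is an added example, not code from the thread or from FreeIPA: it parses the ANSWER section of dig output for Kerberos SRV records and lists every advertised KDC the client cannot reach. The dig output, the hostnames ldap/ldap2.mydomain.com and the firewall policy are constructed for illustration.

```python
import re
from typing import Callable, List, NamedTuple

# Constructed sample of `dig -t SRV _kerberos._udp.mydomain.com` output (not a
# real capture): DNS advertises both the master (ldap) and the replica (ldap2).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap.mydomain.com.
_kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap2.mydomain.com.

;; Query time: 1 msec
"""

# Constructed firewall policy for a client in the restricted VLAN: only the
# replica's KDC port is open; the master is hidden from the client.
FIREWALL_ALLOWS = {"ldap2.mydomain.com"}

SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


class KdcRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_answer(dig_output: str) -> List[KdcRecord]:
    """SRV records from dig's ANSWER section, in the order a Kerberos client
    tries them (lowest priority first, then highest weight)."""
    records, in_answer = [], False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer and (not line or line.startswith(";")):
            in_answer = False  # blank line or the next ';;' header ends the section
        if in_answer:
            m = SRV_RE.match(line)
            if m:
                prio, weight, port, target = m.groups()
                records.append(KdcRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def unreachable_kdcs(records: List[KdcRecord],
                     can_reach: Callable[[str, int], bool]) -> List[KdcRecord]:
    """KDCs that DNS advertises but this client cannot reach. Any hit means
    enrollment can stall on a hidden server, the 'Cannot contact any KDC' case."""
    return [r for r in records if not can_reach(r.target, r.port)]


def hidden_kdc_targets() -> List[str]:
    """Run the check on the constructed sample with the constructed policy."""
    records = parse_srv_answer(SAMPLE_DIG_OUTPUT)
    return [r.target for r in unreachable_kdcs(records, lambda h, p: h in FIREWALL_ALLOWS)]
```

On a real client, feed `parse_srv_answer` the output of the dig command and replace the policy lambda with a TCP connect to each target's port 88; a non-empty result is the hidden master the thread is chasing.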