On 08/06/16 09:23, Martin Kosek wrote:
> On 06/07/2016 04:10 PM, Cal Sawyer wrote:
>> ...
>> I found that installing a replica with firewalld enabled would consistently fail
>> during initial replication. Disabling firewalld always allowed replication and
>> later stages to complete
>>
>> [24/38]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipa.localdomain.local] reports: Update failed! Status: [-1 - LDAP error:
>> Can't contact LDAP server]
>
> This is strange. ipa-replica-install should have run the conncheck to exactly
> prevent issues like this. Did you by any chance run ipa-replica-install with
> --skip-conncheck option?

Yes, I did. Why I can't recall now but I just started using it. Once
I'd discovered firewalld was causing the connection problem, I neglected
to stop using it

Of course, once a replica is installed and working, there's little cause
to want to redo it to test conncheck's effectiveness. Might throw
together another, though, just to put my mind at ease

>> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core)
>> with ipa-server-4.2.0-15.0.1.el7
>>
>> One other thing. If, during ipa-replica-install, you choose the default answer
>> to the following:
>>
>> Existing BIND configuration detected, overwrite? [no]:
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting installation.
>>
>> Not sure if that is intended? Which BIND configuration is being detected?
>
> This should be only triggered if you install replica with DNS (--setup-dns)

Sorry - yes, I did use --setup-dns. I might have bothered to include
the ipa-replica-install command line I used. Still, that is what I got
if I answered No to the question.

Seems like it's the wrong default answer to the question in a
--setup-dns scenario?

>> Anyhow, up and running with 4 replicas, 2 of which will be split off to a
>> failover instance of ESXi in the future. When it works, it's a joy
>>
>> Now back to getting these Mac clients to play nicely with IPA ...
>>
>> thanks for the help and advice
>
> Thanks for sharing the results.
>
> Martin