Hi Leonardo,

Thanks for your feedback.
What you did to ntlm-auth-api on-cluster is correct.

Since v14, we changed the structure of the `domain.conf`, putting an extra
hostname prefix on each domain identifier in order to allow a dedicated
machine account and password to be used by each cluster member.
So each member of a PacketFence cluster will have to have all the other
nodes' settings to keep consistency, but only cares about its own.
For example, a cluster of 3 nodes (named node1, node2 and node3) is
expected to have a configuration file like this:

# example config file structure for a PF cluster with 3 nodes and multiple
# domains (domain X and domain Y)
[node1 domainID-X]
domainID-X settings for node1
[node2 domainID-X]
domainID-X settings for node2
[node3 domainID-X]
domainID-X settings for node3
[node1 domainID-Y]
domainID-Y settings for node1
[node2 domainID-Y]
domainID-Y settings for node2
[node3 domainID-Y]
domainID-Y settings for node3

After an upgrade from v13.2 and prior, each node will be able to update
its own domain.conf, adding its hostname as a prefix, and should be
able to start properly (without the updated domain.conf being overwritten
by a forced-sync).
However, the nodes in a cluster will not be able to know other nodes'
configurations or merge them together just by running the upgrade script on
their own.

The administrator will have to:
1. Run the upgrade script on each of the members. It will modify the
current domain.conf structure to a new structure that matches the pattern
[hostname domainID].
2. Copy the modified sections from non-master nodes and manually paste them
into the master node's domain.conf file so everything is merged into the
master copy.
3. Do step 2 on another non-master node until everything needed gets
merged.
4. Do a double-check to make sure the domain.conf changes are correct, then
write the config file changes to disk.
5. Reload the configuration on the master node and sync the modified
domain.conf to the other nodes.
6. Reload the configuration on the other nodes when the sync is done, and
restart ntlm-auth-api on all nodes.
7. On each node, make sure ntlm-auth-api is functioning properly by
checking the machine joining status: if the domain join status is green on
each of the nodes, then everything is fine. BTW, you'll have to go through
and log in to all the nodes or, using the API, redirect to node2 then
node3 ...


>
>
> Dear PacketFence Community,
>
> On a cluster with two nodes and an arbitrator, I upgraded PacketFence from
> version 13.2 to 14.0.
>
> Following the procedures provided for clusters documented in the manuals,
> I started the installation process using the script
> /usr/local/pf/addons/upgrade/do-upgrade.sh, choosing to perform operating
> system upgrades as well.
>
> I immediately encountered an initial problem with the netdata dependency
> (I had redone the same procedure in late September and everything had gone
> smoothly), which, probably due to a recent RPM update on the EPEL
> repository, causes packetfence to be uninstalled without a reported error.
>
> Not giving up, I manually installed the packetfence 14 RPM having first
> taken care to uninstall netdata, put the configuration files back in and
> fixed the permissions and re-enabled the pervised systemd target for the
> cluster.
>
> All services restarted without errors and it would appear that the systems
> are fully operational, I noticed, however, that the ntlm-auth-api service
> was only active on one node in the cluster.
>
> I realized that with the upgrade the domain.conf file had been modified in
> which the Active Directory domain section name prefix the hostname of the
> first upgraded node (and from which I did the sync with the command
> /usr/local/pf/bin/cluster/sync) had been altered and this was causing only
> on that node the service had started and the domain was visible in the GUI.
>
> Upon investigating, I saw that the same fact was present in the old test
> VMs that had been updated with the procedure and had had no problems.
>
> To solve this I duplicated the domain section in the domain.conf file with
> the same data except for the prefix in which I changed the hostname to that
> of the node not included but present in the cluster.
>
> Having done this, on the node where it was needed, I sequentially executed
> the commands:
> /usr/local/pf/bin/pfcmd configreload hard
> /usr/local/pf/bin/pfcmd service ntlm-auth-api updatesystemd
>
> and did the reboot.
>
> I resynchronized the nodes and also did the same on the node that had the
> service active.
>
> Have you also experienced the same problems recently?
> Is the procedure I followed correct?
>
> Best regards
>
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
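
As an added example (not part of the original thread and not PacketFence code), a check for step 4 of the procedure above: it parses a merged domain.conf and reports which [hostname domainID] sections are missing, unprefixed, or carry an unexpected hostname. The node names, domain identifiers and the key inside each section are constructed placeholders, and the hostnames passed in are assumed to match the prefixes exactly as they appear in the file.

```python
import configparser

# Constructed sample: node3 has no domainID-Y section, and one section still
# uses the pre-v14 layout without a hostname prefix. Keys are placeholders.
SAMPLE = """\
[node1 domainID-X]
placeholder_key = value-for-node1
[node2 domainID-X]
placeholder_key = value-for-node2
[node3 domainID-X]
placeholder_key = value-for-node3
[node1 domainID-Y]
placeholder_key = value-for-node1
[node2 domainID-Y]
placeholder_key = value-for-node2
[domainID-Z]
placeholder_key = legacy-layout
"""

def check_domain_conf(text, nodes):
    """Return (missing, unprefixed, unknown_hosts) for a merged domain.conf."""
    # strict=True rejects a section pasted twice during the manual merge;
    # interpolation=None keeps '%' in values (e.g. passwords) from breaking parsing.
    parser = configparser.ConfigParser(interpolation=None, strict=True)
    parser.read_string(text)
    seen, unprefixed, unknown_hosts = set(), [], []
    for section in parser.sections():
        parts = section.split()
        if len(parts) != 2:
            unprefixed.append(section)        # no "hostname domainID" pair
        elif parts[0] not in nodes:
            unknown_hosts.append(section)     # prefix is not a cluster member
        else:
            seen.add((parts[0], parts[1]))
    domains = sorted({domain for _, domain in seen})
    # Every cluster member needs its own section for every domain identifier.
    missing = [(n, d) for d in domains for n in nodes if (n, d) not in seen]
    return missing, unprefixed, unknown_hosts

if __name__ == "__main__":
    missing, unprefixed, unknown = check_domain_conf(
        SAMPLE, ["node1", "node2", "node3"])
    for node, domain in missing:
        print(f"missing section: [{node} {domain}]")
    for section in unprefixed:
        print(f"no hostname prefix: [{section}]")
    for section in unknown:
        print(f"unknown hostname: [{section}]")
```
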