Ansible FreeIPA Server + Replica
by Finn Fysj
Hi,
I'm new to FreeIPA and the ansible-freeipa collection.
I can successfully install IPA server using the role ipaserver. However, I want to set up multi-master replication with failover.
As far as I know I need to install ipaserver on all of my masters/replicas and then the replica role?
How do the master nodes establish a relationship? Is this done using IPA client?
It might seem weird, but my goal is to set up the IPA server purely as an LDAP server using an external CA.
This is because we want to have the ability to have a user interface like the web gui.
1 year, 1 month
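As an added illustration (not from the thread and not a file shipped by the ansible-freeipa project), here is an inventory and playbook for the layout the post describes: one host installed with the ipaserver role, every further server with the ipareplica role. The ipareplica role does not need the ipaserver role to have run on the replica host first; it enrolls the host as a client and promotes it to a replica against the servers in the ipaserver group (or ipareplica_servers), so no separate ipaclient run is needed on the replicas. With ipaserver_external_ca set, the first run of the ipaserver role stops after generating a CSR for the external CA to sign, and a second run with ipaserver_external_cert_files completes the install. The hostnames, the example.test domain, the vault variable names and the certificate paths are assumptions.

```yaml
# inventory.yml (added example; hostnames and example.test are assumptions)
all:
  vars:
    # keep both passwords in ansible-vault; the replica role needs them too
    ipaadmin_password: "{{ vault_ipaadmin_password }}"
    ipadm_password: "{{ vault_ipadm_password }}"
  children:
    ipaserver:                        # the first server, installed with the ipaserver role
      hosts:
        ipa1.example.test:
      vars:
        ipaserver_domain: example.test
        ipaserver_realm: EXAMPLE.TEST
        ipaserver_setup_dns: false     # LDAP/Kerberos/web UI only, no integrated DNS
        # External-CA flow, pass 1: generate the CSR on ipa1 and stop.
        ipaserver_external_ca: true
        # Pass 2: remove ipaserver_external_ca, uncomment the files signed by the
        # external CA (paths on the controller are an assumption) and re-run.
        # ipaserver_external_cert_files:
        #   - /path/to/ipa-ca.crt
        #   - /path/to/external-ca-chain.crt
    ipareplicas:                      # every further server, installed with the ipareplica role
      hosts:
        ipa2.example.test:
        ipa3.example.test:
      vars:
        ipareplica_domain: example.test
        ipareplica_realm: EXAMPLE.TEST
        ipareplica_setup_ca: true      # replicate the CA so renewals survive the loss of ipa1
        ipareplica_setup_dns: false
        # ipareplica_servers defaults to the hosts of the ipaserver group above

---
# site.yml (added example)
- name: Install the first FreeIPA server
  hosts: ipaserver
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      state: present

- name: Install replicas, enrolling each host and promoting it against the ipaserver group
  hosts: ipareplicas
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      state: present
```

Run it as `ansible-playbook -i inventory.yml site.yml` (twice for the external-CA flow, with the certificate variables switched between runs). Afterwards `ipa topologysegment-find domain` on any server lists the replication agreements; all FreeIPA servers are multi-master, so "failover" is just clients having more than one server to pick from, which the ipaclient role handles via its server list or DNS SRV records.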
Trouble with resetting caches
by Kevin Vasko
Hello,
Does anyone have any tips for completely refreshing (forcing cleaning) all Kerberos tickets on a client from FreeIPA?
I assumed "$ kdestroy -A" should do it, but it certainly doesn't completely clear all caches.
What I'm having trouble with is some NFS/NAS servers using Kerberos. I'll set up a new NFS server with Kerberos; the server will have its appropriate keytab and services created.
I'll make sure to clear my local cache on my client with "$ kdestroy -A", and then connect to the NFS server. If for some reason I have something misconfigured (e.g. time is off) I'll obviously get a "stale file handle" or "mount.nfs4: access denied by server". At that point I'll correct the issue on the server/client. However, I'll continue getting the error even though I destroy the cache. I _know_ it's a cache issue _somewhere_ because it will randomly start working (e.g. it will be failing, leave for the day and the next morning it will mount no problem) OR I'll try it on a different client and it will mount successfully. It seems so sporadic. I've even been in the situation where I've purposefully removed keytabs, LDAP login access and reset the cache on the client on systems and the NFS mount has still worked. It will continue to work when it shouldn't, as I've removed the keytab or authentications, so obviously something is cached.
Is there a foolproof list of things I need to do to reset the cache(s)? kdestroy, services on client and server? Is there a potential forced 15 min TTL or something somewhere I'm missing?
Thanks,
-Kevin
1 year, 1 month
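An added example, not from the thread, of a client-side flush that walks the layers kdestroy never touches. `kdestroy -A` only removes the caches in the calling user's ccache collection; the GSS contexts a Kerberized NFS mount actually uses are held by the kernel for the life of the mount, the machine credential behind them is cached by rpc.gssd (or gssproxy) from /etc/krb5.keytab, NFSv4 id mappings sit in a kernel keyring, and sssd caches identities and, with cache_credentials enabled, password hashes. Each of those outlives a keytab removal or an LDAP access change until its own ticket or cache entry expires, which matches the "works again next morning" pattern described above. The script targets a Fedora/RHEL-style client (unit names rpc-gssd and gssproxy, sssd); `DRY_RUN=1` prints the privileged commands instead of executing them, which is also how the example is exercised offline.

```shell
#!/bin/sh
# flush_client_caches.sh: added example, not from the thread.
# Clears every credential-cache layer between a user and a Kerberized NFS mount
# on a Fedora/RHEL-style client. DRY_RUN=1 prints each command instead of running it.
# Unit and tool names are the distro defaults and an assumption for other systems.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# usage: flush_client_caches <mountpoint>
flush_client_caches() {
    mnt=$1

    # 1. The calling user's tickets. kdestroy -A removes every cache in the
    #    collection KRB5CCNAME points at; root's caches and anything held in the
    #    kernel are untouched, which is why this alone is not enough.
    run kdestroy -A

    # 2. The kernel's NFS GSS contexts belong to the mount, not to a ccache.
    #    Unmounting drops them; the remount at the end forces fresh negotiation.
    run umount "$mnt" || :

    # 3. rpc.gssd (and gssproxy, when it fronts rpc.gssd) cache the machine
    #    credential obtained from /etc/krb5.keytab; restart so a keytab change is seen.
    run systemctl restart rpc-gssd
    if [ "${DRY_RUN:-0}" = "1" ] || systemctl is-active --quiet gssproxy; then
        run systemctl restart gssproxy
    fi

    # 4. NFSv4 name/ID mappings are cached in the kernel keyring; a deleted or
    #    renamed user keeps its old mapping until this is cleared.
    run nfsidmap -c

    # 5. sssd caches lookups and, with cache_credentials, password hashes that let
    #    a user whose LDAP access was removed keep logging in. -E invalidates all.
    run sss_cache -E

    # 6. Verify the collection is empty, then remount to rebuild GSS state.
    run klist -A || :
    run mount "$mnt"
}

if [ $# -gt 0 ]; then
    flush_client_caches "$1"
fi
```

Run it as root with the mountpoint as the argument, then `kinit` again and access the share; if the mount still behaves as though nothing changed, the remaining state is on the server side (its own keytab, and its copy of the user's GSS context, which a restart of the NFS server's rpc.svcgssd/gssproxy clears) or the clock skew mentioned in the post, which `chronyc tracking` will show.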
KRA installation problem
by Martin Jackson
Greetings,
Some time ago, I installed FreeIPA (since Fedora 32 or so) and have been using it to manage my homelab environment, without KRA. My FreeIPA controllers are currently running Fedora 37.
Recently, I learned about KRA and tried to install it, but the tomcat.conf specified JRE 11 as JAVA_HOME, and ipa-kra-install failed on a Java bytecode error when running. (I did it on the other controller to replicate the issue.) Now both of my controllers are in a KRA-half-installed state, and ipa-healthcheck is very angry.
I do not actually need KRA at this time, but I am not sure what procedure may exist for removing it from my configuration. Has anyone else experienced this? I am happy to provide additional information if needed.
Thanks,
--
Martin Jackson <mhjacks(a)swbell.net>
1 year, 1 month
ipacerts expired
by Omar Pagan
All my certs in IPA are expired and no matter what I do I can't get `getcert` to renew them. I have changed the date back to before they expired, but when I try to restart IPA it tries to do an upgrade and fails.
I'm able to start kdc, directory services, http, pki-tomcat and certmonger, but when I try to resubmit a cert for renewal it complains about not connecting to dbus.
Please help, I need to get this IPA service up and running and I can't figure out what's wrong.
1 year, 1 month