Hi Stuart,
Adding the freeipa-users@ mailing list for visibility.
I'd have to work through your scenario to work out why it fails.
But it may be some time before I get around to that.
I think your idea to first try creating a CA replica on F28 before
moving forward to F30 is a sensible thing to try.
One question though: are you on Domain Level 0 or 1?
(`ipa domainlevel-get`).
Cheers,
Fraser
On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:
> Dear Fraser,
>
> I've read through lots of posts but I am uncertain about the best way
> forward and wonder if I could seek your guidance? I just don't want to break
> things.
>
> Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need
> updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30
> server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION:
> 2.233.
>
> The reason for adding a new server before updating the others is the web
> interface warning:
>
> Warning: Only One CA Server Detected
> It is strongly recommended to keep the CA services installed on more than
> one server
>
> which I fully understand is not good, but it doesn't offer to just fix it!
>
> I suspect server #4 may be too new, failing with both
>
> ipa-replica-install --setup-ca
>
> and
>
> ipa-ca-install
>
> in a very similar way, e.g.
>
> 2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
> 2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
>     method()
>   File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
>     self.admin_dn, master_conn
> ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
> 2019-09-26T16:18:15Z DEBUG [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
>
> which I think others have also run into.
>
> Next thought was to confirm what we had:
>
> [root@freeipa01 ~]# ipa server-find
> ---------------------
> 4 IPA servers matched
> ---------------------
> Server name: freeipa01.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa02.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa03.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa04.services.nsa.stats.ox.ac.uk F30
> ----------------------------
> Number of entries returned 4
> ----------------------------
> [root@freeipa01 ~]# ipa server-role-find --role "CA server"
> ----------------------
> 4 server roles matched
> ----------------------
> Server name: freeipa01.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: enabled
>
> Server name: freeipa02.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
>
> Server name: freeipa03.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
>
> Server name: freeipa04.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
> ----------------------------
> Number of entries returned 4
> ----------------------------
>
>
> and then find out how to change the "Role status:" to enabled, starting on
> freeipa02, but I am not sure how to achieve this, e.g.
>
>
> [root@freeipa02 ~]# ipa-ca-install
> CA is already installed on this host.
>
> True, but it doesn't really help. Sorry if this is very easy to do with a
> command I have totally missed.
>
> Currently I know if freeipa01 fails, client logins also fail, and I assume
> this is because it is the only CA server enabled.
>
> Work plan:
>
> 1. Enable more CA servers
>
> 2. Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too
> far at once, probably updating servers #2, then #3 and finally #1.
>
> 3. Add more servers for resiliency
>
>
> Any idea how to get more CA servers enabled or any other suggestions?
>
> Many thanks
>
> Best wishes
>
> Stuart
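As an added example that is not part of the thread: a small POSIX shell check that parses the `ipa server-role-find --role "CA server"` listing and fails when fewer than two servers have the CA role enabled, so the "Only One CA Server Detected" condition surfaces in a cron job or monitoring check instead of only in the web UI. The sample listing below is constructed with example.test hostnames and is not output from Stuart's servers.

```shell
#!/bin/sh
# Added example: detect lack of CA redundancy from the output of
# `ipa server-role-find --role "CA server"`.

# Constructed sample listing, shaped like the one in the thread:
# one CA enabled, three absent.
SAMPLE_ROLES='----------------------
4 server roles matched
----------------------
  Server name: freeipa01.example.test
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.example.test
  Role name: CA server
  Role status: absent

  Server name: freeipa03.example.test
  Role name: CA server
  Role status: absent

  Server name: freeipa04.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 4
----------------------------'

# count_enabled_ca: read a role listing on stdin, print how many servers
# report "Role status: enabled".
count_enabled_ca() {
    awk -F': *' '/^ *Role status:/ && $2 == "enabled" { n++ } END { print n+0 }'
}

# enabled_ca_servers: print the hostnames whose CA role is enabled.
enabled_ca_servers() {
    awk -F': *' '/^ *Server name:/ { srv = $2 }
                 /^ *Role status:/ && $2 == "enabled" { print srv }'
}

# check_ca_redundancy: return 0 if at least two CA servers are enabled,
# 1 (with a warning on stderr) otherwise.
check_ca_redundancy() {
    n=$(count_enabled_ca)
    if [ "$n" -lt 2 ]; then
        echo "WARNING: only $n CA server(s) enabled; CA has no redundancy" >&2
        return 1
    fi
    return 0
}

# Live use (needs an admin Kerberos ticket on an IPA server):
# ipa server-role-find --role "CA server" | check_ca_redundancy
```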