On 2/6/2019 4:12 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 2/6/19 6:03 AM, TomK via FreeIPA-users wrote:
> On 2/5/2019 5:12 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>> On 2/5/19 8:15 AM, TomK via FreeIPA-users wrote:
>>> Hello,
>>>
>>> Would someone please point me to a concise list of steps I can use
>>> here? Running 1.) and 2.) yields various errors and I would like
>>> to try a known set of working commands to get a replica going in
>>> this state before posting with errors:
>>>
>>> # ipa-replica-prepare ipa04.abc.xyz.123 --ip-address 192.168.0.20 -p "PASS01"
>>>
>>> Replica creation using 'ipa-replica-prepare' to generate replica file
>>> is supported only in 0-level IPA domain.
>>>
>>> The current IPA domain level is 1 and thus the replica must
>>> be created by promoting an existing IPA client.
>>>
>>> To set up a replica use the following procedure:
>>> 1.) set up a client on the host using 'ipa-client-install'
>>> 2.) promote the client to replica running 'ipa-replica-install'
>>> *without* replica file specified
>>>
>>> 'ipa-replica-prepare' is allowed only in domain level 0
>>> The ipa-replica-prepare command failed.
>>>
>>>
>> Hi,
>>
>> the process to install a replica has evolved since IPA 4.3. If your
>> master was installed with IPA 4.3+, then it is using domain level 1
>> by default (unless you specified ipa-server-install --domain-level 0
>> during the installation).
>>
>> In this case, please refer to this wiki [1] to install a replica.
>> There is no need to create a replica file, and you can either:
>> - install the future replica as a client with:
>> $ ipa-client-install [options]
>> then run ipa-replica-install to promote the machine from client to
>> replica using:
>> $ kinit admin
>> $ ipa-replica-install
>>
>> or
>> - directly install the replica using:
>> $ ipa-replica-install --principal admin --admin-password xx [options]
>
> Thanks Florence! To add some background to the conversation, I ran
> into the following when trying just those commands:
>
> 1) Running ipa-replica-install reported errors if both the master and
> replica DNS entries did not appear in the master's zone / reverse
> files. Had to add them manually. The hosts file did not help, of
> course, as it's running dig, if I recall correctly, which bypasses the
> /etc/hosts file?
>
> ERROR Reverse DNS resolution of address 192.168.0.154
> (ipa02.xyz.abc.zyx) failed. Clients may not function properly. Please
> check your DNS setup. (Note that this check queries IPA DNS directly
> and ignores /etc/hosts.)
>
>
> 2) Missing PTR records. Had to add a reverse zone and skip the
> overlap check as I'm working with a single subnet:
>
> IPA Error 3000: InvocationError
> DNS zone 0.168.192.in-addr.arpa. already exists in DNS and is handled
> by server(s): ad02.abc.zyx., ad01.abc.zyx.
>
> 3) Finally I reran ipa-replica-install, which completed fine but
> indicated I only have a CA configured for the master. So I needed to
> uninstall everything and redo it, this time running:
>
!!!Important!!! you don't need to start over the replica install if you
just want to add a CA instance on the replica. The command
ipa-ca-install can be run on the replica and will configure a clone of
the CA.
> ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.0.<AD VIP OCTET>
>
> 4) This time when running the above ipa-replica-install ...... it
> complained that the keytab wasn't working despite uninstalling
> everything earlier using ipa-client-install --uninstall:
>
> ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/ipa02.xyz.abc.zyx@XYZ.ABC.ZYX -H ldaps://ipa01.xyz.abc.zyx' returned non-zero exit status 9
>
> So I removed a bunch of further entries from the master UI including
> the SRV records etc.
>
The correct path would be
[master]$ ipa-replica-manage del <replica> --force --clean
to remove all remaining data related to the uninstalled replica.
> 5) Finally I got the following:
>
> Joining realm failed: Host is already joined.
>
> which I took care of by visiting the master then IPA Server ->
> Topology and removing any reference to ipa02.
>
>
>
> This adventure led me to believe that:
>
> 1) Perhaps there's some sort of guide online that I'm not finding,
> outlining all the prep work I needed to do? (Which you've now
> provided, thx.)
>
The official documentation is Red Hat Enterprise Linux "Linux Domain
Identity, Authentication, and Policy Guide" that can be found here [1].
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Thanks Florence! These are the bits I needed!
> 2) Perhaps I'm doing the right thing but these are potential issues?
>
> Thank you for the wiki. It does address use of the various options.
> Appeared as though ipa-replica-install without any options might pull
> this off the master, but it didn't.
>
> Cheers,
> TK
>
>>
>> HTH,
>> flo
>>
>> [1] https://www.freeipa.org/page/Releases/4.3.0#New_method_-_domain_level_1
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
>
>
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
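The two failures that cost TomK the most time in this thread (forward lookup of the replica and the missing PTR records) are both things ipa-replica-install checks against the IPA DNS server itself, ignoring /etc/hosts. The script below is an added example, not code from this thread or from the FreeIPA project: a pre-flight check that runs the same two queries against the master before you promote a client. It assumes `dig` (bind-utils) is installed and that the master runs the integrated IPA DNS; the host names and addresses it is fed are whatever you pass on the command line, and the helper names (reverse_name, reverse_zone24, matches, check_host) are the example's own.

```shell
#!/bin/sh
# Added example, not from this thread or from FreeIPA itself: a pre-flight
# check that asks the master's own DNS (never /etc/hosts) whether the
# A and PTR records for master and future replica exist and agree, which
# is the check ipa-replica-install performs and the one that failed above.
# Assumes `dig` (bind-utils) is installed and the master runs IPA DNS.

# PTR owner name for an IPv4 address: 192.168.0.154 -> 154.0.168.192.in-addr.arpa.
reverse_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# Reverse zone that must exist for a /24: 192.168.0.154 -> 0.168.192.in-addr.arpa.
reverse_zone24() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# True when a dig answer equals the expected value, ignoring the trailing
# dot dig prints on names; an empty answer (no record) never matches.
matches() {
    got=$(printf '%s' "$1" | sed 's/\.$//')
    want=$(printf '%s' "$2" | sed 's/\.$//')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Query one host's A and PTR records on the master; print PASS/FAIL per
# check and return the number of failures (0, 1 or 2).
check_host() {
    master="$1"; fqdn="$2"; ip="$3"; fails=0
    # head -n1: if the name is a CNAME, dig +short prints the target first
    fwd=$(dig +short "@$master" A "$fqdn" | head -n1)
    if matches "$fwd" "$ip"; then
        echo "PASS A   $fqdn -> $fwd"
    else
        echo "FAIL A   $fqdn -> '${fwd:-<none>}' (expected $ip)"
        fails=$((fails + 1))
    fi
    rev=$(dig +short "@$master" -x "$ip" | head -n1)
    if matches "$rev" "$fqdn"; then
        echo "PASS PTR $ip -> $rev"
    else
        echo "FAIL PTR $ip -> '${rev:-<none>}' (expected $fqdn; zone $(reverse_zone24 "$ip") must hold $(reverse_name "$ip"))"
        fails=$((fails + 1))
    fi
    return $fails
}

# Usage: sh replica-preflight.sh <master-fqdn> <master-ip> <replica-fqdn> <replica-ip>
main() {
    total=0
    check_host "$1" "$1" "$2" || total=$((total + $?))
    check_host "$1" "$3" "$4" || total=$((total + $?))
    if [ "$total" -eq 0 ]; then
        echo "DNS consistent on $1; promote with: kinit admin && ipa-replica-install [--setup-ca --setup-dns ...]"
    else
        echo "$total check(s) failed; add the missing zone/records on the master before promoting."
    fi
    return $total
}

# Run only when given the four arguments, so the functions can also be sourced.
if [ $# -eq 4 ]; then
    main "$@"
fi
```

Run it from the future replica as `sh replica-preflight.sh ipa01.xyz.abc.zyx 192.168.0.153 ipa02.xyz.abc.zyx 192.168.0.154` (addresses here are constructed placeholders). A FAIL on the PTR line names the reverse zone that has to exist on the master; in the situation from this thread that zone (0.168.192.in-addr.arpa.) was already served by the AD controllers, which is why `ipa dnszone-add` needed `--skip-overlap-check` before the PTR records could be added with `ipa dnsrecord-add`. Only once both hosts pass is it worth running kinit admin and ipa-replica-install.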