Well, then I will repeat the context...
After completing the installation of the FreeIPA master (vm200; 192.168.100.200), I started
the setup of the replica (vm201; 192.168.100.201).
This means I first enrolled the replica server as a client successfully and then executed
this command:
ipa-replica-install
The installation log reports this error:
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Is this an error or normal behavior of replica installation?
This is the full installation output in the console:
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
And this is the output of getcert list -f /var/kerberos/krb5kdc/kdc.crt:
[root@ipa-replica ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 4.
Request ID '20181206075804':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: SelfSign
	issuer: CN=ipa-replica.biszumbitterenen.de,O=BISZUMBITTERENEN.DE
	subject: CN=ipa-replica.biszumbitterenen.de,O=BISZUMBITTERENEN.DE
	expires: 2019-12-06 08:58:04 CET
	principal name: krbtgt/BISZUMBITTERENEN.DE@BISZUMBITTERENEN.DE
	certificate template/profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
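
Added example, not part of the original message and not FreeIPA or certmonger code: a small parser for `getcert list` output that flags tracked certificates that are self-signed, as the KDC certificate above is (CA: SelfSign, issuer equal to subject), and requests that are not being monitored cleanly. The second request in the sample, the finding labels and the function names are constructed for illustration.

```python
import re

# Constructed input: the request shown in the post (some fields omitted),
# plus a second, hypothetical request (made-up ID and names) from a CA "IPA".
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20181206075804':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: SelfSign
\tissuer: CN=ipa-replica.biszumbitterenen.de,O=BISZUMBITTERENEN.DE
\tsubject: CN=ipa-replica.biszumbitterenen.de,O=BISZUMBITTERENEN.DE
\texpires: 2019-12-06 08:58:04 CET
\tpre-save command:
Request ID '20990101000000':
\tstatus: CA_UNREACHABLE
\tstuck: no
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=host.example.test,O=EXAMPLE.TEST
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")

def parse_getcert_list(text):
    """Return {request_id: {field: value}} parsed from `getcert list` text."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = requests.setdefault(match.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as the expiry
            # time contain further colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests

def audit(requests):
    """Map each request ID to a list of findings (empty list = nothing flagged)."""
    report = {}
    for req_id, f in requests.items():
        findings = []
        if f.get("CA") == "SelfSign" or (f.get("issuer") and f.get("issuer") == f.get("subject")):
            findings.append("self-signed")
        if f.get("status") != "MONITORING" or f.get("stuck") == "yes":
            findings.append("needs-attention")
        report[req_id] = findings
    return report
```

To check a live host, pass the captured text of `getcert list` to `parse_getcert_list` instead of `SAMPLE`.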