Hi!
The node 1 is the Renewal Master
--
ldapsearch -D cn=directory\ manager -W -LLL -b cn=masters,cn=ipa,cn=etc,BASEDN '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
Enter LDAP Password:
dn: cn=CA,cn=<<ipa1.fqdn>>,cn=masters,cn=ipa,cn=etc,BASEDN
--
Eemeli
-----Original Message-----
From: Florence Blanc-Renaud [mailto:flo@redhat.com]
Sent: Monday, 25 June 2018 12.53
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Jokinen Eemeli <Eemeli.Jokinen(a)cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start
On 06/25/2018 07:48 AM, Jokinen Eemeli via FreeIPA-users wrote:
Hi!
gssproxy up and running
--
systemctl status gssproxy
● gssproxy.service - GSSAPI Proxy Daemon
Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-06-15 12:58:24 EEST; 1 weeks 2 days ago
Process: 3807 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
--
Also seems like there's some default configuration of gssproxy, no ipa.conf (googling
said that there should probably be also ipa.conf?).
--
ls /etc/gssproxy/
24-nfs-server.conf 99-nfs-client.conf gssproxy.conf
--
Hi,
you are indeed missing the file /etc/gssproxy/10-ipa.conf, and this file should be created
during ipa-server-upgrade, but after the step restarting pki-tomcat.
So let's go back to our initial goal: finding which master is the renewal master. You
can use an ldapsearch query to find out the renewal master:
# ldapsearch -D cn=directory\ manager -W -LLL -b cn=masters,cn=ipa,cn=etc,$BASEDN '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
Enter LDAP Password:
dn: cn=CA,cn=myrenewalmaster.domain.com,cn=masters,cn=ipa,cn=etc,$BASEDN
(replace BASEDN with your own setting that can be found in /etc/ipa/default.conf)
Flo
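
The lookup described in this thread, as an added example that is not part of the original messages or of FreeIPA itself: it reads basedn from /etc/ipa/default.conf, runs the same ldapsearch, and extracts the renewal master's hostname from the returned DN, unfolding LDIF line wrapping first (a long DN is continued on the next line with one leading space). The function names are hypothetical, and the config is assumed to hold a "basedn = ..." line.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage on an IPA server: find_renewal_master
# (ldapsearch prompts for the Directory Manager password).

# Print the basedn value from an IPA default.conf-style file.
# Assumes a line of the form "basedn = dc=example,dc=test".
get_basedn() {
    conf=${1:-/etc/ipa/default.conf}
    sed -n 's/^[[:space:]]*basedn[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf" | head -n 1
}

# Read "ldapsearch -LLL ... dn" output on stdin and print the hostname
# of the master whose CA entry carries caRenewalMaster.
renewal_master_from_ldif() {
    # Step 1: unfold LDIF continuation lines (leading single space).
    # Step 2: pull the host out of cn=CA,cn=<host>,cn=masters,...
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | sed -n 's/^dn: cn=CA,cn=\([^,]*\),cn=masters,cn=ipa,cn=etc,.*/\1/p'
}

# Run the query from the thread with the base DN filled in from the config.
find_renewal_master() {
    basedn=$(get_basedn "$1")
    if [ -z "$basedn" ]; then
        echo "basedn not found in configuration" >&2
        return 1
    fi
    ldapsearch -D "cn=directory manager" -W -LLL \
        -b "cn=masters,cn=ipa,cn=etc,$basedn" \
        '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn |
        renewal_master_from_ldif
}
```

Empty output from find_renewal_master means no master's CA entry matched the caRenewalMaster filter.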