I'm trying to migrate to new replica servers and have run into a glitch. From some of the clients I can get a ticket but any ipa command results in an error:
[root@host ~]# ipa user-show user1
ipa: ERROR: cannot connect to 'any of the configured servers': https://iparep1.examle.com/ipa/json, https://iparep2.example.com/ipa/json, https://iparep3.example.com/ipa/json, https://iparep4.example.com/ipa/json
All the servers listed in the error have been retired. The ipa_server config in /etc/sssd/sssd.conf has been updated to point to the new servers and sssd has been restarted.
I tried to tweak sssd.conf on one client to only have one of the new replica servers listed, stopped sssd, cleared out /var/lib/sss/db/* and then restarted sssd. It still gets the same error above.
The new servers are all running ipa-server-4.9.6-6 on Rocky Linux 8.5. There is one of the previous replicas still running. I will be retiring that one as well but not until I figure out the current problems. I've configured topology segments in a mesh so any of the servers can replicate with any of the others.
On 11/18/2021 6:11 AM, Stephen Berg, Code 7309 via FreeIPA-users wrote:
> I'm trying to migrate to new replica servers and have run into a glitch. From some of the clients I can get a ticket but any ipa command results in an error:
> [root@host ~]# ipa user-show user1
> ipa: ERROR: cannot connect to 'any of the configured servers': https://iparep1.examle.com/ipa/json, https://iparep2.example.com/ipa/json, https://iparep3.example.com/ipa/json, https://iparep4.example.com/ipa/json
> All the servers listed in the error have been retired. The ipa_server config in /etc/sssd/sssd.conf has been updated to point to the new servers and sssd has been restarted.
> I tried to tweak sssd.conf on one client to only have one of the new replica servers listed, stopped sssd, cleared out /var/lib/sss/db/* and then restarted sssd. It still gets the same error above.
> The new servers are all running ipa-server-4.9.6-6 on Rocky Linux 8.5. There is one of the previous replicas still running. I will be retiring that one as well but not until I figure out the current problems. I've configured topology segments in a mesh so any of the servers can replicate with any of the others.
I think I've found at least one problem. When I removed old replicas that are getting retired, I think I removed the CA master by mistake. Now I don't seem to have one and need to modify one of the replicas to be the CA. Can't figure out the right procedure to make that happen, though.