Hi Stuart,
Adding the freeipa-users@ mailing list for visibility.
I'd have to work through your scenario to work out why it fails. But it may be some time before I get around to that.
I think your idea to first try creating a CA replica on F28 before moving forward to F30 is a sensible thing to try.
One question though: are you on Domain Level 0 or 1? (`ipa domainlevel-get`).
Cheers, Fraser
On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:
Dear Fraser,
I've read through lots of posts but I am uncertain about the best way forward and wonder if I could seek your guidance? I just don't want to break things.
Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30 server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION: 2.233.
The reason for adding a new server before updating the others is the web interface warning:
Warning: Only One CA Server Detected
It is strongly recommended to keep the CA services installed on more than one server
which I fully understand is not good, but it doesn't offer to just fix it!
I suspect server #4 may be too new, failing with both
ipa-replica-install --setup-ca
and
ipa-ca-install
in a very similar way, e.g.
2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
    self.admin_dn, master_conn
ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
2019-09-26T16:18:15Z DEBUG [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
which I think others have also run into.
Next thought was to confirm what we had:
[root@freeipa01 ~]# ipa server-find
4 IPA servers matched
  Server name: freeipa01.services.nsa.stats.ox.ac.uk   F26
  Server name: freeipa02.services.nsa.stats.ox.ac.uk   F26
  Server name: freeipa03.services.nsa.stats.ox.ac.uk   F26
  Server name: freeipa04.services.nsa.stats.ox.ac.uk   F30
Number of entries returned 4
[root@freeipa01 ~]# ipa server-role-find --role "CA server"
4 server roles matched
  Server name: freeipa01.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent

  Server name: freeipa03.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent

  Server name: freeipa04.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent
Number of entries returned 4
and then find out how to change the "Role status:" to enabled, starting on freeipa02 but I am not sure how to achieve this, e.g.
[root@freeipa02 ~]# ipa-ca-install
CA is already installed on this host.
True, but it doesn't really help. Sorry if this is very easy to do with a command I have totally missed.
Currently I know if freeipa01 fails, client logins also fail, and I assume this is because it is the only CA server enabled.
Work plan:
Enable more CA servers
Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too far at once, probably updating servers #2, then #3 and finally #1.
Add more servers for resiliency
Any idea how to get more CA servers enabled or any other suggestions?
Many thanks
Best wishes
Stuart
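As an added example that is not part of this thread (my own code, not FreeIPA's), here is a small POSIX shell check that parses the output of `ipa server-role-find --role "CA server"` shown above and flags the single-enabled-CA condition behind the "Only One CA Server Detected" warning. The embedded sample is constructed to mirror Stuart's output; the function names are assumptions of mine.

```shell
# Added example: parse `ipa server-role-find --role "CA server"` output and
# warn when fewer than two servers have the CA role enabled (the state that
# makes the first master a single point of failure for certificate services).
# SAMPLE_ROLE_OUTPUT is constructed to mirror the format in the thread.
SAMPLE_ROLE_OUTPUT='4 server roles matched
  Server name: freeipa01.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: enabled
  Server name: freeipa02.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent
  Server name: freeipa03.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent
  Server name: freeipa04.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent
Number of entries returned 4'

# ca_servers: read role-find output on stdin, print "<server> <status>" per entry.
ca_servers() {
    awk '
        /^[[:space:]]*Server name:/ { sub(/^[[:space:]]*Server name:[[:space:]]*/, ""); host = $0 }
        /^[[:space:]]*Role status:/ { sub(/^[[:space:]]*Role status:[[:space:]]*/, ""); print host, $0 }
    '
}

# enabled_ca_count: number of servers whose CA role status is "enabled".
enabled_ca_count() {
    ca_servers | awk '$2 == "enabled" { n++ } END { print n + 0 }'
}

# check_ca_redundancy: exit 0 when at least two CAs are enabled, 1 otherwise.
# Live use: ipa server-role-find --role "CA server" | check_ca_redundancy
check_ca_redundancy() {
    count=$(enabled_ca_count)
    if [ "$count" -lt 2 ]; then
        echo "WARNING: only $count CA server(s) enabled; CA is a single point of failure" >&2
        return 1
    fi
    echo "OK: $count CA servers enabled"
    return 0
}

printf '%s\n' "$SAMPLE_ROLE_OUTPUT" | ca_servers
printf '%s\n' "$SAMPLE_ROLE_OUTPUT" | check_ca_redundancy || true
```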