Hi Stuart,
Adding the freeipa-users@ mailing list for visibility.
I'd have to work through your scenario to work out why it fails. But it may be some time before I get around to that.
I think your idea to first try creating a CA replica on F28 before moving forward to F30 is a sensible thing to try.
One question though: are you on Domain Level 0 or 1? (`ipa domainlevel-get`).
Cheers, Fraser
On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:
Dear Fraser,
I've read through lots of posts but I am uncertain about the best way forward and wonder if I could seek your guidance? I just don't want to break things.
Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30 server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION: 2.233.
The reason for adding a new server before updating the others is the web interface warning:
Warning: Only One CA Server Detected
It is strongly recommended to keep the CA services installed on more than one server
which I fully understand is not good, but it doesn't offer to just fix it!
I suspect server #4 may be too new, failing with both
ipa-replica-install --setup-ca
and
ipa-ca-install
in a very similar way, e.g.
2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
    self.admin_dn, master_conn
ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
2019-09-26T16:18:15Z DEBUG [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
which I think others have also run into.
Next thought was to confirm what we had:
[root@freeipa01 ~]# ipa server-find
4 IPA servers matched
  Server name: freeipa01.services.nsa.stats.ox.ac.uk   F26
  Server name: freeipa02.services.nsa.stats.ox.ac.uk   F26
  Server name: freeipa03.services.nsa.stats.ox.ac.uk   F26
  Server name: freeipa04.services.nsa.stats.ox.ac.uk   F30
Number of entries returned 4

[root@freeipa01 ~]# ipa server-role-find --role "CA server"
4 server roles matched
  Server name: freeipa01.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent

  Server name: freeipa03.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent

  Server name: freeipa04.services.nsa.stats.ox.ac.uk
  Role name: CA server
  Role status: absent
Number of entries returned 4
and then find out how to change the "Role status:" to enabled, starting on freeipa02 but I am not sure how to achieve this, e.g.
[root@freeipa02 ~]# ipa-ca-install
CA is already installed on this host.
True, but it doesn't really help. Sorry if this is very easy to do with a command I have totally missed.
Currently I know if freeipa01 fails, client logins also fail, and I assume this is because it is the only CA server enabled.
Work plan:
Enable more CA servers
Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too far at once, probably updating servers #2, then #3 and finally #1.
Add more servers for resiliency
Any idea how to get more CA servers enabled or any other suggestions?
Many thanks
Best wishes
Stuart
Stuart,
All I would say is: please run multiple CA servers in your LDAP infrastructure, otherwise you will be in very big trouble like I was. I had no idea about the role of the CA and was running a single CA, which we lost, and then we were totally screwed and weren't able to create any replica or anything; a total dead end.
The FreeIPA documentation is really huge and sometimes you lose track of which components are mandatory; not blaming anyone, but that is how I felt. I wish they would add a CA verification feature to the "ipa-replica-install" command which won't let you move forward until you have a minimum of two CAs (and forces you to use the --setup-ca option).
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Mon, Sep 30, 2019 at 10:20:16AM -0400, Satish Patel via FreeIPA-users wrote:
We now have a warning at end of ipa-replica-install if there is only one CA replica in the topology.
The freeipa-healthcheck project will also analyse the topology and warn of insufficient redundancy of CA/KRA, DNS, etc.
Cheers, Fraser
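As an added example (not code from FreeIPA or the freeipa-healthcheck project), the redundancy check described above, scripted over the output of the `ipa server-role-find --role "CA server"` command quoted earlier in the thread: it counts servers with the CA role enabled and lists the "absent" ones where `ipa-ca-install` could add a CA. The hostnames in the sample are constructed placeholders, and `--live` assumes it is run on an IPA server with a valid admin Kerberos ticket.

```python
"""Check CA-server redundancy in a FreeIPA topology.

Added example, not FreeIPA or freeipa-healthcheck code. It parses the
human-readable output of `ipa server-role-find --role "CA server"` and
reports whether fewer than two servers have the CA role enabled, listing
the servers where `ipa-ca-install` could add one. `--live` runs the real
command (assumption: executed on an IPA server with an admin ticket);
otherwise the constructed sample below is used.
"""
import subprocess
import sys

# Constructed sample, modelled on the output quoted in the thread
# (hostnames are placeholders, not the original poster's).
SAMPLE_OUTPUT = """\
----------------------
4 server roles matched
----------------------
  Server name: freeipa01.example.test
  Role name: CA server
  Role status: enabled

  Server name: freeipa02.example.test
  Role name: CA server
  Role status: absent

  Server name: freeipa03.example.test
  Role name: CA server
  Role status: absent

  Server name: freeipa04.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 4
----------------------------
"""

MIN_CA_SERVERS = 2  # the floor the thread (and healthcheck) warns below


def parse_server_roles(text):
    """Turn server-role-find output into [{'server', 'role', 'status'}, ...].

    A new entry starts at each "Server name:" line. Separator lines, the
    "N server roles matched" banner and the trailing count carry no colon
    and are skipped.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "server name":
            current = {"server": value, "role": None, "status": None}
            entries.append(current)
        elif current is not None and key == "role name":
            current["role"] = value
        elif current is not None and key == "role status":
            current["status"] = value
    return entries


def ca_redundancy(entries, minimum=MIN_CA_SERVERS):
    """Summarise CA-role coverage: which servers serve, which could."""
    ca = [e for e in entries if e["role"] == "CA server"]
    # Only "enabled" counts as serving; "absent" means the role could be
    # added with ipa-ca-install. Other statuses (e.g. "hidden") are
    # neither and are left out of both lists.
    enabled = sorted(e["server"] for e in ca if e["status"] == "enabled")
    candidates = sorted(e["server"] for e in ca if e["status"] == "absent")
    return {"enabled": enabled, "candidates": candidates,
            "ok": len(enabled) >= minimum}


def main(argv):
    if "--live" in argv:
        text = subprocess.run(
            ["ipa", "server-role-find", "--role", "CA server"],
            capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_OUTPUT
    result = ca_redundancy(parse_server_roles(text))
    print("CA servers enabled:", ", ".join(result["enabled"]) or "none")
    if not result["ok"]:
        print(f"WARNING: fewer than {MIN_CA_SERVERS} CA servers; "
              "losing one leaves the topology without a CA.")
        print("Add a CA with `ipa-ca-install` on:",
              ", ".join(result["candidates"]) or "no candidates")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample it exits non-zero with one enabled CA and three candidates, which is the situation described in the original post.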
Thank you Fraser,
Why not throw the warning before it starts running ipa-replica-install? (I would say put human interaction there, and without that it won't let you move forward.)
Something like the following example:
WARNING!!!!!!! You are running a single CA master. Do you want to install a CA replica on this server [Yes/No]:
I don't see any point in reminding you at the end, when you then have to re-install again with --setup-ca.
This is just me feeling that way because I went through this pain :( and had lots of alcohol to wash that pain away :)
Satish Patel via FreeIPA-users wrote:
Thank you Fraser,
Why not throw the warning before it starts running ipa-replica-install? (I would say put human interaction there, and without that it won't let you move forward.)
Something like the following example:
WARNING!!!!!!! You are running a single CA master. Do you want to install a CA replica on this server [Yes/No]:
I don't see any point in reminding you at the end, when you then have to re-install again with --setup-ca.
You can run ipa-ca-install at any time to add a CA to an existing master.
rob