On Mon, Sep 30, 2019 at 10:20:16AM -0400, Satish Patel via FreeIPA-users wrote:

Stuart,

All i would say please run multiple CA servers in your ldap infrastructure, otherwise you will be in very big trouble like i was in, I had no idea about role of CA and was running single CA which we lost and then we totally screwed and won't able to create any replica or anything totally dead end.

FreeIPA document is really huge and sometime you get lost of what components are mandatory no blaming to anyone but that was i felt. I wish they add this CA verification feature in " ipa-replica-install" command which won't let you move forward until you have minimum two CA (and force you to use --setup-ca option)

We now have a warning at end of ipa-replica-install if there is only one CA replica in the topology.

The freeipa-healthcheck project will also analyse the topology and warn of insufficient redundancy of CA/KRA, DNS, etc.

Cheers, Fraser

On Mon, Sep 30, 2019 at 12:35 AM Fraser Tweedale via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:

...

Hi Stuart,

Adding the freeipa-users@ mailing list for visibility.

I'd have to work through your scenario to work out why it fails. But it may be some time before I get around to that.

I think your idea to first try creating a CA replica on F28 before moving forward to F30 is a sensible thing to try.

One question though: are you on Domain Level 0 or 1? (`ipa domainlevel-get`).

Cheers, Fraser

On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:

...

Dear Fraser,

I've read through lots of posts but I am uncertain about the best way forward and wonder if I could seek your guidance? I just don't want to break things.

Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30 server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION: 2.233.

The reason for adding a new server before updating the others is the web interface warning:

  Warning: Only One CA Server Detected
  It is strongly recommended to keep the CA services installed on more than
  one server

which I fully understand is not good, but it doesn't offer to just fix it!

I suspect server #4 may be too new, failing with both

  ipa-replica-install --setup-ca

and

  ipa-ca-install

in a very similar way, e.g.

  2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
  2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
      method()
    File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
      self.admin_dn, master_conn
  ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389

  2019-09-26T16:18:15Z DEBUG   [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389

which I think others have also run into.

Next thought was to confirm what we had:

  [root@freeipa01 ~]# ipa server-find
  ---------------------
  4 IPA servers matched
  ---------------------
    Server name: freeipa01.services.nsa.stats.ox.ac.uk                    F26

    Server name: freeipa02.services.nsa.stats.ox.ac.uk                    F26

    Server name: freeipa03.services.nsa.stats.ox.ac.uk                    F26

    Server name: freeipa04.services.nsa.stats.ox.ac.uk                    F30
  ----------------------------
  Number of entries returned 4
  ----------------------------
  [root@freeipa01 ~]# ipa server-role-find --role "CA server"
  ----------------------
  4 server roles matched
  ----------------------
    Server name: freeipa01.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: enabled

    Server name: freeipa02.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: absent

    Server name: freeipa03.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: absent

    Server name: freeipa04.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: absent
  ----------------------------
  Number of entries returned 4
  ----------------------------

and then find out how to change the "Role status:" to enabled, starting on freeipa02 but I am not sure how to achieve this, e.g.

  [root@freeipa02 ~]# ipa-ca-install
  CA is already installed on this host.

true but doesn't really help. Sorry if this is very easy to do with a command I have totally missed.

Currently I know if freeipa01 fails, client logins also fail, and I assume this is because it is the only CA server enabled.

Work plan:

1. Enable more CA servers

2. Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too far at once, probably updating servers #2, then #3 and finally #1.

3. Add more servers for resiliency

Any idea how to get more CA servers enabled or any other suggestions?

Many thanks

Best wishes

Stuart

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Satish Patel via FreeIPA-users wrote:

Thank you Fraser,

Why not throw warning before it start running ipa-replica-install ( I would say put human interaction there and without that it won't let you move forward)

something like following example:

WARNING!!!!!!! you are running singel CA Master, Do you want to install CA Replica on this server [Yes/No]:

Not seeing any point in end if it remind you and then you have to re-install again with --setup-ca

You can run ipa-ca-install at any time to add a CA to an existing master.

rob

This is just me feeling that way because i went through this pain :( and had lots of alcohol to wash that pain away :)

On Mon, Sep 30, 2019 at 9:09 PM Fraser Tweedale ftweedal@redhat.com wrote:

...

On Mon, Sep 30, 2019 at 10:20:16AM -0400, Satish Patel via FreeIPA-users wrote:

...

Stuart,

All i would say please run multiple CA servers in your ldap infrastructure, otherwise you will be in very big trouble like i was in, I had no idea about role of CA and was running single CA which we lost and then we totally screwed and won't able to create any replica or anything totally dead end.

FreeIPA document is really huge and sometime you get lost of what components are mandatory no blaming to anyone but that was i felt. I wish they add this CA verification feature in " ipa-replica-install" command which won't let you move forward until you have minimum two CA (and force you to use --setup-ca option)

We now have a warning at end of ipa-replica-install if there is only one CA replica in the topology.

The freeipa-healthcheck project will also analyse the topology and warn of insufficient redundancy of CA/KRA, DNS, etc.

Cheers, Fraser

...

On Mon, Sep 30, 2019 at 12:35 AM Fraser Tweedale via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:

...

Hi Stuart,

Adding the freeipa-users@ mailing list for visibility.

I'd have to work through your scenario to work out why it fails. But it may be some time before I get around to that.

I think your idea to first try creating a CA replica on F28 before moving forward to F30 is a sensible thing to try.

One question though: are you on Domain Level 0 or 1? (`ipa domainlevel-get`).

Cheers, Fraser

On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:

...

Dear Fraser,

I've read through lots of posts but I am uncertain about the best way forward and wonder if I could seek your guidance? I just don't want to break things.

Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30 server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION: 2.233.

The reason for adding a new server before updating the others is the web interface warning:

  Warning: Only One CA Server Detected
  It is strongly recommended to keep the CA services installed on more than
  one server

which I fully understand is not good, but it doesn't offer to just fix it!

I suspect server #4 may be too new, failing with both

  ipa-replica-install --setup-ca

and

  ipa-ca-install

in a very similar way, e.g.

  2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
  2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
      method()
    File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
      self.admin_dn, master_conn
  ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389

  2019-09-26T16:18:15Z DEBUG   [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389

which I think others have also run into.

Next thought was to confirm what we had:

  [root@freeipa01 ~]# ipa server-find
  ---------------------
  4 IPA servers matched
  ---------------------
    Server name: freeipa01.services.nsa.stats.ox.ac.uk                    F26

    Server name: freeipa02.services.nsa.stats.ox.ac.uk                    F26

    Server name: freeipa03.services.nsa.stats.ox.ac.uk                    F26

    Server name: freeipa04.services.nsa.stats.ox.ac.uk                    F30
  ----------------------------
  Number of entries returned 4
  ----------------------------
  [root@freeipa01 ~]# ipa server-role-find --role "CA server"
  ----------------------
  4 server roles matched
  ----------------------
    Server name: freeipa01.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: enabled

    Server name: freeipa02.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: absent

    Server name: freeipa03.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: absent

    Server name: freeipa04.services.nsa.stats.ox.ac.uk
    Role name: CA server
    Role status: absent
  ----------------------------
  Number of entries returned 4
  ----------------------------

and then find out how to change the "Role status:" to enabled, starting on freeipa02 but I am not sure how to achieve this, e.g.

  [root@freeipa02 ~]# ipa-ca-install
  CA is already installed on this host.

true but doesn't really help. Sorry if this is very easy to do with a command I have totally missed.

Currently I know if freeipa01 fails, client logins also fail, and I assume this is because it is the only CA server enabled.

Work plan:

1. Enable more CA servers

2. Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too far at once, probably updating servers #2, then #3 and finally #1.

3. Add more servers for resiliency

Any idea how to get more CA servers enabled or any other suggestions?

Many thanks

Best wishes

Stuart

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...