On Sun, 2018-02-04 at 14:28 -0600, Kat via FreeIPA-users wrote:
> This is a new one I have not seen before.
> 
> Have 4 servers, trying to add a 5th.
> 
> Master A and B (in one location) can talk to C and D (in another location)
> 
> Trying to add E, which is a new location with the master to replicate 
> from being D.
> 
> When I run client install, no issues at all.  Then I try to install E as 
> a replica with DNS and CA setup and it gets almost all the way and ends 
> up failing with (from the logs):
> 
> 2018-02-04T20:00:56Z DEBUG The ipa-replica-install command failed, 
> exception: RuntimeError: Timed out trying to obtain keys.
> 2018-02-04T20:00:56Z ERROR Timed out trying to obtain keys.
> 
> It actually dies at:
> 
> Done configuring ipa-otpd.
> Configuring ipa-custodia
>    [1/4]: Generating ipa-custodia config file
>    [2/4]: Generating ipa-custodia keys
>    [3/4]: starting ipa-custodia
>    [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> What is confusing, the log also shows that it times out waiting for keys 
> to appear on "A", which it cannot get to because of location/firewall 
> settings. What I don't understand, since I am building the replica off 
> "D", why is it trying to communicate with A?
> 
> Any ideas on how to resolve this?

Is D a CA master?
I think the replica installation code picks the first master it can
find, so it may be picking A (if that's a CA) in your case.

What's the reason to firewall off masters from each other?

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc