Hi Stuart,

Adding the freeipa-users@ mailing list for visibility.

I'd have to work through your scenario to work out why it fails. But it may be some time before I get around to that. I think your idea to first try creating a CA replica on F28 before moving forward to F30 is a sensible thing to try.

One question though: are you on Domain Level 0 or 1? (`ipa domainlevel-get`).

Cheers,
Fraser

On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:
> Dear Fraser,
>
> I've read through lots of posts but I am uncertain about the best way forward and wonder if I could seek your guidance? I just don't want to break things.
>
> Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30 server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION: 2.233.
>
> The reason for adding a new server before updating the others is the web interface warning:
>
>     Warning: Only One CA Server Detected
>     It is strongly recommended to keep the CA services installed on more than one server
>
> which I fully understand is not good, but it doesn't offer to just fix it!
>
> I suspect server #4 may be too new, failing with both
>
>     ipa-replica-install --setup-ca
>
> and
>
>     ipa-ca-install
>
> in a very similar way, e.g.
>
>     2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>     2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
>       File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
>         run_step(full_msg, method)
>       File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
>         method()
>       File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
>         self.admin_dn, master_conn
>     ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
>     2019-09-26T16:18:15Z DEBUG [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
> which I think others have also run into.
>
> Next thought was to confirm what we had:
>
>     [root@freeipa01 ~]# ipa server-find
>     ---------------------
>     4 IPA servers matched
>     ---------------------
>       Server name: freeipa01.services.nsa.stats.ox.ac.uk    F26
>
>       Server name: freeipa02.services.nsa.stats.ox.ac.uk    F26
>
>       Server name: freeipa03.services.nsa.stats.ox.ac.uk    F26
>
>       Server name: freeipa04.services.nsa.stats.ox.ac.uk    F30
>     ----------------------------
>     Number of entries returned 4
>     ----------------------------
>
>     [root@freeipa01 ~]# ipa server-role-find --role "CA server"
>     ----------------------
>     4 server roles matched
>     ----------------------
>       Server name: freeipa01.services.nsa.stats.ox.ac.uk
>       Role name: CA server
>       Role status: enabled
>
>       Server name: freeipa02.services.nsa.stats.ox.ac.uk
>       Role name: CA server
>       Role status: absent
>
>       Server name: freeipa03.services.nsa.stats.ox.ac.uk
>       Role name: CA server
>       Role status: absent
>
>       Server name: freeipa04.services.nsa.stats.ox.ac.uk
>       Role name: CA server
>       Role status: absent
>     ----------------------------
>     Number of entries returned 4
>     ----------------------------
>
> and then find out how to change the "Role status:" to enabled, starting on freeipa02, but I am not sure how to achieve this, e.g.
>
>     [root@freeipa02 ~]# ipa-ca-install
>     CA is already installed on this host.
>
> true, but doesn't really help. Sorry if this is very easy to do with a command I have totally missed.
>
> Currently I know if freeipa01 fails, client logins also fail, and I assume this is because it is the only CA server enabled.
>
> Work plan:
>
> 1. Enable more CA servers
>
> 2. Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too far at once, probably updating servers #2, then #3 and finally #1.
>
> 3. Add more servers for resiliency
>
> Any idea how to get more CA servers enabled or any other suggestions?
>
> Many thanks
>
> Best wishes
>
> Stuart

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
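The thread turns on two facts an operator wants to check before touching anything: how many servers actually hold the "CA server" role (the web UI's "Only One CA Server Detected" warning), and which domain level the deployment runs at (Fraser's `ipa domainlevel-get` question). The following script is an added example, not code from the thread or from the FreeIPA project. It parses the text layout of `ipa server-role-find --role "CA server"` and `ipa domainlevel-get` exactly as shown in the thread, and reports whether CA redundancy meets a minimum. The hostnames and the embedded sample outputs are constructed placeholders; running the real `ipa` commands assumes an `ipa` client and a valid admin Kerberos ticket on the host.

```python
"""Added example: flag the single-CA-server condition from `ipa` CLI output.

Sample outputs below are constructed to match the layout seen in the thread;
the hostnames are placeholders, not the poster's servers.
"""
import subprocess
from typing import Dict, List, Optional

# Constructed sample in the layout of: ipa server-role-find --role "CA server"
SAMPLE_ROLE_OUTPUT = """\
----------------------
4 server roles matched
----------------------
  Server name: ipa01.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa02.example.test
  Role name: CA server
  Role status: absent

  Server name: ipa03.example.test
  Role name: CA server
  Role status: absent

  Server name: ipa04.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 4
----------------------------
"""

# Constructed sample in the layout of: ipa domainlevel-get
SAMPLE_DOMAINLEVEL_OUTPUT = (
    "-----------------------\nCurrent domain level: 1\n-----------------------\n"
)


def parse_role_status(output: str) -> Dict[str, str]:
    """Return {server name: role status} from `ipa server-role-find` text output."""
    status: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Server name:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Role status:") and current is not None:
            status[current] = line.split(":", 1)[1].strip()
            current = None  # one "Role status" per server block
    return status


def parse_domain_level(output: str) -> Optional[int]:
    """Return the integer domain level from `ipa domainlevel-get`, or None if absent."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Current domain level:"):
            return int(line.split(":", 1)[1].strip())
    return None


def assess_ca_redundancy(status: Dict[str, str], minimum: int = 2) -> Dict[str, object]:
    """Split servers into enabled / not-enabled CA role holders and judge redundancy."""
    enabled = sorted(name for name, state in status.items() if state == "enabled")
    not_enabled = sorted(name for name, state in status.items() if state != "enabled")
    return {"enabled": enabled, "not_enabled": not_enabled, "redundant": len(enabled) >= minimum}


def ipa_output(args: List[str]) -> str:
    """Run an `ipa` subcommand and return its stdout (needs a valid admin ticket)."""
    return subprocess.run(["ipa", *args], check=True, capture_output=True, text=True).stdout


def main() -> int:
    try:
        role_text = ipa_output(["server-role-find", "--role", "CA server"])
        level_text = ipa_output(["domainlevel-get"])
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No usable ipa client on this host: fall back to the constructed samples.
        role_text, level_text = SAMPLE_ROLE_OUTPUT, SAMPLE_DOMAINLEVEL_OUTPUT

    report = assess_ca_redundancy(parse_role_status(role_text))
    print(f"domain level: {parse_domain_level(level_text)}")
    print(f"CA servers enabled: {report['enabled']}")
    if not report["redundant"]:
        print(f"WARNING: fewer than 2 CA servers enabled; role not enabled on: {report['not_enabled']}")
        return 1
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The non-zero exit status makes the check usable from cron or a monitoring agent, so the loss of the sole CA host (which the poster notes also breaks client logins) is caught as a configuration finding rather than discovered during an outage.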