RHEL-4817

[RFE] Using "LOCATIONS" within IPA, ipa-replica-install fails trying to contact wrong master


2 LOCATIONS are defined in IPA, DEV and PROD. There are 3 current IPA servers: 2 in PROD and 1 in DEV. They are in distinct subnets and firewalled off, except that the masters can talk to each other. When trying to add a 4th replica in DEV, it fails with 2 issues listed in detail below, both having to do with the LOCATIONS feature.

[root@IPA1 ~]# ipa-replica-install --setup-dns --no-forwarders --setup-ca
ipaserver.install.server.replicainstall: ERROR Could not resolve hostname IPA1.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Reviewing the log (attached), you will see it is trying to contact ipa2, which is 10.1.x.x and located in the PROD location. The DEV location is defined as the 10.0 network.

In the second example, the --no-host-dns option is used to stop the lookup, but instead it fails later as it tries to contact the LDAP server, again in PROD and NOT DEV. It is as though the locations are reversed.

These are the locations as defined:
[root@IPA1 ~]# ipa server-show IPA1.example.com (IP = 10.0.x.X)
Server name: IPA1.example.com
Managed suffixes: domain, ca
Min domain level: 0
Max domain level: 1
Location: DEV
Enabled server roles: CA server, IPA master, DNS server, NTP server

[root@IPA1 ~]# ipa server-show ipa2.example.com (IP = 10.1.x.x)
Server name: ipa2.example.com
Managed suffixes: domain, ca
Min domain level: 0
Max domain level: 1
Location: PROD
Enabled server roles: CA server, IPA master, DNS server, NTP server

[root@IPA1 ~]# ipa server-show ipa3.example.com (IP = 10.1.x.x)
Server name: ipa3.example.com
Managed suffixes: domain
Min domain level: 0
Max domain level: 1
Location: PROD
Enabled server roles: IPA master, DNS server, NTP server

Overall current layout:

ipa3 <--> ipa2 <-- | --> IPA1 <--> (trying to create) IPA1
                   ^
Firewall allowing only IPA servers to talk

Once IPA1 is created it will be connected to another outside replica, then back to ipa3 to complete the ring.
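A pre-install sanity check for the symptom above, added here as an example and not part of the report or of FreeIPA itself: it maps each master to its location from `ipa server-show` style text and then verifies that the masters advertised in the location-specific SRV name (assumed to follow the `_ldap._tcp.<location>._locations.<domain>` layout) really belong to that location. The server list and SRV answers are constructed to mirror the report, with the DEV view advertising a PROD master.

```python
"""Check that the masters advertised for an IPA DNS location belong to it."""
import re

# Constructed sample of `ipa server-show` output for the three masters in the report.
SERVER_SHOW_OUTPUT = """\
Server name: IPA1.example.com
Location: DEV
Server name: ipa2.example.com
Location: PROD
Server name: ipa3.example.com
Location: PROD
"""

# Constructed SRV answers (priority, weight, port, target) for the assumed
# location-specific name. The DEV view wrongly lists a PROD master first,
# which is the behaviour the report describes.
SRV_ANSWERS = {
    "_ldap._tcp.DEV._locations.example.com": [
        (0, 100, 389, "ipa2.example.com."),
        (50, 100, 389, "IPA1.example.com."),
    ],
}


def parse_locations(text):
    """Map lowercase server FQDN -> location from server-show style text."""
    locations, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Server name:\s*(\S+)", line)
        if m:
            current = m.group(1).lower()
            continue
        m = re.match(r"\s*Location:\s*(\S+)", line)
        if m and current:
            locations[current] = m.group(1)
    return locations


def check_location(location, srv_answers, server_locations, domain="example.com"):
    """Return (priority, host, actual_location) for advertised masters whose
    own location differs from `location`. Lowest priority is tried first, so a
    mismatch there explains an install contacting the wrong master."""
    name = f"_ldap._tcp.{location}._locations.{domain}"
    mismatches = []
    for prio, _weight, _port, target in sorted(srv_answers.get(name, [])):
        host = target.rstrip(".").lower()
        actual = server_locations.get(host, "UNKNOWN")
        if actual != location:
            mismatches.append((prio, host, actual))
    return mismatches
```

In a live deployment the same check can be fed from `ipa server-find` output and a `dig SRV` query against the IPA DNS server, so the mismatch is visible before running ipa-replica-install.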

People: ipa-maint, Kushal Ludhwani (Inactive), IPA QE Bot