Story
Resolution: Unresolved
rhel-8.0.0
2 LOCATIONS defined in IPA, DEV and PROD. 3 current IPA servers - 2 in PROD and 1 in DEV. They are in distinct subnets and firewalled off except that the masters can talk. When trying to add a 4th replica in DEV, it fails with 2 issues listed in detail below, both having to do with the LOCATIONS feature.
[root@IPA1 ~]# ipa-replica-install --setup-dns --no-forwarders --setup-ca
ipaserver.install.server.replicainstall: ERROR Could not resolve hostname IPA1.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Reviewing the log (attached), you will see it is trying to contact ipa2, which is 10.1.x.x and located in the PROD location. The DEV location is defined as the 10.0 network.
In the second example, the --no-host-dns option is used to stop the lookup, but instead it fails later as it tries to contact the LDAP server, again in PROD and NOT DEV. It is as though the locations are reversed.
These are locations as defined:
[root@IPA1 ~]# ipa server-show IPA1.example.com (IP = 10.0.x.X)
Server name: IPA1.example.com
Managed suffixes: domain, ca
Min domain level: 0
Max domain level: 1
Location: DEV
Enabled server roles: CA server, IPA master, DNS server, NTP server
[root@IPA1 ~]# ipa server-show ipa2.example.com (IP = 10.1.x.x)
Server name: ipa2.example.com
Managed suffixes: domain, ca
Min domain level: 0
Max domain level: 1
Location: PROD
Enabled server roles: CA server, IPA master, DNS server, NTP server
[root@IPA1 ~]# ipa server-show ipa3.example.com (IP = 10.1.x.x)
Server name: ipa3.example.com
Managed suffixes: domain
Min domain level: 0
Max domain level: 1
Location: PROD
Enabled server roles: IPA master, DNS server, NTP server
Overall current layout:
ipa3 <--> ipa2 <-- | --> IPA1 <--> (trying to create) IPA1
^
Firewall allowing only IPA servers to talk
Once IPA1 is created it will be connected to another outside replica then back to ipa3 to complete the ring.