freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0
489 stars, 232 forks

Unable to find IPA Server to join #1006

Open lessfoobar opened 1 year ago

lessfoobar commented 1 year ago

The problem that I'm experiencing

The problem is that the replica doesn't find the master. The master is working fine, however I can't join any clients, so I'm not sure if the problem is only on the replica or in the master server.

System Information

OS: Fedora 37 minimal install (server-netinst.iso); the only changes to the system were my ansible user and the ssh keys

kernel-version 6.0.12-300.fc37.x86_64

ansible --version
ansible [core 2.14.0]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/lessfoobar/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/lessfoobar/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.0 (main, Oct 24 2022, 00:00:00) [GCC 12.2.1 20220819 (Red Hat 12.2.1-2)] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

ansible-galaxy collection list
freeipa.ansible_freeipa 1.9.0

Ansible Vars

ipacluster vars:

---
ipadm_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          ...
ipaadmin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          ...
ipaserver_domain: redacted_domain.com
ipaserver_realm: REDACTED_DOMAIN.COM

ipaserver vars:

---
# Base Variables 
# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaserver/README.md
ipaserver: ipaserver
ipaserver_ip_addresses: 172.16.0.21
ipaserver_hostname: master.redacted_domain.com
ipaserver_mem_check: true
# Server Variables 
ipaserver_setup_kra: true
ipaserver_setup_dns: true
# Certificate system Variables 
ipaserver_ca_signing_algorithm: SHA512withRSA
# DNS Variables
ipaserver_allow_zone_overlap: true
ipaserver_auto_reverse: true
ipaserver_auto_forwarders: true
ipaserver_forward_policy: first
# Special Variables
ipaserver_install_packages: true
ipaserver_setup_firewalld: true
ipaserver_firewalld_zone: public
ipaserver_copy_csr_to_controller: true

ipareplicas vars:

---
# Base Variables
# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipareplica/README.md
ipaservers: ipaserver
ipareplicas: ipareplicas
ipareplica_ip_addresses: 172.16.0.22
ipareplica_domain: redacted_domain.com
ipaserver_hostname: master.redacted_domain.com
ipareplica_mem_check: true
# Server Variables
# Extra Server vars can be found in the replica ca/dns/kre group_vars
ipareplica_setup_ca: true
ipareplica_setup_kra: true
ipareplica_setup_dns: true
# DNS Variables
# Extra DNS vars can be found in the replica_dns group_vars
ipareplica_allow_zone_overlap: true
ipareplica_auto_reverse: true
ipareplica_auto_forwarders: true
# Cluster Specific Variables
#ipareplica_servers: ca-replica.redacted_domain.com
# Special Variables
ipareplica_install_packages: true
ipareplica_setup_firewalld: true
ipareplica_firewalld_zone: public

Inventory file

[ipacluster:children]
ipaserver
ipareplicas
ipaclients

[ipaserver]
master.redacted_domain.com

[ipareplicas]
ca-replica.redacted_domain.com

[ipaclients]
client.redacted_domain.com

Playbook used: https://github.com/freeipa/ansible-freeipa/blob/master/playbooks/install-cluster.yml

Ansible Playbook Logs

ansible_output.log

Ipa Logs Master

/var/log/ipaserver-install.log
/var/log/ipaclient-install.log
/var/log/ipa-custodia.audit.log (empty)
/var/log/ipa/ipactl.log

Ipa Logs Replica

/var/log/ipareplica-install.log
/var/log/ipaclient-install.log

rjeffman commented 1 year ago

I've made a few tests, and your scenario seems to work with ansible-freeipa version 1.9.0, and a few modifications.

Release 1.9.0 added some variables to the ipaclient role that allow one to setup DNS resolution on the target node when configuring ipaclient and ipareplica. If you add something like the following to your vars files, it might fix the issue:

# Update DNS records.
ipaclient_all_ip_addresses: yes
#  Configure DNS nameservers on target nodes
ipaclient_configure_dns_resolver: yes
ipaclient_dns_servers:
  # Server with embedded DNS
  - 192.168.122.30
  # Replica with embedded DNS
  - 192.168.122.31

These variables are accepted by the ipaclient role, but can be used by ipareplica as it makes use of ipaclient.

With this setup I was able to deploy an IPA cluster without any extra task or role.

One thing to notice is that it will change your name resolution configuration (systemd-resolved, NetworkManager, or plain /etc/resolv.conf). Please, read ipaclient documentation for further information.

rjeffman commented 1 year ago

I've opened issue #1008 which is related to the problem you are facing.

lessfoobar commented 1 year ago

@rjeffman I'll check in a couple of hours and report back to you. So the above variables should be set when you want FreeIPA to be your main DNS server, or am I reading it wrong? Also, they are only for the clients, correct? Because from my logs I can see that the replica is failing on the client step, not the replica installation. Also, can I use FQDNs, or will IPs be better for that scenario?

rjeffman commented 1 year ago

A replica is a client that is promoted to replica, and this behavior is copied by ansible-freeipa deployment. So, yes, those variables are for the "client part" (but are needed by both 'ipareplica' and 'ipaclient' roles).

It actually does not matter much if the FreeIPA server is the main DNS server, as you can set any nameserver there, but it is mostly useful if the FreeIPA server(s) will also act as nameserver. As this will configure the nameserver for the hosts, you should use IPs there. Think of this alternative as a "resolv.conf on steroids".
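
The two replies above say the replica is joined as a client first, and that the client part needs a resolver that can find the IPA server. The following is an added example, not code from ansible-freeipa or from anyone in this thread: an offline model of the DNS SRV discovery that ipa-client-install (and so the ipaclient task the replica fails on) performs, with the resolver injected so the "Unable to find IPA Server to join" outcome can be reproduced against constructed answers. The SRV names and their order, the sample zone, and the dig-based live resolver are assumptions.

```python
"""Offline model of the server discovery a FreeIPA client join performs.

Added example; not code from ansible-freeipa or from this thread.
ipa-client-install locates servers through DNS SRV records for the domain
unless servers are given explicitly. When the target node's resolver does not
point at a nameserver that serves those records (for instance the IPA
server's embedded DNS), the join stops with "Unable to find IPA Server to
join". Record names, query order and sample data are assumptions.
"""
import subprocess
from dataclasses import dataclass

# SRV names queried, in order (assumption; the first name that answers wins).
SRV_NAMES = ("_ldap._tcp", "_kerberos._udp", "_kerberos._tcp")


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dig_srv(name):
    """Live resolver: parse `dig +short SRV <name>` (assumes dig is installed)."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False).stdout
    records = []
    for line in out.splitlines():
        parts = line.split()
        if len(parts) == 4:
            prio, weight, port, target = parts
            records.append(SrvRecord(int(prio), int(weight), int(port),
                                     target.rstrip(".")))
    return records


def discover_servers(domain, resolve=dig_srv, explicit_servers=None):
    """Return candidate server hostnames, best first; [] means discovery failed."""
    if explicit_servers:
        # Explicitly configured servers skip DNS discovery entirely, so a
        # resolver that cannot see the IPA zone no longer blocks the join.
        return list(explicit_servers)
    for svc in SRV_NAMES:
        records = resolve(f"{svc}.{domain}")
        if records:
            # Lower priority first, higher weight first within a priority.
            ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
            servers = []
            for rec in ordered:
                if rec.target not in servers:
                    servers.append(rec.target)
            return servers
    return []


def join_precheck(domain, resolve=dig_srv, explicit_servers=None):
    """Mirror the join's go/no-go decision as (ok, message)."""
    servers = discover_servers(domain, resolve, explicit_servers)
    if not servers:
        return False, "Unable to find IPA Server to join"
    return True, f"would join via {servers[0]}"


# Constructed sample data: the SRV records an IPA server with embedded DNS
# publishes for example.com (hostnames, ports and weights are made up).
IPA_ZONE = {
    "_ldap._tcp.example.com": [
        SrvRecord(0, 100, 389, "ipa1.example.com"),
        SrvRecord(0, 50, 389, "ipa2.example.com"),
    ],
    "_kerberos._udp.example.com": [
        SrvRecord(0, 100, 88, "ipa1.example.com"),
        SrvRecord(0, 50, 88, "ipa2.example.com"),
    ],
}


def ipa_dns_resolver(name):
    """What the node sees once its resolver points at the IPA server."""
    return IPA_ZONE.get(name, [])


def upstream_resolver(name):
    """A resolver that does not serve the IPA zone (the failing first run)."""
    return []


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    ok, msg = join_precheck(domain)  # dig against the node's real resolver
    print(("OK: " if ok else "FAIL: ") + msg)
```

Run it on the replica node with the real domain before the ipareplica role: a FAIL from the real resolver is the same condition the ipaclient test task reports, and pointing ipaclient_dns_servers at the IPA server (as the reply above describes) is what turns the answer into OK. The explicit_servers path models the other way out, passing the server list instead of discovering it; the first post's vars file carries a commented-out ipareplica_servers for that, so check the role README for the exact variable before relying on it.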

arozmarin commented 1 year ago

Hi guys, I have the same issues:

TASK [ipaclient : Install - IPA client test]
fatal: [ipa3.s1.test.local]: FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"}
fatal: [ipa2.s2.test.local]: FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"}
fatal: [ipa4.s2.test.local]: FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"}

IPA server install is successful, all three replicas fail. I followed your instructions and got the same results. I can install the whole cluster only in a two-step installation: first ipaserver, then add DNS A records for all servers and run a second time, and it will work.

[ipaserver:vars]
ipaserver_setup_dns=yes
ipaserver_setup_kra=yes
ipaserver_auto_forwarders=yes
ipaserver_allow_zone_overlap=yes
ipaserver_auto_reverse=true
ipaserver_forwarders=10.10.0.1
ipaserver_setup_firewalld=yes

[ipareplica:vars]
ipadm_password=Somepassword
ipareplica_setup_dns=yes
ipareplica_setup_ca=yes
ipareplica_setup_kra=yes
ipaserver_hostname=ipa1.s1.test.local
ipaclient_force_join=yes
ipareplica_domain=test.local
ipaadmin_principal=admin
ipaadmin_password=Somepassword
ipareplica_allow_zone_overlap=yes
ipareplica_auto_reverse=yes
ipareplica_forwarders=10.10.0.1
ipareplica_setup_firewalld=yes
ipaclient_all_ip_addresses=yes
ipaclient_configure_dns_resolver=yes
ipaclient_dns_servers=10.30.0.110,10.20.0.110

Any idea what I'm doing wrong?

t-woerner commented 1 year ago

@arozmarin Hi, you are setting two DNS server IPs, 10.30.0.110 and 10.20.0.110. Which machines are these?

BTW, why are you enabling ipaclient_force_join?

rjeffman commented 1 year ago

I'm assuming you want your ipaserver to be the nameserver, so ipaclient_dns_servers=10.30.0.110,10.20.0.110 should contain the server's IP address.

arozmarin commented 1 year ago

Yes, that's correct, I want both ipaserver (10.30.0.110) and ipareplica (10.20.0.110) to be nameservers. ipaclient_force_join I have just in case the client was already a member before, and in case I have to rebuild the cluster it will join again. For now my solution is in three steps:

For now I'm happy with that but I will try to do all that in one step if possible.

FF186 commented 1 year ago

I get an IPA join error when I use a dynamic inventory, which comes from the cloud provider itself, and when a machine is provisioned the cloud DNS is updated. However, this works when the inventory is static, which is not desired:

ERROR:

fatal: [master2.example.com]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "all_ip_addresses": false,
            "ca_cert_files": null,
            "configure_firefox": false,
            "domain": "example.com",
            "enable_dns_updates": false,
            "firefox_dir": null,
            "force_ntpd": false,
            "hostname": "master2.example.com",
            "ip_addresses": null,
            "kinit_attempts": 5,
            "nisdomain": null,
            "no_nisdomain": false,
            "no_ntp": false,
            "ntp_pool": null,
            "ntp_servers": null,
            "on_master": false,
            "realm": "EXAMPLE.COM",
            "servers": null
        }
    },
    "msg": "Unable to find IPA Server to join"
}

Playbook:

- hosts:
  - master1.example.com
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      vars:
        ipaserver: "{{ inventory_hostname }}"
        ipaserver_hostname: "{{ inventory_hostname }}"
        ipadm_password: SuperSecret123
        ipaadmin_password: SuperSecret123
        ipaserver_ip_addresses: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
        ipaserver_domain: "example.com"
        ipaserver_realm: "EXAMPLE.COM"
        ipaserver_no_host_dns: true
        ipaserver_mem_check: true
        ipaserver_idstart: 6000
        ipaserver_setup_dns: false
        ipaserver_no_pkinit: true

- hosts:
  - master2.example.com
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      vars:
        ipaservers: master1.example.com
        ipaserver_hostname: master1.example.com
        ipareplicas: master2.example.com
        ipareplica_domain: example.com
        ipaclient_force_join: true
        ipaadmin_principal: admin
        ipareplica_setup_dns: false

Works when using static inventory:

[ipaservers]
master1.example.com

[ipareplicas]
master2.example.com

FF186 commented 1 year ago

Also... besides the static inventory, it also worked using the add_host module, adding my master1.example.com to the group ipaservers in the in-memory inventory.

Does this mean the ipaservers: variable is ignored..?
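
The comment above reports that the join works once master1.example.com sits in an inventory group named ipaservers, whether from a static inventory or from add_host, and that the cloud-provider inventory, which groups hosts by its own tags, gives no such group. The following is an added example, not code from ansible-freeipa or from FF186: a dynamic inventory script that maps a host tag to the ipaservers / ipareplicas / ipaclients groups and refuses to emit an inventory whose ipaservers group is empty. The ipa_role tag, the sample host list, the private_ip field and the fetch_cloud_hosts() stand-in are constructed assumptions.

```python
#!/usr/bin/env python3
"""Dynamic inventory publishing the groups the ansible-freeipa roles look up.

Added example; not code from ansible-freeipa or from this thread. A real
script would fetch hosts from the provider API in fetch_cloud_hosts(); the
tag name and host records here are constructed assumptions.
"""
import json
import sys

ROLE_TO_GROUP = {"server": "ipaservers", "replica": "ipareplicas",
                 "client": "ipaclients"}

# Constructed sample of what a provider API might return (assumption).
SAMPLE_CLOUD_HOSTS = [
    {"name": "master1.example.com", "private_ip": "10.0.0.10",
     "tags": {"ipa_role": "server"}},
    {"name": "master2.example.com", "private_ip": "10.0.0.11",
     "tags": {"ipa_role": "replica"}},
    {"name": "web1.example.com", "private_ip": "10.0.0.20",
     "tags": {"ipa_role": "client"}},
    {"name": "db1.example.com", "private_ip": "10.0.0.30", "tags": {}},
]


def fetch_cloud_hosts():
    """Stand-in for the provider API call (assumption: returns dicts as above)."""
    return SAMPLE_CLOUD_HOSTS


def build_inventory(hosts):
    """Return the JSON structure Ansible expects from `script --list`."""
    inventory = {group: {"hosts": []} for group in ROLE_TO_GROUP.values()}
    inventory["_meta"] = {"hostvars": {}}
    for host in hosts:
        group = ROLE_TO_GROUP.get(host.get("tags", {}).get("ipa_role"))
        if group is None:
            continue  # not part of the IPA deployment; leave it out entirely
        inventory[group]["hosts"].append(host["name"])
        inventory["_meta"]["hostvars"][host["name"]] = {
            "ansible_host": host["private_ip"],
        }
    # Same parent group the first post's static inventory uses.
    inventory["ipacluster"] = {"children": list(ROLE_TO_GROUP.values())}
    return inventory


def validate(inventory):
    """Problems that would reproduce the thread's failure before any play runs."""
    problems = []
    if not inventory["ipaservers"]["hosts"]:
        problems.append("group ipaservers is empty; ipareplica has no server to join")
    # FreeIPA hosts need fully qualified names; a tag on a short-named host
    # is caught here rather than by the join (assumption: every IPA host is
    # named <host>.<domain>).
    for group in ROLE_TO_GROUP.values():
        for name in inventory[group]["hosts"]:
            if "." not in name:
                problems.append(f"{name} in {group} is not a fully qualified name")
    return problems


def main(argv):
    if "--list" in argv:
        inventory = build_inventory(fetch_cloud_hosts())
        problems = validate(inventory)
        if problems:
            sys.stderr.write("\n".join(problems) + "\n")
            return 1
        print(json.dumps(inventory, indent=2))
        return 0
    if "--host" in argv:
        print(json.dumps({}))  # hostvars are already supplied through _meta
        return 0
    sys.stderr.write("usage: inventory.py --list | --host <name>\n")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Make the file executable and pass it with `ansible-playbook -i ./inventory.py`. In this thread the working configurations pair the ipaservers variable with an inventory group of that name (the first post sets ipaservers: ipaserver beside an [ipaserver] group); with this script the group is already called ipaservers, so the variable can stay at its default, and a missing server host fails the inventory step instead of the client-test task on the replica.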

lessfoobar commented 1 year ago

Have you tried using ipaserver_no_host_dns?