Open purefield opened 3 years ago
I am seeing the same error, but I get it without specifying ipareplica_setup_ca. I have tried with a few different versions of Ansible (2.8, 2.9, 2.10) and nothing works. Anyone else have some insight into what is causing this?
You need to set ipareplica_servers with the fully-qualified hostname of the server to build from (needs to be in /etc/hosts for the master and replica):
ipareplica_servers:
  - ipamaster.example.local
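The reply above says the name given in ipareplica_servers must be present in /etc/hosts on both the master and the replica. The following pre-flight check is an added example, not part of ansible-freeipa or of this thread; it reads an /etc/hosts-style file and confirms that each requested FQDN appears as a hostname or alias on a non-comment line. The hosts file it builds is constructed for the demonstration; point check_hosts_entries at the real /etc/hosts on each node before running the replica playbook.

```shell
#!/bin/sh
# Added pre-flight check for the ipareplica_servers advice above.
# Not part of ansible-freeipa; the sample hosts file below is constructed.

# check_hosts_entries HOSTS_FILE FQDN...
# Returns 0 only if every FQDN appears as a hostname or alias on a
# non-comment line of HOSTS_FILE; otherwise reports each missing name on
# stderr and returns the number of missing names.
check_hosts_entries() {
    hosts_file="$1"; shift
    missing=0
    for fqdn in "$@"; do
        if ! awk -v name="$fqdn" '
                /^[[:space:]]*#/ { next }      # skip comment lines
                { for (i = 2; i <= NF; i++)    # names follow the address
                      if (tolower($i) == tolower(name)) { found = 1; exit } }
                END { exit found ? 0 : 1 }' "$hosts_file"; then
            echo "no /etc/hosts entry for $fqdn" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# make_sample_hosts: writes a constructed /etc/hosts and prints its path.
make_sample_hosts() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample, not copied from any real host
127.0.0.1       localhost
192.168.1.100   ipamaster.example.local ipamaster
192.168.1.101   replica1.example.local  replica1
EOF
    echo "$sample"
}

# Stand-alone run: the master resolves, a not-yet-added replica does not.
hosts=$(make_sample_hosts)
check_hosts_entries "$hosts" ipamaster.example.local && echo "ipamaster.example.local: present"
check_hosts_entries "$hosts" replica2.example.local || echo "replica2.example.local: absent, fix /etc/hosts first"
rm -f "$hosts"
```

The comparison is done field by field rather than with a substring grep so that a short alias such as replica1 cannot satisfy a check for replica1.example.local, and a domain suffix alone never counts as a match.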
@jstaf thanks for the info. It has been some time since I last ran it. Now the error shifted to: AttributeError: Env object has no attribute realm Found an article about adding the ipareplica_domain and ipareplica_realm without change.
Unfortunately you need to totally destroy and recreate the replica server before re-running the playbook. I'm guessing there are some config files left around from the first time, which makes it so the second run is not clean, even when things are set correctly. Yes, this is inconvenient, I know.
@jstaf, this helped, thank you. However now I am getting the next error. ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/xpa-ipa01.ola.example.com@EXAMPLE.COM', '-H', 'ldaps://xpa-ipa00.ola.example.com'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
I'm introducing a new replica server to an existing setup, so I get the following error when I try to install the new replica:
"realm": "EXAMPLE.COM",
"servers": [
"192.168.1.100",
"192.168.1.101"
]
}
},
"msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"
What I've done is to add the existing replica together with the master in the variable ipareplica_servers: ["master1.example.com", "replica1.example.com"], and I'm trying to install replica2.example.com. However, if I remove replica1 from the variable this will work, but now I'll be stuck with the following topology if I'm not mistaken:
replica1 <---> master <---> replica2
When I want:
replica1 <---> master <---> replica2
^---------------------------^
When trying to install a replica, installation succeeds. However, with ipareplica_setup_ca (see config below) the install fails with:
TASK [ipaclient : Install - Join IPA] ***
fatal: [xpa-ipa01.dc.example.com]: FAILED! => {"changed": false, "msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"}

[ipaserver]
xpa-ipa00.dc.example.com

[ipareplicas]
xpa-ipa01.dc.example.com

[ipaserver:vars]
ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM
ipaserver_setup_dns=no
ipaadmin_password=xxx
ipadm_password=xxx

[ipareplicas:vars]
ipareplica_domain=example.com
ipaadmin_principal=admin
ipaadmin_password=xxx
ipadm_password=xxx
ipaclient_force_join=yes
ipareplica_setup_ca=true