lejeczek via FreeIPA-users wrote:
> On 17/01/2022 16:20, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>> Hi guys
>>>
>>> Is it possible on a detached master to setup KRA, as if it was first
>>> master?
>> What is a detached master and why do you need to "force" install a KRA
>> on it? Assuming it's a server from an existing installation you've
>> removed all replication with, does the existing install already have a
>> KRA?
>>
>> What's the use-case?
>>
>> rob
>>
> box, which master was no 'kra', was physically detached then replication
> was removed with 'ipa-x-manage'
> now it is:
>
> -> $ ipa config-show
> Maximum username length: 32
> Maximum hostname length: 64
> Home directory base: /home
> Default shell: /bin/sh
> Default users group: ipausers
> Default e-mail domain: abba.xx.priv.yy
> Search time limit: 2
> Search size limit: 100
> User search fields: uid,givenname,sn,telephonenumber,ou,title
> Group search fields: cn,description
> Enable migration mode: FALSE
> Certificate Subject base: O=ABBA.XX.PRIV.YY
> Password Expiration Notification (days): 4
> Password plugin features: AllowNThash, KDC:Disable Last Success
> SELinux user map order:
> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> Default SELinux user: unconfined_u:s0-s0:c0.c1023
> Default PAC types: MS-PAC, nfs:NONE
> IPA masters: first.abba.xx.priv.yy
> IPA master capable of PKINIT: first.abba.xx.priv.yy
> IPA CA servers: first.abba.xx.priv.yy
> IPA CA renewal master: first.abba.xx.priv.yy
> IPA DNS servers: first.abba.xx.priv.yy
>
> I thought it would work as new first master:
>
> -> $ ipa-kra-install
> Directory Manager password:
> Failed to find an active KRA server!
>
> to "convince" the master somehow, if possible, to install new KRA on
> this "new-first" master, would be neat.

Honestly, "neat" is not exactly a use case.

I'd suggest poking around with the pki securitydomain commands. I'm
guessing a KRA was previously deployed. Ripping that out could be tricky.
But if you tell the securitydomain that there is no KRA maybe that will
help. Or maybe not. The KRA install is failing because one was
previously deployed.

rob