Hello
We've failed to deploy a replica in a remote DC. Initially the CA Master
(ipa_server1) was in a location that this remote DC could not reach, so I
moved the CA to a contactable IPA server in another location (ipa_server2).
I still receive CA_REJECTED, however, and I suspect we may have hit
https://bugzilla.redhat.com/show_bug.cgi?id=1498523 as the previous week a
colleague of mine rebuilt all of our existing IPA deployment using the
Damascus Group export/import scripts (his task was to migrate from SUSE
Linux to Oracle Linux and upgrade IPA to 4.5.0). If we have hit this issue,
I do not feel comfortable carrying out the steps Flo mentions in #c24.
'ipa-getcert list' certainly shows the remote IPA install trying to connect
to itself for certificates.
After moving the CA Master to ipa_server2 (contactable) we get the same
result as before for ipa-getcert list, but also notice an INFO message when
running the ipa-replica-install command in the remote DC.
==
INFO Waiting up to 300 seconds to see our keys appear on host: ipa_server1
(the un-contactable one)
==
I thought connections between IPA servers were only required along
replication agreement paths; this INFO message suggests we might need
connectivity between all nodes - perhaps it's just during the install
process - I'm unsure.
So we've opted to connect the sssd clients in the remote DC to IPA servers
in our 2 main DCs, which goes against the best practice of having at least 2
IPA servers per DC. I will connect the clients to an IPA server in DC1 and
another IPA server in DC2, as each DC has a VPN tunnel connecting to the
remote site. The RHEL 7 documentation does not explain why best practice
requires at least 2 IPAs per DC - any thoughts on this setup and the best
practice recommendation?
Thanks for your time.
Regards
Angus
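As an added diagnostic, not part of the message above nor FreeIPA's own tooling: a small parser for 'ipa-getcert list' output that reports CA_REJECTED requests whose ca-error points at a host other than the CA master the replica should be talking to. The sample output, error text and hostnames are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `ipa-getcert list` output (placeholder hosts, not
# captured from any real server). certmonger indents each field with a tab.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20180101000000':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa_server3.example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Unable to communicate with CMS (503)).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\ttrack: yes
Request ID '20180101000001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tCA: IPA
\ttrack: yes
"""


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split certmonger output into one dict of fields per tracked request."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        # Field lines are tab-indented "key: value"; split on the first ": "
        # only, because ca-error text itself contains colons.
        if current is not None and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
    return requests


def find_misdirected_requests(text: str, expected_ca_host: str) -> List[Dict[str, Optional[str]]]:
    """Return CA_REJECTED requests whose ca-error names a host other than
    expected_ca_host (e.g. the replica contacting itself instead of the CA)."""
    bad: List[Dict[str, Optional[str]]] = []
    for req in parse_getcert_list(text):
        if req.get("status") != "CA_REJECTED":
            continue
        m = re.search(r"https?://([^/\s]+)/", req.get("ca-error", ""))
        host = m.group(1) if m else None
        if host != expected_ca_host:
            bad.append({"id": req["id"], "contacted": host, "ca": req.get("CA")})
    return bad
```

On a real replica, feed it the output of 'ipa-getcert list' and the hostname of the current CA renewal master (from 'ipa config-show').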