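I am trying to create a replica of a single FreeIPA server to help with migrating and moving to a clustered environment.
I spun up a CentOS host, enrolled it as a client of the ipa server, and added it to the ipaservers group. I then ran ipa-replica-install after running kinit and logging in as admin.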
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: configure autobind for root
[3/41]: stopping directory server
[4/41]: updating configuration in dse.ldif
[5/41]: starting directory server
[6/41]: adding default schema
[7/41]: enabling memberof plugin
[8/41]: enabling winsync plugin
[9/41]: configure password logging
[10/41]: configuring replication version plugin
[11/41]: enabling IPA enrollment plugin
[12/41]: configuring uniqueness plugin
[13/41]: configuring uuid plugin
[14/41]: configuring modrdn plugin
[15/41]: configuring DNS plugin
[16/41]: enabling entryUSN plugin
[17/41]: configuring lockout plugin
[18/41]: configuring topology plugin
[19/41]: creating indices
[20/41]: enabling referential integrity plugin
[21/41]: configuring certmap.conf
[22/41]: configure new location for managed entries
[23/41]: configure dirsrv ccache and keytab
[24/41]: enabling SASL mapping fallback
[25/41]: restarting directory server
[26/41]: creating DS keytab
[error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/[email protected]', '-H', 'ldaps://ipa.whitefamilyserver.com'] returned non-zero exit status 9: 'Failed to parse result: Failed to decode GetKeytab Control.\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/[email protected]', '-H', 'ldaps://ipa.whitefamilyserver.com'] returned non-zero exit status 9: 'Failed to parse result: Failed to decode GetKeytab Control.\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
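As you can see, the command fails. It says insufficient access rights, but I don't know which permissions to add to make this command work.
However, when I run the failing command manually, it succeeds. So why does it fail during the install but not when I run it by hand?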
[root@ipa-apollo mendicant]# ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/[email protected] -H ldaps://ipa.whitefamilyserver.com
Failed to parse result: Failed to decode GetKeytab Control.
Retrying with pre-4.0 keytab retrieval method...
Failed to retrieve encryption type AES-128 CTS mode with 128-bit SHA-256 HMAC (#19)
Failed to retrieve encryption type Camellia-128 CTS mode with CMAC (#25)
Keytab successfully retrieved and stored in: /etc/dirsrv/ds.keytab
Extended downtime will not be a problem while trying to resolve this.
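An added example, not part of the original question and not FreeIPA code: a small Python parser for installer output in the format quoted above. It pulls out the step that was running, the failing command, the principal and server it targeted, and the decoded error messages. The sample text is constructed, with placeholder host names and principal.

```python
import ast
import re

# Constructed sample in the format of the installer output quoted in the question.
# Host names and the principal are placeholders, not values from the page.
SAMPLE = r"""  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/replica.example.test@EXAMPLE.TEST', '-H', 'ldaps://master.example.test'] returned non-zero exit status 9: 'Failed to parse result: Failed to decode GetKeytab Control.\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
"""

STEP = re.compile(r"^\s*\[(\d+)/(\d+)\]: (.+)$", re.M)
ERROR = re.compile(
    r"\[error\] (\w+): \w+\(Command (\[.*?\]) returned non-zero exit status (\d+): ('.*')\)\s*$",
    re.M,
)


def _arg(cmd, flag):
    """Return the value following a command-line flag, or None if it is absent."""
    return cmd[cmd.index(flag) + 1] if flag in cmd[:-1] else None


def parse_install_failure(text):
    """Return the running step and the decoded subprocess failure, or None."""
    err = ERROR.search(text)
    if err is None:
        return None
    # The last "[n/m]: name" line before the error is the step that failed.
    steps = STEP.findall(text[:err.start()])
    number, total, name = steps[-1] if steps else (None, None, None)
    # The command and its stderr are printed as Python literals; decode them safely.
    cmd = ast.literal_eval(err.group(2))
    stderr = ast.literal_eval(err.group(4))
    messages = [line for line in stderr.splitlines() if line.strip()]
    return {
        "step": name,
        "step_number": int(number) if number else None,
        "exception": err.group(1),
        "command": cmd,
        "principal": _arg(cmd, "-p"),
        "server": _arg(cmd, "-H"),
        "exit_status": int(err.group(3)),
        "messages": messages,
        "access_denied": any("Insufficient access rights" in m for m in messages),
    }


if __name__ == "__main__":
    for key, value in parse_install_failure(SAMPLE).items():
        print(f"{key}: {value}")
```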
Answer 1
This worked for me.
- [on the master]# ipa-replica-manage del --clean --force
- [on the replica] uninstall: ipa-server-install --uninstall
- [on the replica] make sure to call "kdestroy -A" before ipa-replica-install.
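Answer 2
So, you have cut out the part of the output that shows how the install was invoked, but installing a replica takes a long time, and if you used sudo to run the install, the typical timeout for sudo is 5 minutes. If the install takes longer than 5 minutes (which it does), then you will lose privileges at that point in the install. So your options are to change the sudo timeout/requirements, or to use the root account for the install so that sudo is not needed.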