https://bugzilla.redhat.com/show_bug.cgi?id=824519 (Red Hat Enterprise Linux 6)
Description of problem:
Server has 2 NICs and each NIC resolves to a different hostname. Installing IPA Replica server using the secondary hostname which is bound to the 2nd NIC fails.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-14.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
Note: We need to uninstall IPA before moving on to the next case
# ipa-server-install --uninstall
Verify
# netstat -ntlp | egrep '389|636'

Case 1: Without --ip-address option. Not using /etc/hosts file
1. Prepare replica file from the master server
# ipa-replica-prepare options <secondary FQDN>
2. Copy replica file over to Replica Server
3. Make sure both hostnames resolve through DNS with respective PTR
4. Install Replica first without any options
# ipa-replica-install REPLICA_FILE

Case 2: With --ip-address option. Not using /etc/hosts file
5. Install Replica giving the IP address option
# ipa-replica-install REPLICA_FILE --ip-address=<Second NIC IP>

Case 3: Using /etc/hosts file for Hostname resolution without --ip-address option
6. # ipa-replica-install REPLICA_FILE

Case 4: Using /etc/hosts file for Hostname resolution with --ip-address option
7. # ipa-replica-install REPLICA_FILE --ip-address=<Second NIC IP>

Actual results:
For Case 1 and 3:
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.

For Case 2 and 4:
Error: the hostname resolves to an IP address that is different from the one provided on the command line. Please fix your DNS or /etc/hosts file and restart the installation.
  [21/30]: setting up initial replication
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:
Replica installation should be successful.

Additional info:
RFE: To use --hostname to configure binding replica to specific NIC or hostname

Eg.

* On Master IPA server

[root@ratchet ~]# host eywa.lab.eng.pnq.redhat.com ; host 10.65.201.136
eywa.lab.eng.pnq.redhat.com has address 10.65.201.136
136.201.65.10.in-addr.arpa domain name pointer eywa.lab.eng.pnq.redhat.com.

[root@ratchet ~]# ipa-replica-prepare eywa.lab.eng.pnq.redhat.com
Directory Manager (existing master) password:
Preparing replica for eywa.lab.eng.pnq.redhat.com from ratchet.lab.eng.pnq.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-eywa.lab.eng.pnq.redhat.com.gpg

[root@ratchet ~]# ipa dnsrecord-find lab.eng.pnq.redhat.com. eywa
----------------------------
Number of entries returned 0
----------------------------

[root@ratchet ~]# cat /etc/resolv.conf
search lab.eng.pnq.redhat.com pnq.redhat.com redhat.com
nameserver 10.65.201.245

* On Replica server

[root@sideswipe ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@sideswipe ~]# cat /etc/resolv.conf
search lab.eng.pnq.redhat.com pnq.redhat.com redhat.com
nameserver 10.65.201.245

[root@sideswipe ~]# host sideswipe.lab.eng.pnq.redhat.com ; host 10.65.201.67; host eywa.lab.eng.pnq.redhat.com; host 10.65.201.136
sideswipe.lab.eng.pnq.redhat.com has address 10.65.201.67
67.201.65.10.in-addr.arpa domain name pointer sideswipe.lab.eng.pnq.redhat.com.
eywa.lab.eng.pnq.redhat.com has address 10.65.201.136
136.201.65.10.in-addr.arpa domain name pointer eywa.lab.eng.pnq.redhat.com.

[root@sideswipe ~]# ipa-replica-install replica-info-eywa.lab.eng.pnq.redhat.com.gpg
Directory Manager (existing master) password:
This replica was created for 'eywa.lab.eng.pnq.redhat.com' but this machine is named 'sideswipe.lab.eng.pnq.redhat.com'
This may cause problems. Continue? [yes]:
Run connection check to master
Check connection from replica to remote master 'ratchet.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
.
.
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
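The report above shows three naming conditions interacting on a multi-NIC replica: the name the replica file was prepared for (which is the CN in the Directory Server certificate it carries), the name the machine will actually install under, and the forward and reverse DNS for the NIC the replica is meant to bind. The following pre-flight check is an added example, not FreeIPA code and not a substitute for ipa-replica-conncheck; it evaluates those three conditions offline and reports the mismatches in the same terms as the installer messages quoted above. The function names, the injectable resolver hooks, and the in-memory zone built from the host/PTR output in the report are assumptions made for this example; with the default hooks it queries the system resolver.

```python
"""Pre-flight naming check for an IPA replica install on a multi-NIC host.

Added example (not FreeIPA code). Conditions checked:
  1. the FQDN the replica file was prepared for must equal the FQDN this
     host installs under (the Directory Server cert in the file has CN set
     to the prepared name, so any other install name fails TLS hostname
     verification, which is the "hostname does not match CN" failure);
  2. the install FQDN must forward-resolve to the IP the replica should
     bind (the --ip-address value), otherwise the installer refuses;
  3. the PTR for that IP must point back at the install FQDN.
"""
import socket


def default_forward(name):
    """Forward (A) lookup through the system resolver."""
    return socket.gethostbyname(name)


def default_reverse(ip):
    """PTR lookup through the system resolver; returns the canonical name."""
    return socket.gethostbyaddr(ip)[0]


def _norm(fqdn):
    """Compare names case-insensitively and without a trailing dot."""
    return fqdn.rstrip(".").lower()


def check_replica_naming(replica_file_fqdn, install_fqdn, ip_address=None,
                         forward=default_forward, reverse=default_reverse):
    """Return a list of problems; an empty list means the naming checks pass.

    ip_address is the value you intend to pass as --ip-address, or None when
    you would let the installer pick the address the hostname resolves to.
    """
    prepared, inst = _norm(replica_file_fqdn), _norm(install_fqdn)
    problems = []
    if prepared != inst:
        problems.append(
            f"replica file was prepared for {prepared} but this host will "
            f"install as {inst}; the Directory Server certificate in the "
            f"replica file has CN={prepared}, so TLS to {inst} will fail "
            "hostname verification")
    try:
        resolved = forward(inst)
    except OSError as err:
        problems.append(f"{inst} does not forward-resolve: {err}")
        return problems  # nothing further can be checked without an address
    if ip_address is not None and resolved != ip_address:
        problems.append(
            f"{inst} resolves to {resolved}, not the --ip-address value "
            f"{ip_address}")
    try:
        ptr = _norm(reverse(resolved))
    except OSError as err:
        problems.append(f"no PTR for {resolved}: {err}")
        return problems
    if ptr != inst:
        problems.append(f"PTR for {resolved} is {ptr}, expected {inst}")
    return problems


# Constructed in-memory zone mirroring the host/PTR output in the report.
LAB_A = {
    "sideswipe.lab.eng.pnq.redhat.com": "10.65.201.67",
    "eywa.lab.eng.pnq.redhat.com": "10.65.201.136",
}
LAB_PTR = {ip: name for name, ip in LAB_A.items()}


def lab_forward(name):
    """Offline stand-in for default_forward using the constructed zone."""
    try:
        return LAB_A[_norm(name)]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def lab_reverse(ip):
    """Offline stand-in for default_reverse using the constructed zone."""
    try:
        return LAB_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    EYWA, SIDESWIPE = "eywa.lab.eng.pnq.redhat.com", "sideswipe.lab.eng.pnq.redhat.com"
    cases = {
        "case 1/3 (no --ip-address, machine named sideswipe)":
            (EYWA, SIDESWIPE, None),
        "case 2/4 (--ip-address=10.65.201.136, machine named sideswipe)":
            (EYWA, SIDESWIPE, "10.65.201.136"),
        "RFE outcome (install as eywa on the 2nd NIC)":
            (EYWA, EYWA, "10.65.201.136"),
    }
    for label, args in cases.items():
        found = check_replica_naming(*args, forward=lab_forward, reverse=lab_reverse)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it as-is to replay the report's cases against the constructed zone, or call `check_replica_naming(<prepared name>, socket.getfqdn(), "<NIC IP>")` on the candidate replica to use live DNS. A clean result only means the names and addresses are consistent; it says nothing about whether the master's DNS will let the replica register its own records.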
Small note: Think carefully about environments with NAT/non-standard DNS (like Amazon EC2).
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: Future Releases
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)