With current upstream packages when I run ipa-ca-install on a previously installed replica with domain level 1, it complains:
Run connection check to master
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
Steps to reproduce:
1. Install ipa master with domain level 0
2. Install replica without --setup-ca
3. Raise domain level on master to 1
4. Run ipa-ca-install on replica
From the ticket description it is not clear with what options or principal ipa-ca-install was run.
Oleg, is SELinux enabled? Connection check requires update of SELinux policy. So atm. it needs to be tested in permissive mode. See https://bugzilla.redhat.com/show_bug.cgi?id=1289930
I can't reproduce this. Maybe do what the error message says and fix your network settings?
Replying to [comment:1 pvoborni]:
From the ticket description it is not clear with what options or principal ipa-ca-install was run. Oleg, is SELinux enabled? Connection check requires update of SELinux policy. So atm. it needs to be tested in permissive mode. See https://bugzilla.redhat.com/show_bug.cgi?id=1289930
SELinux is enabled, of course. These things do look related. However, I am unable to test it again due to #5551 (ipatests being broken).
Changing this ticket into a tracker of the SELinux bug.
master:
ipa-4-3:
Metadata Update from @ofayans: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.3.1