FreeIPA Failover with Keepalived
Introduction
For this guide, we shall be looking at how to make use of the FreeIPA replica feature to set up high availability in FreeIPA. We shall then configure Keepalived to facilitate failover between any number of FreeIPA instances. In this guide, only two FreeIPA instances will be used, one being the master server and the other the replica.
This setup procedure is intended for system administrators running a single FreeIPA server who want to eliminate that single point of failure.
Therefore, you should have a FreeIPA server already installed and fully functioning – with test accounts.
This guide starts with the setup of a FreeIPA server, followed by the setup of one replica node.
Part 1: Installation of the FreeIPA server
Consider the following FreeIPA minimum requirements:
- Server with 4GB RAM – Installations on 1GB and 2GB were failing
- CentOS server – can be CentOS 7.x
- 2 vCPUs
- Ports 80 and 443 not used by another application
- FQDN – resolvable over Public or Private DNS
- 10GB Free disk space
The installation procedure is outlined in the steps below:
Step 1: Update the system
Add the epel-release repository and update all the packages on the system.
sudo yum -y install epel-release
sudo yum -y update
sudo yum install bind-utils vim
Once the system is updated, proceed to install FreeIPA server packages.
Step 2: Install the FreeIPA server packages
The packages you install depend on which services you need IPA to provide. If you don't need the DNS service, just install the ipa-server package:
sudo yum -y install ipa-server
Step 3: Set up IPA server
Configuring the FreeIPA server is straightforward: you only need to answer a few questions and everything is configured for you. If you don't have a DNS server that resolves the server hostname, add the hostname and IP address to /etc/hosts.
$ sudo vim /etc/hosts
192.168.0.10 ipa-master.renu.ac.ug
Configure the server hostname to match the name above:
sudo hostnamectl set-hostname ipa-master.renu.ac.ug
Then run the ipa-server-install command to configure the IPA server. You need to execute this as the root user:
sudo ipa-server-install
You will be prompted to provide answers to a number of questions:
For questions with default answers in square brackets ([]) e.g. Server host name [ipa-master.renu.ac.ug]:, just press enter to confirm if the value in the brackets is correct. If it’s not, type the correct value and then press enter.
$ sudo ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service ‘chronyd’ will be disabled
in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]: no
Enter the fully qualified domain name of the computer
on which you’re setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa-master.renu.ac.ug]: <Press Enter to confirm>
The domain name has been determined based on the host name.
Please confirm the domain name [renu.ac.ug]: <Press Enter to confirm>
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [RENU.AC.UG]: <Press Enter to confirm>
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named ‘admin’.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
The IPA Master Server will be configured with:
Hostname: ipa-master.renu.ac.ug
IP address(es): 192.168.0.10
Domain name: renu.ac.ug
Realm name: RENU.AC.UG
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
…..
Client configuration complete.
The ipa-server-install command was successful
==============================================================================
Setup complete
Next steps:
- You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
- You can now obtain a kerberos ticket using the command: ‘kinit admin’
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
…
Step 4: Configure Firewalld for FreeIPA
If you have a firewall service running (firewalld on CentOS 7.x), you need to open the ports required by the FreeIPA services. The ports to open are:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
Use the following commands to configure firewalld:
sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent
sudo firewall-cmd --reload
Step 5: Access FreeIPA web interface
Having opened the firewall ports and configured the FreeIPA server, you can access its web interface for administration. All IPA tasks can be done in the web interface or with the ipa command line tool. Open the admin dashboard at https://ipa-master.renu.ac.ug/, replacing ipa-master.renu.ac.ug with your hostname.
After logging in, you should see the FreeIPA administration interface.
To use the ipa command, you first need to obtain a Kerberos ticket:
# kinit admin
Password for admin@RENU.AC.UG:
Check ticket expiry information using klist.
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@RENU.AC.UG
Valid starting Expires Service principal
18/08/2022 18:45:49 18/08/2022 18:43:44 krbtgt/RENU.AC.UG@RENU.AC.UG
Test by adding a user account and listing accounts present:
# ipa user-add jmutai \
    --first=Josphat --last=Mutai \
    --email=jmutai@renu.ac.ug \
    --shell=/bin/bash --password
Password:
Enter Password again to verify:
——————-
Added user “jmutai”
——————-
User login: jmutai
First name: Josphat
Last name: Mutai
Full name: Josphat Mutai
Display name: Josphat Mutai
Initials: JM
Home directory: /home/jmutai
GECOS: Josphat Mutai
Login shell: /bin/bash
Principal name: jmutai@RENU.AC.UG
Principal alias: jmutai@RENU.AC.UG
Email address: jmutai@renu.ac.ug
UID: 839400001
GID: 839400001
Password: True
Member of groups: ipausers
Kerberos keys available: True
Get User Accounts:
# ipa user-find
—————
2 users matched
—————
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@RENU.AC.UG
UID: 839400000
GID: 839400000
Account disabled: False
User login: jmutai
First name: Josphat
Last name: Mutai
Home directory: /home/jmutai
Login shell: /bin/bash
Principal name: jmutai@RENU.AC.UG
Principal alias: jmutai@RENU.AC.UG
Email address: jmutai@renu.ac.ug
UID: 839400001
GID: 839400001
Account disabled: False
—————————-
Number of entries returned 2
—————————-
On your first login with an IPA account (here over SSH), you will be asked to change your password:
$ ssh jmutai@localhost
The authenticity of host ‘localhost (<no hostip for proxy command>)’ can’t be established.
ECDSA key fingerprint is SHA256:ZlUOPuCJMftjMABxBWAWX/CXWZEtolp2Mv84nzKDV+4.
ECDSA key fingerprint is MD5:03:61:e8:e5:21:17:98:db:96:d5:75:cb:38:c2:0a:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/jmutai: No such file or directory
Step 6: Secure FreeIPA server with Let’s Encrypt SSL Certificate
After installation, you can secure your FreeIPA Server using SSL. See this link for guidelines.
Part 2: Configuring FreeIPA Replication on CentOS
Once you have a FreeIPA server installed and configured, no other prerequisite is needed. You can start FreeIPA replication.
In this setup, there’s a Primary FreeIPA server with hostname ipa-master.renu.ac.ug (set up in part 1), and the replica will be configured with hostname ipa-rep1.renu.ac.ug.
The IP addresses for the two servers are as below:
ipa-master.renu.ac.ug: 192.168.0.10
ipa-rep1.renu.ac.ug: 192.168.0.11
Step 1: Configure DNS local hosts file
On both servers, make sure the hostname of each server resolves. This is important if you don't have an active DNS service in your infrastructure.
sudo vim /etc/hosts
Make sure you have lines like the ones below, replacing the hostnames and IPs with your own.
192.168.0.10 ipa-master.renu.ac.ug ipa-master
192.168.0.11 ipa-rep1.renu.ac.ug ipa-rep1
Ensure hostname is configured correctly:
sudo hostnamectl set-hostname ipa-rep1.renu.ac.ug
Step 2: Install FreeIPA Client on Replica Server
First update the packages on the system before beginning the install.
sudo yum -y update
If you get kernel updates, consider rebooting the server for changes to take place.
The FreeIPA client is available in the standard CentOS repositories. Install it and enrol the host against the master (--mkhomedir creates home directories on first login, which avoids the "Could not chdir to home directory" message seen earlier):
$ sudo yum install ipa-client
$ sudo ipa-client-install --hostname=`hostname -f` \
    --mkhomedir \
    --server=ipa-master.renu.ac.ug \
    --domain renu.ac.ug \
    --realm RENU.AC.UG
When prompted to provide a Kerberos realm for the server, just skip by pressing the <Enter> key.
Step 3: Install FreeIPA server on Replica
Once the FreeIPA client has been installed and configured, the next step is to install FreeIPA Server on a replica.
sudo yum -y install ipa-server
Test by requesting a Kerberos ticket on the replica:
[root@ipa-rep1 ~]# kinit admin
Password for admin@RENU.AC.UG:
[root@ipa-rep1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@RENU.AC.UG
Valid starting Expires Service principal
08/18/2022 11:58:58 08/18/2022 11:58:56 krbtgt/RENU.AC.UG@RENU.AC.UG
Step 4: Add Replica server to the ipaservers group on the FreeIPA master server
Log in to the FreeIPA master server (ipa-master) and add the replica to the ipaservers host group:
[root@ipa-master ~]# kinit admin
Password for admin@RENU.AC.UG
[root@ipa-master ~]# ipa hostgroup-add-member ipaservers --hosts ipa-rep1.renu.ac.ug
Host-group: ipaservers
Description: IPA server hosts
Member hosts: ipa-master.renu.ac.ug, ipa-rep1.renu.ac.ug
————————-
Number of members added 1
————————-
You can see that we now have two member hosts, ipa-master & ipa-rep1.
On the FreeIPA master server, open freeipa-replication on Firewalld if you have an active firewalld service:
sudo firewall-cmd --add-service=freeipa-replication --permanent
sudo firewall-cmd --reload
Step 5: Run the ipa-replica-install on the replica server
At this point, you only need to run the ipa-replica-install command on the replica server to sync the FreeIPA server configuration and make the replica ready for clients to connect to.
[root@ipa-rep1 ~]# ipa-replica-install
WARNING: conflicting time&date synchronization service ‘chronyd’ will
be disabled in favor of ntpd
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
[2/42]: enabling ldapi
[3/42]: configure autobind for root
[4/42]: stopping directory server
[5/42]: updating configuration in dse.ldif
[6/42]: starting directory server
[7/42]: adding default schema
[8/42]: enabling memberof plugin
[9/42]: enabling winsync plugin
[10/42]: configuring replication version plugin
[11/42]: enabling IPA enrollment plugin
[12/42]: configuring uniqueness plugin
[13/42]: configuring uuid plugin
[14/42]: configuring modrdn plugin
[15/42]: configuring DNS plugin
[16/42]: enabling entryUSN plugin
[17/42]: configuring lockout plugin
[18/42]: configuring topology plugin
[19/42]: creating indices
[20/42]: enabling referential integrity plugin
[21/42]: configuring certmap.conf
[22/42]: configure new location for managed entries
[23/42]: configure dirsrv ccache
[24/42]: enabling SASL mapping fallback
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[29/42]: prevent time skew after initial replication
[30/42]: adding sasl mappings to the directory
[31/42]: updating schema
[32/42]: setting Auto Member configuration
[33/42]: enabling S4U2Proxy delegation
[34/42]: initializing group membership
[35/42]: adding master entry
[36/42]: initializing domain level
[37/42]: configuring Posix uid/gid generation
[38/42]: adding replication acis
[39/42]: activating sidgen plugin
[40/42]: activating extdom plugin
[41/42]: tuning directory server
[42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: setting mod_nss port to 443
[3/22]: setting mod_nss cipher suite
[4/22]: setting mod_nss protocol list to TLSv1.0 – TLSv1.2
[5/22]: setting mod_nss password file
[6/22]: enabling mod_nss renegotiate
[7/22]: disabling mod_nss OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: importing CA certificates from LDAP
[15/22]: publish CA cert
[16/22]: clean up any existing httpd ccaches
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the KDC
If the setup was successful, you should not encounter any error.
Step 6: Removing a FreeIPA replica
To remove a replica, first uninstall the FreeIPA server on the replica host:
[root@ipa-rep1 ~]# ipa-server-install --uninstall
Then, on a remaining server, delete the replica from the replication topology and from the ipaservers group:
# ipa-replica-manage del ipa-rep1.renu.ac.ug --force
# ipa hostgroup-remove-member ipaservers --hosts ipa-rep1.renu.ac.ug
Configuring Failover with Keepalived
Keepalived is a software implementation of the Virtual Router Redundancy Protocol (VRRP) in Linux. Keepalived facilitates high availability in simple and advanced failover situations. In this setting, the FreeIPA servers are set up in pairs, with one being active and the other in standby (backup) mode.
VRRP uses the concept of Virtual IP (VIP) addresses. One or more servers participate in an election to determine the host that will control the shared IP (VIP). Only one host (the master) controls the VIP at a time. If the master fails, VRRP provides mechanisms for detecting that failure and quickly failing over to a standby host.
In this guide, ipa-master.renu.ac.ug is the master host and is responsible for the 192.168.0.100 VIP address. If ipa-master fails, then ipa-rep1 takes over this IP address.
Step 1: Installation of Keepalived
Keepalived is available in the standard package repositories and is easily installed using yum.
[root@ipa-master ~]# yum install -y keepalived
[root@ipa-master ~]# keepalived --version
Keepalived v2.0.10 (11/12,2018)
[root@ipa-master ~]# systemctl status keepalived
keepalived.service – LVS and VRRP High Availability Monitor
Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disab
Active: inactive (dead)
Alternatively, you can build Keepalived from source. Keepalived is an actively maintained project that regularly receives new features and bug fixes, and the version in the package repositories may lag behind and carry bugs already fixed upstream; building from source lets you run the latest release.
As user root:
# Install prerequisites
yum install -y gcc openssl-devel
# Download the latest version of the code. Be sure to check the downloads page for the most recent version: https://www.keepalived.org/download.html
[root@ipa-master ~]# wget https://www.keepalived.org/software/keepalived-2.0.20.tar.gz
# Extract the code
[root@ipa-master ~]# tar -xf keepalived-2.0.20.tar.gz
# Run the configure scripts
[root@ipa-master ~]# cd keepalived-2.0.20
[root@ipa-master keepalived-2.0.20]# ./configure
# Build and install keepalived
[root@ipa-master keepalived-2.0.20]# make
[root@ipa-master keepalived-2.0.20]# make install
# Test your installation
[root@ipa-master keepalived-2.0.20]# keepalived --version
Keepalived v2.0.20 (01/22,2020)
Step 2: Configuration of the master and Backup servers
The configuration file for Keepalived is located at /etc/keepalived/keepalived.conf. The most basic Keepalived configuration enables a shared IP address between two servers.
Keepalived offers a number of useful built-in methods to determine the health and subsequent VRRP priority of a host. For this Freeipa environment, a custom health check script was made to monitor the status of the IPA service.
The Freeipa process, on both the master and the backup server, is monitored to determine the health of the host. This helps to trigger a failover in case the Freeipa service on the master stops running.
In this setup, keepalived runs a custom script, ipa-checker.sh, to determine the health of the host. When the FreeIPA service is up and running, the script writes a value of 10 to the file /etc/keepalived/ipa-monitor/vrrp_track_file (and 0 when it is not), which keepalived also monitors continuously.
Inside /etc/keepalived, create a directory called ipa-monitor and, with the touch command, create vrrp_track_file inside that directory. Do this on both the master and the replica nodes.
As user root on the master node, run:
[root@ipa-master]# cd /etc/keepalived
[root@ipa-master keepalived]# mkdir ipa-monitor
[root@ipa-master keepalived]# touch ipa-monitor/vrrp_track_file
As user root on the replica/backup node, run:
[root@ipa-rep1]# cd /etc/keepalived
[root@ipa-rep1 keepalived]# mkdir ipa-monitor
[root@ipa-rep1 keepalived]# touch ipa-monitor/vrrp_track_file
The ipa-checker.sh script should be saved in /usr/local/bin and made executable (chmod +x):
#!/bin/bash
# Health check run by keepalived every "interval" seconds: probe the IPA
# service and publish the result to the track file keepalived monitors
# (10 = healthy, 0 = unhealthy). The file value is multiplied by the
# track_file weight and added to the VRRP priority.
service ipa status > /dev/null 2>&1
if [ $? -eq 0 ]
then
    echo 10 > /etc/keepalived/ipa-monitor/vrrp_track_file
else
    echo 0 > /etc/keepalived/ipa-monitor/vrrp_track_file
fi
NB: Check scripts can be run as a user other than root. While that is not demonstrated in this guide, consult the keepalived.conf man page and run the check script as the least privileged user possible to avoid any negative security implications from your check script.
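A stricter variant of the health check, added here as an example of my own rather than the guide's script: it replaces the service ipa status test with ipactl status (which, unlike the oneshot ipa unit, reports stopped subservices), adds local LDAP and HTTPS probes, and writes the track file atomically. It assumes a CentOS 7 FreeIPA server with openldap-clients and curl installed and the same track file path as above; the IPA_CHECK_LIBRARY variable is my own addition for testing.

```shell
#!/bin/sh
# Added example, not the guide's own ipa-checker.sh. Assumptions: ipactl in
# /usr/sbin, ldapsearch (openldap-clients) and curl installed, same track
# file path as the guide. "systemctl status ipa" stays "active" once
# "ipactl start" has succeeded, whereas "ipactl status" exits non-zero
# whenever any IPA subservice (dirsrv, krb5kdc, httpd, ...) is stopped.

TRACK_FILE="${TRACK_FILE:-/etc/keepalived/ipa-monitor/vrrp_track_file}"
HEALTHY_VALUE=10      # keepalived adds value * weight (weight 1) to the priority
UNHEALTHY_VALUE=0

# Map the three probe results to the value keepalived reads from the track file.
# Arguments: exit status of ipactl, of the LDAP probe and of the HTTPS probe.
# Every probe must pass; one failing subsystem marks the whole host unhealthy.
track_value_for() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then
        echo "$HEALTHY_VALUE"
    else
        echo "$UNHEALTHY_VALUE"
    fi
}

# Write the value atomically (temp file + rename in the same directory), so
# keepalived, which re-reads the file whenever it changes, never observes a
# truncated or empty file and misjudges the host's health.
write_track_file() {
    tmp="$(mktemp "$2.XXXXXX")" || return 1
    printf '%s\n' "$1" > "$tmp" && mv -f "$tmp" "$2"
}

# Individual probes; each returns 0 when healthy.
probe_ipactl() { /usr/sbin/ipactl status > /dev/null 2>&1; }
# Anonymous read of the LDAP root DSE: proves the directory server answers.
probe_ldap() { ldapsearch -x -H ldap://localhost -b '' -s base 1.1 > /dev/null 2>&1; }
# The web UI must answer over TLS on the host's own name, which its certificate covers.
probe_https() { curl -sSf -o /dev/null --max-time 3 "https://$(hostname -f)/ipa/ui/" 2>/dev/null; }

# Run all probes, publish the result and exit 0 only when the host is healthy,
# so the vrrp_script that tracks this script also sees the failure.
run_check() {
    probe_ipactl; ipactl_rc=$?
    probe_ldap;   ldap_rc=$?
    probe_https;  https_rc=$?
    value="$(track_value_for "$ipactl_rc" "$ldap_rc" "$https_rc")"
    write_track_file "$value" "$TRACK_FILE" || return 1
    [ "$value" -eq "$HEALTHY_VALUE" ]
}

# Set IPA_CHECK_LIBRARY=1 to only load the functions (for testing); keepalived
# runs the script without it, so the check executes and its status is returned.
[ "${IPA_CHECK_LIBRARY:-0}" = 1 ] || run_check
```

Saved as /usr/local/bin/ipa-checker.sh it is a drop-in for the script above, and the keepalived.conf fragments below need no change.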
For the master host (ipa-master.renu.ac.ug), keepalived.conf is as follows.
vrrp_script ipa_check {
    script "/usr/local/bin/ipa-checker.sh"
    interval 1
    timeout 5
    rise 3
    fall 3
}
vrrp_track_file track_ipa_file {
    file /etc/keepalived/ipa-monitor/vrrp_track_file
}
vrrp_instance ipa-master {
    track_script {
        ipa_check
    }
    track_file {
        track_ipa_file weight 1
    }
    state MASTER
    interface eth0
    virtual_router_id 55
    priority 240
    advert_int 1
    unicast_src_ip 192.168.0.10
    unicast_peer {
        192.168.0.11
    }
    authentication {
        auth_type PASS
        auth_pass clusterpass123
    }
    virtual_ipaddress {
        192.168.0.100/24
    }
}
For the backup host (ipa-rep1.renu.ac.ug), keepalived.conf is as follows.
vrrp_script ipa_check {
    script "/usr/local/bin/ipa-checker.sh"
    interval 1
    timeout 5
    rise 3
    fall 3
}
vrrp_track_file track_ipa_file {
    file /etc/keepalived/ipa-monitor/vrrp_track_file
}
vrrp_instance ipa-rep1 {
    track_script {
        ipa_check
    }
    track_file {
        track_ipa_file weight 1
    }
    state BACKUP
    interface eth0
    virtual_router_id 55
    priority 235
    advert_int 1
    unicast_src_ip 192.168.0.11
    unicast_peer {
        192.168.0.10
    }
    authentication {
        auth_type PASS
        auth_pass clusterpass123
    }
    virtual_ipaddress {
        192.168.0.100/24
    }
}
- vrrp_instance defines an individual instance of the VRRP protocol running on an interface. I have arbitrarily named this instance ipa-master on the master and ipa-rep1 on the backup.
- vrrp_script defines the script that keepalived runs to check the health of the application.
- state defines the initial state (MASTER or BACKUP) that the instance should start in; once advertisements are exchanged, priority decides which host actually holds the VIP.
- interface defines the interface that VRRP runs on.
- virtual_router_id is the identifier (0 to 255) shared by all hosts in one VRRP group. Both IPA hosts use 55; it must not collide with another VRRP group on the same network segment.
- priority is the advertised priority (1 to 254); the host with the highest effective priority wins the election. Track scripts and track files adjust the effective priority at runtime, which is how the health check triggers a failover.
- advert_int specifies the frequency that advertisements are sent at (1 second, in this case).
- authentication specifies the information necessary for servers participating in VRRP to authenticate with each other. In this case, a simple password is defined. Note that auth_type PASS carries the password in cleartext in every advertisement (and only its first eight characters are used), so it guards against accidental misconfiguration rather than against a deliberate attacker; the unicast_peer setting above confines the exchange to the two IPA hosts instead of multicasting it to the whole segment.
- virtual_ipaddress defines the IP addresses (there can be multiple) that VRRP is responsible for.
- vrrp_track_file: Keepalived can also make priority decisions based on the contents of a file, which is useful when an application can write values to that file. In this scenario, the ipa_check script periodically checks the health of the FreeIPA software on each host and writes 10 (healthy) or 0 (unhealthy) to /etc/keepalived/ipa-monitor/vrrp_track_file. Keepalived multiplies the value in the file by the weight (1) and adds the result to the priority. With the priorities above, a healthy master advertises 250 and a healthy backup 245; if the IPA service on the master stops, its effective priority drops to 240, below the backup's 245, and the VIP moves to the backup.
- interval: How often the script should be run (1 second).
- timeout: How long to wait for the script to return (5 seconds).
- rise: How many times the script must return successfully in order for the host to be considered "healthy." In this example, the script must return successfully 3 times. This helps to prevent a "flapping" condition where a single failure (or success) causes the Keepalived state to quickly flip back and forth.
- fall: How many times the script must return unsuccessfully (or time out) in order for the host to be considered "unhealthy." This functions as the reverse of the rise directive.
Once the configuration above is in place on both nodes, restart keepalived on both and check the status of the service to ensure all is well. If the restart succeeded, run the ip command to see which host holds the VIP.
As user root on master node, run:
[root@ipa-master]# service keepalived restart
[root@ipa-master]# service keepalived status
[root@ipa-master]# ip --brief a
lo UNKNOWN 127.0.0.1/8 ::1/128
eth0 UP 192.168.0.10/32 192.168.0.100/24 fe80::b895:70f0:7d0:b356/64
As user root on replica/backup node, run:
[root@ipa-rep1]# service keepalived restart
[root@ipa-rep1]# service keepalived status
[root@ipa-rep1]# ip --brief a
lo UNKNOWN 127.0.0.1/8 ::1/128
eth0 UP 192.168.0.11/32 fe80::66d3:1b96:d85a:6d51/64
From the results of the ip command, the master node is currently holding the VIP. To test the failover, stop either the keepalived or IPA service on the master and run the ip command again. The expected results should show the VIP now residing on the interface of the replica/backup node.
Errors encountered:
In Part 2, Step 4 (adding the replica to the ipaservers group), running "kinit admin" failed with "kinit: Password incorrect while getting initial credentials".
Solution:
On a FreeIPA server (kadmin.local must run on a KDC), export a keytab for the admin principal without rotating its key:
kadmin.local
kadmin.local: ktadd -k admin.keytab -norandkey admin@RENU.AC.UG
kadmin.local: exit
Copy admin.keytab to the client over a secure channel (scp, for example) into a directory readable only by root. The keytab is equivalent to the admin password, so delete it once the ticket has been obtained.
Then, run:
kinit -k -t admin.keytab admin@RENU.AC.UG