Stasiek Michalski via FreeIPA-users wrote:
> Hello,
> 
> I installed FreeIPA replica on 4.8.4 on CentOS 8 from 4.4.4 from Fedora
> 25 with `ipa-replica-install --setup-dns --auto-forwarders`, without
> `--setup-ca` due to errors, which went fine. I do want to install CA
> though, which failed when I did `--setup-ca` and then later
> `ipa-ca-install` with the following error:
> 
> ```
>   [4/29]: creating installation admin user
> Unable to log in as uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca on ldap://freeipa.infra.opensuse.org:389
> [hint] tune with replication_wait_timeout
>   [error] NotFound: uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca did not replicate to ldap://freeipa.infra.opensuse.org:389
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ```
> 
> Obviously I did try extending the timeout based on that, but I don't
> think that was helpful in the end, considering the logs produced by the
> old server:
> 
> httpd access_log
> ```
> 192.168.47.90 - - [23/Jul/2020:00:25:36 +0000] "GET /ca/rest/account/login HTTP/1.1" 401 994
> ```
> 
> server process in journal
> ```
> SSLAuthenticatorWithFallback: Authenticating with BASIC authentication
> Invalid Credential.
>         at com.netscape.cmscore.authentication.PasswdUserDBAuthentication.authenticate(PasswdUserDBAuthentication.java:167)
>         at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:63)
>         at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:78)
>         at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:94)
>         at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:37)
>         at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:98)
>         at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.authenticate(SSLAuthenticatorWithFallback.java:47)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:579)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
>         at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> SSLAuthenticatorWithFallback: Fallback auth header: WWW-Authenticate=Basic realm="Certificate Authority"
> SSLAuthenticatorWithFallback: Fallback auth return code: 401
> SSLAuthenticatorWithFallback: Result: false
> ```
> 
> and from pki logs
> ```
> Failed to authenticate as admin UID=admin-freeipa2.infra.opensuse.org. Error: netscape.ldap.LDAPException: error result (49)
> ```
> 
> I don't particularly know how to proceed from here, since those errors
> don't mean much to me. I see however it's not just me having issues with
> `ipa-ca-install` at least similar to this one (although by the looks of
> it, the reason is already different ;)

This step creates the admin user on the local LDAP server and tries to
authenticate to it on the other side.

I'd look to see if this user exists on both servers and the 389-ds
access logs on both to see what is going on.

rob
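
One way to carry out the access-log check suggested above, as an added example that is not part of the original thread: it pairs every BIND or SRCH on the admin DN with its RESULT line, so each server's log shows whether the entry was found and whether the bind succeeded. The log lines and addresses are constructed in the usual 389-ds access-log layout, and `trace_dn` is a hypothetical helper name.

```python
import re

# Constructed sample lines in the usual 389-ds access-log layout (not from the thread).
DN = "uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
SAMPLE_LOG = f"""\
[23/Jul/2020:00:25:30.101 +0000] conn=41 fd=70 slot=70 connection from 192.0.2.90 to 192.0.2.10
[23/Jul/2020:00:25:30.105 +0000] conn=41 op=0 BIND dn="{DN}" method=128 version=3
[23/Jul/2020:00:25:30.107 +0000] conn=41 op=0 RESULT err=49 tag=97 nentries=0 etime=0.002
[23/Jul/2020:00:25:31.000 +0000] conn=42 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[23/Jul/2020:00:25:31.002 +0000] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="cn=directory manager"
[23/Jul/2020:00:25:31.010 +0000] conn=42 op=1 SRCH base="{DN}" scope=0 filter="(objectClass=*)" attrs=ALL
[23/Jul/2020:00:25:31.011 +0000] conn=42 op=1 RESULT err=32 tag=101 nentries=0 etime=0.001
"""

# LDAP result codes from RFC 4511; 49 is the code shown in the pki log above.
LDAP_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<verb>[A-Z]+)\s*(?P<rest>.*)$')
TARGET = re.compile(r'(?:dn|base)="(?P<dn>[^"]*)"')
ERR = re.compile(r'\berr=(?P<err>\d+)')

def trace_dn(log_text, dn):
    """Return [(timestamp, verb, err, name)] for each BIND/SRCH on dn, paired with its RESULT."""
    pending = {}  # (conn, op) -> (timestamp, verb) for operations still awaiting a RESULT
    found = []
    want = dn.lower()  # DNs are compared case-insensitively
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection open/close lines carry no op= field
        key = (m["conn"], m["op"])
        if m["verb"] in ("BIND", "SRCH"):
            t = TARGET.search(m["rest"])
            if t and t["dn"].lower() == want:
                pending[key] = (m["ts"], m["verb"])
        elif m["verb"] == "RESULT" and key in pending:
            ts, verb = pending.pop(key)
            e = ERR.search(m["rest"])
            err = int(e["err"]) if e else None
            found.append((ts, verb, err, LDAP_CODES.get(err, "other")))
    return found

if __name__ == "__main__":
    # On a real server, read the instance's access log instead of SAMPLE_LOG.
    for ts, verb, err, name in trace_dn(SAMPLE_LOG, DN):
        print(f"{ts} {verb} err={err} ({name})")
```

Running it against the access log of each server in turn shows whether the entry exists where the bind is attempted and which side returns the error.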