Hey,

Wouldn't the support for the older version of the password storage scheme need to reach Fedora 37 since that's the side with the new version of everything?
-Paulson

On Thu, Mar 2, 2023 at 12:53 AM Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> as you correctly found, the issue is a known problem on 389-ds side (issue #5565 <https://github.com/389ds/389-ds-base/issues/5565> / BZ 2170224 <https://bugzilla.redhat.com/show_bug.cgi?id=2170224>). During the replica installation, the replica locally creates a temporary user, that is then replicated to the master. To ensure that the temporary user has been replicated to the master, the installer waits a bit and tries to perform a ldap bind on the master with the credentials for this temp user.
> The temp user is created on the replica hence its password is stored using PBKDF2-SHA512. This password storage scheme is not available on the master, and the direct consequence is that the bind fails.
>
> The issue has been fixed on 389-ds side by adding support on the older version for the password storage scheme and will be available soon on RHEL 7.9, but I can't tell when it will reach c7.
>
> HTH,
> flo
>
>
> On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users <[email protected]> wrote:
>
>> Hey,
>>
>> I'm trying to create a replica from an older FreeIPA server to a more modern one. The eventual plan being to remove the very old one and use the new one as the primary. Then new replicas would be created off it.
>>
>> Running into a problem though during the CA Configuration phase when it tries to create the admin user, or rather verify it.
>>
>> This thread <https://lists.fedoraproject.org/archives/list/[email protected]/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK> might be related as well as RedHat Bugzilla – Bug 2151071 <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>.
>>
>> Details on the issue, environment, and troubleshooting performed so far are posted here <https://www.gpmidi.net/node/162> as well as copy/pasted below.
>>
>> -Paulson
>>
>> The Problem
>>
>> Overview
>>
>> Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the `Configuring certificate server (pki-tomcatd)` phase.
>>
>> Example ipa-replica-install error
>>
>> # kinit <MY PERSONAL ADMIN USERNAME>
>> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
>>
>> ...
>>
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>>   [1/30]: creating certificate server db
>>   [2/30]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 11 seconds elapsed
>> Update succeeded
>>
>>   [3/30]: creating ACIs for admin
>>   [4/30]: creating installation admin user
>> Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389
>> [hint] tune with replication_wait_timeout
>>   [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
>> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>
>> From Installer Log
>>
>> 2023-03-01T18:01:02Z DEBUG   [4/30]: creating installation admin user
>> 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389
>> 2023-03-01T18:01:32Z ERROR Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389
>> 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
>> 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step
>>     method()
>>   File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 789, in setup_admin
>>     raise errors.NotFound(
>> ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
>>
>> 2023-03-01T18:01:32Z DEBUG   [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
>>
>> 2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
>>
>> While Waiting For User Sync/Validation...
>>
>> *tl;dr The user seems to exist on both sides!*
>>
>> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ldap://ipam.i.gpmidi.net:389
>> #
>>
>> # admin-ipa0.i.gpmidi.net, people, ipaca
>> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ldap://localhost
>> #
>>
>> # admin-ipa0.i.gpmidi.net, people, ipaca
>> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> ------------------------------
>> The Environment
>>
>> Source
>>
>> Distro: CentOS 7.9.2009
>> FreeIPA: 4.6.8
>>
>> Target
>>
>> Originally
>>
>> Distro: Fedora Server 36
>> FreeIPA: 4.9.11
>>
>> Later
>>
>> Distro: Fedora Server 37
>> FreeIPA: 4.10.1
>>
>> Install Commands
>>
>> Step 1 - Client
>>
>> ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET --ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid --hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
>>
>> Step 2 - kinit
>>
>> kinit <MY PERSONAL USER>
>>
>> Step 3 - Replica Install
>>
>> ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
>>
>> Sometimes the `--debug` flag was also used.
>>
>> The installer would ask about trusted domain support - answered "no" via no entry unless noted otherwise.
>>
>> Enable trusted domains support in slapi-nis? [no]:
>>
>> Cleanup Commands
>>
>> Used after a failure to reset the environment.
>>
>> Step 1 - Uninstall
>>
>> /usr/sbin/ipa-server-install --uninstall
>>
>> Step 2 - Validated Server Removed
>>
>> Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and validated that the new server, ipa0, wasn't listed. Deleted if it was.
>> ------------------------------
>> Related Links
>>
>> - FreeIPA Users thread <https://lists.fedoraproject.org/archives/list/[email protected]/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK>
>> - Red Hat Bugzilla – Bug 2151071 <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>
>>
>> ------------------------------
>> Attempted Fixes
>>
>> Changed Replication Wait Time
>>
>> Created `/etc/ipa/installer.conf` (see below) and changed the time in seconds.
>>
>> # cat /etc/ipa/installer.conf
>> [global]
>> replication_wait_timeout=30
>>
>> Result
>>
>> 30s = No change
>> 300s = No change
>> 600s = No change
>>
>> *Left at 30s for further testing - keeps it quick - provides more than enough time since my ldap db is small.*
>>
>> Update Source IPA Box From C7 To C8
>>
>> Result
>>
>> Upgrade from c7 to c8 failed badly. Might try again later.
>>
>> Update Source IPA Box 389 `root` Password Hash Type
>>
>> # /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current DirSrv Root Password>'
>> {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
>>
>> Result
>>
>> No change
>>
>> Updated Target IPA Box To Fedora Server 37
>>
>> Updated target IPA box from f36 to f37. This changed the IPA version from 4.9.11 to 4.10.1.
>>
>> Result
>>
>> No change
>>
>> Changing Password Storage Scheme On Source
>>
>> # dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace passwordStorageScheme=PBKDF2_SHA256
>> Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED ROOT PW>
>> Successfully replaced "passwordStorageScheme"
>>
>> Result
>>
>> No change
>>
>> Trusted Domains Answer = Yes
>>
>> Answered 'yes' to trusted domains.
>>
>> Enable trusted domains support in slapi-nis? [no]: yes
>>
>> Result
>>
>> No change
>>
>> Restarted IPA On Source
>>
>> Since the `dsconf` change above to the password storage scheme the IPA server on the source box hasn't been restarted. Restarted it via...
>>
>> # ipactl restart
>>
>> Result
>>
>> No change
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>
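An added pre-flight check for the mechanism Florence describes (the replica writes the temporary admin user with a hash scheme the older master cannot verify, so the post-replication bind fails). This is example code written for this reply, not part of the thread, of FreeIPA or of 389-ds. It parses two ldapsearch outputs: the temporary user's userPassword on the replica, and the password storage scheme plugin entries on the master, and reports any hash whose {SCHEME} tag the master has no enabled plugin for. The LDIF blocks are constructed sample data; the plugin layout under cn=Password Storage Schemes,cn=plugins,cn=config with nsslapd-pluginEnabled is an assumption about 389-ds to confirm against a live server. The argv helper passes the server through `-H`, because a bare URI after the base DN is parsed by ldapsearch as an attribute name to request (the `# requesting:` line in the outputs above shows that), so both of those searches ran against the default server.

```python
"""Pre-flight check: can the master verify the hash scheme the replica writes?
Added example, not from the mailing-list thread, FreeIPA or 389-ds."""
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")
# Assumed 389-ds layout for storage-scheme plugins (confirm on a live server).
PLUGIN_CONTAINER = "cn=password storage schemes,cn=plugins,cn=config"


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (attrs lower-cased).
    Handles '#' comments, folded lines (leading space) and base64 '::' values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded continuation line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """Return the {SCHEME} tag of a stored password, or None if untagged."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def enabled_schemes(plugin_entries):
    """Names of storage-scheme plugins that are enabled on the server."""
    enabled = set()
    for e in plugin_entries:
        dn = e.get("dn", [""])[0].lower()
        if dn.endswith("," + PLUGIN_CONTAINER) and \
                e.get("nsslapd-pluginenabled", ["off"])[0].lower() == "on":
            enabled.add(e["cn"][0].upper())
    return enabled


def check_replication_bind(user_ldif, master_plugin_ldif):
    """Findings for every userPassword the master could not verify; [] is good."""
    supported = enabled_schemes(parse_ldif(master_plugin_ldif))
    findings = []
    for entry in parse_ldif(user_ldif):
        dn = entry.get("dn", ["<no dn>"])[0]
        for pw in entry.get("userpassword", []):
            scheme = password_scheme(pw)
            if scheme is None:
                findings.append(f"{dn}: userPassword has no {{SCHEME}} tag")
            elif scheme not in supported:
                findings.append(f"{dn}: stored with {scheme}, not enabled on master "
                                f"(enabled: {', '.join(sorted(supported))})")
    return findings


def ldapsearch_argv(uri, base, bind_dn="cn=Directory Manager", attrs=("userPassword",)):
    """ldapsearch argv with the server passed via -H, so it is not read as an attribute."""
    return ["ldapsearch", "-x", "-LLL", "-H", uri, "-D", bind_dn, "-W",
            "-b", base, "-s", "base", *attrs]


# Constructed sample: the temp admin user as the replica stores it (placeholder hash).
REPLICA_USER_LDIF = "\n".join([
    "dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca",
    "userPassword:: " + base64.b64encode(b"{PBKDF2-SHA512}placeholder-not-a-hash").decode(),
    "",
])
# Constructed sample: plugin entries on an older master where PBKDF2-SHA512 is absent.
MASTER_PLUGINS_LDIF = """\
dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
cn: PBKDF2_SHA256
nsslapd-pluginEnabled: on

dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
cn: SSHA512
nsslapd-pluginEnabled: on

dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
cn: CLEAR
nsslapd-pluginEnabled: off
"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv("ldap://ipam.i.gpmidi.net:389",
                                   "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca")))
    for line in check_replication_bind(REPLICA_USER_LDIF, MASTER_PLUGINS_LDIF) or ["OK"]:
        print(line)
```

Run it against real output by feeding the two ldapsearch results (bound as Directory Manager, since userPassword is not readable by ordinary binds) into `check_replication_bind`; an empty result means the bind step of the installer at least has a verifiable hash to work with, and a finding points at the scheme gap rather than at `replication_wait_timeout`.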
