[Freeipa-users] Re: v4.6.8->v4.10.1 Replica Install | CA Configuration Section | Admin Login Failing

Thu, 02 Mar 2023 06:23:00 -0800 

On to, 02 maalis 2023, Paulson McIntyre via FreeIPA-users wrote:

Hey,

Wouldn't the support for the older version of the password storage scheme
need to reach Fedora 37 since that's the side with the new version of
everything?


It is the other way around. There is an effort to backport this newer
hash type support to 389-ds-base in older releases. I've heard it is
close to being pushed out to RHEL customers and after that CentOS 7
would do a rebuild.

One that rebuild is out, you'd be able to update c7 machine and then add
a replica.



-Paulson

On Thu, Mar 2, 2023 at 12:53 AM Florence Blanc-Renaud <[email protected]>
wrote:


Hi,

as you correctly found, the issue is a known problem on 389-ds side (issue
#5565 <https://github.com/389ds/389-ds-base/issues/5565> / BZ 2170224
<https://bugzilla.redhat.com/show_bug.cgi?id=2170224>). During the
replica installation, the replica locally creates a temporary user, that is
then replicated to the master. To ensure that the temporary user has been
replicated to the master, the installer waits a bit and tries to perform a
ldap bind on the master with the credentials for this temp user.
The temp user is created on the replica hence its password is stored using
PBKDF2-SHA512. This password storage scheme is not available on the master,
and the direct consequence is that the bind fails.

The issue has been fixed on 389-ds side by adding support on the older
version for the password storage scheme and will be available soon on RHEL
7.9, but I can't tell when it will reach c7.

HTH,
flo


On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users <
[email protected]> wrote:


Hey,

I'm trying to create a replica from an older FreeIPA server to a more
modern one. The eventual plan being to remove the very old one and use the
new one as the primary. Then new replicas would be created off it.

Running into a problem though during the CA Configuration phase when it
tries to create the admin user, or rather verify it.

This thread
<https://lists.fedoraproject.org/archives/list/[email protected]/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK>
might be related as well as RedHat Bugzilla – Bug 2151071
<https://bugzilla.redhat.com/show_bug.cgi?id=2151071>.

Details on the issue, environment, and troubleshooting performed so far
are posted here <https://www.gpmidi.net/node/162> as well as copy/pasted
below.

-Paulson

The ProblemOverview

Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a
new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the
`Configuring certificate server (pki-tomcatd)` phase.
Example ipa-replica-install error

# kinit <MY PERSONAL ADMIN USERNAME>
# ipa-replica-install --setup-adtrust --setup-ca --setup-dns  --no-forwarders  
--skip-conncheck --add-sids

...

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server db
  [2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 11 seconds elapsed
Update succeeded

  [3/30]: creating ACIs for admin
  [4/30]: creating installation admin user
Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on 
ldap://ipam.i.gpmidi.net:389
[hint] tune with replication_wait_timeout
  [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not 
replicate to ldap://ipam.i.gpmidi.net:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to 
ldap://ipam.i.gpmidi.net:389
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information

From Installer Log

2023-03-01T18:01:02Z DEBUG   [4/30]: creating installation admin user
2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for 
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on 
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z ERROR Unable to log in as 
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 
686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 
672, in run_step
    method()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", 
line 789, in setup_admin
    raise errors.NotFound(
ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not 
replicate to ldap://ipam.i.gpmidi.net:389

2023-03-01T18:01:32Z DEBUG   [error] NotFound: 
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to 
ldap://ipam.i.gpmidi.net:389

2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: 
NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to 
ldap://ipam.i.gpmidi.net:389

While Waiting For User Sync/Validation...

*tl;dr The user seems to exist on both sides!*

[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b 
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://ipam.i.gpmidi.net:389
#

# admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b 
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://localhost
#

# admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

------------------------------
The EnvironmentSource

Distro: CentOS 7.9.2009
FreeIPA: 4.6.8
TargetOriginally

Distro: Fedora Server 36
FreeIPA: 4.9.11
Later

Distro: Fedora Server 37
FreeIPA: 4.10.1
Install CommandsStep 1 - Client

ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET 
--ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid 
--hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org

Step 2 - kinit

kinit <MY PERSONAL USER>

Step 3 - Replica Install

ipa-replica-install --setup-adtrust --setup-ca --setup-dns  --no-forwarders  
--skip-conncheck --add-sids

Sometimes the `--debug` flag was also used.

The installer would ask about trusted domain support - answered "no" via
no entry unless noted otherwise.

Enable trusted domains support in slapi-nis? [no]:

Cleanup Commands

Used after a failure to reset the environment.
Step 1 - Uninstall

/usr/sbin/ipa-server-install --uninstall

Step 2 - Validated Server Removed

Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and
validated that the new server, ipa0, wasn't listed. Deleted if it was.
------------------------------
Related Links

   - FreeIPA Users thread
   
<https://lists.fedoraproject.org/archives/list/[email protected]/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK>
   - Red Hat Bugzilla – Bug 2151071
   <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>

------------------------------
Attempted Fixes

Changed Replication Wait Time

Created ` /etc/ipa/installer.conf` (see below) and changed the time in
seconds.

# cat /etc/ipa/installer.conf
[global]
replication_wait_timeout=30

Result

30s = No change
300s = No change
600s = No change

*Left at 30s for further testing - keeps it quick - provides more than
enough time since my ldap db is small. *
Update Source IPA Box From C7 To C8Result

Upgrade from c7 to c8 failed badly. Might try again later.
Update Source IPA Box 389 `root` Password Hash Type

# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current 
DirSrv Root Password>'
{PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx

Result

No change
Updated Target IPA Box To Fedora Server 37

Updated target IPA box from f36 to f37. This changed the IPA version from
4.9.11 to 4.10.1.
Result

No change
Changing Password Storage Scheme On Source

# dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace 
passwordStorageScheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED 
ROOT PW>
Successfully replaced "passwordStorageScheme"

Result

No change
Trusted Domains Answer = Yes

Answered 'yes' to trusted domains.

Enable trusted domains support in slapi-nis? [no]: yes

Result

No change
Restarted IPA On Source

Since the `dsconf` change above to the password storage scheme the IPA
server on the source box hasn't been restarted. Restarted it via...

# ipactl restasrt

Result

No change
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue








--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to