Hi, another user recently had the same issue, see https://lists.fedoraproject.org/archives/list/[email protected]/thread/VCARE7OOXWBEB5UXF75AQVFQXNOA43XM/#VFPHENT3PPWTY6W5L42FKQJFQ5GBWKOR
We are not sure how the situation got solved, but he cleaned the security domain from ghost servers. Maybe it could help?

flo

On Tue, Jun 27, 2023 at 5:50 PM Arne Verheyden via FreeIPA-users <[email protected]> wrote:

> I'm facing a problem while trying to set up a replica of our main FreeIPA
> server. We're planning to migrate from an old server to a new one.
> ipa-replica-install and ipa-dns-install run without issue but the problem
> arises when I try to use the ipa-ca-install command. The command fails at
> the connection check phase with this output:
>
> $ ipa-ca-install
> Directory Manager (existing master) password:
>
> Run connection check to master
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Connection check failed!
> See /var/log/ipareplica-conncheck.log for more information.
> If the check results are not valid it can be skipped with --skip-conncheck parameter.
>
> Logs of /var/log/ipa-replica-conncheck.log
> 2023-06-27T14:25:28Z DEBUG Ports opened, notify original thread
> 2023-06-27T14:25:28Z DEBUG Original thread resumed
> 2023-06-27T14:25:28Z INFO Get credentials to log in to remote master
> 2023-06-27T14:25:28Z DEBUG KRB5CCNAME set to /tmp/krbcc2_1ny8e1/ccache
> 2023-06-27T14:25:28Z INFO Check RPC connection to remote master
> 2023-06-27T14:25:28Z DEBUG Starting external process
> 2023-06-27T14:25:28Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmp66e_2bfv', '-N', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt', '-@', '/tmp/tmp66e_2bfv/pwdfile.txt']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv
>
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/cert9.db']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/cert9.db
>
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/key4.db']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/key4.db
>
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pkcs11.txt']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pkcs11.txt
>
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pwdfile.txt']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pwdfile.txt
>
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG Starting external process
> 2023-06-27T14:25:29Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp66e_2bfv', '-A', '-n', 'CN=Certificate Authority,O=EXAMPLE.COM', '-t', 'C,,', '-a', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt']
> 2023-06-27T14:25:29Z DEBUG Process finished, return code=0
> 2023-06-27T14:25:29Z DEBUG stdout=
> 2023-06-27T14:25:29Z DEBUG stderr=
> 2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.remote_plugins.schema$8182589c...
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.remote_plugins.schema$8182589c.plugins
> 2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.plugins...
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automember
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automount
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.ca
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.cert
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certmap
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certprofile
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.dns
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbacrule
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbactest
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.host
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.idrange
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.internal
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.location
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.migration
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.misc
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken_yubikey
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.passwd
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.permission
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.rpcclient
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.server
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.service
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.sudorule
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.topology
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.trust
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.user
> 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.vault
> 2023-06-27T14:25:30Z DEBUG failed to find session_cookie in persistent storage for principal 'host/[email protected]'
>
> 2023-06-27T14:25:30Z DEBUG trying https://ipa01.example.com/ipa/json
> 2023-06-27T14:25:30Z DEBUG New HTTP connection (ipa01.example.com)
> 2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
> 2023-06-27T14:25:31Z INFO Connection to https://ipa01.example.com/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
> 2023-06-27T14:25:31Z DEBUG trying https://replica1.example.com/ipa/json
> 2023-06-27T14:25:31Z DEBUG New HTTP connection (replica1.example.com)
> 2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
> 2023-06-27T14:25:31Z DEBUG Created connection context.rpcclient_140381866522064
> 2023-06-27T14:25:31Z DEBUG raw: ping(version='2.251')
> 2023-06-27T14:25:31Z DEBUG ping(version='2.251')
> 2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'ping/1' to json server 'https://replica1.example.com/ipa/json'
> 2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com)
> 2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
> 2023-06-27T14:25:31Z INFO Execute check on remote master
> 2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'server_conncheck' to json server 'https://replica1.example.com/ipa/json'
> 2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com)
> 2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
> 2023-06-27T14:25:31Z DEBUG Destroyed connection context.rpcclient_140381866522064
> 2023-06-27T14:25:31Z ERROR ERROR: Remote master check failed with following error message(s):
> invalid 'cn': must be "replica1.example.com"
>
> I don't know how to debug this, I have searched the web for a similar issue
> and the only one I have managed to find is this one:
> https://lists.fedoraproject.org/archives/list/[email protected]/thread/OWPUGD7OLDGXMRCKWZUH6U3TJB5HZROX/
> . The problem is similar but not the same as the one I have, so it did not
> help me much.
>
> I would greatly appreciate any suggestions or advice on how to resolve
> this problem.
>
> Sincerely,
> Arne
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
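An added example, not part of the original thread: a short Python triage of a conncheck log in the format quoted above. It reports which server rejected the login, which server each RPC call was forwarded to, and the final error together with its untimestamped continuation line. The sample lines are constructed from the quoted log with wrapped lines rejoined; `triage` and the report keys are names chosen here.

```python
import re

# Constructed sample: lines in the format of the quoted
# ipa-replica-conncheck.log, with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
2023-06-27T14:25:30Z DEBUG trying https://ipa01.example.com/ipa/json
2023-06-27T14:25:31Z INFO Connection to https://ipa01.example.com/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-06-27T14:25:31Z DEBUG trying https://replica1.example.com/ipa/json
2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'ping/1' to json server 'https://replica1.example.com/ipa/json'
2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'server_conncheck' to json server 'https://replica1.example.com/ipa/json'
2023-06-27T14:25:31Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "replica1.example.com"
"""

# One log entry starts with a UTC timestamp and a level.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:]+Z) (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
FAILED = re.compile(r"Connection to https://([^/\s]+)/ipa/json failed with (.*)")
FORWARD = re.compile(r"Forwarding '([^']+)' to json server\s*'\s*https://([^/\s]+)/")

def triage(text):
    """Return failed logins, the server each RPC call went to, and errors."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(2), m.group(3)])
        elif entries and line.strip():
            # No timestamp: continuation of the previous entry's message.
            entries[-1][1] += "\n" + line.strip()
    report = {"failed": {}, "forwarded": {}, "errors": []}
    for level, msg in entries:
        if (m := FAILED.search(msg)):
            report["failed"][m.group(1)] = m.group(2)
        elif (m := FORWARD.search(msg)):
            report["forwarded"][m.group(1)] = m.group(2)
        elif level == "ERROR":
            report["errors"].append(msg)
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for host, why in r["failed"].items():
        print(f"login failed on {host}: {why}")
    for call, host in r["forwarded"].items():
        print(f"{call} was forwarded to {host}")
    for err in r["errors"]:
        print("ERROR:", err)
```

On a real log, comparing the host in `failed` with the host that received `server_conncheck` shows at a glance whether the check ran against the server you intended.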
