Hi, On Tue, Mar 12, 2024 at 12:54 PM Ian Kumlien via FreeIPA-users < [email protected]> wrote:
> Hi, > > So i have spent quite some time trying to get out of the swamp that is > centos stream 8 and back to something with a actual upgrade path, > fedora =) > > Everything works except the ipa-ca-install on the replica - mostly > fails at the same step > > At some point the conncheck failed, dropping me in to a prompt asking > for the password of a admin-<machine> account > > Anyway, I do know about the issue with - vs _ and validated on master, > changed on replica as detailed here: > > https://lists.fedoraproject.org/archives/list/[email protected]/message/IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK/ > > But it still fails.. > > Oh and btw, none of the machines are running any firewalls =) > > Anyone that has a clue of what to test next? > > Btw, it's 4.9 to 4.11 if there is other issues with interoperability > > ipa-ca-install --skip-conncheck > Directory Manager (existing master) password: > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes > [1/28]: creating certificate server db > [2/28]: setting up initial replication > Starting replication, please wait until this has completed. > Update in progress, 7 seconds elapsed > Update succeeded > > [3/28]: creating ACIs for admin > [4/28]: creating installation admin user > ipaserver.install.dogtaginstance: ERROR Unable to log in as > uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca on > ldap://freeipa-1.xerces.lan:389 > [error] NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca > did not replicate to ldap://freeipa-1.xerces.lan:389 > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > Unexpected error - see /var/log/ipareplica-ca-install.log for details: > NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not > replicate to ldap://freeipa-1.xerces.lan:389 > > The installation of a CA clone creates this user on the replica, lets the replication copy the entry on the master and then checks by doing a ldap bind from the replica to the master that the entry has been properly replicated. When this error happens, it can either mean that the entry was not replicated or that the bind failed. In order to know exactly what is happening for you, you can check - on the master freeipa-1.xerces.lan, do a ldapsearch for this entry and check if it exists. If the entry is present, the replication properly propagated the entry from replica to master and you are probably hitting the 2nd issue. # ldapsearch -D "cn=directory manager" -W -b uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca - on the replica, do a ldapsearch for this entry and check the userpassword attribute. It is base64-encoded, and you can decode it in order to find the password storage scheme that was used to encrypt the password. For instance on my machine: dn: uid=admin-replica.ipa.test,ou=people,o=ipaca userPassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFCWVMrWHUxVEJzb0VTcjJLQVl4RlZHWGRHWWZ NTmxFN3dCZHRRV1IxUTNxaTdKTXord2duLzIrc1NKMDZJbXhBeng5ZkR2VEIrMCsvQkZyMmRiL1pT dy96YzdhNWlVNGVCYnZHem9FODM0VHpIbHBweS9UeFRhc0Facm81OG1iT05OaUdBbml1c3pVcE5nb 055R3dLYkpqQzZQeEpNeStnUklOa2xaOHJjTHBQSkZLam9jR0UvQ1NoeWFQYWN0b1ZZQlZVWHAzM3 pyeWtZVlBIL0pIUjNQb2pnZnNUb2pRL2w5UWg1UGEwVjVVZ0VyUGpFK0dsNWtLS3FMaWE0d296Rk4 wM3ozZjVwRGZDRnZOSi9CVEdENHhpcmNhcFZSVG5jTTRBZ0xPQlBCa2hoVm1vbEZBZHZ0OVUxY1ZL ZHVDZWRhWVUzZXZrS1hHcWx3alpTbEpPdkQ5SllJb0FHRlBwOXJERlJscU1MWEhUckx2aVoxTWgyM 2Roa0hrR0VXM3pna3VuK2FIcnNvYUZMWWQwZi95NjlweDBRMzJvci9vOXBZV1F6S1ppNUFp If I base64 decode the value: # echo e1BCS0RGMl9TSEEyNTZ9QUFBSUFCWVMrWHUxVEJzb0VTcjJLQVl4RlZHWGRHWWZNTmxFN3dCZHRRV1IxUTNxaTdKTXord2duLzIrc1NKMDZJbXhBeng5ZkR2VEIrMCsvQkZyMmRiL1pTdy96YzdhNWlVNGVCYnZHem9FODM0VHpIbHBweS9UeFRhc0Facm81OG1iT05OaUdBbml1c3pVcE5nb055R3dLYkpqQzZQeEpNeStnUklOa2xaOHJjTHBQSkZLam9jR0UvQ1NoeWFQYWN0b1ZZQlZVWHAzM3pyeWtZVlBIL0pIUjNQb2pnZnNUb2pRL2w5UWg1UGEwVjVVZ0VyUGpFK0dsNWtLS3FMaWE0d296Rk4wM3ozZjVwRGZDRnZOSi9CVEdENHhpcmNhcFZSVG5jTTRBZ0xPQlBCa2hoVm1vbEZBZHZ0OVUxY1ZLZHVDZWRhWVUzZXZrS1hHcWx3alpTbEpPdkQ5SllJb0FHRlBwOXJERlJscU1MWEhUckx2aVoxTWgyM2Roa0hrR0VXM3pna3VuK2FIcnNvYUZMWWQwZi95NjlweDBRMzJvci9vOXBZV1F6S1ppNUFp | base64 -d*{PBKDF2_SHA256}*AAAIABYS+Xu1TBsoESr2KAYxFVGXdGYfMNlE7wBdtQWR1Q3qi7JMz+wgn/2+sSJ06ImxAzx9fDvTB+0+/BFr2db/ZSw/zc7a5iU4eBbvGzoE834TzHlppy/TxTasAZro58mbONNiGAniuszUpNgoNyGwKbJjC6PxJMy+gRINklZ8rcLpPJFKjocGE/CShyaPactoVYBVUXp33zrykYVPH/JHR3PojgfsTojQ/l9Qh5Pa0V5UgErPjE+Gl5kKKqLia4wozFN03z3f5pDfCFvNJ/BTGD4xircapVRTncM4AgLOBPBkhhVmolFAdvt9U1cVKduCedaYU3evkKXGqlwjZSlJOvD9JYIoAGFPp9rDFRlqMLXHTrLviZ1Mh23dhkHkGEW3zgkun+aHrsoaFLYd0f/y69px0Q32or/o9pYWQzKZi5Ai which means that the replica used PBKDF2_SHA256 as password storage scheme. You need to check if this password storage scheme is supported on the master (we had issues in the past with a password storage scheme used by the replica that was not supported on the master and caused the bind to fail, https://bugzilla.redhat.com/show_bug.cgi?id=2151071). The list of supported password storage schemes is available with the following command: # ldapsearch -D "cn=directory manager" -W -LLL -o ldif-wrap=no -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s one dn If the replica is using a password scheme not supported on the master, you are probably hitting the above BZ. There were fixes for multiple versions of 389-ds, we would need to know your exact versions on the replica and the master to point you to the right advisory. flo > And the log says: > 2024-03-11T15:00:24Z DEBUG [4/28]: creating installation admin user > 2024-03-11T15:00:24Z DEBUG Waiting 300 seconds for > uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca to appear on > ldap://freeipa-1.xerces.lan:389 > 2024-03-11T15:05:24Z ERROR Unable to log in as > uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca on > ldap://freeipa-1.xerces.lan:389 > 2024-03-11T15:05:24Z INFO [hint] tune with replication_wait_timeout > 2024-03-11T15:05:24Z DEBUG Traceback (most recent call last): > File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > line 686, in start_creation > run_step(full_msg, method) > File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > line 672, in run_step > method() > File > "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", > line 789, in setup_admin > raise errors.NotFound( > ipalib.errors.NotFound: > uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not replicate to > ldap://freeipa-1.xerces.lan:389 > > 2024-03-11T15:05:24Z DEBUG [error] NotFound: > uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not replicate to > ldap://freeipa-1.xerces.lan:389 > 2024-03-11T15:05:24Z DEBUG Removing /root/.dogtag/pki-tomcat/ca > 2024-03-11T15:05:24Z DEBUG File > "/usr/lib/python3.12/site-packages/ipaserver/install/installutils.py", > line 781, in run_script > return_value = main_function() > ^^^^^^^^^^^^^^^ > > File "/usr/sbin/ipa-ca-install", line 320, in main > install(safe_options, options) > > File "/usr/sbin/ipa-ca-install", line 286, in install > install_replica(safe_options, options) > > File "/usr/sbin/ipa-ca-install", line 214, in install_replica > ca.install(True, config, options, custodia=custodia) > > File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", > line 354, in install > install_step_0(standalone, replica_config, options, custodia=custodia) > > File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", > line 422, in install_step_0 > ca.configure_instance( > > File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", > line 505, in configure_instance > self.start_creation(runtime=runtime) > > File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > line 686, in start_creation > run_step(full_msg, method) > > File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > line 672, in run_step > method() > > File > "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", > line 789, in setup_admin > raise errors.NotFound( > > 2024-03-11T15:05:24Z DEBUG The ipa-ca-install command failed, > exception: NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca > did not replicate to ldap://freeipa-1.xerces.lan:389 > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
