On Tue, Mar 12, 2024 at 10:36 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> Hi,
>
> On Tue, Mar 12, 2024 at 12:54 PM Ian Kumlien via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> Hi,
>>
>> So I have spent quite some time trying to get out of the swamp that is
>> CentOS Stream 8 and back to something with an actual upgrade path,
>> Fedora =)
>>
>> Everything works except the ipa-ca-install on the replica - it mostly
>> fails at the same step
>>
>> At some point the conncheck failed, dropping me into a prompt asking
>> for the password of an admin-<machine> account
>>
>> Anyway, I do know about the issue with - vs _ and validated on master,
>> changed on replica as detailed here:
>> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK/
>>
>> But it still fails..
>>
>> Oh and btw, none of the machines are running any firewalls =)
>>
>> Anyone that has a clue of what to test next?
>>
>> Btw, it's 4.9 to 4.11 if there are other issues with interoperability
>>
>> ipa-ca-install --skip-conncheck
>> Directory Manager (existing master) password:
>>
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>>   [1/28]: creating certificate server db
>>   [2/28]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 7 seconds elapsed
>> Update succeeded
>>
>>   [3/28]: creating ACIs for admin
>>   [4/28]: creating installation admin user
>> ipaserver.install.dogtaginstance: ERROR    Unable to log in as
>> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca on
>> ldap://freeipa-1.xerces.lan:389
>>   [error] NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca
>> did not replicate to ldap://freeipa-1.xerces.lan:389
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Unexpected error - see /var/log/ipareplica-ca-install.log for details:
>> NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not
>> replicate to ldap://freeipa-1.xerces.lan:389
>>
> The installation of a CA clone creates this user on the replica, lets the 
> replication copy the entry to the master and then checks, by doing an LDAP bind 
> from the replica to the master, that the entry has been properly replicated.
> When this error happens, it can either mean that the entry was not replicated 
> or that the bind failed.
>
> In order to know exactly what is happening for you, you can check:
> - on the master freeipa-1.xerces.lan, do an ldapsearch for this entry and 
> check if it exists. If the entry is present, the replication properly 
> propagated the entry from replica to master and you are probably hitting the 
> second issue.
> # ldapsearch -D "cn=directory manager" -W -b 
> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca
>
> - on the replica, do an ldapsearch for this entry and check the userpassword 
> attribute. It is base64-encoded, and you can decode it in order to find the 
> password storage scheme that was used to encrypt the password.
> For instance on my machine:
>
> dn: uid=admin-replica.ipa.test,ou=people,o=ipaca
> userPassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFCWVMrWHUxVEJzb0VTcjJLQVl4RlZHWGRHWWZ
>  NTmxFN3dCZHRRV1IxUTNxaTdKTXord2duLzIrc1NKMDZJbXhBeng5ZkR2VEIrMCsvQkZyMmRiL1pT
>  dy96YzdhNWlVNGVCYnZHem9FODM0VHpIbHBweS9UeFRhc0Facm81OG1iT05OaUdBbml1c3pVcE5nb
>  055R3dLYkpqQzZQeEpNeStnUklOa2xaOHJjTHBQSkZLam9jR0UvQ1NoeWFQYWN0b1ZZQlZVWHAzM3
>  pyeWtZVlBIL0pIUjNQb2pnZnNUb2pRL2w5UWg1UGEwVjVVZ0VyUGpFK0dsNWtLS3FMaWE0d296Rk4
>  wM3ozZjVwRGZDRnZOSi9CVEdENHhpcmNhcFZSVG5jTTRBZ0xPQlBCa2hoVm1vbEZBZHZ0OVUxY1ZL
>  ZHVDZWRhWVUzZXZrS1hHcWx3alpTbEpPdkQ5SllJb0FHRlBwOXJERlJscU1MWEhUckx2aVoxTWgyM
>  2Roa0hrR0VXM3pna3VuK2FIcnNvYUZMWWQwZi95NjlweDBRMzJvci9vOXBZV1F6S1ppNUFp
>
>
> If I base64 decode the value:
>
> # echo '<base64 userPassword value above>' | base64 -d
> {PBKDF2_SHA256}AAAIABYS+Xu1TBsoESr2KAYxFVGXdGYfMNlE7wBdtQWR1Q3qi7JMz+wgn/2+sSJ06ImxAzx9fDvTB+0+/BFr2db/ZSw/zc7a5iU4eBbvGzoE834TzHlppy/TxTasAZro58mbONNiGAniuszUpNgoNyGwKbJjC6PxJMy+gRINklZ8rcLpPJFKjocGE/CShyaPactoVYBVUXp33zrykYVPH/JHR3PojgfsTojQ/l9Qh5Pa0V5UgErPjE+Gl5kKKqLia4wozFN03z3f5pDfCFvNJ/BTGD4xircapVRTncM4AgLOBPBkhhVmolFAdvt9U1cVKduCedaYU3evkKXGqlwjZSlJOvD9JYIoAGFPp9rDFRlqMLXHTrLviZ1Mh23dhkHkGEW3zgkun+aHrsoaFLYd0f/y69px0Q32or/o9pYWQzKZi5Ai

Yes, and the value is the same on both replicas, both the encoded
base64 and the password scheme: {PBKDF2_SHA256}AAAIAGIHopZZSHY8.....

Since I changed it as described in the link I included...

> which means that the replica used PBKDF2_SHA256 as password storage scheme.
> You need to check if this password storage scheme is supported on the master 
> (we had issues in the past with a password storage scheme used by the replica 
> that was not supported on the master and caused the bind to fail, 
> https://bugzilla.redhat.com/show_bug.cgi?id=2151071). The list of supported 
> password storage schemes is available with the following command:
> # ldapsearch -D "cn=directory manager" -W -LLL -o ldif-wrap=no -b 
> "cn=Password Storage Schemes,cn=plugins,cn=config" -s one dn

Yes, and they both support PBKDF2_SHA256, both as a plugin and as a password
storage scheme

> If the replica is using a password scheme not supported on the master, you 
> are probably hitting the above BZ. There were fixes for multiple versions of 
> 389-ds; we would need to know your exact versions on the replica and the 
> master to point you to the right advisory.

4.9.10 and 4.11.1

(Fedora is just now updating it to 4.11.1-2; will look at the changes)

Anyway, thanks for the help so far, I can now see the account
replicated but I don't quite understand why it doesn't work...

> flo
>>
>> And the log says:
>> 2024-03-11T15:00:24Z DEBUG   [4/28]: creating installation admin user
>> 2024-03-11T15:00:24Z DEBUG Waiting 300 seconds for
>> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca to appear on
>> ldap://freeipa-1.xerces.lan:389
>> 2024-03-11T15:05:24Z ERROR Unable to log in as
>> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca on
>> ldap://freeipa-1.xerces.lan:389
>> 2024-03-11T15:05:24Z INFO [hint] tune with replication_wait_timeout
>> 2024-03-11T15:05:24Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py",
>> line 686, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py",
>> line 672, in run_step
>>     method()
>>   File 
>> "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py",
>> line 789, in setup_admin
>>     raise errors.NotFound(
>> ipalib.errors.NotFound:
>> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not replicate to
>> ldap://freeipa-1.xerces.lan:389
>>
>> 2024-03-11T15:05:24Z DEBUG   [error] NotFound:
>> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not replicate to
>> ldap://freeipa-1.xerces.lan:389
>> 2024-03-11T15:05:24Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>> 2024-03-11T15:05:24Z DEBUG   File
>> "/usr/lib/python3.12/site-packages/ipaserver/install/installutils.py",
>> line 781, in run_script
>>     return_value = main_function()
>>                    ^^^^^^^^^^^^^^^
>>
>>   File "/usr/sbin/ipa-ca-install", line 320, in main
>>     install(safe_options, options)
>>
>>   File "/usr/sbin/ipa-ca-install", line 286, in install
>>     install_replica(safe_options, options)
>>
>>   File "/usr/sbin/ipa-ca-install", line 214, in install_replica
>>     ca.install(True, config, options, custodia=custodia)
>>
>>   File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py",
>> line 354, in install
>>     install_step_0(standalone, replica_config, options, custodia=custodia)
>>
>>   File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py",
>> line 422, in install_step_0
>>     ca.configure_instance(
>>
>>   File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py",
>> line 505, in configure_instance
>>     self.start_creation(runtime=runtime)
>>
>>   File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py",
>> line 686, in start_creation
>>     run_step(full_msg, method)
>>
>>   File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py",
>> line 672, in run_step
>>     method()
>>
>>   File 
>> "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py",
>> line 789, in setup_admin
>>     raise errors.NotFound(
>>
>> 2024-03-11T15:05:24Z DEBUG The ipa-ca-install command failed,
>> exception: NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca
>> did not replicate to ldap://freeipa-1.xerces.lan:389
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
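As an added example (not from this thread or from FreeIPA itself), a small Python script that performs the two checks Flo describes without touching a live server: it unfolds the LDIF-wrapped `userPassword::` value from the replica-side ldapsearch, base64-decodes it to read the `{SCHEME}` tag, and compares that tag with the dn list the master returns under cn=Password Storage Schemes. Both LDIF samples are constructed; the hostname and hash value are placeholders.

```python
import base64

# Constructed sample: replica-side ldapsearch output for the installation admin
# entry, with the base64 ("::") userPassword folded across two lines as LDIF does.
REPLICA_LDIF = """\
dn: uid=admin-replica.example.test,ou=people,o=ipaca
uid: admin-replica.example.test
userPassword:: e1BCS0RGMl9TSEEyNTZ9ZGVt
 by1oYXNoLXZhbHVlLTAw
"""

# Constructed sample: master-side "ldapsearch -s one dn" under
# cn=Password Storage Schemes,cn=plugins,cn=config (one dn per scheme).
MASTER_SCHEMES_LDIF = """\
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config

dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config

dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
"""

def parse_ldif(text):
    """Unfold RFC 2849 continuation lines (leading space), decode '::' base64
    values, and return {attribute_lowercase: [values]} for the whole output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded line: drop the space, append
        elif raw:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def password_scheme(userpassword):
    """Return the SCHEME from a '{SCHEME}hash' string, or None if untagged."""
    if userpassword.startswith("{") and "}" in userpassword:
        return userpassword[1:userpassword.index("}")]
    return None

def supported_schemes(schemes_ldif):
    """Scheme names (the cn of each dn) listed under Password Storage Schemes."""
    dns = parse_ldif(schemes_ldif).get("dn", [])
    return {dn.split(",", 1)[0].split("=", 1)[1] for dn in dns}

def check_scheme(replica_ldif, master_schemes_ldif):
    """(scheme used by the replica, whether the master lists that scheme)."""
    scheme = password_scheme(parse_ldif(replica_ldif)["userpassword"][0])
    return scheme, scheme in supported_schemes(master_schemes_ldif)

if __name__ == "__main__":
    scheme, ok = check_scheme(REPLICA_LDIF, MASTER_SCHEMES_LDIF)
    print(f"replica hashed userPassword with {scheme}; master supports it: {ok}")
```

Feed it the real outputs of the two ldapsearch commands above and a scheme that is missing from the master's list points at the bugzilla case; a scheme that is present (as in this thread) means the bind failure has another cause.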
