Hi, On Wed, Mar 13, 2024 at 10:06 AM Ian Kumlien <[email protected]> wrote:
> On Tue, Mar 12, 2024 at 10:36 PM Florence Blanc-Renaud <[email protected]> > wrote: > > > > Hi, > > > > On Tue, Mar 12, 2024 at 12:54 PM Ian Kumlien via FreeIPA-users < > [email protected]> wrote: > >> > >> Hi, > >> > >> So i have spent quite some time trying to get out of the swamp that is > >> centos stream 8 and back to something with a actual upgrade path, > >> fedora =) > >> > >> Everything works except the ipa-ca-install on the replica - mostly > >> fails at the same step > >> > >> At some point the conncheck failed, dropping me in to a prompt asking > >> for the password of a admin-<machine> account > >> > >> Anyway, I do know about the issue with - vs _ and validated on master, > >> changed on replica as detailed here: > >> > https://lists.fedoraproject.org/archives/list/[email protected]/message/IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK/ > >> > >> But it still fails.. > >> > >> Oh and btw, none of the machines are running any firewalls =) > >> > >> Anyone that has a clue of what to test next? > >> > >> Btw, it's 4.9 to 4.11 if there is other issues with interoperability > >> > >> ipa-ca-install --skip-conncheck > >> Directory Manager (existing master) password: > >> > >> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes > >> [1/28]: creating certificate server db > >> [2/28]: setting up initial replication > >> Starting replication, please wait until this has completed. > >> Update in progress, 7 seconds elapsed > >> Update succeeded > >> > >> [3/28]: creating ACIs for admin > >> [4/28]: creating installation admin user > >> ipaserver.install.dogtaginstance: ERROR Unable to log in as > >> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca on > >> ldap://freeipa-1.xerces.lan:389 > >> [error] NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca > >> did not replicate to ldap://freeipa-1.xerces.lan:389 > >> > >> Your system may be partly configured. > >> Run /usr/sbin/ipa-server-install --uninstall to clean up. > >> > >> Unexpected error - see /var/log/ipareplica-ca-install.log for details: > >> NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not > >> replicate to ldap://freeipa-1.xerces.lan:389 > >> > > The installation of a CA clone creates this user on the replica, lets > the replication copy the entry on the master and then checks by doing a > ldap bind from the replica to the master that the entry has been properly > replicated. > > When this error happens, it can either mean that the entry was not > replicated or that the bind failed. > > > > In order to know exactly what is happening for you, you can check > > - on the master freeipa-1.xerces.lan, do a ldapsearch for this entry and > check if it exists. If the entry is present, the replication properly > propagated the entry from replica to master and you are probably hitting > the 2nd issue. > > # ldapsearch -D "cn=directory manager" -W -b > uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca > > > > - on the replica, do a ldapsearch for this entry and check the > userpassword attribute. It is base64-encoded, and you can decode it in > order to find the password storage scheme that was used to encrypt the > password. > > For instance on my machine: > > > > dn: uid=admin-replica.ipa.test,ou=people,o=ipaca > > userPassword:: > e1BCS0RGMl9TSEEyNTZ9QUFBSUFCWVMrWHUxVEJzb0VTcjJLQVl4RlZHWGRHWWZ > > > NTmxFN3dCZHRRV1IxUTNxaTdKTXord2duLzIrc1NKMDZJbXhBeng5ZkR2VEIrMCsvQkZyMmRiL1pT > > > dy96YzdhNWlVNGVCYnZHem9FODM0VHpIbHBweS9UeFRhc0Facm81OG1iT05OaUdBbml1c3pVcE5nb > > > 055R3dLYkpqQzZQeEpNeStnUklOa2xaOHJjTHBQSkZLam9jR0UvQ1NoeWFQYWN0b1ZZQlZVWHAzM3 > > > pyeWtZVlBIL0pIUjNQb2pnZnNUb2pRL2w5UWg1UGEwVjVVZ0VyUGpFK0dsNWtLS3FMaWE0d296Rk4 > > > wM3ozZjVwRGZDRnZOSi9CVEdENHhpcmNhcFZSVG5jTTRBZ0xPQlBCa2hoVm1vbEZBZHZ0OVUxY1ZL > > > ZHVDZWRhWVUzZXZrS1hHcWx3alpTbEpPdkQ5SllJb0FHRlBwOXJERlJscU1MWEhUckx2aVoxTWgyM > > 2Roa0hrR0VXM3pna3VuK2FIcnNvYUZMWWQwZi95NjlweDBRMzJvci9vOXBZV1F6S1ppNUFp > > > > > > If I base64 decode the value: > > > > # echo > e1BCS0RGMl9TSEEyNTZ9QUFBSUFCWVMrWHUxVEJzb0VTcjJLQVl4RlZHWGRHWWZNTmxFN3dCZHRRV1IxUTNxaTdKTXord2duLzIrc1NKMDZJbXhBeng5ZkR2VEIrMCsvQkZyMmRiL1pTdy96YzdhNWlVNGVCYnZHem9FODM0VHpIbHBweS9UeFRhc0Facm81OG1iT05OaUdBbml1c3pVcE5nb055R3dLYkpqQzZQeEpNeStnUklOa2xaOHJjTHBQSkZLam9jR0UvQ1NoeWFQYWN0b1ZZQlZVWHAzM3pyeWtZVlBIL0pIUjNQb2pnZnNUb2pRL2w5UWg1UGEwVjVVZ0VyUGpFK0dsNWtLS3FMaWE0d296Rk4wM3ozZjVwRGZDRnZOSi9CVEdENHhpcmNhcFZSVG5jTTRBZ0xPQlBCa2hoVm1vbEZBZHZ0OVUxY1ZLZHVDZWRhWVUzZXZrS1hHcWx3alpTbEpPdkQ5SllJb0FHRlBwOXJERlJscU1MWEhUckx2aVoxTWgyM2Roa0hrR0VXM3pna3VuK2FIcnNvYUZMWWQwZi95NjlweDBRMzJvci9vOXBZV1F6S1ppNUFp > | base64 -d > > > {PBKDF2_SHA256}AAAIABYS+Xu1TBsoESr2KAYxFVGXdGYfMNlE7wBdtQWR1Q3qi7JMz+wgn/2+sSJ06ImxAzx9fDvTB+0+/BFr2db/ZSw/zc7a5iU4eBbvGzoE834TzHlppy/TxTasAZro58mbONNiGAniuszUpNgoNyGwKbJjC6PxJMy+gRINklZ8rcLpPJFKjocGE/CShyaPactoVYBVUXp33zrykYVPH/JHR3PojgfsTojQ/l9Qh5Pa0V5UgErPjE+Gl5kKKqLia4wozFN03z3f5pDfCFvNJ/BTGD4xircapVRTncM4AgLOBPBkhhVmolFAdvt9U1cVKduCedaYU3evkKXGqlwjZSlJOvD9JYIoAGFPp9rDFRlqMLXHTrLviZ1Mh23dhkHkGEW3zgkun+aHrsoaFLYd0f/y69px0Q32or/o9pYWQzKZi5Ai > > Yes, and the value is the same on both replicas, both the encoded > base64 and the password scheme: {PBKDF2_SHA256}AAAIAGIHopZZSHY8..... > > Since I changed it as described in the link i included... > > > which means that the replica used PBKDF2_SHA256 as password storage > scheme. > > You need to check if this password storage scheme is supported on the > master (we had issues in the past with a password storage scheme used by > the replica that was not supported on the master and caused the bind to > fail, https://bugzilla.redhat.com/show_bug.cgi?id=2151071). The list of > supported password storage schemes is available with the following command: > > # ldapsearch -D "cn=directory manager" -W -LLL -o ldif-wrap=no -b > "cn=Password Storage Schemes,cn=plugins,cn=config" -s one dn > > Yes, and they both support PBKDF2_SHA256 both as plugin and password > storage scheme > > > If the replica is using a password scheme not supported on the master, > you are probably hitting the above BZ. There were fixes for multiple > versions of 389-ds, we would need to know your exact versions on the > replica and the master to point you to the right advisory. > > 4.9.10 and 4.11.1 > > (fedora is just now updating it to 4.11.1-2 will look at the changes) > > Anyway, thanks for the help so far, i can now see the account > replicated but i don't quite understand why it doesn't work... > Your ipa-ca-install command failed at 2024-03-11T15:05:24Z. Can you check on the master around this date if there is a connection from replica to master with a BIND attempt that would be failing? The logs are in /var/log/dirsrv/slapd-YOURDOMAIN/access. Look for something similar to BIND dn="uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca". Then note the conn number and op number and look for the RESULT with the same conn and op, for instance: [13/Mar/2024:09:10:01.331583308 +0000] conn=106 op=2 BIND dn="uid=admin-replica0.ipa.test,ou=people,o=ipaca" method=128 version=3 [13/Mar/2024:09:10:01.355201520 +0000] conn=106 op=2 RESULT err=0 tag=97 nentries=0 wtime=0.000106547 optime=0.023642452 etime=0.023744831 dn="uid=admin-replica0.ipa.test,ou=people,o=ipaca" The lines may be separated by other logs, and the err=xxx will show if the bind is successful or failed. err=0 means success, err=49 means invalid credentials. flo > > flo > >> > >> And the log says: > >> 2024-03-11T15:00:24Z DEBUG [4/28]: creating installation admin user > >> 2024-03-11T15:00:24Z DEBUG Waiting 300 seconds for > >> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca to appear on > >> ldap://freeipa-1.xerces.lan:389 > >> 2024-03-11T15:05:24Z ERROR Unable to log in as > >> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca on > >> ldap://freeipa-1.xerces.lan:389 > >> 2024-03-11T15:05:24Z INFO [hint] tune with replication_wait_timeout > >> 2024-03-11T15:05:24Z DEBUG Traceback (most recent call last): > >> File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > >> line 686, in start_creation > >> run_step(full_msg, method) > >> File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > >> line 672, in run_step > >> method() > >> File > "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", > >> line 789, in setup_admin > >> raise errors.NotFound( > >> ipalib.errors.NotFound: > >> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not replicate to > >> ldap://freeipa-1.xerces.lan:389 > >> > >> 2024-03-11T15:05:24Z DEBUG [error] NotFound: > >> uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca did not replicate to > >> ldap://freeipa-1.xerces.lan:389 > >> 2024-03-11T15:05:24Z DEBUG Removing /root/.dogtag/pki-tomcat/ca > >> 2024-03-11T15:05:24Z DEBUG File > >> "/usr/lib/python3.12/site-packages/ipaserver/install/installutils.py", > >> line 781, in run_script > >> return_value = main_function() > >> ^^^^^^^^^^^^^^^ > >> > >> File "/usr/sbin/ipa-ca-install", line 320, in main > >> install(safe_options, options) > >> > >> File "/usr/sbin/ipa-ca-install", line 286, in install > >> install_replica(safe_options, options) > >> > >> File "/usr/sbin/ipa-ca-install", line 214, in install_replica > >> ca.install(True, config, options, custodia=custodia) > >> > >> File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", > >> line 354, in install > >> install_step_0(standalone, replica_config, options, > custodia=custodia) > >> > >> File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", > >> line 422, in install_step_0 > >> ca.configure_instance( > >> > >> File > "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", > >> line 505, in configure_instance > >> self.start_creation(runtime=runtime) > >> > >> File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > >> line 686, in start_creation > >> run_step(full_msg, method) > >> > >> File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", > >> line 672, in run_step > >> method() > >> > >> File > "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", > >> line 789, in setup_admin > >> raise errors.NotFound( > >> > >> 2024-03-11T15:05:24Z DEBUG The ipa-ca-install command failed, > >> exception: NotFound: uid=admin-freeipa-4.xerces.lan,ou=people,o=ipaca > >> did not replicate to ldap://freeipa-1.xerces.lan:389 > >> -- > >> _______________________________________________ > >> FreeIPA-users mailing list -- [email protected] > >> To unsubscribe send an email to > [email protected] > >> Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > >> Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
