Hi,

Not yet, I'm busy with it right now.

I created a bug report where I'm checking the referenced bugs now, but I didn't see a solution that fast.

https://bugzilla.redhat.com/show_bug.cgi?id=1235766

I did do point 3 & 4.

Matt

2015-06-27 15:27 GMT+02:00 Dmitri Pal <[email protected]>:
> On 06/23/2015 06:15 PM, Matt . wrote:
>>
>> Anyone some suggestions about this ?
>>
>> I'm thinking about adding from my second 3.x master where I first need
>> to split that cluster to make that happen.
>
> Was that resolved?
>
>> 2015-06-22 22:57 GMT+02:00 Matt . <[email protected]>:
>>>
>>> OK,
>>>
>>> I'm on the go here but I have some issue.
>>>
>>> When I install the replica server I get this error on the new replica:
>>>
>>> ipa : CRITICAL CA DS schema check failed. Make sure the PKI service on the remote master is operational.
>>>
>>> When I restart IPA on the old master I get this:
>>>
>>> PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>> [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>> [ OK ]
>>>
>>> So the error on the replica is not that strange, but how to fix this on the master ?
>>>
>>> Matt
>>>
>>> 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel <[email protected]>:
>>>> On 22.06.2015 12:10, Matt . wrote:
>>>>> Hi Guys,
>>>>
>>>> Hi Matt,
>>>>
>>>>> I found some good information about migrating from 3.3 to 4.x using replicas.
>>>>>
>>>>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as CentOS doesn't provide 3.3.
>>>>
>>>> Could you please share a URL or something?
>>>>
>>>> Currently I'm here:
>>>>
>>>> * ipa-6 - CentOS 6.6:
>>>>   ipa-admintools-3.0.0-42.el6.centos.x86_64
>>>>   ipa-client-3.0.0-42.el6.centos.x86_64
>>>>   ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>   ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>   ipa-python-3.0.0-42.el6.centos.x86_64
>>>>   ipa-server-3.0.0-42.el6.centos.x86_64
>>>>   ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>>>>   sssd-ipa-1.11.6-30.el6_6.4.x86_64
>>>>   pki-ca-9.0.3-38.el6_6.noarch
>>>>
>>>> * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind, bind-dyndb-ldap):
>>>>   ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>>>>   ipa-client-4.1.0-18.el7.centos.3.x86_64
>>>>   ipa-python-4.1.0-18.el7.centos.3.x86_64
>>>>   ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>>   sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>   pki-ca-10.1.2-7.el7.noarch
>>>>
>>>> -1. Update schema
>>>>   ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
>>>>   ipa-6# python copy-schema-to-ca.py
>>>>
>>>> 0. clean up old/stale replication agreements
>>>>   ipa-replica-manage del --force ipa-6.example.com
>>>>   ipa-csreplica-manage del --force ipa-6.example.com
>>>>
>>>> 1. prepare replication on ipa-6 for ipa-7
>>>>   ipa-replica-prepare ipa-7.example.com
>>>>
>>>> 2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>>>   - <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>>>>   + <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>>>>
>>>> 3. slow down the network a bit (don't know how effective it is, as we already got 1GBit, but without it, a timing bug in 389-ds-base is triggered - see https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>>>   tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540
>>>>
>>>> 4. install replication (without CA for the moment)
>>>>   ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders
>>>>
>>>> Up to now, everything works, but we need the CA too:
>>>>
>>>> 5. install ca
>>>>   ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg
>>>>
>>>> But this won't work and I don't have a clue how to fix/proceed from here.
>>>>
>>>> # ipa-7: /var/log/ipareplica-ca-install.log
>>>> ipa : DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
>>>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>>>>
>>>> ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
>>>> ipa : DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
>>>>     raise RuntimeError('Configuration of CA failed')
>>>> RuntimeError: Configuration of CA failed
>>>>
>>>> # ipa-7: /var/log/pki/pki-tomcat/ca/system
>>>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>>> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>>>
>>>> # ipa-7: /var/log/pki/pki-tomcat/ca/debug
>>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
>>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>>>> [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>>>> [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>>>>
>>>> # ipa-6: /var/log/httpd/access_log
>>>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309
>>>> 10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
>>>>
>>>> # ipa-6: /var/log/pki-ca/debug
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='name' value='CA ipa-7.example.com 8443'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='eeclientauthsport' value='443'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='httpport' value='80'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sport' value='443'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='dm' value='true'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='adminsport' value='443'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='list' value='CAList'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='clone' value='true'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='type' value='CA'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='agentsport' value='443'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sessionID' value='-4812857165985662682'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='host' value='ipa-7.example.com'
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML start to service.
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing...
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: authentication starts
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL certificate
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.COM
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving client certificate
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client certificate
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate found
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure
>>>> [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 15:12:59 CEST 2015 id=caUpdateDomainXML time=11
>>>>
>>>> # ipa-6: /var/log/pki-ca/system
>>>> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate Serial 0x272 Subject DN CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found
>>>> 5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet caUpdateDomainXML: Failed to authorize: Invalid Credential..
>>>>
>>>> It would be great if someone could give a hint where to look and what user can't authenticate and why.
>>>>
>>>> @Matt: For renaming the IdM server, see https://access.redhat.com/solutions/174733 it could possibly help.
>>>>
>>>> b/r
>>>> H.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>
> --
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
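As an added example (not code from this thread or from the FreeIPA/Dogtag projects), a small Python script that runs over the two log formats quoted above and extracts the two facts this thread turns on: the attribute definitions 389-ds refused because the matching rule does not fit the attribute syntax, and the client certificate subject behind each CA `AUTH_FAIL` audit event. The sample log lines are constructed from the excerpts in the thread; the regexes assume those exact message shapes.

```python
import re

# Constructed sample lines, modelled on the excerpts quoted in this thread.
DS_ERRORS_LOG = """\
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:37 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

PKI_DEBUG_LOG = """\
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
[22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure
[22/Jun/2015:15:13:10][TP-Processor6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=admin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
"""

# 389-ds startup error for an attribute whose matching rule does not fit its syntax OID.
SYNTAX_RE = re.compile(
    r"attr_syntax_create - Error: the (?P<kind>\w+) matching rule \[(?P<rule>[^\]]+)\] "
    r"is not compatible with the syntax \[(?P<syntax>[^\]]+)\] for the attribute \[(?P<attr>[^\]]+)\]"
)
# Dogtag signed-audit message: [AuditEvent=NAME] followed by [Key=Value] fields.
AUDIT_RE = re.compile(r"\[AuditEvent=(?P<event>\w+)\](?P<fields>(?:\[[^\]]*\])*)")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def schema_conflicts(errors_log):
    """Attributes 389-ds rejected at startup, with the rule and syntax it complained about.
    Each such attribute is missing from the running schema, which is what the
    replica's 'CA DS schema check failed' compares against."""
    return [
        {"attribute": m["attr"], "kind": m["kind"], "rule": m["rule"], "syntax": m["syntax"]}
        for m in SYNTAX_RE.finditer(errors_log)
    ]


def failed_cert_auths(debug_log):
    """(AuthMgr, AttemptedCred) for every AUTH_FAIL event: the client-certificate
    subject the CA could not map to a user entry."""
    found = []
    for m in AUDIT_RE.finditer(debug_log):
        if m["event"] != "AUTH_FAIL":
            continue
        fields = dict(FIELD_RE.findall(m["fields"]))  # value may itself contain '='
        found.append((fields.get("AuthMgr"), fields.get("AttemptedCred")))
    return found


if __name__ == "__main__":
    for c in schema_conflicts(DS_ERRORS_LOG):
        print("schema: attribute %(attribute)s: %(kind)s rule %(rule)s vs syntax %(syntax)s" % c)
    for mgr, cred in failed_cert_auths(PKI_DEBUG_LOG):
        print("CA auth failure via %s for cert subject %s" % (mgr, cred))
```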
