Re: [Freeipa-users] replica install - Insufficient 'add' privilege ?

[Martin Babinsky]

On 02/10/2017 01:29 PM, lejeczek wrote:
hi everyone,
I'm trying something mundane(can't think why, how my setup would be
special/different) - replica installation - but I hit this:

 [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Insufficient
access: Insufficient 'add' privilege to add the entry
'cn=NTP,cn=work3.whale.private,cn=masters,cn=ipa,cn=etc,dc=whale,dc=private'.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information

$and logs tail:

2017-02-10T12:20:46Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-WHALE-PRIVATE.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7999290>
2017-02-10T12:20:47Z DEBUG Destroyed connection context.ldap2_84192272
2017-02-10T12:20:47Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install
    for nothing in self._installer(self.parent):
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1714, in main
    promote(self)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 364, in decorated
    func(installer)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1425, in promote
    remote_api.env.realm)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ntpinstance.py",
line 43, in ntp_ldap_enable
    ntp.ldap_enable('NTP', fqdn, None, base_dn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 512, in ldap_enable
    self.admin_conn.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1492, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
971, in error_handler
    raise errors.ACIError(info=info)

2017-02-10T12:20:47Z DEBUG The ipa-replica-install command failed,
exception: ACIError: Insufficient access: Insufficient 'add' privilege
to add the entry
'cn=NTP,cn=work3.whale.private,cn=masters,cn=ipa,cn=etc,dc=whale,dc=private'.
2017-02-10T12:20:47Z ERROR Insufficient access: Insufficient 'add'
privilege to add the entry
'cn=NTP,cn=work3.whale.private,cn=masters,cn=ipa,cn=etc,dc=whale,dc=private'.
2017-02-10T12:20:47Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information

would you share some thoughts?
many thanks,
L.



We need to know more details about the replica installation, is it 
domain level 0? Domain level 1? In domain level 1, do you enroll as 
admin user or using a privileged host account? Did you re-run the 
installation? Maybe there is some stale ccache present on your system.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project