Hello, I've encountered several issues while installing a FreeIPA replica.

I have a FreeIPA 4.6.8 master, and the replica I tried installing is 4.9.12.

During the replica install it seems that the replica is unable to get a CA cert 
from my master:

DEBUG Configuring Kerberos KDC (krb5kdc)
DEBUG   [1/1]: installing X509 Certificate for PKINIT
DEBUG flushing ldapi://%2Frun%2Fslapd-[REDACTED].socket from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-[REDACTED].socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f6ac1b7d6d8>
DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
DEBUG certmonger request is in state 'SUBMITTING'
DEBUG certmonger request is in state 'CA_UNREACHABLE'
DEBUG Cert request 20240312144851 failed: CA_UNREACHABLE (Server at https://[REDACTED]/ipa/json failed request, will retry: 903 (an internal error has occurred).)
DEBUG Giving up on cert request 20240312144851
WARNING PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://[REDACTED]/ipa/json failed request, will retry: 903 (an internal error has occurred).)
WARNING Failed to configure PKINIT
DEBUG Full PKINIT configuration did not succeed
DEBUG The setup will only install bits essential to the server functionality
DEBUG You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
DEBUG certmonger request is in state 'GENERATING_CSR'
DEBUG certmonger request is in state 'MONITORING'
DEBUG Cert request 20240312144853 was successful
DEBUG step duration: krb5kdc setup_pkinit 2.72 sec
DEBUG Done configuring Kerberos KDC (krb5kdc).

(However, the installation succeeds with INFO The ipa-replica-install 
command was successful)


On master in /var/log/httpd/error_log:

ipa: ERROR: non-public: AttributeError: 'ldap2' object has no attribute 'Object'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 863, in execute
    ca_kdc_check(ldap, alt_principal.hostname)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 301, in ca_kdc_check
    master_dn = api_instance.Object.server.get_dn(unicode(hostname))
AttributeError: 'ldap2' object has no attribute 'Object'
 ipa: INFO: [jsonserver_kerb] host/ipa-replica01.[REDACTED]@[REDACTED]: 
cert_request(u'MIID3DCCAsQCAQAwQjEZMBcGA1UECgwQRkxPUkEuTFRGUy5UT09MUzElMCMGA1UEAxMcaXBhLXNsYXZlMDEuZmxvcmEubHRmcy50b29sczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANhiTu7x/3sRCBq0spuBM1M2dkAzfMFEtJRx/BUcDi7PrRhJBa+w2o+XfOjtP9YFYpnOYbqV6eNlslGuYbHYIZX5D4lawvcT+IfqBaeWAz3ZRyK+nFVotMm+BRHNeUFse3OUL2kGPLRgXZQ1wdzE+V17rTRtPHDV9cs0ERjTjMyntM24zYxWicrdsoFfwF/BJQRXVO+GZDdhJcmNvCcxywaUD8C/y9TYYLwhFdIRYFmOHvTHJwabPt5/QM8EkrAfkpCHypwf6oz7xvyiqnRFyx5okWexHqE1xXHbvMS+pjd2eNBl4n38H+hbdb83wJFS64M9zerlhU/u5h4cbY0WdIJtOz2dP7A3NvQL0X5oF10ivWYw5+Rbar8h6nCr07ApVku6m5kXePp6rK3c0f+IORxflJFEdRGBG7zBbE1Dt4Kf5Q+uTwiEjN2wEre1s6CFg8oTipncOwHkyettAplFisitfdxs4HlEZpsN3kxh6NQDFAhx4JE1WNGMPVZNKuBz6tHhMwgpDDXS16UjIXZqYllUDnBaf5GdawCgWr2wbXEaUflgOWje/QyvZkYVsHZzUFw9Bqh8B7jxw7h/4KAM43XBDWN9P6J2+gqp2M3SQ=',
 profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/[REDACTED]@[REDACTED]', 
add=True): InternalError

That's issue number one. Number two is that I can't log in to the web UI of my 
replica - it gives me a "Login failed due to an unknown reason" error. From 
/var/log/httpd/error_log:

[auth_gssapi:error] GSS ERROR gss_acquire_cred[_from]() failed to get server 
creds: [Unspecified GSS failure.  Minor code may provide more information ( 
SPNEGO cannot find mechanisms to negotiate)]
[wsgi:error] ipa: INFO: 401 Unauthorized: No session cookie found


Finally, my third issue is that I can't remove the replica from my master. 
ipa-replica-manage del --force --cleanup fails with:

Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-manage", line 1624, in <module>
    main(options, args)
  File "/usr/sbin/ipa-replica-manage", line 1524, in main
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 740, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 620, in load_plugins
    self.add_package(package)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 658, in add_package
    self.add_module(module)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 675, in add_module
    self.add_plugin(**kwargs)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 711, in add_plugin
    plugin=plugin,
PluginOverrideError: unexpected override of BaseCertObject.certreq with <class 'ipaserver.plugins.cert.certreq'>
Unexpected error: unexpected override of BaseCertObject.certreq with <class 'ipaserver.plugins.cert.certreq'>