Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-18 Thread Matt .
Hi Martin,

Indeed strange as another master where I did the upgrade on went fine.

It is/was a master with CA and Externally Signed CA, which was
perfectly synced to the other master.

I finally uninstalled the ipa server and did a new replica install on
it with dns and CA and all went smooth and fine. I also had some weird
DNS error and bind didn't want to start anymore because it was expecting
a ';'. I thought this had something to do with a forwarder, which it wasn't.

For now I'm good, but do you want extra info ?

Thanks,

Matt

2016-10-18 7:49 GMT+02:00 Martin Babinsky :
> On 10/18/2016 12:30 AM, Matt . wrote:
>>
>> Hi Guys,
>>
>> I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24
>>
>> I already checked some info and:
>>
>> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> Gives me TU instead of MII as expected.
>>
>> Any suggestions further ?
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 2016-10-17T22:19:10Z DEBUG Starting external process
>> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
>> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
>> 2016-10-17T22:19:10Z DEBUG stdout=
>> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2016-10-17T22:19:11Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
>> in execute
>>     return_value = self.run()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>     server.upgrade()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1867, in upgrade
>>     upgrade_configuration()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1770, in upgrade_configuration
>>     certificate_renewal_update(ca, ds, http),
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1027, in certificate_renewal_update
>>     ds.start_tracking_certificates(serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 996, in start_tracking_certificates
>>     'restart_dirsrv %s' % serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 307, in track_server_cert
>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
>> load_certificate
>>     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
>>
>>
>> 2016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
>> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
>> security library failure.
>> 2016-10-17T22:19:11Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>
> Hmmm strange,
>
> looks like your DS certificate got lost or has some strange nickname in your
> directory server's NSS database.
>
> Is this CA-less install, externally signed CA or 'self-signed' CA? Master or
> replica?
>
> --
> Martin^3 Babinsky
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
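Two checks for the symptoms Matt describes, added here as a worked example; this is not code from FreeIPA or from anyone in the thread. Base64 of a DER certificate (which begins with the SEQUENCE bytes 0x30 0x82) always starts with 'MII', and base64 of the text 'MII' is 'TUlJ', so a cn=CAcert value that starts with 'TU' is a certificate that was base64-encoded twice. The first half below reduces such a value to DER and reports how many layers it peeled; the second parses the output of `certutil -d <dbdir> -L` (the command the upgrade log shows failing with `-n Server-Cert`) and reports which expected nicknames are absent. The certificate bytes, the realm, the CA nickname and both listings are constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# ---- 1. Is the cACertificate value DER, base64, or base64 applied twice? ----

def der_sequence_length(der: bytes) -> Optional[int]:
    """Total length of the outer DER SEQUENCE (tag 0x30) that every X.509
    certificate starts with, or None if the header is not well-formed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def normalize_cert_blob(value: bytes) -> Tuple[bytes, int]:
    """Reduce an LDAP certificate value to DER and report how many base64
    layers were peeled: 0 for raw DER, 1 for the normal base64/PEM form
    (text starts 'MII'), 2 for a double-encoded value (starts 'TUlJ').
    Anything else is rejected rather than guessed at."""
    data = value
    for layers in range(3):
        if der_sequence_length(data) == len(data):
            return data, layers
        text = b"".join(line.strip() for line in data.splitlines()
                        if not line.strip().startswith(b"-----"))  # drop PEM armor
        try:
            data = base64.b64decode(text, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not DER and not base64 at layer {layers}: {exc}")
    raise ValueError("more than two base64 layers; refusing to guess")

def fake_der_certificate(payload_len: int = 300) -> bytes:
    """Constructed stand-in for a certificate: a SEQUENCE with a long-form
    length and filler, which is all the prefix check depends on."""
    filler = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    return b"\x30\x82" + payload_len.to_bytes(2, "big") + filler

SAMPLE_DER = fake_der_certificate()
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)            # starts b"MII"
SAMPLE_DOUBLE_B64 = base64.b64encode(SAMPLE_B64)     # starts b"TUlJ"

# ---- 2. Does the NSS database still hold the expected nickname? ------------

# One data line of `certutil -d <dbdir> -L`: nickname, 2+ spaces, trust flags.
# The two header lines never match: "Trust Attributes" is not made of flag
# characters and "SSL,S/MIME,JAR/XPI" is indented.
_CERTUTIL_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw,]*)$")

def parse_certutil_listing(text: str) -> Dict[str, str]:
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _CERTUTIL_LINE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def missing_nicknames(listing: str, required=("Server-Cert",)) -> List[str]:
    have = parse_certutil_listing(listing)
    return [n for n in required if n not in have]

# Constructed listings; realm and CA nickname are made up.
HEALTHY_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
"""
# Same database, but the server certificate sits under a different nickname.
BROKEN_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ldap/ipa.example.test                                        u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
"""

if __name__ == "__main__":
    for label, blob in (("raw DER", SAMPLE_DER), ("base64", SAMPLE_B64),
                        ("double base64", SAMPLE_DOUBLE_B64)):
        der, layers = normalize_cert_blob(blob)
        print(f"{label:14s} prefix={blob[:4]!r:12s} layers={layers} der_ok={der == SAMPLE_DER}")
    print("healthy db missing:", missing_nicknames(HEALTHY_LISTING))
    print("broken db missing: ", missing_nicknames(BROKEN_LISTING))
```

On a live server the listing comes from `certutil -d /etc/dirsrv/slapd-<INSTANCE> -L` and the certificate value from the ldapsearch in the post; a value that peels to two layers is the LDAP entry to fix, while a listing without `Server-Cert` points at the NSS database, which is what the traceback above was tripping over.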


Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Martin Basti



On 18.10.2016 13:52, Deepak Dimri wrote:


Thanks Martin, I had to run ipa-server-install --uninstall -U to get 
rid of the IPA client error message on the replica server and then re-run 
the ipa-replica-install script to run it OK. But it does not look clean 
through - as I understand we do need to run the ipa-server-install script 
(same as master) on the replica server but that script by default 
installs the IPA client, which then causes the replica install to fail.  Is 
there any way I can avoid IPA client installation on the replica?





You need to run the ipa-replica-install installer, and the client is a required 
part of any server. Can you be more specific about what kind of errors you are 
getting? Logs?


Martin^2


Thanks,

Deepak




*From:* Martin Babinsky 
*Sent:* Monday, October 17, 2016 1:29 AM
*To:* Deepak Dimri; Martin Basti; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Not able to pass through 
ipa-replica-install on centos 7

On 10/15/2016 12:41 PM, Deepak Dimri wrote:
> Thanks Martin for the reply.
>
> when I try 'ipa-client-install --uninstall' then I am getting the below
> message:
>
>
> ipa-client-install --uninstall
> IPA client is configured as a part of IPA server on this system.
> Refer to ipa-server-install for uninstallation.
>
>
> How can I raise domain level to 1 in v4? I tried
>
> ipa *domainlevel-set* 1
>
> but i am getting ipa: ERROR: unknown command 'domainlevel-set'
>
> Thanks again for your help on this.
>
> Best Regards,
> Deepak
>
>

Hi Deepak,

IIRC CentOS 7 has FreeIPA 4.2.0-15, which does not support replica
promotion or domain levels other than 0.

The error from ipa-replica-install probably comes from leftovers of a
previous client enrollment.

Just run `ipa-client-install --uninstall -U` and then re-run the replica
installation as usual.

> 
> *From:* Martin Basti 
> *Sent:* Saturday, October 15, 2016 4:54 AM
> *To:* Deepak Dimri; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Not able to pass through
> ipa-replica-install on centos 7
>
>
>
>
> On 14.10.2016 18:58, Deepak Dimri wrote:
>>
>> Hi All,
>>
>>
>> I am trying to configure replication between two FreeIPA CentOS 7
>> servers.  As per the document I need the same FreeIPA version running on
>> both machines, which I have, and run ipa-replica-prepare on the
>> master and then simply run ipa-replica-install on the replica server
>> along with the replica file.  But I am unable to get past the below error
>> message:
>>
>>
>> [root@ip-172-31-23-230 ipa]# ipa-replica-install
>> /var/lib/ipa/replica-info-replica.ipa.com.gpg
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client
>> is already configured on this system.
>>
>> Please uninstall it first before configuring the replica, using
>> 'ipa-client-install --uninstall'.
>>
>>
>> What should I be doing to get around this error? The error looks
>> misleading as I am trying to install a replica and not an IPA client.
>>
>>
>> Thanks,
>>
>> Deepak
>>
>>
>>
> Hi,
>
> have you tried ipa-client-install --uninstall?
>
> A replica cannot be installed on a system where the client is already installed
> (with domain level 0, your case).
>
> Martin
>
>


--
Martin^3 Babinsky



Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-18 Thread Brian Candler

On 17/10/2016 15:52, Alexander Bokovoy wrote:

If you set ID range for corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for
RHEL7.


Thank you.

Final question. Suppose I use just the ipa-client package with sssd-ad 
pointing to Samba4 (or even real Windows AD). Is that likely to be a 
satisfactory solution for managing the *nix boxes, or would I be better 
off with two separate domains?


For example, would I lose the features that FreeIPA gives me like 
host-based access controls, sudo controls, central storage of ssh public 
keys?


Thanks,

Brian.



Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Deepak Dimri
Thanks Martin, I had to run ipa-server-install --uninstall -U to get rid of the IPA 
client error message on the replica server and then re-run the ipa-replica-install 
script to run it OK. But it does not look clean through - as I understand we do 
need to run the ipa-server-install script (same as master) on the replica server 
but that script by default installs the IPA client, which then causes the replica 
install to fail.  Is there any way I can avoid IPA client installation on the 
replica?


Thanks,

Deepak




Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Martin Babinsky

On 10/18/2016 04:59 PM, Deepak Dimri wrote:

Hi Martin, before running ipa-replica-install do I need to run the
ipa-server-install script on the replica?


I am installing the ipa-server-install script on the replica and then if I
install ipa-replica-install without uninstalling the IPA server then I get the
below errors:



No, there should be *no* IPA server or client installed on the 
replica machine; there just needs to be *some* IPA master on some other 
machine to prepare a replica file.


Just run ipa-replica-install on the replica and make sure that *no* 
ipa-server-install/ipa-client-install was run before that.



 [root@ip-172-31-23-230 ipa]#
ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
 ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA
client is already configured on this system.
Please uninstall it first before configuring the replica,
using 'ipa-client-install --uninstall'.

when I try 'ipa-client-install --uninstall' then I am getting the below:

ipa-client-install --uninstall
IPA client is configured as a part of IPA server on this system. Refer to
ipa-server-install for uninstallation


Thanks,

Deepak





--
Martin^3 Babinsky

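A pre-flight check that encodes the rule in this reply, added as an example and not part of FreeIPA or of anyone's post: on a domain level 0 host, ipa-replica-install wants neither a server nor a client already installed, and the right uninstall command depends on which one is present, because ipa-client-install --uninstall refuses on a host that is also a server. The file markers used to tell the states apart (etc/ipa/default.conf for an enrolled client, an etc/dirsrv/slapd-* instance directory for a server) are assumptions of this example, as are the fixture trees it builds. It also checks that a replica-info file is named for this host and is not readable by other local users, since it carries the new replica's key material, encrypted only with the Directory Manager password.

```python
import stat
import tempfile
from pathlib import Path
from typing import List

# Host-state markers assumed for this example (not taken from the thread):
#   etc/ipa/default.conf   written by ipa-client-install; the server installers
#                          enroll the client too, so servers carry it as well
#   etc/dirsrv/slapd-*     a 389-ds instance directory, present only after
#                          ipa-server-install / ipa-replica-install configured
#                          a server on this host
CLIENT_MARKER = Path("etc/ipa/default.conf")
SERVER_MARKER_GLOB = "etc/dirsrv/slapd-*"

def classify_host(root=Path("/")) -> str:
    """'server', 'client' or 'clean' for the tree rooted at `root`.  The
    server check runs first because a server carries the client marker too."""
    root = Path(root)
    if any(p.is_dir() for p in root.glob(SERVER_MARKER_GLOB)):
        return "server"
    if (root / CLIENT_MARKER).is_file():
        return "client"
    return "clean"

# ipa-client-install --uninstall refuses on a server ("IPA client is configured
# as a part of IPA server"), so the server state needs the server uninstaller.
NEXT_STEP = {
    "server": "ipa-server-install --uninstall -U, then ipa-replica-install <replica-file>",
    "client": "ipa-client-install --uninstall -U, then ipa-replica-install <replica-file>",
    "clean":  "ipa-replica-install <replica-file>",
}

def next_step(root=Path("/")) -> str:
    return NEXT_STEP[classify_host(root)]

def check_replica_file(path, expected_fqdn: str) -> List[str]:
    """Problems with a replica-info file before it is handed to
    ipa-replica-install: the host name baked into the file name must be this
    host, and the mode must not let group or others read the file."""
    path = Path(path)
    problems = []
    name = path.name
    if name.startswith("replica-info-") and name.endswith(".gpg"):
        fqdn = name[len("replica-info-"):-len(".gpg")]
        if fqdn != expected_fqdn:
            problems.append(f"file is for {fqdn}, this host is {expected_fqdn}")
    else:
        problems.append(f"unexpected replica file name {name!r}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} is readable by group/others; chmod 0600")
    return problems

def make_fixture(kind: str) -> Path:
    """Throwaway directory tree that looks like a host in the given state."""
    root = Path(tempfile.mkdtemp(prefix=f"ipa-{kind}-"))
    if kind in ("client", "server"):
        (root / CLIENT_MARKER).parent.mkdir(parents=True)
        (root / CLIENT_MARKER).write_text("[global]\nrealm = EXAMPLE.TEST\n")
    if kind == "server":
        (root / "etc/dirsrv/slapd-EXAMPLE-TEST").mkdir(parents=True)
    return root

def make_replica_file(fqdn: str, mode: int) -> Path:
    """Empty stand-in for replica-info-<fqdn>.gpg with the given mode."""
    root = Path(tempfile.mkdtemp(prefix="ipa-replica-file-"))
    path = root / f"replica-info-{fqdn}.gpg"
    path.write_bytes(b"")
    path.chmod(mode)
    return path

if __name__ == "__main__":
    for kind in ("clean", "client", "server"):
        print(f"{kind:7s}: {next_step(make_fixture(kind))}")
    rf = make_replica_file("replica.ipa.com", 0o644)
    print(check_replica_file(rf, "replica.ipa.com"))   # mode problem only
    print(check_replica_file(rf, "other.ipa.com"))     # name and mode problems
```

Run it with no arguments to see the three states on fixture trees; `classify_host()` and `next_step()` default to the live root filesystem, which is how it would be used on the would-be replica before touching any installer.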


Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Deepak Dimri
Hi Martin, before running ipa-replica-install do I need to run the 
ipa-server-install script on the replica?


I am installing the ipa-server-install script on the replica and then if I install 
ipa-replica-install without uninstalling the IPA server then I get the below errors:

 [root@ip-172-31-23-230 ipa]# ipa-replica-install 
/var/lib/ipa/replica-info-replica.ipa.com.gpg
 ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is 
already configured on this system.
Please uninstall it first before configuring the replica, using 
'ipa-client-install --uninstall'.

when I try 'ipa-client-install --uninstall' then I am getting the below:

ipa-client-install --uninstall
IPA client is configured as a part of IPA server on this system. Refer to 
ipa-server-install for uninstallation


Thanks,

Deepak




Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Martin Basti



On 18.10.2016 17:02, Martin Babinsky wrote:

On 10/18/2016 04:59 PM, Deepak Dimri wrote:

Hi Martin, before running ipa-replica-install do I need to run the
ipa-server-install script on the replica?


I am installing the ipa-server-install script on the replica and then if I
install ipa-replica-install without uninstalling the IPA server then I get the
below errors:




Please read docs.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-replica

No, there should be *no* IPA server or client installed on the 
replica machine; there just needs to be *some* IPA master on some 
other machine to prepare a replica file.


Just run ipa-replica-install on the replica and make sure that *no* 
ipa-server-install/ipa-client-install was run before that.





[Freeipa-users] Lots of error messages in logs after upgrade

2016-10-18 Thread Prashant Bapat
Hi,

I'm seeing lots of error messages like this in the DS logs.

[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.

We moved from 4.1.4 (FC21) to 4.2.0 (CentOS 7.2) recently. We have a total of 8
IPA servers with replication. Below are the steps I followed.

1. Install a new Centos server.
2. Replicated against a Fedora server with CA.
3. Moved the DNA ranges.
4. From the Centos master created replicas.

Is this related to the DS package version? We
have 389-ds-base-1.3.4.0-33.el7_2.x86_64.

Thanks.
--Prashant

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-18 Thread Alexander Bokovoy

On ti, 18 loka 2016, Brian Candler wrote:

On 17/10/2016 15:52, Alexander Bokovoy wrote:

If you set ID range for corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for
RHEL7.


Thank you.

Final question. Suppose I use just the ipa-client package with sssd-ad 
pointing to Samba4 (or even real Windows AD). Is that likely to be a 
satisfactory solution for managing the *nix boxes, or would I be 
better off with two separate domains?

No, it is wrong to use this mode. If you made a Linux machine a client
to IPA, it will be set up to use 'ipa' provider in SSSD and that should
support all needed functionality. You don't need to change anything in
the configuration.

Remember, I pointed you to sssd-ad manual page only to make sure you
would read about ID mapping because this is the place in SSSD
documentation which explains what happens there. I did not ask you to
change IPA client setup to use 'ad' provider in SSSD.



For example, would I lose the features that FreeIPA gives me like 
host-based access controls, sudo controls, central storage of ssh 
public keys?

Yes, you will lose all these features.


--
/ Alexander Bokovoy



[Freeipa-users] replica DS failure deadlock

2016-10-18 Thread Andrew E. Bruno
We had one of our replicas fail today with the following errors:


[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7400050004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7400050004
[18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f7400050004) error (1).  Aborting replication session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
[18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
[18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
[18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f0060) error (1).  Aborting replication session(conn=1901274 op=5)
[18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a0004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a0004


ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
hangs up here:

[18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, 
which should be added before the CoS Definition.
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - 
_cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema;
 NSPR error - -5943
[18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - 
_cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema;
 NSPR error - -5943


Tried deleting the semaphore files and restarting but no luck. Attached
is a stacktrace of the stuck ns-slapd process.

Here are the versions we're running:

ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

FWIW, we were experimenting with the new life-cycle management features,
specifically "preserved" users, and deleted the user "janedoe" when this
happened.  From the errors above it looks like this host failed to
replicate the change?  Not sure if this is related or not.

Is it possible to recover the database? Thanks in advance for any pointers.


--Andrew
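The errors-log entries quoted above, re-joined and summarized per CSN, as an added example that is not from the thread: the sample log is reconstructed from the lines in the post (wrapped the way the mail shows them), and the summary records the DN each failing changelog write concerned, how many changelog writes hit DB_LOCK_DEADLOCK, and whether the replication session was aborted.

```python
import re

# Constructed sample: entries from the pasted errors log above, kept wrapped
# mid-entry exactly as the mail client broke them
SAMPLE_LOG = """\
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn
58065f7400050004
[18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f7400050004) error (1).  Aborting replication
session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
"""

LOG_START = re.compile(r"^\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ")
CHANGELOG = re.compile(r"can't add a change for (.+?) \(uniqid: ([\w-]+), optype: (\d+)\) to changelog csn (\w+)")
DEADLOCK = re.compile(r"\(csn=(\w+)\) failed \(rc=-30993")
ABORT = re.compile(r"Failed to apply update \((\w+)\) error \((\d+)\)\.\s+Aborting replication session\(conn=(\d+) op=(\d+)\)")


def join_entries(text):
    """Re-join entries wrapped across lines: a 389-ds entry starts with a
    bracketed timestamp, anything else is a continuation of the previous one."""
    entries = []
    for line in text.splitlines():
        if LOG_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def summarize(entries):
    """Return {csn: details} for every CSN that shows replication trouble:
    the DN of a failed changelog write, deadlock retries, aborted sessions."""
    by_csn = {}
    for entry in entries:
        m = CHANGELOG.search(entry)
        if m:
            by_csn.setdefault(m.group(4), {}).update(dn=m.group(1), optype=int(m.group(3)))
        m = DEADLOCK.search(entry)
        if m:
            rec = by_csn.setdefault(m.group(1), {})
            rec["deadlocks"] = rec.get("deadlocks", 0) + 1
        m = ABORT.search(entry)
        if m:
            by_csn.setdefault(m.group(1), {}).update(aborted=True, conn=int(m.group(3)), op=int(m.group(4)))
    return by_csn
```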


[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-18 Thread Bertrand Rétif
Hello, 

I had an issue with pki-tomcat. 
I had several certificates that were expired and pki-tomcat did not start 
anymore. 

I set the date on the server to before certificate expiration and then pki-tomcat 
started properly. 
Then I tried to resubmit the certificate, but I get the error below: 
"Profile caServerCert Not Found" 

Do you have any idea how I could fix this issue? 

Please find below output of commands: 


# getcert resubmit -i 20160108170324 

# getcert list -i 20160108170324 
Number of certificates and requests being tracked: 7. 
Request ID '20160108170324': 
status: MONITORING 
ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" 
replied: Profile caServerCert Not Found 
stuck: no 
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' 
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB' 
CA: dogtag-ipa-ca-renew-agent 
issuer: CN=Certificate Authority,O=A.SKINFRA.EU 
subject: CN=IPA RA,O=A.SKINFRA.EU 
expires: 2016-06-28 15:25:11 UTC 
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment 
eku: id-kp-serverAuth,id-kp-clientAuth 
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre 
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert 
track: yes 
auto-renew: yes 


Thanks in advance for your help. 
Bertrand 
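
A check over the `getcert list` output shown above, as an added example that is not from the thread: it parses the tracked requests and flags any that are already expired at a given UTC time or that carry a ca-error, which is the condition that left pki-tomcat unable to start here. The sample output is constructed from the post's request plus a healthy request with a placeholder ID.

```python
import re
from datetime import datetime

# Constructed sample: the request from the post (fields trimmed) and a
# healthy one under a placeholder request ID
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
status: MONITORING
ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
stuck: no
CA: dogtag-ipa-ca-renew-agent
subject: CN=IPA RA,O=A.SKINFRA.EU
expires: 2016-06-28 15:25:11 UTC
track: yes
auto-renew: yes
Request ID 'EXAMPLE-HEALTHY':
status: MONITORING
stuck: no
CA: dogtag-ipa-ca-renew-agent
subject: CN=example.invalid,O=A.SKINFRA.EU
expires: 2018-01-01 00:00:00 UTC
track: yes
auto-renew: yes
"""


def parse_getcert(text):
    """Split `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # first colon only
            current[key] = value.strip()
    return requests


def _utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' (suffix optional)."""
    return datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")


def unhealthy(requests, now):
    """Return {request_id: [issues]} for requests expired at `now` (a UTC
    timestamp string) or reporting a ca-error; healthy ones are omitted."""
    problems = {}
    for rid, f in requests.items():
        issues = []
        if f.get("ca-error"):
            issues.append("ca-error: " + f["ca-error"])
        if f.get("expires") and _utc(f["expires"]) <= _utc(now):
            issues.append("expired " + f["expires"])
        if issues:
            problems[rid] = issues
    return problems
```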


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] DNS question on named.ca

2016-10-18 Thread Sean Hogan

Hi all,

   I have a DNS question on how/why my IPA DNS servers are trying to hit
the root DNS internet servers.  My IPA servers are in private networks only
serving DNS for the private domains they manage but recently the network
team indicated they see my ipa IPs trying to hit the outside world.  After
obtaining the logs I noticed they are trying to hit the internet root DNS
servers.  I then tracked down named.ca on the IPAs which correlates to the
IPs the network team is showing.  I then found named.conf references
named.ca for hints.

This is where I imagine it is coming from in named.conf

zone "." IN {
type hint;
file "named.ca";
};

Question is how can I stop my IPA DNS servers from trying to hit the
internet root DNS servers?  I was thinking commenting out named.ca in
named.conf but imagine bad things happening.
I guess I could also make a new file for named.ca and reference it in
named.conf...then scp it to the other ipas but no idea as to the syntax
(giving it a shot at bottom of email) or if it can be empty.  Any help is
appreciated.


IPA clients resolv.conf are set for search domain and the nameserver IPs of
the IPA servers.

Versions:
ipa-server-3.0.0-50.el6.1.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64

Commands used for server install:
 ipa-server-install --setup-dns



Attempt at correct syntax if I need a file with info in it, a file named say
fakenamed.ca.
If my IPA servers are named DNS1  10.10.10.1/2001:7fd::1 and DNS2
10.10.10.2/2001:503:c27::2:30, would this work, or is it not even needed?

; OPERATED BY ME
;
.        360   NS    DNS1.
DNS1.    360   A     10.10.10.1
DNS1.    360   AAAA  2001:7fd::1
;
; OPERATED BY ME
;
.        360   NS    DNS2.
DNS2.    360   A     10.10.10.2
DNS2.    360   AAAA  2001:503:c27::2:30



Sean Hogan
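
The root-hints format in the question, as an added example that is not from the thread: a small parser that lists the nameserver addresses a hint file such as named.ca points BIND at, so the outbound destinations the network team reported can be matched against the file. The sample hint text is constructed from the fakenamed.ca syntax above (the post's placeholder names and addresses, one line given with an explicit IN class), and an empty hint file simply parses to no servers.

```python
import ipaddress

# Constructed sample in the shape of the fakenamed.ca attempt in the post;
# the names and addresses are the post's placeholders, not real root servers.
SAMPLE_HINTS = """\
; OPERATED BY ME
;
.        360  NS    DNS1.
DNS1.    360  A     10.10.10.1
DNS1.    360  AAAA  2001:7fd::1
;
.        360  NS    DNS2.
DNS2.    360  IN  A     10.10.10.2
DNS2.    360  AAAA  2001:503:c27::2:30
"""


def parse_hints(text):
    """Map each NS named for the root zone to the addresses its glue gives."""
    ns_names, glue = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        fields = line.split()
        if len(fields) < 3:
            continue                             # blank or malformed line
        owner, rest = fields[0].lower(), fields[1:]
        if rest[0].isdigit():
            rest = rest[1:]                      # optional TTL
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]                      # optional class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if owner == "." and rtype == "NS":
            ns_names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            try:
                glue.setdefault(owner, set()).add(str(ipaddress.ip_address(rdata)))
            except ValueError:
                continue                         # skip unparsable addresses
    # an empty hint file yields no servers at all
    return {ns: glue.get(ns, set()) for ns in ns_names}


def matches_hints(hints, seen_ips):
    """Return the observed destination IPs that belong to a root-hint server."""
    known = {ip for ips in hints.values() for ip in ips}
    return sorted(ip for ip in seen_ips if ip in known)
```

Feeding the real /var/named/named.ca through parse_hints gives the address set to compare with the egress logs.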

