[Freeipa-users] Replica install fails due nonexisting RID ranges
Hello, I didint enable adrust or installed related packages, I dont use samba
shares either on existing installation.
I wanted to create additional replica, during install it asked what is NETBIOS
name and if I want to generate SID identifiers for users (answered no) then
process failed with errors below.
Should I update my ID ranges? or there is replica install option to skip this
setup. (I dont use cross AD trusts, or similar features)
Configuring SID generation
[1/7]: creating samba domain object
Samba domain object already exists
[2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
2021-12-27T17:56:04Z DEBUG [2/7]: adding admin(group) SIDs
2021-12-27T17:56:04Z DEBUG Admin SID already set, nothing to do
2021-12-27T17:56:04Z DEBUG Admin group SID already set, nothing to do
2021-12-27T17:56:04Z DEBUG step duration: SID generation __add_admin_sids 0.00
sec
2021-12-27T17:56:04Z DEBUG [3/7]: adding RID bases
2021-12-27T17:56:04Z CRITICAL Found more than one local domain ID range with no
RID base set.
2021-12-27T17:56:04Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 380, in __add_rid_bases
raise RuntimeError("Too many ID ranges\n")
RuntimeError: Too many ID ranges
2021-12-27T17:56:04Z DEBUG [error] RuntimeError: Too many ID ranges
2021-12-27T17:56:04Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342,
in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360,
in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386,
in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655,
in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", l
[Freeipa-users] replica install fails
Hi all
I have two centos 8 servers. One is installed and configured as master and AD
trust controller. The second one, I'm trying to configure it as a replica, but
what ever I do, the replica server fails to start.
Environment :
OS - CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
Replica install is started with :
#ipa-replica-install -v --principal admin -p X --domain
ipamaster01.example.com --server ipamaster01.example.com --setup-ca
--setup-adtrust
The client install goes well, but the server stops at :
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ldap://ipamaster01.example.com:389] reports: Update failed! Status: [Error
(-2) - LDAP error: Local error - no response received]
On the ipareplica-install.log, last entries are:
2020-04-14T08:29:13Z DEBUG Created connection context.ldap2_139862275887680
2020-04-14T08:29:13Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-04-14T08:29:13Z DEBUG retrieving schema for SchemaCache
url=ldap://ipamaster01.example.com:389 conn=
2020-04-14T08:29:13Z DEBUG Successfully updated nsDS5ReplicaId.
2020-04-14T08:29:13Z DEBUG Add or update replica config
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Added replica config
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Add or update replica config
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG No update to
cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
necessary
2020-04-14T08:29:13Z DEBUG Waiting for replication
(ldapi://%2Fvar%2Frun%2Fslapd-IPAMASTER01-EXAMPLE-COM.socket)
cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping
tree
,cn=config (objectclass=*)
2020-04-14T08:29:13Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping
tree,cn=config'), {'objectClass': [b'nsds5replicat
ionagreement', b'top'], 'cn': [b'meToipamaster01.example.com'],
'nsDS5ReplicaHost': [b'ipamaster01.example.com'], 'nsDS5ReplicaPort': [b'389'],
'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=ipamaste
r01,dc=example,dc=com'], 'description': [b'me to ipamaster01.example.com'],
'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof
idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth kr
bloginfailedcount'], 'nsDS5ReplicaTransportInfo': [b'LDAP'],
'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs':
[b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp']
, 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn
krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'197
0010100Z'], 'nsds5replicaLastUpdateEnd': [b'1970010100Z'],
'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus':
[b'Error (0) No replication sessions started since server startup'
], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0",
"ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired",
"date": "2020-04-14T08:29:13Z", "message": "Error (0) N
o replication sessions started since server startup"}'],
'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart':
[b'1970010100Z'], 'nsds5replicaLastInitEnd': [b'1970010100Z']})]
2020-04-14T08:29:29Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
589, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line
427, in __setup_replica
cacert=self.ca_file
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py",
line 1860, in setup_promote_replication
raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
I can query both ldap servers on the master and replica with :
ldapsearch -h ldap://ipamaster01.example.com -p 389 -Y GSSAPI -b "" -s base -W
ldapsearch -h ldap://ipareplica01.example.com -p 389 -Y GSSAPI -b "" -s base -W
in this point, I'm really run out of options. Could someone tell me what I'm
doing wrong?
Cheers
Alex
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Arch
[Freeipa-users] replica - install fails with CA issue
Thanks for the reply. I tried the workaround but still getting the
CA_UNREACHABLE error. The umask on the master was already at 0022.
Is there a way to check the health of the CA master? Maybe the issue is with
the CA and not with the replica install?
Here is a little more information. The CA master is pci-mgmt-ipa01. the new
client to be promoted is ipa-nyc-pci02.
On the client:
[root@ipa-nyc-pci02 ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180424223129':
status: CA_UNREACHABLE
ca-error: Server at https://ipa-nyc-pci02.pci.xxx.com/ipa/xml
failed request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining: Failed connect to ipa-nyc-pci02.pci.xxx.com:443;
Connection refused).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxx-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PCI-xxx-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxx-COM',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
PCI-xxx-COM
track: yes
auto-renew: yes
On the master:
pki-tomcat is running.
I see a cert_request in /var/log/httpd/error_log.
[Tue Apr 24 22:31:31.490598 2018] [:error] [pid 1133] ipa: INFO: [xmlserver]
host/ipa-nyc-pci02.pci.xxx@pci.xxx.com:
cert_request(u'MIID8jCCAtoCAQAwQjEYMBYGA1UEChMPUENJLk1BU0NPUlAuQ09NMSYwJAYDVQQDEx1pc
...
/QLxsLD7VWO7fGuSHpGnUayuTKi1Em9BdPtMNoD75G4SJ', profile_id=u'caIPAserviceCert',
principal=u'ldap/ipa-nyc-pci02.pci.xxx@pci.xxx.com', add=True,
version=u'2.51'): NotFound
I don't see any request in /var/log/pki/pki-tomcat/ca/debug.
Does this indicate a problem with the Dogtag server?
Thanks,
Ross
___________
From: Ross Infinger
Sent: Tuesday, April 24, 2018 1:39 PM
To: Florence Blanc-Renaud
Subject: RE: [Freeipa-users] replica - install fails with CA issue
Thanks for the reply. I tried the workaround but still getting the
CA_UNREACHABLE error. The umask on the master was already at 0022.
Is there a way to check the health of the CA master? Maybe the issue is with
the CA and not with the replica install?
Thanks,
Ross
From: Florence Blanc-Renaud [f...@redhat.com]
Sent: Tuesday, April 24, 2018 1:37 AM
To: FreeIPA users list
Cc: Ross Infinger
Subject: Re: [Freeipa-users] replica - install fails with CA issue
On 04/23/2018 10:37 PM, Ross Infinger via FreeIPA-users wrote:
> I'm trying to promote a new client to a replica. I install the client
> first then run ipa-replica-install. The client install goes OK but the
> ipa-replica-install command fails with
>
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>
> Seems the client was able to reach the CA so I'm puzzled why the replica
> cannot.
>
>
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
Hi,
other users also hit this issue #7193 [1], and the root cause was that
the root's umask on the master was too restrictive. Can you check if
it's your case?
The workaround is to do:
chmod 644 /etc/ipa/ca.crt
chmod 440 /var/lib/ipa/ra-agent.{key|pem}
but the best is to install the master with umask 022.
HTH,
Flo
[1]
https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_freeipa_issue_7193&d=DwID-g&c=laiMAACGcvAxeLF9-K5nZ1uCTN9kBzTH8fWOxFTVLgs&r=BQGu7HO1KZWnnHq93CzOO0obebVE6FvfNGVnSYC75ic&m=a8hif8z7P2YL758xGO4yaROq33AOiOjrmAzs4WNaEtM&s=X9JOGxC1Dlqf_7WPi-C953HdBoN9swEyeDI7RvMDY34&e=
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] replica - install fails with CA issue
I'm trying to promote a new client to a replica. I install the client first then run ipa-replica-install. The client install goes OK but the ipa-replica-install command fails with RuntimeError: Certificate issuance failed (CA_UNREACHABLE) Seems the client was able to reach the CA so I'm puzzled why the replica cannot. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] replica install fails: CA_UNREACHABLE
hi
I'm trying to install replica, process fails:
..
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed
(CA_UNREACHABLE)
Your system may be partly configured.
..
-- end
and in intall log file:
..
2018-01-06T13:50:29Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -A -n
PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -t CT,C,C -a -f
/etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
2018-01-06T13:50:29Z DEBUG Process finished, return code=0
2018-01-06T13:50:29Z DEBUG stdout=
2018-01-06T13:50:29Z DEBUG stderr=
2018-01-06T13:50:30Z DEBUG certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-01-06T13:50:35Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)
2018-01-06T13:50:35Z DEBUG Traxx.ck (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 824, in __enable_ssl
post_command=cmd)
File
"/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py",
line 317, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed
({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG [error] RuntimeError:
Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 172, in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 333, in run
cfgr.run()
File "/usr/lib/python2.7/site-
...
-- end
Would this be that new candidate's problem or some
communication issues with existing server? Client installed
(kind of)okey though.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] replica-install fails
Trying to promote a client to a replica and it's failing with:
Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/9]: stopping
directory server [2/9]: saving configuration [3/9]: disabling
listeners [4/9]: enabling DS global lock [5/9]: starting directory
server [6/9]: upgrading server [7/9]: stopping directory server
[8/9]: restoring configuration [9/9]: starting directory
serverDone.Restarting the KDCYour system may be partly configured.Run
/usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR406 Client Error: Failed to validate message: No recipient
matched the provided key["Failed: [ValueError('Decryption
failed.',)]"]ipa.ipapython.install.cli.install_tool(CompatServerReplica
Install): ERRORThe ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
The replica-install log:
2017-10-04T07:22:06Z DEBUG Restarting the KDC2017-10-04T07:22:06Z DEBUG
Starting external process2017-10-04T07:22:06Z DEBUG args=/bin/systemctl
restart krb5kdc.service2017-10-04T07:22:06Z DEBUG Process finished,
return code=02017-10-04T07:22:06Z DEBUG stdout=2017-10-04T07:22:06Z
DEBUG stderr=2017-10-04T07:22:06Z DEBUG Starting external process2017-
10-04T07:22:06Z DEBUG args=/bin/systemctl is-active
krb5kdc.service2017-10-04T07:22:06Z DEBUG Process finished, return
code=02017-10-04T07:22:06Z DEBUG stdout=active
2017-10-04T07:22:06Z DEBUG stderr=2017-10-04T07:22:06Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
executereturn_value = self.run() File "/usr/lib/python2.7/site-
packages/ipapython/install/cli.py", line 333, in runcfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
368, in runself.execute() File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 392, in executefor
_nothing in self._executor(): File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 434, in
__runnerexc_handler(exc_info) File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 463, in
_handle_execute_exceptionself._handle_exception(exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453,
in _handle_exceptionsix.reraise(*exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424,
in __runnerstep() File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 421, in step =
lambda: next(self.__gen) File "/usr/lib/python2.7/site-
packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_fromsix.reraise(*exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_fromvalue = gen.send(prev_value) File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658,
in _configurenext(executor) File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 434, in
__runnerexc_handler(exc_info) File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 463, in
_handle_execute_exceptionself._handle_exception(exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521,
in _handle_exceptionself.__parent._handle_exception(exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453,
in _handle_exceptionsix.reraise(*exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518,
in _handle_exceptionsuper(ComponentBase,
self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 453, in
_handle_exceptionsix.reraise(*exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424,
in __runnerstep() File "/usr/lib/python2.7/site-
packages/ipapython/install/core.py", line 421, in step =
lambda: next(self.__gen) File "/usr/lib/python2.7/site-
packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_fromsix.reraise(*exc_info) File
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_fromvalue = gen.send(prev_value) File
"/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
63, in _installfor _nothing in self._installer(self.parent): File
"/usr/lib/python2.7/site-
packages/ipaserver/install/server/__init__.py", line 617, in
mainreplica_install(self) File "/usr/lib/python2.7/site-
packages/ipaserver/install/server/replicainstall.py", line 386, in
decoratedfunc(installer) File "/usr/lib/python2.7/site-
packages/ipaserver/install/server/replicainstall.py", line 1477, in
installcustodia.import_dm_password(config.master_host_name) File
"/usr/lib/python2.7/site-
packages/ipaserver/install/custodiainstance.py", line 124, in
import_dm_passwordcli.fetch_key('dm/DMHash') File
"/usr/lib/python2.7/site-packages/ipaserver/secret
