[Freeipa-users] Replica install fails due to nonexistent RID ranges
Hello,

I didn't enable adtrust or install the related packages, and I don't use Samba shares on the existing installation either. I wanted to create an additional replica; during the install it asked what the NETBIOS name is and whether I want to generate SID identifiers for users (I answered no), then the process failed with the errors below. Should I update my ID ranges, or is there a replica install option to skip this setup? (I don't use cross-AD trusts or similar features.)

Configuring SID generation
  [1/7]: creating samba domain object
Samba domain object already exists
  [2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
  [error] RuntimeError: Too many ID ranges

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Too many ID ranges

2021-12-27T17:56:04Z DEBUG   [2/7]: adding admin(group) SIDs
2021-12-27T17:56:04Z DEBUG Admin SID already set, nothing to do
2021-12-27T17:56:04Z DEBUG Admin group SID already set, nothing to do
2021-12-27T17:56:04Z DEBUG step duration: SID generation __add_admin_sids 0.00 sec
2021-12-27T17:56:04Z DEBUG   [3/7]: adding RID bases
2021-12-27T17:56:04Z CRITICAL Found more than one local domain ID range with no RID base set.
2021-12-27T17:56:04Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 380, in __add_rid_bases
    raise RuntimeError("Too many ID ranges\n")
RuntimeError: Too many ID ranges

2021-12-27T17:56:04Z DEBUG   [error] RuntimeError: Too many ID ranges
2021-12-27T17:56:04Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", l
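To make the failing step concrete, here is an added example (not code from the post or from FreeIPA) that models the "adding RID bases" decision offline: the step needs exactly one local (ipa-local) ID range that still has no RID base, because that is the range it fills in; two or more such ranges give the "Too many ID ranges" error above, zero means nothing to do. The attribute names are the LDAP attribute names FreeIPA keeps on ID range entries; the sample entries are constructed for this example, and assign_rid_bases() only models the manual fix without talking to IPA.

```python
"""Added example, not FreeIPA's own code: model the "adding RID bases"
step offline to see why it raised "Too many ID ranges".

Attribute names (iparangetype, ipabaseid, ipaidrangesize, ipabaserid,
ipasecondarybaserid) are FreeIPA's ID range attributes; the entries
themselves are constructed for this example.
"""
from typing import Dict, List, Tuple

IDRange = Dict[str, str]

# Constructed sample: a deployment that grew a second local range over time,
# plus one trust range (trust ranges are not candidates for this step).
SAMPLE_RANGES: List[IDRange] = [
    {"cn": "EXAMPLE.COM_id_range", "iparangetype": "ipa-local",
     "ipabaseid": "1170000000", "ipaidrangesize": "200000"},
    {"cn": "legacy_uids", "iparangetype": "ipa-local",
     "ipabaseid": "1000", "ipaidrangesize": "9000"},
    {"cn": "AD.EXAMPLE.COM_id_range", "iparangetype": "ipa-ad-trust",
     "ipabaseid": "1400000000", "ipaidrangesize": "200000"},
]


def local_ranges_without_rid_base(ranges: List[IDRange]) -> List[IDRange]:
    """Local ranges the SID-generation step would still have to fill in."""
    return [r for r in ranges
            if r.get("iparangetype") == "ipa-local" and not r.get("ipabaserid")]


def rid_base_check(ranges: List[IDRange]) -> str:
    """Outcome of the installer step: 'nothing-to-do', 'assign:<cn>' or 'too-many:<cn,...>'."""
    missing = local_ranges_without_rid_base(ranges)
    if not missing:
        return "nothing-to-do"
    if len(missing) == 1:
        return "assign:" + missing[0]["cn"]
    return "too-many:" + ",".join(r["cn"] for r in missing)


def rid_intervals(ranges: List[IDRange]) -> List[Tuple[str, int, int]]:
    """(label, first RID, last RID) for every primary/secondary RID block already assigned."""
    out = []
    for r in ranges:
        if r.get("iparangetype") != "ipa-local":
            continue
        size = int(r["ipaidrangesize"])
        for attr in ("ipabaserid", "ipasecondarybaserid"):
            if r.get(attr):
                base = int(r[attr])
                out.append((f"{r['cn']}/{attr}", base, base + size - 1))
    return out


def overlapping(intervals: List[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """Pairs of labelled intervals that intersect."""
    hits = []
    for i, (n1, a1, b1) in enumerate(intervals):
        for n2, a2, b2 in intervals[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                hits.append((n1, n2))
    return hits


def assign_rid_bases(ranges: List[IDRange], cn: str, base: int, secondary: int) -> List[IDRange]:
    """Copy of `ranges` with RID bases set on range `cn`, refusing any RID overlap.

    Models the manual fix (giving the extra local range its bases so that only
    one candidate is left for the installer); it does not talk to IPA.
    """
    new = [dict(r) for r in ranges]
    target = next(r for r in new if r["cn"] == cn)
    target["ipabaserid"] = str(base)
    target["ipasecondarybaserid"] = str(secondary)
    clashes = overlapping(rid_intervals(new))
    if clashes:
        raise ValueError(f"RID blocks would overlap: {clashes}")
    return new


if __name__ == "__main__":
    print(rid_base_check(SAMPLE_RANGES))   # too-many:EXAMPLE.COM_id_range,legacy_uids
    fixed = assign_rid_bases(SAMPLE_RANGES, "legacy_uids", 1000, 100001000)
    print(rid_base_check(fixed))           # assign:EXAMPLE.COM_id_range
```

The outcome string is the decision the installer faced here: two local ranges, neither with a RID base, so it could not pick one. What the error text implies, then, is that the ranges must be arranged so that at most one local range is left without RID bases, with the RID blocks kept non-overlapping as assign_rid_bases() checks.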
[Freeipa-users] replica install fails
Hi all,

I have two CentOS 8 servers. One is installed and configured as master and AD trust controller. The second one I'm trying to configure as a replica, but whatever I do, the replica server fails to start.

Environment:
OS - CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64

Replica install is started with:
#ipa-replica-install -v --principal admin -p X --domain ipamaster01.example.com --server ipamaster01.example.com --setup-ca --setup-adtrust

The client install goes well, but the server stops at:
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ldap://ipamaster01.example.com:389] reports: Update failed! Status: [Error (-2) - LDAP error: Local error - no response received]

In ipareplica-install.log, the last entries are:
2020-04-14T08:29:13Z DEBUG Created connection context.ldap2_139862275887680
2020-04-14T08:29:13Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-04-14T08:29:13Z DEBUG retrieving schema for SchemaCache url=ldap://ipamaster01.example.com:389 conn=
2020-04-14T08:29:13Z DEBUG Successfully updated nsDS5ReplicaId.
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Added replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG No update to cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config necessary
2020-04-14T08:29:13Z DEBUG Waiting for replication (ldapi://%2Fvar%2Frun%2Fslapd-IPAMASTER01-EXAMPLE-COM.socket) cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
2020-04-14T08:29:13Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meToipamaster01.example.com'], 'nsDS5ReplicaHost': [b'ipamaster01.example.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=ipamaster01,dc=example,dc=com'], 'description': [b'me to ipamaster01.example.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'1970010100Z'], 'nsds5replicaLastUpdateEnd': [b'1970010100Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2020-04-14T08:29:13Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'1970010100Z'], 'nsds5replicaLastInitEnd': [b'1970010100Z']})]
2020-04-14T08:29:29Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 427, in __setup_replica
    cacert=self.ca_file
  File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 1860, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

I can query both LDAP servers, on the master and on the replica, with:
ldapsearch -h ldap://ipamaster01.example.com -p 389 -Y GSSAPI -b "" -s base -W
ldapsearch -h ldap://ipareplica01.example.com -p 389 -Y GSSAPI -b "" -s base -W

At this point I have really run out of options. Could someone tell me what I'm doing wrong?

Cheers
Alex

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Arch
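As an added illustration (not code from the post or from FreeIPA), here is how the agreement entry that the log dumps can be summarised programmatically, the way a replication health check would do it. The dictionary mirrors what python-ldap returns for that entry (attribute name to list of bytes) and is rebuilt from the values in the log; the attribute names are the 389-ds replication attributes shown there.

```python
"""Added example, not FreeIPA's own code: summarise a replication
agreement entry (cn=meTo...) the way a health check would.

The sample is reconstructed from the entry dumped in the install log;
values are lists of bytes, as python-ldap returns them.
"""
import json
from typing import Any, Dict, List

EPOCH = b"1970010100Z"   # the "never happened" timestamp seen in the dump

SAMPLE_AGREEMENT: Dict[str, List[bytes]] = {
    "cn": [b"meToipamaster01.example.com"],
    "nsDS5ReplicaHost": [b"ipamaster01.example.com"],
    "nsDS5ReplicaBindMethod": [b"SASL/GSSAPI"],
    "nsds5replicaLastUpdateStart": [EPOCH],
    "nsds5replicaLastUpdateEnd": [EPOCH],
    "nsds5replicaLastInitStart": [EPOCH],
    "nsds5replicaLastInitEnd": [EPOCH],
    "nsds5replicaUpdateInProgress": [b"FALSE"],
    "nsds5replicaLastUpdateStatus": [
        b"Error (0) No replication sessions started since server startup"],
    "nsds5replicaLastUpdateStatusJSON": [
        b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", '
        b'"repl_rc": "0", "repl_rc_text": "replica acquired", '
        b'"date": "2020-04-14T08:29:13Z", '
        b'"message": "Error (0) No replication sessions started since server startup"}'],
}


def first(entry: Dict[str, List[bytes]], attr: str, default: bytes = b"") -> bytes:
    """First value of a multi-valued attribute, or `default` when absent."""
    return entry.get(attr, [default])[0]


def agreement_health(entry: Dict[str, List[bytes]]) -> Dict[str, Any]:
    """What the JSON status says, plus whether any session has ever run."""
    status = json.loads(first(entry, "nsds5replicaLastUpdateStatusJSON", b"{}").decode())
    return {
        "host": first(entry, "nsDS5ReplicaHost").decode(),
        "bind_method": first(entry, "nsDS5ReplicaBindMethod").decode(),
        "state": status.get("state", "unknown"),
        "ldap_rc": int(status.get("ldap_rc", -1)),
        "repl_rc": int(status.get("repl_rc", -1)),
        "message": status.get("message", first(entry, "nsds5replicaLastUpdateStatus").decode()),
        "never_initialised": first(entry, "nsds5replicaLastInitEnd") == EPOCH,
        "never_updated": first(entry, "nsds5replicaLastUpdateEnd") == EPOCH,
        "in_progress": first(entry, "nsds5replicaUpdateInProgress").upper() == b"TRUE",
    }


def looks_healthy(summary: Dict[str, Any]) -> bool:
    """'green' alone is not enough: an agreement that never completed a session is unproven."""
    return (summary["state"] == "green"
            and summary["ldap_rc"] == 0
            and summary["repl_rc"] == 0
            and not summary["never_updated"])


if __name__ == "__main__":
    h = agreement_health(SAMPLE_AGREEMENT)
    print(h["host"], h["state"], h["message"], "healthy" if looks_healthy(h) else "not proven")
```

For the entry in the log the JSON reports state green and "replica acquired", yet every timestamp is still the 1970 placeholder and the message says no session has started, which is why looks_healthy() does not accept it; the installer's "Failed to start replication" sixteen seconds later is consistent with that. The agreement binds with SASL/GSSAPI, so the Kerberos path between the two hosts is part of what has to work before a first session can run.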
[Freeipa-users] replica - install fails with CA issue
Thanks for the reply. I tried the workaround but am still getting the CA_UNREACHABLE error. The umask on the master was already 0022. Is there a way to check the health of the CA master? Maybe the issue is with the CA and not with the replica install?

Here is a little more information. The CA master is pci-mgmt-ipa01; the new client to be promoted is ipa-nyc-pci02.

On the client:
[root@ipa-nyc-pci02 ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180424223129':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa-nyc-pci02.pci.xxx.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to ipa-nyc-pci02.pci.xxx.com:443; Connection refused).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PCI-xxx-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxx-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv PCI-xxx-COM
        track: yes
        auto-renew: yes

On the master: pki-tomcat is running. I see a cert_request in /var/log/httpd/error_log:
[Tue Apr 24 22:31:31.490598 2018] [:error] [pid 1133] ipa: INFO: [xmlserver] host/ipa-nyc-pci02.pci.xxx@pci.xxx.com: cert_request(u'MIID8jCCAtoCAQAwQjEYMBYGA1UEChMPUENJLk1BU0NPUlAuQ09NMSYwJAYDVQQDEx1pc ... /QLxsLD7VWO7fGuSHpGnUayuTKi1Em9BdPtMNoD75G4SJ', profile_id=u'caIPAserviceCert', principal=u'ldap/ipa-nyc-pci02.pci.xxx@pci.xxx.com', add=True, version=u'2.51'): NotFound

I don't see any request in /var/log/pki/pki-tomcat/ca/debug. Does this indicate a problem with the Dogtag server?

Thanks,
Ross

___________
From: Florence Blanc-Renaud [f...@redhat.com]
Sent: Tuesday, April 24, 2018 1:37 AM
To: FreeIPA users list
Cc: Ross Infinger
Subject: Re: [Freeipa-users] replica - install fails with CA issue

On 04/23/2018 10:37 PM, Ross Infinger via FreeIPA-users wrote:
> I'm trying to promote a new client to a replica. I install the client
> first then run ipa-replica-install. The client install goes OK but the
> ipa-replica-install command fails with
>
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>
> Seems the client was able to reach the CA so I'm puzzled why the replica
> cannot.
>
Hi,

other users also hit this issue #7193 [1], and the root cause was that root's umask on the master was too restrictive. Can you check if it's your case? The workaround is to do:
chmod 644 /etc/ipa/ca.crt
chmod 440 /var/lib/ipa/ra-agent.{key|pem}
but the best is to install the master with umask 022.

HTH,
Flo

[1] https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_freeipa_issue_7193&d=DwID-g&c=laiMAACGcvAxeLF9-K5nZ1uCTN9kBzTH8fWOxFTVLgs&r=BQGu7HO1KZWnnHq93CzOO0obebVE6FvfNGVnSYC75ic&m=a8hif8z7P2YL758xGO4yaROq33AOiOjrmAzs4WNaEtM&s=X9JOGxC1Dlqf_7WPi-C953HdBoN9swEyeDI7RvMDY34&e=
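Flo's workaround names three files and the modes they need. The following added example (not code from the thread or from FreeIPA) audits those files in both directions: a mode stricter than expected is the condition behind the CA_UNREACHABLE symptom she describes (the installer's helpers cannot read the CA certificate or the RA agent credentials), while a mode looser than expected would expose the RA agent private key to every local user. It also reports whether the current umask keeps the group/other read bits, since her advice is to install the master with umask 022. Paths and expected modes are taken from the chmod lines in her reply; nothing else is assumed.

```python
"""Added example, not FreeIPA's own code: audit the files named in the
umask/chmod workaround and report the direction of any deviation.

Expected modes come from the chmod lines in the reply (644 for the CA
certificate, 440 for the RA agent key and cert).
"""
import os
import stat
from typing import Dict, Tuple

EXPECTED_MODES: Dict[str, int] = {
    "/etc/ipa/ca.crt": 0o644,
    "/var/lib/ipa/ra-agent.key": 0o440,
    "/var/lib/ipa/ra-agent.pem": 0o440,
}


def classify_mode(actual: int, expected: int) -> str:
    """'ok', 'too-restrictive' (expected bits missing), 'too-open' (extra bits), or 'both'."""
    missing = expected & ~actual & 0o777
    extra = actual & ~expected & 0o777
    if missing and extra:
        return "both"
    if missing:
        return "too-restrictive"
    if extra:
        return "too-open"
    return "ok"


def audit_modes(expected: Dict[str, int] = EXPECTED_MODES) -> Dict[str, Tuple[str, str]]:
    """Map each path to (verdict, actual mode as octal text or '-' when the file is absent)."""
    report: Dict[str, Tuple[str, str]] = {}
    for path, want in expected.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = ("missing", "-")
            continue
        actual = stat.S_IMODE(st.st_mode)
        report[path] = (classify_mode(actual, want), format(actual, "04o"))
    return report


def umask_allows_world_read() -> bool:
    """True when the process umask leaves group/other read bits alone (022 does, 077 does not)."""
    current = os.umask(0)   # os.umask() returns the previous mask; put it straight back
    os.umask(current)
    return current & 0o044 == 0


if __name__ == "__main__":
    for path, (verdict, mode) in audit_modes().items():
        print(f"{path}: {verdict} ({mode})")
    print("umask keeps read bits:", umask_allows_world_read())
```

Run on a master, a "too-restrictive" verdict on any of the three files reproduces the condition of issue #7193 that the chmod lines fix; a "too-open" verdict on ra-agent.key is the opposite problem and deserves fixing before anything else, since that key is what the RA agent authenticates to the CA with.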
[Freeipa-users] replica - install fails with CA issue
I'm trying to promote a new client to a replica. I install the client first then run ipa-replica-install. The client install goes OK but the ipa-replica-install command fails with

RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

Seems the client was able to reach the CA so I'm puzzled why the replica cannot.
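Both this thread and the one below end in certmonger reporting CA_UNREACHABLE, and Ross's follow-up above shows what `getcert list` prints in that state. The following added example (not certmonger's or FreeIPA's code) parses that output, flags every request that is not in certmonger's steady MONITORING state, and pulls out of the ca-error text which server the helper actually tried to reach, so it can be compared with the CA master one expects. The sample text is reconstructed from the output posted above, with the hostnames as redacted there; the install log in the next thread shows the same request passing through NEWLY_ADDED_READING_CERT before landing in CA_UNREACHABLE.

```python
"""Added example, not certmonger's or FreeIPA's code: parse `getcert list`
output and report requests stuck outside the MONITORING state.

SAMPLE_GETCERT is reconstructed from the listing posted in the thread.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 1.
Request ID '20180424223129':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa-nyc-pci02.pci.xxx.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to ipa-nyc-pci02.pci.xxx.com:443; Connection refused).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PCI-xxx-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PCI-xxx-COM',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv PCI-xxx-COM
\ttrack: yes
\tauto-renew: yes
"""

STEADY_STATES = {"MONITORING"}   # a tracked, issued certificate should sit here
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
SERVER_RE = re.compile(r"Server at (\S+) failed request")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split the listing into one dict per request; indented 'key: value' lines become fields."""
    requests: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def ca_server_from_error(ca_error: str) -> str:
    """Host the IPA helper actually tried, taken from 'Server at <url> failed request'."""
    m = SERVER_RE.search(ca_error)
    return (urlparse(m.group(1)).hostname or "") if m else ""


def unhealthy(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Requests outside the steady state, with the fields a responder wants first."""
    return [
        {
            "request_id": r["request_id"],
            "status": r.get("status", ""),
            "stuck": r.get("stuck", "").lower() == "yes",
            "tried_host": ca_server_from_error(r.get("ca-error", "")),
            "nickname": r.get("certificate", ""),
        }
        for r in requests
        if r.get("status") not in STEADY_STATES
    ]


if __name__ == "__main__":
    for item in unhealthy(parse_getcert_list(SAMPLE_GETCERT)):
        print(item)
```

For the posted listing the parser reports one request in CA_UNREACHABLE whose helper tried ipa-nyc-pci02.pci.xxx.com, the host being promoted, and got connection refused on 443; that is the fact to hold against the CA master name when deciding whether the CA itself or the request path is the problem.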
[Freeipa-users] replica install fails: CA_UNREACHABLE
Hi,

I'm trying to install a replica and the process fails:
..
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
..
-- end

and in the install log file:
..
2018-01-06T13:50:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -A -n PRIVATE.xx.xx.PRIVATE.xx.xx.x IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/pwdfile.txt
2018-01-06T13:50:29Z DEBUG Process finished, return code=0
2018-01-06T13:50:29Z DEBUG stdout=
2018-01-06T13:50:29Z DEBUG stderr=
2018-01-06T13:50:30Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-01-06T13:50:35Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2018-01-06T13:50:35Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

2018-01-06T13:50:35Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-01-06T13:50:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-
...
-- end

Would this be the new candidate's problem, or some communication issue with the existing server? The client installed (kind of) okay, though.
[Freeipa-users] replica-install fails
Trying to promote a client to a replica and it's failing with:

Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

The replica-install log:
2017-10-04T07:22:06Z DEBUG Restarting the KDC
2017-10-04T07:22:06Z DEBUG Starting external process
2017-10-04T07:22:06Z DEBUG args=/bin/systemctl restart krb5kdc.service
2017-10-04T07:22:06Z DEBUG Process finished, return code=0
2017-10-04T07:22:06Z DEBUG stdout=
2017-10-04T07:22:06Z DEBUG stderr=
2017-10-04T07:22:06Z DEBUG Starting external process
2017-10-04T07:22:06Z DEBUG args=/bin/systemctl is-active krb5kdc.service
2017-10-04T07:22:06Z DEBUG Process finished, return code=0
2017-10-04T07:22:06Z DEBUG stdout=active
2017-10-04T07:22:06Z DEBUG stderr=
2017-10-04T07:22:06Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1477, in install
    custodia.import_dm_password(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 124, in import_dm_password
    cli.fetch_key('dm/DMHash')
  File "/usr/lib/python2.7/site-packages/ipaserver/secret