Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

2016-02-11 Thread Martin Basti

Hello,
comments inline.

On 11.02.2016 10:46, Quasar wrote:

> Hi, I desperately need your help/advice with our ipa update process.
> Briefly, we'd like to update our IPA 3.0 installation based on CentOS
> 6.7 to a newer version, and I read that the way of doing it is to
> create a new replica with a newer version of IPA server.
> Before writing this post, I browsed for similar issues (there are many
> of them with similar outcome) and tried to apply the suggested
> solutions but no luck. I also tried previous versions of Fedora (18
> and 19) but again no luck.
>
> It seems I'm stuck and I don't know how to proceed :(
>
> Thank you in advance to anyone who will take the time to read my
> message :) Let's start!
>
> Right now we have a single running on CentOS 6.7, and we are planning
> to create a replica with Fedora 20 which has IPA 3.3


Fedora 20 is end of life, why do you use that old Fedora?
Why not CentOS 7 or F23?

Upgrade path from CentOS to Fedora is supported or tested, there might
be issues because versions of FreeIPA are different due to backporting
patches to CentOS


I suggest using the new FreeIPA 4.2 on CentOS 7.


> Here are the details of the master (CentOS 6.7, hostname ipaserver)
> [root@ipaserver ~]# uname -a
> Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22
> 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-ca-9.0.3-43.el6.noarch
>
> And here are the details of the replica (Fedora 20, hostname
> ipaserver-ha2)
>
> [root@ipaserver-ha2 ~]# uname -a
> Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12
> 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> pki-ca-10.1.2-7.fc20.noarch
> freeipa-server-3.3.5-1.fc20.x86_64
>
> Here are the steps I made:
> Before starting the replica I updated the schema of the master with
> the copy-schema-to-ca.py script
> I prepared the replica certificates on the server
> ("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10")
> and transferred to the replica server on the same folder
>
> Then I ran the replica install and here's the output:
> [root@ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns
> --no-forwarders --no-ntp
> /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
>
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipaserver.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@it.fx.lan password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/34]: creating directory server user
>   [2/34]: creating directory server instance
>   [3/34]: adding default schema
>   [4/34]: enabling memberof plugin
>   [5/34]: enabling winsync plugin
>   [6/34]: configuring replication version plugin
>   [7/34]: enabling IPA enrollment plugin
>   [8/34]: enabling ldapi
>   [9/34]: configuring uniqueness plugin
>   [10/34]: configuring uuid plugin
>   [11/34]: configuring modrdn plugin
>   [12/34]: configuring DNS plugin
>   [13/34]: enabling entryUSN plugin
>   [14/34]: configuring lockout plugin
>   [15/34]: creating indices
>   [16/34]: enabling referential integrity plugin
>   [17/34]: configuring ssl for ds instance
>   [18/34]: configuring certmap.conf
>   [19/34]: configure autobind for root
>   [20/34]: configure new location for managed entries
>   [21/34]: configure dirsrv ccache
>   [22/34]: enable SASL mapping fallback
>   [23/34]: restarting directory server
>   [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 3 seconds elapsed
> Update succeeded
>
>   [25/34]: updating schema
>   [26/34]: setting Auto Member configuration
>   [27/34]: enabling S4U2Proxy delegation
>   [28/34]: initializing group membership
>   [29/34]: adding master entry
>   [30/34]: configuring Posix uid/gid generation
>   [31/34]: adding replication acis
>   [32/34]: enabling

Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

2016-02-11 Thread Martin Basti



On 11.02.2016 11:05, Martin Basti wrote:

> Upgrade path from CentOS to Fedora is supported or tested, there might
> be issues because versions of FreeIPA are different due to backporting
> patches to CentOS

* is NOT supported

sorry


Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

2016-02-11 Thread Quasar
Please disregard this email, as it was duplicated.

Sorry for the inconvenience

On Tue, Feb 9, 2016 at 4:26 PM,  wrote:

> Hi, I desperately need your help/advice with our ipa update process.
> Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7
> to a newer version, and I read that the way of doing it is to create a new
> replica with a newer version of IPA server.
> Before writing this post, I browsed for similar issues (there are many of
> them with similar outcome) and tried to apply the suggested solutions but
> no luck. I also tried previous versions of Fedora (18 and 19) but again no
> luck.
> It seems I'm stuck and I don't know how to proceed :(
>
> Thank you in advance to anyone who will take the time to read my message
> :) Let's start!
>
> Right now we have a single running on Centos 6.7, and we are planning to
> create a replica with Fedora 20 which has IPA 3.3
>
> Here are the details of the master (ipaserver)
> [root@ipaserver ~]# uname -a
> Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21
> UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-ca-9.0.3-43.el6.noarch
>
> And here are the details of the replica (ipaserver-ha2)
> Replica server on Fedora 20:
> [root@ipaserver-ha2 ~]# uname -a
> Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12
> 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> pki-ca-10.1.2-7.fc20.noarch
> freeipa-server-3.3.5-1.fc20.x86_64
>
> Here are the steps I made:
>
> - Before starting the replica I updated the schema of the master with
>   the copy-schema-to-ca.py script
> - I prepared the replica certificates on the server
>   ("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and
>   transferred to the replica server on the same folder
> - Then I ran the replica install and here's the output:
>
> [root@ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns
> --no-forwarders --no-ntp
> /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipaserver.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@it.fx.lan password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/34]: creating directory server user
>   [2/34]: creating directory server instance
>   [3/34]: adding default schema
>   [4/34]: enabling memberof plugin
>   [5/34]: enabling winsync plugin
>   [6/34]: configuring replication version plugin
>   [7/34]: enabling IPA enrollment plugin
>   [8/34]: enabling ldapi
>   [9/34]: configuring uniqueness plugin
>   [10/34]: configuring uuid plugin
>   [11/34]: configuring modrdn plugin
>   [12/34]: configuring DNS plugin
>   [13/34]: enabling entryUSN plugin
>   [14/34]: configuring lockout plugin
>   [15/34]: creating indices
>   [16/34]: enabling referential integrity plugin
>   [17/34]: configuring ssl for ds instance
>   [18/34]: configuring certmap.conf
>   [19/34]: configure autobind for root
>   [20/34]: configure new location for managed entries
>   [21/34]: configure dirsrv ccache
>   [22/34]: enable SASL mapping fallback
>   [23/34]: restarting directory server
>   [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 3 seconds elapsed
> Update succeeded
>
>   [25/34]: updating schema
>   [26/34]: setting Auto Member configuration
>   [27/34]: enabling S4U2Proxy delegation
>   [28/34]: initializing group membership
>   [29/34]: adding master entry
>   [30/34]: configuring Posix uid/gid generation
>   [31/34]: adding replication acis
>   [32/34]: 

Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server

2016-02-11 Thread Quasar
Hi Martin,

first of all thanks for taking some time to read and provide feedback, much
appreciated.

I firstly tried with CentOS 7.x (build 1511) but got the same error during
CA configuration. Then I supposed I had to upgrade step-by-step, from 3.0
to 3.3 (instead of 3.0 to 4.x) and used Fedora 23, 20, 19 and 18 but with
no luck.
If you need the exact log from CentOS 7.x migration I can provide them to
you.

About the debug log file, it was attached and these are the final lines
containing the error:

[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
domainInfo=IPAipaserver.it.fx.lan44344344344380FALSEpki-cadTRUEipaserver-ha.it.fx.lan44344344380443TRUETRUEpki-cad20
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: failed
to update security domain using admin port 443:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: now
trying agent port with client auth
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML()
nickname=subsystemCert cert-pki-ca
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML: status=1



-- 
Giuseppe Calignano
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
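An added triage helper (not from the thread, nor part of FreeIPA or Dogtag) for the pki-ca debug-log format quoted in the last message: it parses the `[timestamp][thread]: message` records, re-joins lines wrapped by a mail client, and summarises the security-domain update the CA clone logged (host/port attempted, failure message, agent-port fallback, final status). The sample log is constructed from the excerpt above; the `domainInfo` value is a shortened placeholder because the archive stripped its XML tags.

```python
import re

# Constructed sample modelled on the pki-ca debug excerpt in the thread; the
# mail-client wrap of the SAXParseException line is kept on purpose, and the
# domainInfo value is shortened because the archive stripped its XML tags.
SAMPLE_LOG = """\
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML: domainInfo=IPA...
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: failed
to update security domain using admin port 443:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
spaces are required between publicId and systemId.
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
"""

# Record prefix is "[dd/Mon/yyyy:HH:MM:SS][thread-name]: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
START_RE = re.compile(r"updateDomainXML start hostname=(\S+) port=(\d+)")
STATUS_RE = re.compile(r"updateDomainXML: status=(\d+)")

def parse_lines(text):
    """Return (timestamp, thread, message) tuples; a line without the bracket
    prefix is treated as a wrapped continuation of the previous message."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append([m["ts"], m["thread"], m["msg"]])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()
    return [tuple(r) for r in records]

def security_domain_report(text):
    """Summarise the clone's security-domain update: (host, port) attempts,
    failure messages, agent-port fallback, and the final status (None if absent)."""
    rep = {"attempts": [], "errors": [], "agent_port_fallback": False, "status": None}
    for _ts, _thread, msg in parse_lines(text):
        if start := START_RE.search(msg):
            rep["attempts"].append((start.group(1), int(start.group(2))))
        elif msg.startswith("updateSecurityDomain: failed"):
            rep["errors"].append(msg)
        elif msg.startswith("updateSecurityDomain: now trying agent port"):
            rep["agent_port_fallback"] = True
        elif final := STATUS_RE.search(msg):
            rep["status"] = int(final.group(1))
    return rep
```

Run it over the full `/var/log/pki/pki-tomcat/ca/debug` (or the older `/var/log/pki-ca/debug`) from the failing clone instead of the sample; an empty `errors` list with `status` unset means the log ends before the security-domain step was reached.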