Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server
Hello, comments inline.

On 11.02.2016 10:46, Quasar wrote:
> Hi, I desperately need your help/advice with our ipa update process.
> Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7 to a newer version, and I read that the way of doing it is to create a new replica with a newer version of IPA server.
> Before writing this post, I browsed for similar issues (there are many of them with similar outcome) and tried to apply the suggested solutions but no luck. I also tried previous versions of Fedora (18 and 19) but again no luck.
> It seems I'm stuck and I don't know how to proceed :(
>
> Thank you in advance to anyone who will take the time to read my message :) Let's start!
>
> Right now we have a single running on Centos 6.7, and we are planning to create a replica with Fedora 20 which has IPA 3.3

Fedora 20 is end of life; why do you use that old Fedora? Why not CentOS 7 or F23?

Upgrade path from CentOS to Fedora is supported or tested; there might be issues because versions of FreeIPA are different due to backporting patches to CentOS.

I suggest using the new FreeIPA 4.2 on CentOS 7.

> Here are the details of the master (CentOS 6.7, hostname ipaserver)
>
> [root@ipaserver ~]# uname -a
> Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> pki-ca-9.0.3-43.el6.noarch
>
> And here are the details of the replica (Fedora 20, hostname ipaserver-ha2)
>
> [root@ipaserver-ha2 ~]# uname -a
> Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca'
> pki-ca-10.1.2-7.fc20.noarch
> freeipa-server-3.3.5-1.fc20.x86_64
>
> Here are the steps I made:
>
> - Before starting the replica I updated the schema of the master with the copy-schema-to-ca.py script
> - I prepared the replica certificates on the server ("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and transferred them to the replica server in the same folder
> - Then I ran the replica install and here's the output:
>
> [root@ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'ipaserver.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@it.fx.lan password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/34]: creating directory server user
>   [2/34]: creating directory server instance
>   [3/34]: adding default schema
>   [4/34]: enabling memberof plugin
>   [5/34]: enabling winsync plugin
>   [6/34]: configuring replication version plugin
>   [7/34]: enabling IPA enrollment plugin
>   [8/34]: enabling ldapi
>   [9/34]: configuring uniqueness plugin
>   [10/34]: configuring uuid plugin
>   [11/34]: configuring modrdn plugin
>   [12/34]: configuring DNS plugin
>   [13/34]: enabling entryUSN plugin
>   [14/34]: configuring lockout plugin
>   [15/34]: creating indices
>   [16/34]: enabling referential integrity plugin
>   [17/34]: configuring ssl for ds instance
>   [18/34]: configuring certmap.conf
>   [19/34]: configure autobind for root
>   [20/34]: configure new location for managed entries
>   [21/34]: configure dirsrv ccache
>   [22/34]: enable SASL mapping fallback
>   [23/34]: restarting directory server
>   [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 3 seconds elapsed
> Update succeeded
>
>   [25/34]: updating schema
>   [26/34]: setting Auto Member configuration
>   [27/34]: enabling S4U2Proxy delegation
>   [28/34]: initializing group membership
>   [29/34]: adding master entry
>   [30/34]: configuring Posix uid/gid generation
>   [31/34]: adding replication acis
>   [32/34]: enabling
Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server
On 11.02.2016 11:05, Martin Basti wrote:
> Hello, comments inline.
>
> On 11.02.2016 10:46, Quasar wrote:
>> Hi, I desperately need your help/advice with our ipa update process.
>> Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7 to a newer version, and I read that the way of doing it is to create a new replica with a newer version of IPA server.
>> Before writing this post, I browsed for similar issues (there are many of them with similar outcome) and tried to apply the suggested solutions but no luck. I also tried previous versions of Fedora (18 and 19) but again no luck.
>> It seems I'm stuck and I don't know how to proceed :(
>>
>> Thank you in advance to anyone who will take the time to read my message :) Let's start!
>>
>> Right now we have a single running on Centos 6.7, and we are planning to create a replica with Fedora 20 which has IPA 3.3
>
> Fedora 20 is end of life; why do you use that old Fedora? Why not CentOS 7 or F23?
>
> Upgrade path from CentOS to Fedora is supported or tested; there might be issues because versions of FreeIPA are different due to backporting patches to CentOS.

* is NOT supported, sorry

> I suggest using the new FreeIPA 4.2 on CentOS 7.
>
>> [...]
Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server
Please disregard this email, as it was duplicated. Sorry for the inconvenience.

On Tue, Feb 9, 2016 at 4:26 PM, wrote:
> [...]
Re: [Freeipa-users] Failing to add Fedora 20 replica to Centos6.7 ipa server
Hi Martin,

first of all, thanks for taking some time to read and provide feedback, much appreciated.

I first tried with CentOS 7.x (build 1511) but got the same error during CA configuration. Then I supposed I had to upgrade step by step, from 3.0 to 3.3 (instead of 3.0 to 4.x), and used Fedora 23, 20, 19 and 18, but with no luck. If you need the exact logs from the CentOS 7.x migration I can provide them to you.

About the debug log file, it was attached, and these are the final lines containing the error:

[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML: domainInfo=IPAipaserver.it.fx.lan44344344344380FALSEpki-cadTRUEipaserver-ha.it.fx.lan44344344380443TRUETRUEpki-cad20
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1

--
Giuseppe Calignano

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
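The debug lines above end with updateSecurityDomain failing because the reply from the master on port 443 could not be parsed as XML (the SAXParseException). As an added diagnostic, not code from this thread or from FreeIPA/Dogtag, the following Python checks whether a security-domain response body parses at all and reports the parser's position when it does not; the element names and both sample bodies are constructed assumptions modelled on the fields visible in the getDomainXML line, not the real document schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the kind of document a master returns; the
# element names are an assumption modelled on the fields visible in the
# debug line (Name, Host, ports, Clone, SubsystemName), not the real schema.
GOOD_BODY = (
    "<XMLResponse><Status>0</Status><DomainInfo><Name>IPA</Name>"
    "<CAList><CA><Host>ipaserver.it.fx.lan</Host>"
    "<SecurePort>443</SecurePort><UnSecurePort>80</UnSecurePort>"
    "<Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName></CA>"
    "</CAList></DomainInfo></XMLResponse>"
)

# Constructed sample of a body that is not XML at all: an HTML page whose
# DOCTYPE lacks the space between its public and system identifiers.
BAD_BODY = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"'
    '"http://www.w3.org/TR/html4/strict.dtd"><html><body>error</body></html>'
)


def check_domain_xml(body):
    """Parse a security-domain response.

    Returns (True, [ca, ...]) with one dict per CA entry, or
    (False, reason) when the body is not the expected document.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Same failure class as the clone's SAXParseException: report where
        # the parser gave up so an operator can see the master sent non-XML.
        line, col = exc.position
        return False, "not well-formed XML at line %d column %d: %s" % (line, col, exc)
    if root.tag != "XMLResponse" or root.findtext("Status") != "0":
        return False, "unexpected root element or non-zero Status"
    cas = []
    for ca in root.iter("CA"):
        cas.append({
            "host": ca.findtext("Host"),
            "secure_port": int(ca.findtext("SecurePort") or 0),
            "clone": ca.findtext("Clone") == "TRUE",
            "subsystem": ca.findtext("SubsystemName"),
        })
    return True, cas


if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, check_domain_xml(body))
```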