subject:"Re\: \[Freeipa\-users\] New install, unsupported format\?"

Re: [Freeipa-users] New install, unsupported format?

2017-02-28 Thread Steve Huston

On Tue, Feb 28, 2017 at 4:26 AM, Standa Laznicka  wrote:
> On 02/27/2017 04:51 PM, Steve Huston wrote:
>> It seems there might be two issues here; the one I originally reported
>> was that the ipa-server packages installed on a client machine are
>> unable to talk to the server, even though it obviously knows what the
>> server is (the "unsupported format" error I originally shared).  The
>> second is with setting up a replica in general.
>
> The server rpm packages should have no impact on client settings if neither
> server nor replica are installed on the given machine. IIRC client only uses
> the NSS database in /etc/ipa/nssdb, you may want to check the permissions
> there (should be o+xr for the folder, o+r for the *.db files there).

I'll look into this more later, since it's less of an issue (I don't
plan on having the server packages installed on a machine that isn't a
server, and once it's a server it works fine).

> I believe your machine might have been in some kind of undecided state when
> you tried to promote a client to a replica. What happens during replica
> installation on domain level 1 is that client installation is checked first.
> If client is installed the installation continues with other steps, if it's
> not, it tries to install the client.
> In your case, you probably had your client installed at first and tried to
> install replica. Something bad happened, can't be sure what, the
> installation failed and tried to uninstall the client but that might have
> failed, too. Eventually, you uninstalled the client yourself successfully,
> all files were removed and its records were also removed from the server.
> This made it possible to eventually successfully install a replica.
> I wouldn't bet my life on it but I'd think the installation could have gone
> successfully even if you installed a client and tried to promote it again :)

Quite possible - I thought I accounted for everything, but I'll admit
that when a client gets installed and provisioned it's not with
ipa-client-install but via puppet.  I did this because I needed a
programmatic way to determine if a host was already provisioned
(preferably locally) and execute the proper commands to do so, and in
my experimenting I found following the instructions for provisioning
manually worked well and use the presence of /etc/krb5.keytab as an
indicator of "has this host been provisioned" (its absence is a
negative).  It's likely that ipa-client-install does something else
that I never noticed, which ipa-replica-install relies on to know
what's going on - especially since when I run on a client, it first
uninstalls the client and then tries to reinstall it, and that's where
it fails.  I may experiment with that a bit too since it won't take
long to do.

> Anyway, I am sorry to hear you had such troubles, the replica installation
> is not usually such a painful process, I hope you will have more luck with
> FreeIPA in the future.

While it has been frustrating, it has definitely been a learning
experience.  I grow more confident in the system's abilities as I
discover more about it, and that means should something break in the
future I'm already in a position of knowledge of some of the internals
and less afraid to poke gently to fix it.  The support on this mailing
list has also been wonderful, so thank you all for that!

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] New install, unsupported format?

2017-02-28 Thread Standa Laznicka


On 02/27/2017 04:51 PM, Steve Huston wrote:

On Mon, Feb 27, 2017 at 5:56 AM, Standa Laznicka  wrote:

Sorry for the hold up. Two questions - is this domain level 1 or 0 (you can
run `ipa domainlevel-get` on the master if you don't know)? Did you have a
client installed prior to ipa-replica-install?

It's level 1.  I did have a couple clients installed, and the machine
I was trying to promote to a replica was one of them.  This whole
instance is a testing instance, with live data but not in production,
while I make sure everything works as expected before I deploy it, so
the servers and their data are new as of a couple weeks ago and began
life as a RHEL7.3 install.

It seems there might be two issues here; the one I originally reported
was that the ipa-server packages installed on a client machine are
unable to talk to the server, even though it obviously knows what the
server is (the "unsupported format" error I originally shared).  The
second is with setting up a replica in general.
The server rpm packages should have no impact on client settings if 
neither server nor replica are installed on the given machine. IIRC 
client only uses the NSS database in /etc/ipa/nssdb, you may want to 
check the permissions there (should be o+xr for the folder, o+r for the 
*.db files there).

I had tried the various methods outlined in the RedHat IdM
documentation, including promoting a client via an administrators TGT,
adding the client to the ipaservers group on the server, etc.  What
did finally work was unprovisioning the client, setting a one-time
password, and running "ipa-replica-install -v
--domain=astro.princeton.edu --server=ipa.astro.princeton.edu
--realm=ASTRO.PRINCETON.EDU --hostname=syrinx.astro.princeton.edu
--setup-ca -p foobar" - this yielded a fully working replica when it
finished.  All of the previous failures happened in the same way as
mentioned before - it seems to unprovision the client for some reason,
then fail in reprovisioning it.
I believe your machine might have been in some kind of undecided state 
when you tried to promote a client to a replica. What happens during 
replica installation on domain level 1 is that client installation is 
checked first. If client is installed the installation continues with 
other steps, if it's not, it tries to install the client.
In your case, you probably had your client installed at first and tried 
to install replica. Something bad happened, can't be sure what, the 
installation failed and tried to uninstall the client but that might 
have failed, too. Eventually, you uninstalled the client yourself 
successfully, all files were removed and its records were also removed 
from the server. This made it possible to eventually successfully 
install a replica.
I wouldn't bet my life on it but I'd think the installation could have 
gone successfully even if you installed a client and tried to promote it 
again :)


Anyway, I am sorry to hear you had such troubles, the replica 
installation is not usually such a painful process, I hope you will have 
more luck with FreeIPA in the future.

One problem which has cropped up before and caused problems is with
DNS capitalization.  DNS reports the domain name of "Princeton.EDU"
for hosts here, which means in order to do just about anything with a
FreeIPA server I have to manually add the host to /etc/hosts with all
lowercase letters.  I also have to force all of the host names via
command line switches so that DNS is not consulted for lookups, which
will return the StudlyCaps names and fail.  I suppose I should raise
that as a separate issue, because my understanding is that
hostnames/domainnames should be case insensitive so I'm not sure why
FreeIPA cares (and it may be easier to steer the entire project to not
care than convince those in control of DNS here to change it :D )



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] New install, unsupported format?

2017-02-27 Thread Steve Huston

On Mon, Feb 27, 2017 at 5:56 AM, Standa Laznicka  wrote:
> Sorry for the hold up. Two questions - is this domain level 1 or 0 (you can
> run `ipa domainlevel-get` on the master if you don't know)? Did you have a
> client installed prior to ipa-replica-install?

It's level 1.  I did have a couple clients installed, and the machine
I was trying to promote to a replica was one of them.  This whole
instance is a testing instance, with live data but not in production,
while I make sure everything works as expected before I deploy it, so
the servers and their data are new as of a couple weeks ago and began
life as a RHEL7.3 install.

It seems there might be two issues here; the one I originally reported
was that the ipa-server packages installed on a client machine are
unable to talk to the server, even though it obviously knows what the
server is (the "unsupported format" error I originally shared).  The
second is with setting up a replica in general.

I had tried the various methods outlined in the RedHat IdM
documentation, including promoting a client via an administrators TGT,
adding the client to the ipaservers group on the server, etc.  What
did finally work was unprovisioning the client, setting a one-time
password, and running "ipa-replica-install -v
--domain=astro.princeton.edu --server=ipa.astro.princeton.edu
--realm=ASTRO.PRINCETON.EDU --hostname=syrinx.astro.princeton.edu
--setup-ca -p foobar" - this yielded a fully working replica when it
finished.  All of the previous failures happened in the same way as
mentioned before - it seems to unprovision the client for some reason,
then fail in reprovisioning it.

One problem which has cropped up before and caused problems is with
DNS capitalization.  DNS reports the domain name of "Princeton.EDU"
for hosts here, which means in order to do just about anything with a
FreeIPA server I have to manually add the host to /etc/hosts with all
lowercase letters.  I also have to force all of the host names via
command line switches so that DNS is not consulted for lookups, which
will return the StudlyCaps names and fail.  I suppose I should raise
that as a separate issue, because my understanding is that
hostnames/domainnames should be case insensitive so I'm not sure why
FreeIPA cares (and it may be easier to steer the entire project to not
care than convince those in control of DNS here to change it :D )

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] New install, unsupported format?

2017-02-27 Thread Standa Laznicka


On 02/24/2017 08:38 PM, Steve Huston wrote:

So, I tried a different tack.  Took my bare VM configured as an IPA
client, did a 'yum install ipa-server' and edited the cainstance.py
file to fix the IPv6 issue.  Then, without adding the host to
ipaservers in the webui, I simply tried to promote it:

# kinit admin
Password for ad...@astro.princeton.edu:
# ipa-replica-install --verbose
ipa.ipapython.install.cli.install_tool(Replica): DEBUGLogging to
/var/log/ipareplica-install.log
ipa.ipapython.install.cli.install_tool(Replica): DEBUG
ipa-replica-install was invoked with arguments [] and options:
{'no_dns_sshfp': None, 'skip_schema_check': None, 'setup_kra': None,
'ip_addresses': None
, 'mkhomedir': None, 'http_cert_files': None, 'ssh_trust_dns': None,
'reverse_zones': None, 'no_forwarders': None, 'keytab': None,
'no_ntp': None, 'domain_name': None, 'http_cert_name': None,
'dirsrv_cert_files
': None, 'no_dnssec_validation': None, 'no_reverse': None,
'unattended': False, 'auto_reverse': None, 'auto_forwarders': None,
'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None,
'dirsrv_config_file':
  None, 'forwarders': None, 'verbose': True, 'setup_ca': None,
'realm_name': None, 'skip_conncheck': None, 'no_ssh': None,
'forward_policy': None, 'dirsrv_cert_name': None, 'quiet': False,
'server': None, 'setup_dns': None, 'host_name': None, 'log_file':
None, 'allow_zone_overlap': None}
ipa.ipapython.install.cli.install_tool(Replica): DEBUGIPA version
4.4.0-14.el7_3.4
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/selinuxenabled
ipa : DEBUGProcess finished, return code=0
ipa : DEBUGstdout=
ipa : DEBUGstderr=
ipa : DEBUGLoading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUGLoading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUGhttpd is not configured
ipa : DEBUGkadmin is not configured
ipa : DEBUGdirsrv is not configured
ipa : DEBUGpki-tomcatd is not configured
ipa : DEBUGinstall is not configured
ipa : DEBUGkrb5kdc is not configured
ipa : DEBUGntpd is not configured
ipa : DEBUGnamed is not configured
ipa : DEBUGipa_memcached is not configured
ipa : DEBUGfilestore is tracking no files
ipa : DEBUGLoading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa : DEBUGConfiguring client side components
Configuring client side components
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended --no-ntp
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using
'ipa-client-install --uninstall'.
ipa : DEBUGProcess finished, return code=3
Removing client side components
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended
--uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
nslcd daemon is not installed, skip configuration
Client uninstall complete.
ipa : DEBUGProcess finished, return code=0

ipa.ipapython.install.cli.install_tool(Replica): DEBUG  File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
in execute
 return_value = self.run()
   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 318, in run
 cfgr.run()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 308, in run
 self.validate()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 317, in validate
 for nothing in self._validator():
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
 self._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
 six.reraise(*exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
 step()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in 
 step = lambda: next(self.__gen)
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
 six.reraise(*exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
 value = gen.send(prev_value)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 564, in _configure
 next(validator)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
 self._handle_exception(exc_info)
   File

Re: [Freeipa-users] New install, unsupported format?

2017-02-24 Thread Steve Huston

So, I tried a different tack.  Took my bare VM configured as an IPA
client, did a 'yum install ipa-server' and edited the cainstance.py
file to fix the IPv6 issue.  Then, without adding the host to
ipaservers in the webui, I simply tried to promote it:

# kinit admin
Password for ad...@astro.princeton.edu:
# ipa-replica-install --verbose
ipa.ipapython.install.cli.install_tool(Replica): DEBUGLogging to
/var/log/ipareplica-install.log
ipa.ipapython.install.cli.install_tool(Replica): DEBUG
ipa-replica-install was invoked with arguments [] and options:
{'no_dns_sshfp': None, 'skip_schema_check': None, 'setup_kra': None,
'ip_addresses': None
, 'mkhomedir': None, 'http_cert_files': None, 'ssh_trust_dns': None,
'reverse_zones': None, 'no_forwarders': None, 'keytab': None,
'no_ntp': None, 'domain_name': None, 'http_cert_name': None,
'dirsrv_cert_files
': None, 'no_dnssec_validation': None, 'no_reverse': None,
'unattended': False, 'auto_reverse': None, 'auto_forwarders': None,
'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None,
'dirsrv_config_file':
 None, 'forwarders': None, 'verbose': True, 'setup_ca': None,
'realm_name': None, 'skip_conncheck': None, 'no_ssh': None,
'forward_policy': None, 'dirsrv_cert_name': None, 'quiet': False,
'server': None, 'setup_dns': None, 'host_name': None, 'log_file':
None, 'allow_zone_overlap': None}
ipa.ipapython.install.cli.install_tool(Replica): DEBUGIPA version
4.4.0-14.el7_3.4
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/selinuxenabled
ipa : DEBUGProcess finished, return code=0
ipa : DEBUGstdout=
ipa : DEBUGstderr=
ipa : DEBUGLoading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUGLoading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUGhttpd is not configured
ipa : DEBUGkadmin is not configured
ipa : DEBUGdirsrv is not configured
ipa : DEBUGpki-tomcatd is not configured
ipa : DEBUGinstall is not configured
ipa : DEBUGkrb5kdc is not configured
ipa : DEBUGntpd is not configured
ipa : DEBUGnamed is not configured
ipa : DEBUGipa_memcached is not configured
ipa : DEBUGfilestore is tracking no files
ipa : DEBUGLoading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa : DEBUGConfiguring client side components
Configuring client side components
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended --no-ntp
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using
'ipa-client-install --uninstall'.
ipa : DEBUGProcess finished, return code=3
Removing client side components
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/ipa-client-install --unattended
--uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
nslcd daemon is not installed, skip configuration
Client uninstall complete.
ipa : DEBUGProcess finished, return code=0

ipa.ipapython.install.cli.install_tool(Replica): DEBUG  File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 318, in run
cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 308, in run
self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 317, in validate
for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in 
step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 564, in _configure
next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 449, in

Re: [Freeipa-users] New install, unsupported format?

2017-02-24 Thread Steve Huston

On Fri, Feb 24, 2017 at 2:31 AM, Standa Laznicka  wrote:
> Hello,
> I don't quite understand your situation - have the error happened during an
> addition of the host to the "ipaservers" group or during replica
> installation?

It was during the addition of the host.  In fact, any 'ipa' command
fails with the same error, even 'ipa help'.  I could understand if the
CA needs to be setup before these commands work, but then I'm pretty
sure I followed the order of the instructions for creating a replica
and this was the result.

Interestingly, when I first started to do this, I had other failures
related to the directory level.  I later realized that it's because I
was trying to create the replica on the test VM that I hadn't yet
upgraded from RHEL6 to RHEL7 so was trying to use IPA 3.x.  In that
instance, the command to add the soon-to-be replica to ipaservers
succeeded, but the command to create the replica failed with needing
the replica file (which I later realized what was going on and
reinstalled the VM as I intended originally).

> Certutil is a wonderful piece of software that returns
> "(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I have
> never seen an actual legacy database. Usually, this error means that the
> directory you're pointing the certutil tool to either does not exist or you
> don't have the permissions to read/write in this exact directory.

Everything else on the server seems to be working fine, and the error
containing the URL to the running server leads me to believe it's a
problem with communication between the two.  However there is no
firewalling on either host (yet) so I'm not sure why they wouldn't be
able to communicate.  I did run an strace of the process and didn't
see anything highly useful, in fact the only connect syscall I saw was
to the socket of the local nscd.

Debug output of 'ipa -d help':
ipa: DEBUG: Starting external process
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:ad...@astro.princeton.edu
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: failed to find session_cookie in persistent storage for
principal 'ad...@astro.princeton.edu'
ipa: INFO: trying https://ipa.astro.princeton.edu/ipa/json
ipa: DEBUG: Created connection context.rpcclient_49093200
ipa: INFO: Forwarding 'schema' to json server
'https://ipa.astro.princeton.edu/ipa/json'
ipa: DEBUG: NSSConnection init ipa.astro.princeton.edu
ipa: DEBUG: Destroyed connection context.rpcclient_49093200
ipa: ERROR: cannot connect to
'https://ipa.astro.princeton.edu/ipa/json':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.

> Cheers,
> Standa
>
> P.S.: I might have sent you this email twice because I am a bad person when
> it comes to the "Send" button, please reply to the email which has
> "freeipa-users" in CC :)

No worries :D

> On 02/23/2017 10:38 PM, Steve Huston wrote:
>>
>> I already had to do that previously to get other things to work; I had
>> solved it by changing line 582 of
>> /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from
>> "::1" to "localhost" before installing the server.  I did do this on
>> the to-be-promoted client as well, to no avail.
>>
>> On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden 
>> wrote:
>>>
>>> Steve Huston wrote:

 Next stage of my testing was to make a replica of the FreeIPA server,
 and I started by doing a 'yum install ipa-server' and then moved on to
 adding the host to the ipaservers group.  This fails every time
 however, with the error:

 ipa: ERROR: cannot connect to
 'https://ipa.astro.princeton.edu/ipa/json':
 (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
 unsupported format.

 Searches on this seem to turn up things like expired certificates, or
 "reboot httpd" (I went ahead and rebooted the whole ipa server), but
 nothing concrete.  Suggestions?  Everything (server and soon-to-be
 replica) running RHEL7.3 with all updates.

>>> See the workaround in
>>> https://fedorahosted.org/freeipa/ticket/6575#comment:9
>>>
>>> rob
>>
>>
>>
>

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] New install, unsupported format?

2017-02-23 Thread Standa Laznicka


Hello,
I don't quite understand your situation - have the error happened during 
an addition of the host to the "ipaservers" group or during replica 
installation?


Certutil is a wonderful piece of software that returns 
"(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I 
have never seen an actual legacy database. Usually, this error means 
that the directory you're pointing the certutil tool to either does not 
exist or you don't have the permissions to read/write in this exact 
directory.


Cheers,
Standa

P.S.: I might have sent you this email twice because I am a bad person 
when it comes to the "Send" button, please reply to the email which has 
"freeipa-users" in CC :)


On 02/23/2017 10:38 PM, Steve Huston wrote:

I already had to do that previously to get other things to work; I had
solved it by changing line 582 of
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from
"::1" to "localhost" before installing the server.  I did do this on
the to-be-promoted client as well, to no avail.

On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden  wrote:

Steve Huston wrote:

Next stage of my testing was to make a replica of the FreeIPA server,
and I started by doing a 'yum install ipa-server' and then moved on to
adding the host to the ipaservers group.  This fails every time
however, with the error:

ipa: ERROR: cannot connect to
'https://ipa.astro.princeton.edu/ipa/json':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.

Searches on this seem to turn up things like expired certificates, or
"reboot httpd" (I went ahead and rebooted the whole ipa server), but
nothing concrete.  Suggestions?  Everything (server and soon-to-be
replica) running RHEL7.3 with all updates.


See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9

rob





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] New install, unsupported format?

2017-02-23 Thread Steve Huston

I already had to do that previously to get other things to work; I had
solved it by changing line 582 of
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from
"::1" to "localhost" before installing the server.  I did do this on
the to-be-promoted client as well, to no avail.

On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden  wrote:
> Steve Huston wrote:
>> Next stage of my testing was to make a replica of the FreeIPA server,
>> and I started by doing a 'yum install ipa-server' and then moved on to
>> adding the host to the ipaservers group.  This fails every time
>> however, with the error:
>>
>> ipa: ERROR: cannot connect to
>> 'https://ipa.astro.princeton.edu/ipa/json':
>> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
>> unsupported format.
>>
>> Searches on this seem to turn up things like expired certificates, or
>> "reboot httpd" (I went ahead and rebooted the whole ipa server), but
>> nothing concrete.  Suggestions?  Everything (server and soon-to-be
>> replica) running RHEL7.3 with all updates.
>>
>
> See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9
>
> rob



-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] New install, unsupported format?

2017-02-23 Thread Rob Crittenden

Steve Huston wrote:
> Next stage of my testing was to make a replica of the FreeIPA server,
> and I started by doing a 'yum install ipa-server' and then moved on to
> adding the host to the ipaservers group.  This fails every time
> however, with the error:
> 
> ipa: ERROR: cannot connect to
> 'https://ipa.astro.princeton.edu/ipa/json':
> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
> unsupported format.
> 
> Searches on this seem to turn up things like expired certificates, or
> "reboot httpd" (I went ahead and rebooted the whole ipa server), but
> nothing concrete.  Suggestions?  Everything (server and soon-to-be
> replica) running RHEL7.3 with all updates.
> 

See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

Re: [Freeipa-users] New install, unsupported format?

9 matches

Site Navigation

Mail list logo

Footer information