FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
by Anthony Joseph Messina
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
Thanks. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
2 years, 9 months
Invalid CA chain after ca chain renewal
by Philipp Leusmann
Hi,
I have just renewed freeipas externally signed CA certificate using 'ipa-cacert-manage renew --external-ca'
Given the new CSR contains the same key elements as the previous one, I already had to ignore the duplicate while signing. Maybe that's the cause for the issues following?
After renewing I now have the new and the old CA key in /etc/ipa/ca.crt and also in exported certificate chains which for example nginx cannot handle properly.
1) Did I do anything wrong during renewal?
2) How can I remove the previous CA cert?
Thanks in advance,
Philipp
2 years, 9 months
python3-ipaserver installutils.py missing IPA_MODULES list
by iulian roman
Hello everybody,
I do not know if this is the right place to mention it, but maybe there will be someone who can redirect me to the right list or support channel.
On RHEL 8.3, the latest python3-ipaserver package (python3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37) does not contain the IPA_MODULES list in the installutils.py package. Due to that, the ansible freeipa role will fail.
Can you please suggest whom I should contact for that or where it should be reported?
2 years, 9 months
ipa-replica-install failing - operations error: the changelog directory already exists and is not empty
by Sinh Lam
Hi Everyone -
I'm running into this odd issue I can't seem to find a resolution to. Long story short, my IPA master was on a system that had a power failure. Upon bringing it up, the dirsrv failed to start due to a zero-byte dse.ldif file. Used a "backup" of the file and my master seemed to have come back up OK; however, replication seems to have stopped working.
When I noticed that replication wasn't working from the replicas to the master I went digging and found this (which led me to try to recover by removing the old replicas and trying to do a reinstall):
replica.domain.net: replica
last update status: Error (6) Replication error acquiring replica: Unable to acquire replica: there is no replicated area on the consumer server. Replication is aborting. (no such replica)
last update ended: 2021-05-20 15:29:28+00:00
The above "last update" corresponds with the power outage that took down the IPA master.
I'm trying to re-initialize the replication by doing a reinstall of the replica server but I'm failing with the following error:
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
[2/42]: configure autobind for root
[3/42]: tune ldbm plugin
[4/42]: stopping directory server
[5/42]: updating configuration in dse.ldif
[6/42]: starting directory server
[7/42]: adding default schema
[8/42]: enabling memberof plugin
[9/42]: enabling winsync plugin
[10/42]: configure password logging
[11/42]: configuring replication version plugin
[12/42]: enabling IPA enrollment plugin
[13/42]: configuring uniqueness plugin
[14/42]: configuring uuid plugin
[15/42]: configuring modrdn plugin
[16/42]: configuring DNS plugin
[17/42]: enabling entryUSN plugin
[18/42]: configuring lockout plugin
[19/42]: configuring topology plugin
[20/42]: creating indices
[21/42]: enabling referential integrity plugin
[22/42]: configuring certmap.conf
[23/42]: configure new location for managed entries
[24/42]: configure dirsrv ccache and keytab
[25/42]: enabling SASL mapping fallback
[26/42]: restarting directory server
[27/42]: creating DS keytab
[28/42]: ignore time skew for initial replication
[29/42]: setting up initial replication
[error] DatabaseError: Operations error: The changelog directory [/var/lib/dirsrv/slapd-REPLICA-DOMAIN-NET/cldb] already exists and is not empty. Please choose a directory that does not exist or is empty.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Operations error: The changelog directory [/var/lib/dirsrv/slapd-REPLICA-DOMAIN-NET/cldb] already exists and is not empty. Please choose a directory that does not exist or is empty.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I've since done several uninstalls and verified at each uninstall that the /var/lib/dirsrv directory is empty.
Any pointers on how to get past this issue would be great since I have about 10 more replicas to get back up.
Thanks.
Sinh
2 years, 9 months
custom tls certificate for web UI
by iulian roman
Hello everybody,
I tried to change the Web UI certificate with a custom certificate signed by our internal CA. The custom certificate was provided as a bundle (certificate + intermediates). The root CA which signs the intermediate was added to the truststore with ipa-cacert-manage.
Everything was successful, but when I accessed the Web UI I noticed that IPA provides only the certificate, not the full chain, which makes the certificate not trusted by the browsers (they are configured to trust only our internal root CA).
Is there any method to configure IPA/IdM to provide the full certificate chain (certificate + intermediate) to the HTTP clients, or is there anything I configured wrong?
2 years, 10 months
IPA Reinstall
by Robert.Mattson@L3Harris.com
Dear Community,
I'd like to uninstall and reinstall IPA from a CentOS box because it's easier than reinstalling the OS completely.
We have a number of replicas, and this host is installed using ipa-client-install and then ipa-replica-install.
To remove it, I back up some data like /var/kerberos/krb5kdc/{cacert.pem,kd*} and /etc/httpd/conf/password.conf
and then run '/usr/sbin/ipa-server-install --uninstall -U --ignore-topology-disconnect'.
I then sed '/Environment=K/d', '/ExecStartPre/d', '/ExecStopPost/d' /etc/systemd/system/httpd.service.
I recreate the host account on another replica using ipa host-add, then ipa hostgroup-add-member.
On the now-removed host, I do some housekeeping like restoring the backed-up files and then I run:
/usr/sbin/ipa-client-install \
--password=${otp} \
--mkhomedir \
--no-ntp \
--unattended \
--domain=realm.name \
--realm=REALM.NAME \
--ca-cert-file=/etc/pki/ca-trust/source/ca.crt
then
/usr/sbin/ipa-replica-install \
--dirsrv-cert-file=/etc/pki/tls/private/ipa.pkcs12 \
--http-cert-file=/etc/pki/tls/private/ipa.pkcs12 \
--dirsrv-pin=pwd \
--http-pin=pwd \
--unattended \
--no-pkinit \
--no-ntp
I seem to get the following keytab request problem followed by dirsrv failure from ipa-replica-install (4.6.4-10.el7.centos.3.x86_64). If I upgrade to 4.6.8-5.el7.centos.4.noarch.rpm, I get the same problem. [1]
On serverb, the host which receives the binding request for the reinstall, I get 'permission denied. The bind dn "" does not have permission' in the dirsrv error log [2]...?
Does anyone have any thoughts,
Cheers and many thanks in advance,
Rob
[1]
2021-05-26T02:50:56Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa.conf'
2021-05-26T02:50:56Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist
2021-05-26T02:50:56Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf'
2021-05-26T02:50:56Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
2021-05-26T02:50:56Z DEBUG duration: 0 seconds
2021-05-26T02:50:56Z DEBUG [10/21]: setting up httpd keytab
2021-05-26T02:50:56Z DEBUG raw: service_add(u'HTTP/servera.system@REALM.NAME', force=True, version=u'2.230')
2021-05-26T02:50:56Z DEBUG service_add(ipapython.kerberos.Principal('HTTP/servera.system@REALM.NAME'), force=True, all=False, raw=False, version=u'2.230', no_members=False)
2021-05-26T02:50:56Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket from SchemaCache
2021-05-26T02:50:56Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0d29f50368>
2021-05-26T02:50:57Z DEBUG raw: host_show(u'servera.system', version=u'2.230')
2021-05-26T02:50:57Z DEBUG host_show(u'servera.system', rights=False, all=False, raw=False, version=u'2.230', no_members=False)
2021-05-26T02:50:57Z DEBUG Backing up system configuration file '/var/lib/ipa/gssproxy/http.keytab'
2021-05-26T02:50:57Z DEBUG -> Not backing up - '/var/lib/ipa/gssproxy/http.keytab' doesn't exist
2021-05-26T02:50:57Z DEBUG Starting external process
2021-05-26T02:50:57Z DEBUG args=/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.system@REALM.NAME -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL
2021-05-26T02:50:57Z DEBUG Process finished, return code=9
2021-05-26T02:50:57Z DEBUG stdout=
2021-05-26T02:50:57Z DEBUG stderr=Failed to parse result: unsupported extended operation
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: unsupported extended operation
Failed to get keytab!
Failed to get keytab
2021-05-26T02:50:57Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 637, in request_service_keytab
super(HTTPInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.system@REALM.NAME -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
2021-05-26T02:50:57Z DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.system@REALM.NAME -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
2021-05-26T02:50:57Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
return self.execute()
exc_handler(exc_info)
<snip />
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main
replica_install(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1487, in install
fstore=fstore)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 173, in install_http
subject_base=config.subject_base, master_fqdn=config.master_host_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 188, in create_instance
self.start_creation()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 637, in request_service_keytab
super(HTTPInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
2021-05-26T02:50:57Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.system@REALM.NAME -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
2021-05-26T02:50:57Z ERROR Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.system@REALM.NAME -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
2021-05-26T02:50:57Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[2]
[26/May/2021:12:50:47.240285166 +1000] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meToservera.system" (servera:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[26/May/2021:12:50:47.858057379 +1000] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meToservera.system" (servera:389)".
[26/May/2021:12:50:50.679652092 +1000] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished total update of replica "agmt="cn=meToservera.system" (servera:389)". Sent 582 entries.
[26/May/2021:12:50:52.158394667 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[26/May/2021:12:50:55.079367688 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[26/May/2021:12:50:58.084381230 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[26/May/2021:12:51:01.092727541 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
2 years, 10 months
Kerberos Issues
by Mark Potter
Long story short, we had to redeploy part of our FreeIPA cluster. As far as I know I followed all of the proper procedures and everything seems to be working from the client side; however, we are getting a TON of these messages in krb5kdc.log:
ipa3.example.com krb5kdc[31232](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.6.21.19: LOOKING_UP_SERVER: authtime 0, host/client100.example.com@EXAMPLE.COM for nfs/nfs1.example.com@EXAMPLE.COM, Server not found in Kerberos database
client100.example.com has working forward and reverse DNS entries that resolve from all FreeIPA servers and from itself.
nfs1.example.com has working forward and reverse entries that resolve from all FreeIPA servers and from itself. It is not part of the FreeIPA domain at all; it is still using the authentication we are replacing with FreeIPA. It is used for automount homedirs in FreeIPA but is not kerberized.
All of the clients reporting this error still properly automount homedirs, and that is the only thing on nfs1.example.com. There is another mountpoint, also not kerberized, in the automount setup that is not throwing any errors and is accessed extremely frequently.
I am happy to provide any logs necessary to track this down.
--
*Mark Potter*
2 years, 10 months
ACME admin replication conflict
by Stijn De Weirdt
Hello all,
In our setup ipa-healthcheck reports an issue with a replication conflict on "dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca". The conflict and the valid entry are almost identical:
> Valid Entry:
>
> dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca
> cn: Enterprise ACME Administrators
> description: ACME RA accounts
> objectClass: top
> objectClass: groupOfUniqueNames
> uniqueMember: uid=acme-master2.domain,ou=people,o=ipaca
> uniqueMember: uid=ipara,ou=people,o=ipaca
The conflicting entry is the same, except for the line
> uniqueMember: uid=acme-master1.domain,ou=people,o=ipaca
I would like some guidance on what this means and how to proceed: delete the conflicting entry, swap to the conflicting entry, or merge it (somehow)?
Many thanks,
Stijn
2 years, 10 months
broken replication between multi-master nodes
by Amos
We have a multi-master configuration between two servers, ca-master1 and rep1. It was discovered that there were some replication failures with some records. We were instructed to clear these failed replication events by doing the following.
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'krbprincipalname=HTTP/ca-master1.ipa.xxx.org@IPA.XXX.ORG+nsuniqueid=024ed801-290c11eb-a80f9961-57f7bd5e,cn=services,cn=accounts,dc=ipa,dc=xxx,dc=org'
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'cn=ca-master1.ipa.xxx.org+nsuniqueid=f400bc09-290b11eb-a80f9961-57f7bd5e,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=xxx,dc=org'
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'cn=KDC+nsuniqueid=f400bc0e-290b11eb-a80f9961-57f7bd5e,cn=ca-master1.ipa.xxx.org,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=xxx,dc=org'
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'cn=KPASSWD+nsuniqueid=f400bc0f-290b11eb-a80f9961-57f7bd5e,cn=ca-master1.ipa.xxx.org,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=xxx,dc=org'
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'cn=HTTP+nsuniqueid=024ed802-290c11eb-a80f9961-57f7bd5e,cn=ca-master1.ipa.xxx.org,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=xxx,dc=org'
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'cn=OTPD+nsuniqueid=024ed803-290c11eb-a80f9961-57f7bd5e,cn=ca-master1.ipa.xxx.org,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=xxx,dc=org'
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'cn=KEYS+nsuniqueid=024ed804-290c11eb-a80f9961-57f7bd5e,cn=ca-master1.ipa.xxx.org,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=xxx,dc=org'
# ldapdelete -x -h localhost -D 'cn=Directory Manager' -W 'fqdn=oitidpnpdev02.xxx.org+nsuniqueid=10cf0001-a93e11eb-87aeb044-5694b0fb,cn=computers,cn=accounts,dc=ipa,dc=xxx,dc=org'
Unfortunately, right after performing the above actions, we noticed:
ca-master1:
[19/May/2021:15:27:59.825229655 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=ir-nfs,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:15:27:59.861813312 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=acc-hosts,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:15:27:59.899343450 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=irunix,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:15:27:59.936539800 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=nfs-hosts,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:15:27:59.983973594 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=ir-nfs,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:15:28:00.020404656 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=acc-hosts,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:18:32:35.566302057 -0500] - ERR - cos-plugin - cos_cache_entry_is_cos_related - Modified entry is NULL--updating cache just in case
[19/May/2021:18:32:35.570114071 -0500] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=xxx,dc=org--no CoS Templates found, which should be added before the CoS Definition.
[19/May/2021:18:34:32.674161356 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[19/May/2021:18:34:35.681799169 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[19/May/2021:18:34:41.689490330 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[19/May/2021:18:34:53.711905379 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[19/May/2021:18:35:17.719796394 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
rep1:
[19/May/2021:15:28:39.324345375 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=iamshibnonprod,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:15:28:39.331127354 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=iamshibnonprod,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.
[19/May/2021:18:32:35.294020328 -0500] - ERR - ipa-topology-plugin - ipa_topo_util_modify: failed to modify entry (cn=replica,cn=dc\3Dipa\2Cdc\3Dxxx\2Cdc\3Dorg,cn=mapping tree,cn=config): error 16
[19/May/2021:18:32:35.310416977 -0500] - ERR - ipa-topology-plugin - ipa_topo_agmt_del: cn=rep1.ipa.xxx.org-to-ca-master1.ipa.xxx.org
[19/May/2021:18:32:36.592724176 -0500] - ERR - ipa-topology-plugin - ipa_topo_agmt_del: cn=rep1.ipa.xxx.org-to-ca-master1.ipa.xxx.org
[19/May/2021:18:32:36.705929392 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Initiating CleanAllRUV Task...
[19/May/2021:18:32:36.706688135 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Retrieving maxcsn...
[19/May/2021:18:32:36.707404944 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Found maxcsn (60a574f60003000b0000)
[19/May/2021:18:32:36.717663920 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Initiating CleanAllRUV Task...
[19/May/2021:18:32:36.718617493 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Retrieving maxcsn...
[19/May/2021:18:32:36.721014950 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Found maxcsn (60a59d050000000c0000)
[19/May/2021:18:32:36.739433329 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Cleaning rid (12)...
[19/May/2021:18:32:36.742689695 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Waiting to process all the updates from the deleted replica...
[19/May/2021:18:32:36.744353200 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Waiting for all the replicas to be online...
[19/May/2021:18:32:36.746343965 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Waiting for all the replicas to receive all the deleted replica updates...
[19/May/2021:18:32:36.748234565 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Sending cleanAllRUV task to all the replicas...
[19/May/2021:18:32:36.750036702 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Cleaning local ruv's...
[19/May/2021:18:32:37.720908584 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Cleaning rid (11)...
[19/May/2021:18:32:37.723446365 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Waiting to process all the updates from the deleted replica...
[19/May/2021:18:32:37.725861245 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Waiting for all the replicas to be online...
[19/May/2021:18:32:37.728834914 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Waiting for all the replicas to receive all the deleted replica updates...
[19/May/2021:18:32:37.731854881 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Sending cleanAllRUV task to all the replicas...
[19/May/2021:18:32:37.733648087 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Cleaning local ruv's...
[19/May/2021:18:32:37.766056624 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Waiting for all the replicas to be cleaned...
[19/May/2021:18:32:37.776216157 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Waiting for all the replicas to finish cleaning...
[19/May/2021:18:32:37.778075680 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Original task deletes Keep alive entry (12).
[19/May/2021:18:32:37.830528541 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): No Keep-Alive entry to remove (cn=repl keep alive 12,o=ipaca)
[19/May/2021:18:32:37.833448028 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Successfully cleaned rid(12)
[19/May/2021:18:32:38.746020775 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Waiting for all the replicas to be cleaned...
[19/May/2021:18:32:38.756663129 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Waiting for all the replicas to finish cleaning...
[19/May/2021:18:32:38.758723096 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Original task deletes Keep alive entry (11).
[19/May/2021:18:32:38.766944696 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Removed Keep-Alive entry (cn=repl keep alive 11,dc=ipa,dc=xxx,dc=org)
[19/May/2021:18:32:38.768635297 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Successfully cleaned rid(11)
[19/May/2021:18:34:32.668761455 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=6307648 op=5 replica="o=ipaca": Unable to acquire replica: error: permission denied
[19/May/2021:18:34:35.676187613 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=6307648 op=6 replica="o=ipaca": Unable to acquire replica: error: permission denied
[19/May/2021:18:34:41.684145521 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=6307648 op=7 replica="o=ipaca": Unable to acquire replica: error: permission denied
[19/May/2021:18:34:53.699403689 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=6307648 op=8 replica="o=ipaca": Unable to acquire replica: error: permission denied
Now these two servers cannot sync anything, and are becoming disjoint.
Any tips on how to rectify this?
I'm getting the sinking feeling that I'll need to do the following:
- Take a full ldif dump of both servers and see what differences there might be.
- Anything in rep1 not in ca-master1, add to ca-master1 via ldapadd.
- Delete rep1 as a replica (which will cause some issue with any clients currently bound to rep1).
- Re-initialize rep1 as a multi-master replica.
Is there perhaps a simpler trick to fix things?
Amos
2 years, 10 months
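The dirsrv error logs quoted in this thread and in the reinstall thread above share one line shape, and in both cases the repeated "Unable to acquire replica: permission denied" was noticed only after replication had already drifted. The Go program below is an added example, not 389-ds or FreeIPA code and not from either poster: it parses that errors-log format into timestamp, level, source and message, pulls out the agreement name, and tallies acquire failures per agreement so that a monitor can alert once an agreement has failed repeatedly. The sample lines are constructed from the shapes quoted in the threads, and the alert threshold of 3 is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// dsEntry is one line of the 389-ds errors log, whose shape is
// [DD/Mon/YYYY:HH:MM:SS.nnnnnnnnn -ZZZZ] - LEVEL - source - message
type dsEntry struct {
	when    time.Time
	level   string // INFO, WARN, ERR
	source  string // plugin or function that logged the line
	message string
	agmt    string // replication agreement named in the message, if any
}

var (
	lineRe = regexp.MustCompile(`^\[([^\]]+)\] - (\w+) - (.*)$`)
	agmtRe = regexp.MustCompile(`agmt="([^"]+)"`)
)

const dsTimeLayout = "02/Jan/2006:15:04:05.000000000 -0700"

// parseDSLine parses one errors-log line; ok is false for wrapped or unknown lines.
func parseDSLine(line string) (e dsEntry, ok bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return e, false
	}
	when, err := time.Parse(dsTimeLayout, m[1])
	if err != nil {
		return e, false
	}
	e = dsEntry{when: when, level: m[2], source: m[3]}
	if i := strings.Index(m[3], " - "); i >= 0 {
		e.source, e.message = m[3][:i], m[3][i+3:]
	}
	if a := agmtRe.FindStringSubmatch(e.message); a != nil {
		e.agmt = a[1]
	}
	return e, true
}

// agmtStatus tallies "Unable to acquire replica" errors for one agreement.
type agmtStatus struct {
	failures    int
	first, last time.Time
}

// acquireFailures counts replica-acquire errors per agreement across the given lines.
func acquireFailures(lines []string) map[string]*agmtStatus {
	out := map[string]*agmtStatus{}
	for _, l := range lines {
		e, ok := parseDSLine(l)
		if !ok || e.level != "ERR" || e.agmt == "" || !strings.Contains(e.message, "Unable to acquire replica") {
			continue
		}
		s, seen := out[e.agmt]
		if !seen {
			s = &agmtStatus{first: e.when}
			out[e.agmt] = s
		}
		s.failures++
		s.last = e.when
	}
	return out
}

// brokenAgreements lists (sorted) the agreements that failed at least threshold times.
func brokenAgreements(status map[string]*agmtStatus, threshold int) []string {
	var names []string
	for name, s := range status {
		if s.failures >= threshold {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// sampleLog is constructed from the line shapes quoted in the threads above.
var sampleLog = []string{
	`[19/May/2021:15:28:39.324345375 -0500] - WARN - str2entry_dupcheck - Duplicate value for attribute type nisNetgroupTriple detected in entry cn=iamshibnonprod,cn=ng,cn=compat,dc=ipa,dc=xxx,dc=org. Extra value ignored.`,
	`[19/May/2021:18:32:35.294020328 -0500] - ERR - ipa-topology-plugin - ipa_topo_util_modify: failed to modify entry (cn=replica,cn=dc\3Dipa\2Cdc\3Dxxx\2Cdc\3Dorg,cn=mapping tree,cn=config): error 16`,
	`[19/May/2021:18:32:36.705929392 -0500] - INFO - NSMMReplicationPlugin - CleanAllRUV Task (rid 11): Initiating CleanAllRUV Task...`,
	`[19/May/2021:18:34:32.674161356 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.`,
	`[19/May/2021:18:34:35.681799169 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.`,
	`[19/May/2021:18:34:41.689490330 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.`,
	`[19/May/2021:18:35:17.719796394 -0500] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ca-master1.ipa.xxx.org-to-rep1.ipa.xxx.org" (rep1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.`,
}

func main() {
	status := acquireFailures(sampleLog)
	for _, name := range brokenAgreements(status, 3) { // threshold of 3 is an assumption
		s := status[name]
		fmt.Printf("%s: %d acquire failures from %s to %s\n", name, s.failures,
			s.first.Format(time.RFC3339), s.last.Format(time.RFC3339))
	}
}
```

Feeding it the errors log of each server (the file 389-ds writes under /var/log/dirsrv/slapd-INSTANCE/ on a default install) gives one line per agreement that keeps failing, with the window of the failures, which is the signal that was missing in both threads until the replicas had already diverged.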
FreeIPA SSL chain
by Andrew Meyer
Hello,
I am trying to find the correct way to get the FreeIPA SSL certificate in pem format.
So far I have the following commands:
kinit $USER_WITH_ADMIN_PRIVS
ipa ca-show
ipa ca-show --certificate-out=/etc/pki/tls/private/server.key
I don't think this is right. I need this to get the private key for FreeIPA for setting up Duo 2FA.
Thanks!
2 years, 10 months