June 2025 - FreeIPA-users - Fedora mailing-lists

Unable to log into WebUI with AD User
by Heidi Hough 23 Jun '25

23 Jun '25

We have configured a one-way trust from IPA to AD. I can log into IPA Client as an AD user without issue. Within the WebUI as an administrative user I have created ID Overrides for AD users that will need to log in to the WebUI. When I attempt to log in to the WebUI as an AD user, I encounter the following error: The password or username you entered is incorrect I have confirmed the password is correct. What do I need to check or adjust for this to work properly? Sanitized bits of those logs can be found here: https://privatebin.net/?7e9c61c69ec3c3ca#4988JrJob82S4Ywii5e5tkteL7GKwSgjdV… Thanks Heidi

1 0

pki-tomcat won't start after CA certs updated, getcert still shows a lot of expired certs
by Schrier, William (Contractor) 23 Jun '25

23 Jun '25

Our FreeIPA CA cert (externally signed via a Microsoft AD CA) recently expired. Unfortunately, I didn't notice it until after it expired. After jumping through some hoops and some help from Florence's blog, I was able to get new certificates installed successfully (at least according to the ipa-cacert-manage and ipa-certupdate commands). However, at this point, pki-tomcat will not start and ipa-getcert and getcert don't really show what I would expect... Oh - also, I should point out that I'm running on Oracle Linux 7.9 and FreeIPA VERSION: 4.6.8, API_VERSION: 2.237 - yes, I know I'm far from the latest out there, but until I can upgrade this server to a new OS, I'm kind of stuck... and unfortunately, my situation here is making upgrading the OS difficult, so please forgive me that I'm asking for assistance on such an old setup, but know that the goal is to upgrade, but that's not possible at this exact moment, so if I can fix this current setup to see me through until I can upgrade, that would be really good. Any suggestions so we can get these certs installed properly and get pki-tomcat started would be appreciated! When I run ipa-getcert list, I get the following (which is still showing the old cert): # ipa-getcert list Number of certificates and requests being tracked: 7. Request ID '20210201172924': status: NEED_TO_SUBMIT ca-error: Server at https://[hostname]/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://[hostname]:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)). stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: IPA issuer: CN=Certificate Authority,O=[DOMAIN] subject: CN=[hostname],O=[DOMAIN] expires: 2025-05-31 15:41:32 UTC principal name: krbtgt/[DOMAIN@DOMAIN]<mailto:krbtgt/PEACECORPS.GOV@PEACECORPS.GOV> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes And running getcert list returns mostly the old expired cert, but with one entry with the new cert: # getcert list | egrep "Request ID|status:|CA:|expires:" Request ID '20210201172746': status: CA_UNREACHABLE CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172819': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172820': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172821': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172822': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2027-06-09 13:26:26 UTC Request ID '20210201172823': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172924': status: CA_UNREACHABLE CA: IPA expires: 2025-05-31 15:41:32 UTC I do see the following in /var/log/pki/pki-tomcat/ca/debug: Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48) Internal Database Error encountered: Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48) And /var/log/pki/pki-tomcat/localhost.[date].log gets tons of these: SEVERE: Exception Processing /ca/admin/ca/getStatus javax.ws.rs.ServiceUnavailableException: Subsystem unavailable at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:750) SEVERE: Exception Processing /ca/ee/ca/profileSubmit javax.ws.rs.ServiceUnavailableException: Subsystem unavailable at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:750)

3 11

IPACertRevocation Error reported by ipa-healthcheck
by LHEUREUX Bernard 23 Jun '25

23 Jun '25

Hello to all of you, We have an infrastructure of 4 FreeIPA servers (replicas) and one of them reports this error message in ipa-healthcheck: ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x3a842545b not found (404) [ { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "a0c94d44-8e26-444d-87d0-ba985250e6d4", "when": "20250623104349Z", "duration": "2.257779", "kw": { "key": "20250613075922", "serial": 15707821147, "error": "Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x3a842545b not found (404)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } } ] No problem apparently on this infrastructure, and this message is only reported on one of the 4 replicas... How could I repair or clear this message ? Thanks for your help... Bernard. ________________________________ 1/Conform?ment ? notre certification ISO 27001, ce message et toute pi?ce jointe sont la propri?t? exclusive de Win. L'information contenue dans cet e- mail peut s'av?rer confidentielle et d?s lors prot?g?e de toute divulgation. Si vous avez re?u cette communication par erreur, veuillez nous en informer imm?diatement en r?pondant ? ce message et en le supprimant de votre ordinateur, sans le copier ni le divulguer. 2/L'acceptation de toute offre commerciale (quel qu'en soit le support) emporte l'adh?sion aux descriptifs (notamment techniques) inh?rents aux solutions offertes, ainsi qu'aux conditions commerciales g?n?rales de Win, consultables via https://www.win.be/cgv DISCLAIMER : https://www.win.be/fr-win/disclaimer.htm

1 3

Cloned VM with New Hostname Still Authenticates with Old FreeIPA Keytab
by Diogène Mutombo 23 Jun '25

23 Jun '25

Dear FreeIPA users, I’m encountering an issue when cloning a virtual machine that is a FreeIPA client. After cloning, I change both the IP address and the system hostname of the new VM. However, I noticed that the system can still authenticate users using the original FreeIPA keytab, even though the hostname has changed. This seems incorrect, as I would expect the hostname in the keytab to match the system hostname. Yet, the new system continues to authenticate FreeIPA users as if it still had the old hostname. My questions: How can I ensure that a cloned VM with a new hostname and IP cannot continue to authenticate using the keytab from the original machine? Is there a way to force a verification between the system hostname and the keytab’s principal? For example, if the hostname doesn't match the principal in the keytab, it should fail to connect or authenticate. What is the recommended process when cloning a FreeIPA-enrolled VM to ensure proper cleanup or re-enrollment? Thanks in advance for your help! Best regards, Diogène.

3 2

Cloned VM with New Hostname Still Authenticates with Old FreeIPA Keytab
by Diogène Mutombo 23 Jun '25

23 Jun '25

Dear FreeIPA users, I’m encountering an issue when cloning a virtual machine that is a FreeIPA client. After cloning, I change both the IP address and the system hostname of the new VM. However, I noticed that the system can still authenticate users using the original FreeIPA keytab, even though the hostname has changed. This seems incorrect, as I would expect the hostname in the keytab to match the system hostname. Yet, the new system continues to authenticate FreeIPA users as if it still had the old hostname. My questions: How can I ensure that a cloned VM with a new hostname and IP cannot continue to authenticate using the keytab from the original machine? Is there a way to force a verification between the system hostname and the keytab’s principal? For example, if the hostname doesn't match the principal in the keytab, it should fail to connect or authenticate. What is the recommended process when cloning a FreeIPA-enrolled VM to ensure proper cleanup or re-enrollment? Thanks in advance for your help! Best regards, Diogène.

1 0

`Job ipa.service/stop running` never completes on shutdown, but `systemctl stop ipa.service` works fine (takes about 15 seconds)
by CoreyLee Hassell 22 Jun '25

22 Jun '25

On shutdown, the job never completes, requiring me to reset the machine. I have two machines running freeipa in replication, the only difference is ipa1 is a dnssec signing master, and when I set that up, this issue started. ipa2 has no issue at all rebooting. I have searched for errors using journalctl for ipa.service, and some of the services it depends on. I didn't spot any shutdown errors, and they all seem to stop just fine, but feel free to ask for logs for more analysis if needed. I'm at a loss at what to do. OS: Fedora 42 Server Edition freeipa-server 4.12.2 [ OK ] Started plymouth-poweroff.service - Show Plymouth Power Off Screen. Starting plymouth-switch-root-initll Plymouth To Jump To initramfs... [ OK ] Stopped user(a)350400003.service - User Manager for UID 350400003. [ OK ] Finished plymouth-switch-root-init…Tell Plymouth To Jump To initramfs. Stopping systemd-user-sessions.service - Permit User Sessions... Stopping user-runtime-dir@35040000…me Directory /run/user/350400003... [ OK ] Unmounted run-user-350400003.mount - /run/user/350400003. [ OK ] Stopped systemd-user-sessions.service - Permit User Sessions. [ OK ] Stopped user-runtime-dir@350400003…time Directory /run/user/350400003. [ OK ] Removed slice user-350400003.slice - User Slice of UID 350400003. Stopping systemd-logind.service - User Login Management... [ OK ] Stopped systemd-logind.service - User Login Management. [ OK ] Stopped target nss-user-lookup.target - User and Group Name Lookups. Stopping sssd.service - System Security Services Daemon... [ OK ] Stopped sssd.service - System Security Services Daemon. [ OK ] Stopped pki-tomcatd(a)pki-tomcat.service - PKI Tomcat Server pki-tomcat. [ OK ] Removed slice system-pki\x2dtomcatd.slice - Slice /system/pki-tomcatd. [ OK ] Stopped ods-enforcerd.service - OpenDNSSEC Enforcer daemon. [ OK ] Stopped httpd.service - The Apache HTTP Server. [ OK ] Stopped target nss-lookup.target - Host and Network Name Lookups. [ OK ] Stopped target remote-fs.target - Remote File Systems. [ OK ] Stopped target remote-fs-pre.targe…reparation for Remote File Systems. [ OK ] Stopped target nfs-client.target - NFS client services. Stopping named.service - Berkeley Internet Name Domain (DNS)... Stopping rpc-gssd.service - RPC se…ervice for NFS client and server... [ OK ] Stopped rpc-gssd.service - RPC sec… service for NFS client and server. [ OK ] Stopped target rpc_pipefs.target. Unmounting var-lib-nfs-rpc_pipefs.mount - RPC Pipe File System... Stopping gssproxy.service - GSSAPI Proxy Daemon... [ OK ] Stopped gssproxy.service - GSSAPI Proxy Daemon. [ OK ] Stopped named.service - Berkeley Internet Name Domain (DNS). [ OK ] Unmounted var-lib-nfs-rpc_pipefs.mount - RPC Pipe File System. [ OK ] Stopped dirsrv@BOOTES-STARRYVERSE-…ry Server BOOTES-STARRYVERSE-LINK.. [ OK ] Removed slice system-dirsrv.slice - Slice /system/dirsrv. [ OK ] Stopped target network-online.target - Network is Online. [ OK ] Stopped NetworkManager-wait-online…vice - Network Manager Wait Online. Stopping chronyd.service - NTP client/server... [ OK ] Stopped chronyd.service - NTP client/server. [*** ] Job ipa.service/stop running (12min 37s / no limit)

2 1

ipalockout_postop - User fqdn=... is locked out. Too many failed authentication attempts.
by Anthony Messina 22 Jun '25

22 Jun '25

With FreeIPA 4.12.2-14.fc42 (and likely before), I have two hosts created in February 2025 that trigger the following: ns-slapd: ALERT - ipalockout_postop - User fqdn=ws1.example.com,cn=computers,cn=accounts,dc=example,dc=com is locked out. Too many failed authentication attempts. They were enrolled using OTP just like my other hosts in the past have been. They are the only two hosts in my dual-master FreeIPA setup with multiple hosts that show krbLastFailedAuth and krbLoginFailedCount: ~]# ipa host-show ws1 --all --raw ... has_password: FALSE has_keytab: TRUE krbLastFailedAuth: 20250217182326Z krbLastPwdChange: 20250216234605Z krbLoginFailedCount: 0 How do they get this way and is there a way to "unlock" these hosts? Thanks. -- Anthony - https://messinet.com

1 0

delete suborinate-id
by alexey safonov 21 Jun '25

21 Jun '25

Hi team, I accidentally created subordinateID and made some random user as an owner. So right now we are not using that function and I'd like to delete it. Could not find how to do that. any suggestions? Alex

3 3

Admin Users cannot change own passwords
by Russ Long 20 Jun '25

20 Jun '25

The subject line here is slightly vague/misleading, I wasn't sure how to say this in 20 words or less. I have a cluster where we have 6 "admin" users who are the only humans logging into the freeipa webui. When these users' passwords expire or are manually reset, they are unable to change the passwords, receiving the error "The password or username you entered is incorrect" on the password reset page during login. These users have OTP tokens, and are set to "Password & OTP" for the login method. We have tested with OTP Tokens disabled, and adding just "Password" to the login methods. If we reset the password, and then manually set "krbPasswordExpiration" to sometime in the future using ipa user-mod, users can login, and then change their passwords from within the UI itself, it appears to only be the change password on login flow that is causing problems. FreeIPA version: 4.12.2-14.el9.noarch Snippet of httpd error log: [Wed Jun 04 10:48:37.846536 2025] [wsgi:error] [pid 2246312:tid 2246543] [remote some_ip_address_here:60648] [Wed Jun 04 10:49:08.336028 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:60651] ipa: INFO: WSGI change_password.__call__: [Wed Jun 04 10:49:08.336201 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:60651] ipa: INFO: WSGI change_password: start password change of user 'admin-username' [Wed Jun 04 10:49:08.434192 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:60651] ipa: INFO: 200 Success: The old password or username is not correct. [Wed Jun 04 11:35:55.156892 2025] [wsgi:error] [pid 2246313:tid 2246537] [remote some_ip_address_here:61518] ipa: INFO: 401 Unauthorized: kinit: Cannot read password while getting initial credentials [Wed Jun 04 11:35:55.156946 2025] [wsgi:error] [pid 2246313:tid 2246537] [remote some_ip_address_here:61518] [Wed Jun 04 11:36:26.803929 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote some_ip_address_here:61553] ipa: INFO: WSGI change_password.__call__: [Wed Jun 04 11:36:26.804148 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote some_ip_address_here:61553] ipa: INFO: WSGI change_password: start password change of user 'admin-username' [Wed Jun 04 11:36:26.902851 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote some_ip_address_here:61553] ipa: INFO: 200 Success: The old password or username is not correct. [Wed Jun 04 11:37:17.224162 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:61690] ipa: INFO: WSGI change_password.__call__: [Wed Jun 04 11:37:17.224380 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:61690] ipa: INFO: WSGI change_password: start password change of user 'admin-username' [Wed Jun 04 11:37:17.326511 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:61690] ipa: INFO: 200 Success: The old password or username is not correct. [Wed Jun 04 11:39:04.879577 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote some_ip_address_here:62300] ipa: INFO: 401 Unauthorized: kinit: Cannot read password while getting initial credentials [Wed Jun 04 11:39:04.879628 2025] [wsgi:error] [pid 2246311:tid 2246534] [remote some_ip_address_here:62300] [Wed Jun 04 11:39:22.247446 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:62300] ipa: INFO: WSGI change_password.__call__: [Wed Jun 04 11:39:22.247637 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:62300] ipa: INFO: WSGI change_password: start password change of user 'admin-username' [Wed Jun 04 11:39:22.341247 2025] [wsgi:error] [pid 2246314:tid 2246540] [remote some_ip_address_here:62300] ipa: INFO: 200 Success: The old password or username is not correct. krb5kdc log snippet: Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129: CLIENT KEY EXPIRED: admin-username(a)IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM, Password has expired Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129: NEEDED_PREAUTH: admin-username(a)IPA.DOMAIN.COM for kadmin/changepw(a)IPA.DOMAIN.COM, Additional pre-authentication required Jun 04 11:39:04 ipa-primary.ipa.domain.com krb5kdc[1301542](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.15.201.129: ISSUE: authtime 1749051544, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, admin-username(a)IPA.DOMAIN.COM for kadmin/changepw(a)IPA.DOMAIN.COM I can provide other redacted logs if needed.

2 2

Replication issues
by Kroon PC, Peter 19 Jun '25

19 Jun '25

Hello world, I have 3 IPA servers that are supposed to all replicate with each other. For one server this stopped working. On all servers I have ipa-server 4.12.2-14.el9_6 on Rocky Linux 9.6. I'll call my servers A, B, and C. Server A cannot replicate with neither server B nor C. B and C can replicate eachother without issues. My first suspicion was a firewall, but I've already confirmed that that's not the issue. Here's the sanitized CLI outputs, all from server A: ``` $ ipa-healthcheck { "source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "CRITICAL", "uuid": "9c96a61a-d917-44de-907a-d5c7a4df667e", "when": "20250606095130Z", "duration": "1.072988", "kw": { "key": "DSREPLLE0001", "items": [ "Replication", "Agreement" ], "msg": "The replication agreement (server-A.example.com-to-server-C.example.com) under \"dc=example,dc=com\" is not in synchronization." } }, { "source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "CRITICAL", "uuid": "6c29d38e-a216-414e-b47a-d9302f38da67", "when": "20250606095131Z", "duration": "1.073047", "kw": { "key": "DSREPLLE0001", "items": [ "Replication", "Agreement" ], "msg": "The replication agreement (metoserver-B.example.com) under \"dc=example,dc=com\" is not in synchronization." } }, { "source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "CRITICAL", "uuid": "445f686b-27d9-47e0-aaa8-bb8d5f3416d4", "when": "20250606095131Z", "duration": "1.073054", "kw": { "key": "DSREPLLE0001", "items": [ "Replication", "Agreement" ], "msg": "The replication agreement (catoserver-B.example.com) under \"o=ipaca\" is not in synchronization." } }, { "source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "CRITICAL", "uuid": "bb6fb4b1-54fc-45dc-bb33-c8c3562f5765", "when": "20250606095131Z", "duration": "1.073058", "kw": { "key": "DSREPLLE0001", "items": [ "Replication", "Agreement" ], "msg": "The replication agreement (server-A.example.com-to-server-C.example.com) under \"o=ipaca\" is not in synchronization." } } ``` ``` $ ipa-replica-manage list ipa-replica-manage list Directory Manager password: server-A.example.com: master server-B.example.com: master server-C.example.com: master ``` Ok, things are broken, let's try force-sync. ``` $ ipa-replica-manage force-sync --from server-B.example.com --verbose --debug <snip imports> ipa: DEBUG: found 1 A records for server-A.example.com.: 192.168.12.58 ipa: DEBUG: The DNS response does not contain an answer to the question: server-A.example.com. IN AAAA Directory Manager password: ipa: DEBUG: Created connection context.ldap2_139632322538896 ipa: DEBUG: found 1 A records for server-A.example.com.: 192.168.12.58 ipa: DEBUG: The DNS response does not contain an answer to the question: server-A.example.com. IN AAAA ipa: DEBUG: found 1 A records for server-B.example.com.: 192.168.13.128 ipa: DEBUG: The DNS response does not contain an answer to the question: server-B.example.com. IN AAAA ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://server-A.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7efeaefd2460> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-BIN-BIOINF-NL.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7efeaefd2610> ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://server-B.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7efeae1ee1f0> ipa: INFO: Setting agreement cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config ipa: INFO: Replication Update in progress: False: status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error): start: 19700101000000: end: 19700101000000 ipa: DEBUG: Destroyed connection context.ldap2_139632322538896 ``` Maybe I can re-initialize? ``` $ ipa-replica-manage re-initialize --from server-B.example.com --verbose --debug <snip import> <snip DNS responses, same as above> Directory Manager password: ipa: DEBUG: Created connection context.ldap2_140512488991280 ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://server-A.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fcb9c310dc0> ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://server-B.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fcb9c1e10a0> ipa: INFO: Setting agreement cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToserver-A.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config Update in progress, 15 seconds elapsed [ldaps://server-B.example.com:636] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials - no response received] ipa: DEBUG: Destroyed connection context.ldap2_140512488991280 ``` Is it a firewall or password issue? No: ``` $ ldapwhoami -H ldaps://server-B.example.com -D 'cn=directory manager' -W Enter LDAP Password: dn: cn=directory manager ``` From server-B: ``` server-B $ ldapwhoami -H ldaps://server-A.example.com -D 'cn=directory manager' -W Enter LDAP Password: dn: cn=directory manager ``` I also checked that `ipa-replica-manage list-ruv` produces the same output for all 3 servers. Does anyone have any more ideas I could explore? Many thanks in advance! Peter

3 11

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2025