[Freeipa-users] Re: v4.6.8->v4.10.1 Replica Install | CA Configuration Section | Admin Login Failing

Hi, as you correctly found, the issue is a known problem on 389-ds side (issue #5565 <https://github.com/389ds/389-ds-base/issues/5565> / BZ 2170224 <https://bugzilla.redhat.com/show_bug.cgi?id=2170224>). During the replica installation, the replica locally creates a temporary user, that is then replicated to the master. To ensure that the temporary user has been replicated to the master, the installer waits a bit and tries to perform a ldap bind on the master with the credentials for this temp user. The temp user is created on the replica hence its password is stored using PBKDF2-SHA512. This password storage scheme is not available on the master, and the direct consequence is that the bind fails. The issue has been fixed on 389-ds side by adding support on the older version for the password storage scheme and will be available soon on RHEL 7.9, but I can't tell when it will reach c7. HTH, flo On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org&gt; wrote: > Hey, > > I'm trying to create a replica from an older FreeIPA server to a more > modern one. The eventual plan being to remove the very old one and use the > new one as the primary. Then new replicas would be created off it. > > Running into a problem though during the CA Configuration phase when it > tries to create the admin user, or rather verify it. > > This thread > <https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... > might be related as well as RedHat Bugzilla – Bug 2151071 > <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>;. > > Details on the issue, environment, and troubleshooting performed so far > are posted here <https://www.gpmidi.net/node/162> as well as copy/pasted > below. > > -Paulson > > The ProblemOverview > > Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a > new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the > `Configuring certificate server (pki-tomcatd)` phase. > Example ipa-replica-install error > > # kinit <MY PERSONAL ADMIN USERNAME> > # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids > > ... > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes > [1/30]: creating certificate server db > [2/30]: setting up initial replication > Starting replication, please wait until this has completed. > Update in progress, 11 seconds elapsed > Update succeeded > > [3/30]: creating ACIs for admin > [4/30]: creating installation admin user > Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 > [hint] tune with replication_wait_timeout > [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 > The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information > > From Installer Log > > 2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user > 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389 > 2023-03-01T18:01:32Z ERROR Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 > 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout > 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last): > File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation > run_step(full_msg, method) > File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step > method() > File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 789, in setup_admin > raise errors.NotFound( > ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 > > 2023-03-01T18:01:32Z DEBUG [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 > > 2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 > > While Waiting For User Sync/Validation... > > *tl;dr The user seems to exist on both sides!* > > [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389 > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree > # filter: (objectclass=*) > # requesting: ldap://ipam.i.gpmidi.net:389 > # > > # admin-ipa0.i.gpmidi.net, people, ipaca > dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree > # filter: (objectclass=*) > # requesting: ldap://localhost > # > > # admin-ipa0.i.gpmidi.net, people, ipaca > dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > ------------------------------ > The EnvironmentSource > > Distro: CentOS 7.9.2009 > FreeIPA: 4.6.8 > TargetOriginally > > Distro: Fedora Server 36 > FreeIPA: 4.9.11 > Later > > Distro: Fedora Server 37 > FreeIPA: 4.10.1 > Install CommandsStep 1 - Client > > ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET --ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid --hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org > > Step 2 - kinit > > kinit <MY PERSONAL USER> > > Step 3 - Replica Install > > ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids > > Sometimes the `--debug` flag was also used. > > The installer would ask about trusted domain support - answered "no" via > no entry unless noted otherwise. > > Enable trusted domains support in slapi-nis? [no]: > > Cleanup Commands > > Used after a failure to reset the environment. > Step 1 - Uninstall > > /usr/sbin/ipa-server-install --uninstall > > Step 2 - Validated Server Removed > > Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and > validated that the new server, ipa0, wasn't listed. Deleted if it was. > ------------------------------ > Related Links > > - FreeIPA Users thread > <https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... > - Red Hat Bugzilla – Bug 2151071 > <https://bugzilla.redhat.com/show_bug.cgi?id=2151071> > > ------------------------------ > Attempted Fixes > > Changed Replication Wait Time > > Created ` /etc/ipa/installer.conf` (see below) and changed the time in > seconds. > > # cat /etc/ipa/installer.conf > [global] > replication_wait_timeout=30 > > Result > > 30s = No change > 300s = No change > 600s = No change > > *Left at 30s for further testing - keeps it quick - provides more than > enough time since my ldap db is small. * > Update Source IPA Box From C7 To C8Result > > Upgrade from c7 to c8 failed badly. Might try again later. > Update Source IPA Box 389 `root` Password Hash Type > > # /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current DirSrv Root Password>' > {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx > > Result > > No change > Updated Target IPA Box To Fedora Server 37 > > Updated target IPA box from f36 to f37. This changed the IPA version from > 4.9.11 to 4.10.1. > Result > > No change > Changing Password Storage Scheme On Source > > # dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace passwordStorageScheme=PBKDF2_SHA256 > Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED ROOT PW> > Successfully replaced "passwordStorageScheme" > > Result > > No change > Trusted Domains Answer = Yes > > Answered 'yes' to trusted domains. > > Enable trusted domains support in slapi-nis? [no]: yes > > Result > > No change > Restarted IPA On Source > > Since the `dsconf` change above to the password storage scheme the IPA > server on the source box hasn't been restarted. Restarted it via... > > # ipactl restasrt > > Result > > No change > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >