Hey,
I'm trying to create a replica from an older FreeIPA server to a more
modern one. The eventual plan being to remove the very old one and use the
new one as the primary. Then new replicas would be created off it.
Running into a problem though during the CA Configuration phase when it
tries to create the admin user, or rather verify it.
This thread
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
might be related, as well as Red Hat Bugzilla – Bug 2151071
<https://bugzilla.redhat.com/show_bug.cgi?id=2151071>.
Details on the issue, environment, and troubleshooting performed so far are
posted here <https://www.gpmidi.net/node/162> as well as copy/pasted below.
-Paulson
The Problem
Overview
Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a
new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the
`Configuring certificate server (pki-tomcatd)` phase.
Example ipa-replica-install error
# kinit <MY PERSONAL ADMIN USERNAME>
# ipa-replica-install --setup-adtrust --setup-ca --setup-dns
--no-forwarders --skip-conncheck --add-sids
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: creating certificate server db
[2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 11 seconds elapsed
Update succeeded
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did
not replicate to ldap://ipam.i.gpmidi.net:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
From Installer Log
2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user
2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z ERROR Unable to log in as
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py",
line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py",
line 672, in run_step
method()
File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py",
line 789, in setup_admin
raise errors.NotFound(
ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG [error] NotFound:
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed,
exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did
not replicate to ldap://ipam.i.gpmidi.net:389
While Waiting For User Sync/Validation...
*tl;dr The user seems to exist on both sides!*
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca"
ldap://ipam.i.gpmidi.net:389
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://ipam.i.gpmidi.net:389
#
#
admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://localhost
#
#
admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
------------------------------
The Environment
Source
Distro: CentOS 7.9.2009
FreeIPA: 4.6.8
Target
Originally
Distro: Fedora Server 36
FreeIPA: 4.9.11
Later
Distro: Fedora Server 37
FreeIPA: 4.10.1
Install Commands
Step 1 - Client
ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET
--ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid
--hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
Step 2 - kinit
kinit <MY PERSONAL USER>
Step 3 - Replica Install
ipa-replica-install --setup-adtrust --setup-ca --setup-dns
--no-forwarders --skip-conncheck --add-sids
Sometimes the `--debug` flag was also used.
The installer would ask about trusted domain support - answered "no" via no
entry unless noted otherwise.
Enable trusted domains support in slapi-nis? [no]:
Cleanup Commands
Used after a failure to reset the environment.
Step 1 - Uninstall
/usr/sbin/ipa-server-install --uninstall
Step 2 - Validated Server Removed
Browsed to
https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and validated
that the new server, ipa0, wasn't listed. Deleted if it was.
------------------------------
Related Links
- FreeIPA Users thread
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
- Red Hat Bugzilla – Bug 2151071
<https://bugzilla.redhat.com/show_bug.cgi?id=2151071>
------------------------------
Attempted Fixes
Changed Replication Wait Time
Created `/etc/ipa/installer.conf` (see below) and changed the time in
seconds.
# cat /etc/ipa/installer.conf
[global]
replication_wait_timeout=30
Result
30s = No change
300s = No change
600s = No change
*Left at 30s for further testing - keeps it quick - provides more than
enough time since my ldap db is small.*
Update Source IPA Box From C7 To C8
Result
Upgrade from c7 to c8 failed badly. Might try again later.
Update Source IPA Box 389 `root` Password Hash Type
# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s
PBKDF2_SHA256 '<Current DirSrv Root Password>'
{PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
Result
No change
Updated Target IPA Box To Fedora Server 37
Updated target IPA box from f36 to f37. This changed the IPA version from
4.9.11 to 4.10.1.
Result
No change
Changing Password Storage Scheme On Source
# dsconf -D "cn=Directory Manager" -W
ldaps://ipam.i.gpmidi.net config
replace passwordStorageScheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on
ldaps://ipam.i.gpmidi.net:
<ENTERED ROOT PW>
Successfully replaced "passwordStorageScheme"
Result
No change
Trusted Domains Answer = Yes
Answered 'yes' to trusted domains.
Enable trusted domains support in slapi-nis? [no]: yes
Result
No change
Restarted IPA On Source
Since the `dsconf` change above to the password storage scheme, the IPA
server on the source box hadn't been restarted. Restarted it via...
# ipactl restart
Result
No change
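An added example (not FreeIPA's code and not part of the post above) that models the check the traceback points at: after creating the CA admin user, `setup_admin` polls the existing master with a simple bind as that user and, when no bind succeeds within `replication_wait_timeout`, logs "Unable to log in as ..." and raises NotFound "did not replicate". In this model every rejected bind is treated as "not replicated yet", so an entry that has replicated but whose stored password the master cannot verify times out with exactly the same message as an entry that is genuinely missing; `diagnose()` is the extra check that tells the two apart. The in-memory directory, the `{SCHEME}salthex$digesthex` encoding, the hash schemes and the assumption that the old master verifies only one of them are all constructed for the demonstration, not a description of 389-ds internals or of what caused Paulson's failure.

```python
import hashlib
import os
import time


class ACIError(Exception):
    """Stand-in for a rejected simple bind (LDAP invalidCredentials)."""


class NotFound(Exception):
    """Raised when the admin user never becomes bindable before the deadline."""


def hash_password(scheme, password, salt=None):
    """Encode a password as '{SCHEME}salthex$digesthex'.

    Constructed encoding for this demo only; it is not 389-ds's on-disk
    format, just enough to show one server refusing a scheme another wrote.
    """
    algo = {"PBKDF2_SHA256": "sha256", "PBKDF2_SHA512": "sha512"}[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt, 10000)
    return "{%s}%s$%s" % (scheme, salt.hex(), digest.hex())


class FakeMaster:
    """In-memory stand-in for the existing master's directory server.

    Entries arrive by 'replication' (optionally after a delay, to model lag)
    and passwords are verified only for the schemes this server supports.
    """

    def __init__(self, supported_schemes):
        self.supported = set(supported_schemes)
        self._entries = {}  # dn -> (arrival_time, userPassword)

    def replicate(self, dn, userpassword, delay=0.0):
        self._entries[dn] = (time.monotonic() + delay, userpassword)

    def search(self, dn):
        """True once the entry has arrived, whatever its password scheme."""
        item = self._entries.get(dn)
        return item is not None and time.monotonic() >= item[0]

    def simple_bind(self, dn, password):
        if not self.search(dn):
            raise ACIError("no such entry yet")
        stored = self._entries[dn][1]
        scheme, rest = stored[1:].split("}", 1)
        salt_hex, _digest_hex = rest.split("$", 1)
        if scheme not in self.supported:
            raise ACIError("unsupported password scheme %s" % scheme)
        if hash_password(scheme, password, bytes.fromhex(salt_hex)) != stored:
            raise ACIError("wrong password")


def wait_for_admin(master, dn, password, timeout=30.0, poll=1.0):
    """Mimic the installer: poll with a simple bind until one succeeds.

    Every ACIError is read as 'not replicated yet', so a replicated entry
    whose hash the master cannot verify and a missing entry both end in the
    same NotFound('... did not replicate') after the timeout.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        time.sleep(poll)
        try:
            master.simple_bind(dn, password)
        except ACIError:
            continue
        return True
    raise NotFound("%s did not replicate" % dn)


def diagnose(master, dn, password):
    """Separate the two failure modes the installer's message conflates."""
    if not master.search(dn):
        return "missing"
    try:
        master.simple_bind(dn, password)
    except ACIError:
        return "present-but-bind-rejected"
    return "ok"


if __name__ == "__main__":
    # Hypothetical DN and scheme mix, chosen for the demo.
    DN = "uid=admin-replica.example.test,ou=people,o=ipaca"
    old_master = FakeMaster(["PBKDF2_SHA256"])
    old_master.replicate(DN, hash_password("PBKDF2_SHA512", "s3cret"))
    print("entry present:", old_master.search(DN))
    print("diagnosis:", diagnose(old_master, DN, "s3cret"))
    try:
        wait_for_admin(old_master, DN, "s3cret", timeout=0.3, poll=0.05)
    except NotFound as err:
        print("installer-style error:", err)
```

On a real master the equivalent of `diagnose()` is two commands: an `ldapsearch` for the entry, and a bind as that user with `ldapwhoami -x -H ldap://<master>:389 -D "<admin dn>" -W`. Note that `ldapsearch` selects the server with `-H`; a bare `ldap://host:389` given as a trailing argument is taken as an attribute name, which is what the `# requesting: ldap://ipam.i.gpmidi.net:389` line in the output above shows, so both searches in the post were answered by the default server from `ldap.conf` rather than one local and one remote.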