Hello,
I installed FreeIPA replica on 4.8.4 on CentOS 8 from 4.4.4 from Fedora 25 with `ipa-replica-install --setup-dns --auto-forwarders`, without `--setup-ca` due to errors, which went fine. I do want to install CA though, which failed when I did `--setup-ca` and then later `ipa-ca-install` with the following error:
```
[4/29]: creating installation admin user
Unable to log in as uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca on ldap://freeipa.infra.opensuse.org:389
  [hint] tune with replication_wait_timeout
  [error] NotFound: uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca did not replicate to ldap://freeipa.infra.opensuse.org:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
```
Obviously I did try extending the timeout based on that, but I don't think that was helpful in the end, considering the logs produced by the old server:
httpd access_log
```
192.168.47.90 - - [23/Jul/2020:00:25:36 +0000] "GET /ca/rest/account/login HTTP/1.1" 401 994
```
server process in journal
```
SSLAuthenticatorWithFallback: Authenticating with BASIC authentication
Invalid Credential.
        at com.netscape.cmscore.authentication.PasswdUserDBAuthentication.authenticate(PasswdUserDBAuthentication.java:167)
        at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:63)
        at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:78)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:94)
        at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:37)
        at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:98)
        at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.authenticate(SSLAuthenticatorWithFallback.java:47)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:579)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
        at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
SSLAuthenticatorWithFallback: Fallback auth header: WWW-Authenticate=Basic realm="Certificate Authority"
SSLAuthenticatorWithFallback: Fallback auth return code: 401
SSLAuthenticatorWithFallback: Result: false
```
and from pki logs
```
Failed to authenticate as admin UID=admin-freeipa2.infra.opensuse.org. Error: netscape.ldap.LDAPException: error result (49)
```
I don't particularly know how to proceed from here, since those errors don't mean much to me. I see however it's not just me having issues with `ipa-ca-install` at least similar to this one (although by the looks of it, the reason is already different ;)
Thanks in advance for trying, LCP [Stasiek] https://lcp.world/
Stasiek Michalski via FreeIPA-users wrote:
This step creates the admin user on the local LDAP server and tries to authenticate to it on the other side.
I'd look to see if this user exists on both servers and the 389-ds access logs on both to see what is going on.
rob
I'd look to see if this user exists on both servers and the 389-ds access logs on both to see what is going on.
The user exists, and access logs tell me:
```
BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3
RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
```
over and over and over again
LCP [Stasiek] https://lcp.world/
Stasiek Michalski via FreeIPA-users wrote:
I'd look to see if this user exists on both servers and the 389-ds access logs on both to see what is going on.
The user exists, and access logs tell me:
BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
over and over and over again
Can we see the logs for the creation of the user? The password is set at that point and then immediately used to authenticate.
rob
Can we see the logs for the creation of the user? The password is set at that point and then immediately used to authenticate.
This seems like the relevant bit
```
BIND dn="" method=sasl version=3 mech=GSSAPI
RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
BIND dn="" method=sasl version=3 mech=GSSAPI
RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
BIND dn="" method=sasl version=3 mech=GSSAPI
RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/freeipa2.infra.opensuse.org@infra.opensuse.org,cn=services,cn=accounts,dc=infra,dc=opensuse,dc=org"
SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
RESULT err=0 tag=101 nentries=1 etime=0
SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
RESULT err=0 tag=101 nentries=1 etime=0
EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
SRCH base="cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsDS5ReplicaId"
RESULT err=0 tag=101 nentries=1 etime=0
DEL dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
RESULT err=0 tag=107 nentries=0 etime=0 csn=5f18d900000100140000
ADD dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
RESULT err=0 tag=105 nentries=0 etime=0 csn=5f18d900000300140000
EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
UNBIND
```
LCP [Stasiek] https://lcp.world/
This has stayed open quite long, and I faced absolutely the same behavior adding a 4.10.1 replica to 4.8.7.
Fiddled almost a week with that so posting my solution here in order to (hopefully) save someone's time.
The problem was with the password encryption scheme: 4.8.7 on an older CentOS did not support PBKDF2-SHA512, used by 4.10.1 on FC37, so password verification on the older OS failed simply due to missing mechs. Logs did not help to find the problem.
Switching to PBKDF2_SHA256 (not PBKDF2-SHA256) with
```
dsconf -D "cn=Directory Manager" -W ldaps://auth01.infra.ipa.local config replace passwordStorageScheme=PBKDF2_SHA256
```
on FC37 made it work.
Use
```
dsconf -D "cn=Directory Manager" -W ldaps://auth01.infra.ipa.local plugin list
```
to compare available mechs on the master and the newly added replica.
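The mismatch Oleg describes, and the repeated `err=49` binds Rob asked to see, can be checked offline. The following is an added example (not FreeIPA or 389-ds code): it assumes `dsconf ... plugin list` prints one plugin name per line, takes the `{SCHEME}` prefix of a `userPassword` value, reports which schemes only the replica has, and pairs `BIND`/`RESULT` access-log lines by `conn`/`op` to count failed binds per DN. All inputs are constructed samples.

```python
import re

# Constructed plugin listings, assumed to be one plugin name per line
# (real `dsconf ... plugin list` output may carry extra columns).
MASTER_4_8 = "Account Policy Plugin\nPBKDF2_SHA256\nSSHA512\nCRYPT-SHA512\n"
REPLICA_4_10 = "Account Policy Plugin\nPBKDF2_SHA256\nPBKDF2-SHA512\nPBKDF2-SHA256\nSSHA512\n"

# Constructed 389-ds access-log lines in the full format (conn/op fields kept).
ACCESS_LOG = """\
conn=42 op=0 BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3
conn=42 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
conn=43 op=0 BIND dn="cn=Directory Manager" method=128 version=3
conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
conn=44 op=0 BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3
conn=44 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
"""

PLUGIN_NAME_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*$")  # bare, scheme-like names only
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

def scheme_plugins(listing):
    """Plugin names that look like password storage schemes (no spaces)."""
    return {m.group(1).upper() for line in listing.splitlines()
            if (m := PLUGIN_NAME_RE.match(line))}

def hash_scheme(userpassword):
    """'{PBKDF2-SHA512}$...' -> 'PBKDF2-SHA512'; None if there is no prefix."""
    m = re.match(r"^\{([^}]+)\}", userpassword)
    return m.group(1).upper() if m else None

def verifiable_on(userpassword, listing):
    """Can a server with this plugin list verify a hash produced elsewhere?"""
    scheme = hash_scheme(userpassword)
    return scheme is not None and scheme in scheme_plugins(listing)

def only_on_replica(master_listing, replica_listing):
    """Schemes the replica may write that the master cannot verify."""
    return scheme_plugins(replica_listing) - scheme_plugins(master_listing)

def failed_binds(log):
    """Pair BIND and RESULT by conn/op; count err=49 (invalid credentials) per DN."""
    pending, fails = {}, {}
    for line in log.splitlines():
        if (m := BIND_RE.search(line)):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif (m := RESULT_RE.search(line)):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == "49":
                fails[dn] = fails.get(dn, 0) + 1
    return fails
```

A scheme reported by `only_on_replica` that also appears as the prefix of the installation admin's stored hash is the condition Oleg hit.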
Hi,
On Sun, Dec 18, 2022 at 7:10 PM Oleg Baranov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Thanks for the report. FYI it's a known 389-ds issue: https://bugzilla.redhat.com/show_bug.cgi?id=2151071 flo