Hey,
Wouldn't the support for the older version of the password storage scheme
need to reach Fedora 37 since that's the side with the new version of
everything?
It is the other way around. There is an effort to backport this newer
hash type support to 389-ds-base in older releases. I've heard it is
close to being pushed out to RHEL customers and after that CentOS 7
would do a rebuild.
One that rebuild is out, you'd be able to update c7 machine and then add
a replica.
-Paulson
On Thu, Mar 2, 2023 at 12:53 AM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
> Hi,
>
> as you correctly found, the issue is a known problem on 389-ds side (issue
> #5565 <
https://github.com/389ds/389-ds-base/issues/5565> / BZ 2170224
> <
https://bugzilla.redhat.com/show_bug.cgi?id=2170224>). During the
> replica installation, the replica locally creates a temporary user, that is
> then replicated to the master. To ensure that the temporary user has been
> replicated to the master, the installer waits a bit and tries to perform a
> ldap bind on the master with the credentials for this temp user.
> The temp user is created on the replica hence its password is stored using
> PBKDF2-SHA512. This password storage scheme is not available on the master,
> and the direct consequence is that the bind fails.
>
> The issue has been fixed on 389-ds side by adding support on the older
> version for the password storage scheme and will be available soon on RHEL
> 7.9, but I can't tell when it will reach c7.
>
> HTH,
> flo
>
>
> On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Hey,
>>
>> I'm trying to create a replica from an older FreeIPA server to a more
>> modern one. The eventual plan being to remove the very old one and use the
>> new one as the primary. Then new replicas would be created off it.
>>
>> Running into a problem though during the CA Configuration phase when it
>> tries to create the admin user, or rather verify it.
>>
>> This thread
>>
<
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>> might be related as well as RedHat Bugzilla – Bug 2151071
>> <
https://bugzilla.redhat.com/show_bug.cgi?id=2151071>.
>>
>> Details on the issue, environment, and troubleshooting performed so far
>> are posted here <
https://www.gpmidi.net/node/162> as well as copy/pasted
>> below.
>>
>> -Paulson
>>
>> The ProblemOverview
>>
>> Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a
>> new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the
>> `Configuring certificate server (pki-tomcatd)` phase.
>> Example ipa-replica-install error
>>
>> # kinit <MY PERSONAL ADMIN USERNAME>
>> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
>>
>> ...
>>
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>> [1/30]: creating certificate server db
>> [2/30]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 11 seconds elapsed
>> Update succeeded
>>
>> [3/30]: creating ACIs for admin
>> [4/30]: creating installation admin user
>> Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
>> [hint] tune with replication_wait_timeout
>> [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not
replicate to ldap://ipam.i.gpmidi.net:389
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
>>
>> From Installer Log
>>
>> 2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user
>> 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389
>> 2023-03-01T18:01:32Z ERROR Unable to log in as
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389
>> 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
>> 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
>> File
"/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in
start_creation
>> run_step(full_msg, method)
>> File
"/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in
run_step
>> method()
>> File
"/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line
789, in setup_admin
>> raise errors.NotFound(
>> ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not
replicate to ldap://ipam.i.gpmidi.net:389
>>
>> 2023-03-01T18:01:32Z DEBUG [error] NotFound:
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>>
>> 2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception:
NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>>
>> While Waiting For User Sync/Validation...
>>
>> *tl;dr The user seems to exist on both sides!*
>>
>> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ldap://ipam.i.gpmidi.net:389
>> #
>>
>> #
admin-ipa0.i.gpmidi.net, people, ipaca
>> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ldap://localhost
>> #
>>
>> #
admin-ipa0.i.gpmidi.net, people, ipaca
>> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> ------------------------------
>> The EnvironmentSource
>>
>> Distro: CentOS 7.9.2009
>> FreeIPA: 4.6.8
>> TargetOriginally
>>
>> Distro: Fedora Server 36
>> FreeIPA: 4.9.11
>> Later
>>
>> Distro: Fedora Server 37
>> FreeIPA: 4.10.1
>> Install CommandsStep 1 - Client
>>
>> ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET
--ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid
--hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
>>
>> Step 2 - kinit
>>
>> kinit <MY PERSONAL USER>
>>
>> Step 3 - Replica Install
>>
>> ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
>>
>> Sometimes the `--debug` flag was also used.
>>
>> The installer would ask about trusted domain support - answered "no"
via
>> no entry unless noted otherwise.
>>
>> Enable trusted domains support in slapi-nis? [no]:
>>
>> Cleanup Commands
>>
>> Used after a failure to reset the environment.
>> Step 1 - Uninstall
>>
>> /usr/sbin/ipa-server-install --uninstall
>>
>> Step 2 - Validated Server Removed
>>
>> Browsed to
https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and
>> validated that the new server, ipa0, wasn't listed. Deleted if it was.
>> ------------------------------
>> Related Links
>>
>> - FreeIPA Users thread
>>
<
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>> - Red Hat Bugzilla – Bug 2151071
>> <
https://bugzilla.redhat.com/show_bug.cgi?id=2151071>
>>
>> ------------------------------
>> Attempted Fixes
>>
>> Changed Replication Wait Time
>>
>> Created ` /etc/ipa/installer.conf` (see below) and changed the time in
>> seconds.
>>
>> # cat /etc/ipa/installer.conf
>> [global]
>> replication_wait_timeout=30
>>
>> Result
>>
>> 30s = No change
>> 300s = No change
>> 600s = No change
>>
>> *Left at 30s for further testing - keeps it quick - provides more than
>> enough time since my ldap db is small. *
>> Update Source IPA Box From C7 To C8Result
>>
>> Upgrade from c7 to c8 failed badly. Might try again later.
>> Update Source IPA Box 389 `root` Password Hash Type
>>
>> # /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256
'<Current DirSrv Root Password>'
>> {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
>>
>> Result
>>
>> No change
>> Updated Target IPA Box To Fedora Server 37
>>
>> Updated target IPA box from f36 to f37. This changed the IPA version from
>> 4.9.11 to 4.10.1.
>> Result
>>
>> No change
>> Changing Password Storage Scheme On Source
>>
>> # dsconf -D "cn=Directory Manager" -W
ldaps://ipam.i.gpmidi.net config
replace passwordStorageScheme=PBKDF2_SHA256
>> Enter password for cn=Directory Manager on
ldaps://ipam.i.gpmidi.net: <ENTERED
ROOT PW>
>> Successfully replaced "passwordStorageScheme"
>>
>> Result
>>
>> No change
>> Trusted Domains Answer = Yes
>>
>> Answered 'yes' to trusted domains.
>>
>> Enable trusted domains support in slapi-nis? [no]: yes
>>
>> Result
>>
>> No change
>> Restarted IPA On Source
>>
>> Since the `dsconf` change above to the password storage scheme the IPA
>> server on the source box hasn't been restarted. Restarted it via...
>>
>> # ipactl restasrt
>>
>> Result
>>
>> No change
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam, report it:
>>
https://pagure.io/fedora-infrastructure/new_issue
>>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland