2:33 p.m.
Hey,
I'm trying to create a replica from an older FreeIPA server to a more
modern one. The eventual plan being to remove the very old one and use the
new one as the primary. Then new replicas would be created off it.
Running into a problem though during the CA Configuration phase when it
tries to create the admin user, or rather verify it.
This thread
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
might be related as well as RedHat Bugzilla – Bug 2151071
<https://bugzilla.redhat.com/show_bug.cgi?id=2151071>;.
Details on the issue, environment, and troubleshooting performed so
far are posted
here <https://www.gpmidi.net/node/162> as well as copy/pasted below.
-Paulson
The ProblemOverview
Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a
new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the
`Configuring certificate server (pki-tomcatd)` phase.
Example ipa-replica-install error
# kinit <MY PERSONAL ADMIN USERNAME>
# ipa-replica-install --setup-adtrust --setup-ca --setup-dns
--no-forwarders --skip-conncheck --add-sids
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: creating certificate server db
[2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 11 seconds elapsed
Update succeeded
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did
not replicate to ldap://ipam.i.gpmidi.net:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
From Installer Log
2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user
2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z ERROR Unable to log in as
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py",
line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py",
line 672, in run_step
method()
File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py",
line 789, in setup_admin
raise errors.NotFound(
ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG [error] NotFound:
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed,
exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did
not replicate to ldap://ipam.i.gpmidi.net:389
While Waiting For User Sync/Validation...
*tl;dr The user seems to exist on both sides!*
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca"
ldap://ipam.i.gpmidi.net:389
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://ipam.i.gpmidi.net:389
#
# admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://localhost
#
# admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
------------------------------
The EnvironmentSource
Distro: CentOS 7.9.2009
FreeIPA: 4.6.8
TargetOriginally
Distro: Fedora Server 36
FreeIPA: 4.9.11
Later
Distro: Fedora Server 37
FreeIPA: 4.10.1
Install CommandsStep 1 - Client
ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET
--ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid
--hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
Step 2 - kinit
kinit <MY PERSONAL USER>
Step 3 - Replica Install
ipa-replica-install --setup-adtrust --setup-ca --setup-dns
--no-forwarders --skip-conncheck --add-sids
Sometimes the `--debug` flag was also used.
The installer would ask about trusted domain support - answered "no" via no
entry unless noted otherwise.
Enable trusted domains support in slapi-nis? [no]:
Cleanup Commands
Used after a failure to reset the environment.
Step 1 - Uninstall
/usr/sbin/ipa-server-install --uninstall
Step 2 - Validated Server Removed
Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and validated
that the new server, ipa0, wasn't listed. Deleted if it was.
------------------------------
Related Links
- FreeIPA Users thread
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
- Red Hat Bugzilla – Bug 2151071
<https://bugzilla.redhat.com/show_bug.cgi?id=2151071>
------------------------------
Attempted Fixes
Changed Replication Wait Time
Created ` /etc/ipa/installer.conf` (see below) and changed the time in
seconds.
# cat /etc/ipa/installer.conf
[global]
replication_wait_timeout=30
Result
30s = No change
300s = No change
600s = No change
*Left at 30s for further testing - keeps it quick - provides more than
enough time since my ldap db is small. *
Update Source IPA Box From C7 To C8Result
Upgrade from c7 to c8 failed badly. Might try again later.
Update Source IPA Box 389 `root` Password Hash Type
# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s
PBKDF2_SHA256 '<Current DirSrv Root Password>'
{PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
Result
No change
Updated Target IPA Box To Fedora Server 37
Updated target IPA box from f36 to f37. This changed the IPA version from
4.9.11 to 4.10.1.
Result
No change
Changing Password Storage Scheme On Source
# dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config
replace passwordStorageScheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net:
<ENTERED ROOT PW>
Successfully replaced "passwordStorageScheme"
Result
No change
Trusted Domains Answer = Yes
Answered 'yes' to trusted domains.
Enable trusted domains support in slapi-nis? [no]: yes
Result
No change
Restarted IPA On Source
Since the `dsconf` change above to the password storage scheme the IPA
server on the source box hasn't been restarted. Restarted it via...
# ipactl restasrt
Result
No change
11:53 p.m.
New subject: v4.6.8->v4.10.1 Replica Install | CA Configuration Section | Admin Login Failing
Hi,
as you correctly found, the issue is a known problem on 389-ds side (issue
#5565 <https://github.com/389ds/389-ds-base/issues/5565> / BZ 2170224
<https://bugzilla.redhat.com/show_bug.cgi?id=2170224>). During the replica
installation, the replica locally creates a temporary user, that is then
replicated to the master. To ensure that the temporary user has been
replicated to the master, the installer waits a bit and tries to perform a
ldap bind on the master with the credentials for this temp user.
The temp user is created on the replica hence its password is stored using
PBKDF2-SHA512. This password storage scheme is not available on the master,
and the direct consequence is that the bind fails.
The issue has been fixed on 389-ds side by adding support on the older
version for the password storage scheme and will be available soon on RHEL
7.9, but I can't tell when it will reach c7.
HTH,
flo
On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hey,
I'm trying to create a replica from an older FreeIPA server to a more
modern one. The eventual plan being to remove the very old one and use the
new one as the primary. Then new replicas would be created off it.
Running into a problem though during the CA Configuration phase when it
tries to create the admin user, or rather verify it.
This thread
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
might be related as well as RedHat Bugzilla – Bug 2151071
<https://bugzilla.redhat.com/show_bug.cgi?id=2151071>;.
Details on the issue, environment, and troubleshooting performed so far
are posted here <https://www.gpmidi.net/node/162> as well as copy/pasted
below.
-Paulson
The ProblemOverview
Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a
new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the
`Configuring certificate server (pki-tomcatd)` phase.
Example ipa-replica-install error
# kinit <MY PERSONAL ADMIN USERNAME>
# ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: creating certificate server db
[2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 11 seconds elapsed
Update succeeded
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
information
From Installer Log
2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user
2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z ERROR Unable to log in as
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line
686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line
672, in run_step
method()
File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py",
line 789, in setup_admin
raise errors.NotFound(
ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate
to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG [error] NotFound:
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: NotFound:
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
While Waiting For User Sync/Validation...
*tl;dr The user seems to exist on both sides!*
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://ipam.i.gpmidi.net:389
#
# admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ldap://localhost
#
# admin-ipa0.i.gpmidi.net, people, ipaca
dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
------------------------------
The EnvironmentSource
Distro: CentOS 7.9.2009
FreeIPA: 4.6.8
TargetOriginally
Distro: Fedora Server 36
FreeIPA: 4.9.11
Later
Distro: Fedora Server 37
FreeIPA: 4.10.1
Install CommandsStep 1 - Client
ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET
--ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid
--hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
Step 2 - kinit
kinit <MY PERSONAL USER>
Step 3 - Replica Install
ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
Sometimes the `--debug` flag was also used.
The installer would ask about trusted domain support - answered "no" via
no entry unless noted otherwise.
Enable trusted domains support in slapi-nis? [no]:
Cleanup Commands
Used after a failure to reset the environment.
Step 1 - Uninstall
/usr/sbin/ipa-server-install --uninstall
Step 2 - Validated Server Removed
Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and
validated that the new server, ipa0, wasn't listed. Deleted if it was.
------------------------------
Related Links
- FreeIPA Users thread
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
- Red Hat Bugzilla – Bug 2151071
<https://bugzilla.redhat.com/show_bug.cgi?id=2151071>
------------------------------
Attempted Fixes
Changed Replication Wait Time
Created ` /etc/ipa/installer.conf` (see below) and changed the time in
seconds.
# cat /etc/ipa/installer.conf
[global]
replication_wait_timeout=30
Result
30s = No change
300s = No change
600s = No change
*Left at 30s for further testing - keeps it quick - provides more than
enough time since my ldap db is small. *
Update Source IPA Box From C7 To C8Result
Upgrade from c7 to c8 failed badly. Might try again later.
Update Source IPA Box 389 `root` Password Hash Type
# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current
DirSrv Root Password>'
{PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
Result
No change
Updated Target IPA Box To Fedora Server 37
Updated target IPA box from f36 to f37. This changed the IPA version from
4.9.11 to 4.10.1.
Result
No change
Changing Password Storage Scheme On Source
# dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace
passwordStorageScheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED ROOT
PW>
Successfully replaced "passwordStorageScheme"
Result
No change
Trusted Domains Answer = Yes
Answered 'yes' to trusted domains.
Enable trusted domains support in slapi-nis? [no]: yes
Result
No change
Restarted IPA On Source
Since the `dsconf` change above to the password storage scheme the IPA
server on the source box hasn't been restarted. Restarted it via...
# ipactl restasrt
Result
No change
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
5:47 a.m.
New subject: v4.6.8->v4.10.1 Replica Install | CA Configuration Section | Admin Login Failing
Hey,
Wouldn't the support for the older version of the password storage scheme
need to reach Fedora 37 since that's the side with the new version of
everything?
-Paulson
On Thu, Mar 2, 2023 at 12:53 AM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
Hi,
as you correctly found, the issue is a known problem on 389-ds side (issue
#5565 <https://github.com/389ds/389-ds-base/issues/5565> / BZ 2170224
<https://bugzilla.redhat.com/show_bug.cgi?id=2170224>). During the
replica installation, the replica locally creates a temporary user, that is
then replicated to the master. To ensure that the temporary user has been
replicated to the master, the installer waits a bit and tries to perform a
ldap bind on the master with the credentials for this temp user.
The temp user is created on the replica hence its password is stored using
PBKDF2-SHA512. This password storage scheme is not available on the master,
and the direct consequence is that the bind fails.
The issue has been fixed on 389-ds side by adding support on the older
version for the password storage scheme and will be available soon on RHEL
7.9, but I can't tell when it will reach c7.
HTH,
flo
On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hey,
>
> I'm trying to create a replica from an older FreeIPA server to a more
> modern one. The eventual plan being to remove the very old one and use the
> new one as the primary. Then new replicas would be created off it.
>
> Running into a problem though during the CA Configuration phase when it
> tries to create the admin user, or rather verify it.
>
> This thread
>
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
> might be related as well as RedHat Bugzilla – Bug 2151071
> <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>;.
>
> Details on the issue, environment, and troubleshooting performed so far
> are posted here <https://www.gpmidi.net/node/162> as well as copy/pasted
> below.
>
> -Paulson
>
> The ProblemOverview
>
> Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a
> new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the
> `Configuring certificate server (pki-tomcatd)` phase.
> Example ipa-replica-install error
>
> # kinit <MY PERSONAL ADMIN USERNAME>
> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
>
> ...
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/30]: creating certificate server db
> [2/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 11 seconds elapsed
> Update succeeded
>
> [3/30]: creating ACIs for admin
> [4/30]: creating installation admin user
> Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
> [hint] tune with replication_wait_timeout
> [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate
to ldap://ipam.i.gpmidi.net:389
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
information
>
> From Installer Log
>
> 2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user
> 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389
> 2023-03-01T18:01:32Z ERROR Unable to log in as
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389
> 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
> 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py",
line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py",
line 672, in run_step
> method()
> File
"/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line
789, in setup_admin
> raise errors.NotFound(
> ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not
replicate to ldap://ipam.i.gpmidi.net:389
>
> 2023-03-01T18:01:32Z DEBUG [error] NotFound:
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>
> 2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception:
NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>
> While Waiting For User Sync/Validation...
>
> *tl;dr The user seems to exist on both sides!*
>
> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ldap://ipam.i.gpmidi.net:389
> #
>
> # admin-ipa0.i.gpmidi.net, people, ipaca
> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ldap://localhost
> #
>
> # admin-ipa0.i.gpmidi.net, people, ipaca
> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> ------------------------------
> The EnvironmentSource
>
> Distro: CentOS 7.9.2009
> FreeIPA: 4.6.8
> TargetOriginally
>
> Distro: Fedora Server 36
> FreeIPA: 4.9.11
> Later
>
> Distro: Fedora Server 37
> FreeIPA: 4.10.1
> Install CommandsStep 1 - Client
>
> ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET
--ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid
--hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
>
> Step 2 - kinit
>
> kinit <MY PERSONAL USER>
>
> Step 3 - Replica Install
>
> ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
>
> Sometimes the `--debug` flag was also used.
>
> The installer would ask about trusted domain support - answered "no" via
> no entry unless noted otherwise.
>
> Enable trusted domains support in slapi-nis? [no]:
>
> Cleanup Commands
>
> Used after a failure to reset the environment.
> Step 1 - Uninstall
>
> /usr/sbin/ipa-server-install --uninstall
>
> Step 2 - Validated Server Removed
>
> Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and
> validated that the new server, ipa0, wasn't listed. Deleted if it was.
> ------------------------------
> Related Links
>
> - FreeIPA Users thread
>
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
> - Red Hat Bugzilla – Bug 2151071
> <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>
>
> ------------------------------
> Attempted Fixes
>
> Changed Replication Wait Time
>
> Created ` /etc/ipa/installer.conf` (see below) and changed the time in
> seconds.
>
> # cat /etc/ipa/installer.conf
> [global]
> replication_wait_timeout=30
>
> Result
>
> 30s = No change
> 300s = No change
> 600s = No change
>
> *Left at 30s for further testing - keeps it quick - provides more than
> enough time since my ldap db is small. *
> Update Source IPA Box From C7 To C8Result
>
> Upgrade from c7 to c8 failed badly. Might try again later.
> Update Source IPA Box 389 `root` Password Hash Type
>
> # /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256
'<Current DirSrv Root Password>'
> {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
>
> Result
>
> No change
> Updated Target IPA Box To Fedora Server 37
>
> Updated target IPA box from f36 to f37. This changed the IPA version from
> 4.9.11 to 4.10.1.
> Result
>
> No change
> Changing Password Storage Scheme On Source
>
> # dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config
replace passwordStorageScheme=PBKDF2_SHA256
> Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED
ROOT PW>
> Successfully replaced "passwordStorageScheme"
>
> Result
>
> No change
> Trusted Domains Answer = Yes
>
> Answered 'yes' to trusted domains.
>
> Enable trusted domains support in slapi-nis? [no]: yes
>
> Result
>
> No change
> Restarted IPA On Source
>
> Since the `dsconf` change above to the password storage scheme the IPA
> server on the source box hasn't been restarted. Restarted it via...
>
> # ipactl restasrt
>
> Result
>
> No change
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
8:22 a.m.
New subject: v4.6.8->v4.10.1 Replica Install | CA Configuration Section | Admin Login Failing
On to, 02 maalis 2023, Paulson McIntyre via FreeIPA-users wrote:
Hey,
Wouldn't the support for the older version of the password storage scheme
need to reach Fedora 37 since that's the side with the new version of
everything?
It is the other way around. There is an effort to backport this newer
hash type support to 389-ds-base in older releases. I've heard it is
close to being pushed out to RHEL customers and after that CentOS 7
would do a rebuild.
One that rebuild is out, you'd be able to update c7 machine and then add
a replica.
-Paulson
On Thu, Mar 2, 2023 at 12:53 AM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
> Hi,
>
> as you correctly found, the issue is a known problem on 389-ds side (issue
> #5565 <https://github.com/389ds/389-ds-base/issues/5565> / BZ 2170224
> <https://bugzilla.redhat.com/show_bug.cgi?id=2170224>). During the
> replica installation, the replica locally creates a temporary user, that is
> then replicated to the master. To ensure that the temporary user has been
> replicated to the master, the installer waits a bit and tries to perform a
> ldap bind on the master with the credentials for this temp user.
> The temp user is created on the replica hence its password is stored using
> PBKDF2-SHA512. This password storage scheme is not available on the master,
> and the direct consequence is that the bind fails.
>
> The issue has been fixed on 389-ds side by adding support on the older
> version for the password storage scheme and will be available soon on RHEL
> 7.9, but I can't tell when it will reach c7.
>
> HTH,
> flo
>
>
> On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Hey,
>>
>> I'm trying to create a replica from an older FreeIPA server to a more
>> modern one. The eventual plan being to remove the very old one and use the
>> new one as the primary. Then new replicas would be created off it.
>>
>> Running into a problem though during the CA Configuration phase when it
>> tries to create the admin user, or rather verify it.
>>
>> This thread
>>
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>> might be related as well as RedHat Bugzilla – Bug 2151071
>> <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>;.
>>
>> Details on the issue, environment, and troubleshooting performed so far
>> are posted here <https://www.gpmidi.net/node/162> as well as copy/pasted
>> below.
>>
>> -Paulson
>>
>> The ProblemOverview
>>
>> Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a
>> new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the
>> `Configuring certificate server (pki-tomcatd)` phase.
>> Example ipa-replica-install error
>>
>> # kinit <MY PERSONAL ADMIN USERNAME>
>> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
>>
>> ...
>>
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>> [1/30]: creating certificate server db
>> [2/30]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 11 seconds elapsed
>> Update succeeded
>>
>> [3/30]: creating ACIs for admin
>> [4/30]: creating installation admin user
>> Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on
ldap://ipam.i.gpmidi.net:389
>> [hint] tune with replication_wait_timeout
>> [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not
replicate to ldap://ipam.i.gpmidi.net:389
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
>>
>> From Installer Log
>>
>> 2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user
>> 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389
>> 2023-03-01T18:01:32Z ERROR Unable to log in as
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389
>> 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout
>> 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last):
>> File
"/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in
start_creation
>> run_step(full_msg, method)
>> File
"/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in
run_step
>> method()
>> File
"/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line
789, in setup_admin
>> raise errors.NotFound(
>> ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not
replicate to ldap://ipam.i.gpmidi.net:389
>>
>> 2023-03-01T18:01:32Z DEBUG [error] NotFound:
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>>
>> 2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception:
NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to
ldap://ipam.i.gpmidi.net:389
>>
>> While Waiting For User Sync/Validation...
>>
>> *tl;dr The user seems to exist on both sides!*
>>
>> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ldap://ipam.i.gpmidi.net:389
>> #
>>
>> # admin-ipa0.i.gpmidi.net, people, ipaca
>> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b
"uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ldap://localhost
>> #
>>
>> # admin-ipa0.i.gpmidi.net, people, ipaca
>> dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> ------------------------------
>> The EnvironmentSource
>>
>> Distro: CentOS 7.9.2009
>> FreeIPA: 4.6.8
>> TargetOriginally
>>
>> Distro: Fedora Server 36
>> FreeIPA: 4.9.11
>> Later
>>
>> Distro: Fedora Server 37
>> FreeIPA: 4.10.1
>> Install CommandsStep 1 - Client
>>
>> ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET
--ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid
--hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
>>
>> Step 2 - kinit
>>
>> kinit <MY PERSONAL USER>
>>
>> Step 3 - Replica Install
>>
>> ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders
--skip-conncheck --add-sids
>>
>> Sometimes the `--debug` flag was also used.
>>
>> The installer would ask about trusted domain support - answered "no"
via
>> no entry unless noted otherwise.
>>
>> Enable trusted domains support in slapi-nis? [no]:
>>
>> Cleanup Commands
>>
>> Used after a failure to reset the environment.
>> Step 1 - Uninstall
>>
>> /usr/sbin/ipa-server-install --uninstall
>>
>> Step 2 - Validated Server Removed
>>
>> Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and
>> validated that the new server, ipa0, wasn't listed. Deleted if it was.
>> ------------------------------
>> Related Links
>>
>> - FreeIPA Users thread
>>
<https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>> - Red Hat Bugzilla – Bug 2151071
>> <https://bugzilla.redhat.com/show_bug.cgi?id=2151071>
>>
>> ------------------------------
>> Attempted Fixes
>>
>> Changed Replication Wait Time
>>
>> Created ` /etc/ipa/installer.conf` (see below) and changed the time in
>> seconds.
>>
>> # cat /etc/ipa/installer.conf
>> [global]
>> replication_wait_timeout=30
>>
>> Result
>>
>> 30s = No change
>> 300s = No change
>> 600s = No change
>>
>> *Left at 30s for further testing - keeps it quick - provides more than
>> enough time since my ldap db is small. *
>> Update Source IPA Box From C7 To C8Result
>>
>> Upgrade from c7 to c8 failed badly. Might try again later.
>> Update Source IPA Box 389 `root` Password Hash Type
>>
>> # /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256
'<Current DirSrv Root Password>'
>> {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
>>
>> Result
>>
>> No change
>> Updated Target IPA Box To Fedora Server 37
>>
>> Updated target IPA box from f36 to f37. This changed the IPA version from
>> 4.9.11 to 4.10.1.
>> Result
>>
>> No change
>> Changing Password Storage Scheme On Source
>>
>> # dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config
replace passwordStorageScheme=PBKDF2_SHA256
>> Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED
ROOT PW>
>> Successfully replaced "passwordStorageScheme"
>>
>> Result
>>
>> No change
>> Trusted Domains Answer = Yes
>>
>> Answered 'yes' to trusted domains.
>>
>> Enable trusted domains support in slapi-nis? [no]: yes
>>
>> Result
>>
>> No change
>> Restarted IPA On Source
>>
>> Since the `dsconf` change above to the password storage scheme the IPA
>> server on the source box hasn't been restarted. Restarted it via...
>>
>> # ipactl restasrt
>>
>> Result
>>
>> No change
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
428
days inactive
429
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Florence Blanc-Renaud -
Paulson McIntyre