I'm trying to add a replica but it's failing on step "[23/38]: creating DS keytab" with:
[error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/server.example.com@EXAMPLE.COM', '-H', 'ldaps://server-staging.example.com'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method…\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
This is trying to add back an ipa server that was previously removed (for O/S major version upgrade per the supported upgrade/migration process). Maybe the previous removal was not complete?
After running the recommended --uninstall and then examining the principals in the master server, I see an ldap/server.example.com@EXAMPLE.COM still remaining. Surely that should not be there, correct?
So I tried to remove it, but that gave yet another error:
missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"
and logged the error:
ERR - oc_check_required - Entry "krbprincipalname=ldap/server.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=interlinx,dc=bc,dc=ca" missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"
in the journal.
So how to proceed now?
Brian J. Murrell via FreeIPA-users wrote:
What is it exactly that you're doing?
Are you trying to preserve the host entry?
ipa server-del <removed-server> should clean things up.
rob
Brian J. Murrell via FreeIPA-users wrote:
What is it exactly that you're doing?
I am trying to re-add the previously (perhaps incompletely, as it may seem) deleted ipa server on "server.example.com":
# ipa-replica-install --setup-ca --ip-address 10.75.22.247 --setup-dns --no-forwarders
Are you trying to preserve the host entry?
Well "server.example.com" is currently just a client, that being a prerequisite to it becoming a replica/server.
ipa server-del <removed-server> should clean things up.
But won't touch any of its currently-a-client config, correct?
Cheers, b.
Brian J. Murrell via FreeIPA-users wrote:
What I'm missing is the history.
So this was formerly a server and you ran ipa-server-install --uninstall. Did you also run ipa server-del? I assume not. Was this server running additional, non-IPA services?
Then you ran ipa-client-install? You didn't have any issues with "this host is already enrolled"?
How are you trying to remove the ldap service principal?
Is there something special about the client config that you can't uninstall the client to ensure the host and service entries for it are cleaned up?
rob
On Tue, 2022-01-25 at 09:18 -0500, Rob Crittenden wrote:
So this was formerly a server and you ran ipa-server-install --uninstall.
Correct.
Did you also run ipa server-del?
No. I thought ipa-server-install --uninstall would do all of the work.
Was this server running additional, non-IPA services?
Yes.
Then you ran ipa-client-install?
Correct, as a prerequisite for running ipa-replica-install.
You didn't have any issues with "this host is already enrolled"?
No, it's enrolled right now and happily providing gssapi-authenticated services.
How are you trying to remove the ldap service principal?
In the GUI. Clicking on ldap/server.example.com@EXAMPLE.COM and then clicking the delete button there.
Is there something special about the client config that you can't uninstall the client to ensure the host and service entries for it are cleaned up?
The client has been uninstalled (as a result of ipa-replica-install -- or maybe it's ipa-server-install you are told to do when ipa-replica-install fails) --uninstall and re-installed (as a prerequisite to ipa-replica-install, per https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm..., but I am also now seeing https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... but the first link was how I set up the server I am now trying to replicate from).
Honestly though, I don't care which process I use. I was just using what had worked before.
Cheers, b.
On Tue, 25 Jan 2022, Brian J. Murrell via FreeIPA-users wrote:
On Tue, 2022-01-25 at 09:18 -0500, Rob Crittenden wrote:
So this was formerly a server and you ran ipa-server-install --uninstall.
Correct.
Did you also run ipa server-del?
No. I thought ipa-server-install --uninstall would do all of the work.
So that's the issue. It is documented in RHEL documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
-------------------------------------------
To uninstall server.example.com:
On another server, use the ipa server-del command to delete server.example.com from the topology:
[root@another_server ~]# ipa server-del server.example.com
On server.example.com, use the ipa-server-install --uninstall command:
[root@server ~]# ipa-server-install --uninstall
Make sure all name server (NS) DNS records pointing to server.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS.
-------------------------------------------
Was this server running additional, non-IPA services?
Yes.
Then you ran ipa-client-install?
Correct, as a prerequisite for running ipa-replica-install.
You didn't have any issues with "this host is already enrolled"?
No, it's enrolled right now and happily providing gssapi-authenticated services.
How are you trying to remove the ldap service principal?
In the GUI. Clicking on ldap/server.example.com@EXAMPLE.COM and then clicking the delete button there.
Does using a raw LDAP delete help?
ldapdelete -D cn=directory\ manager -W krbprincipalname=ldap/server.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
?
If not, you might need to temporarily fix the LDAP entry schema consistency before deleting the object. It means you'd need to add krbPrincipalName attribute back.
Is there something special about the client config that you can't uninstall the client to ensure the host and service entries for it are cleaned up?
The client has been uninstalled (as a result of ipa-replica-install -- or maybe it's ipa-server-install you are told to do when ipa-replica- install fails) --uninstall and re-installed (as a prerequisite to ipa- replica-install, per https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm..., but I am also now seeing https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... but the first link was how I set up the server I am now trying to replicate from).
Honestly though, I don't care which process I use. I was just using what had worked before.
Cheers, b.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Tue, 2022-01-25 at 16:45 +0200, Alexander Bokovoy wrote:
On another server, use the ipa server-del command to delete server.example.com from the topology:
Indeed, I missed this part. :-( I suppose this cannot be done now that the machine has been redeployed as a client, correct?
# ipa host-show server.example.com
  Host name: server.example.com
  Platform: x86_64
  Operating system: 4.18.0-305.25.1.el8_4.x86_64
  Principal name: host/server.example.com@EXAMPLE.COM
  Principal alias: host/server.example.com@EXAMPLE.COM
  SSH public key fingerprint: [redacted]
  Password: False
  Member of host-groups: ipaservers
  Member of HBAC rule: all_allow_mail_services
  Keytab: True
  Managed by: server.example.com
# ipa server-show server.example.com
ipa: ERROR: server.example.com: server not found
# ipa server-find
--------------------
1 IPA server matched
--------------------
  Server name: server-staging.example.com
  Min domain level: 1
  Max domain level: 1
----------------------------
Number of entries returned 1
----------------------------
Could I attempt to add as a replica again, have it fail and then would I be able to do the "ipa server-del"?
Does using a raw LDAP delete help?
ldapdelete -D cn=directory\ manager -W krbprincipalname=ldap/server.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
I have not tried yet, pending the answer to the above questions. I don't want to muck around too much under the hood before I have to.
If not, you might need to temporarily fix the LDAP entry schema consistency before deleting the object. It means you'd need to add krbPrincipalName attribute back.
I have no idea how to do that. I have not mucked around with LDAP directly.
Cheers, b.
Hi,
you can do (on another server)
$ ipa server-del --force server.example.com
This should clean up all references to server.example.com
(on server.example.com)
$ ipa-client-install --uninstall -U
$ kdestroy -A
$ ipa-client-install ...
$ kinit admin
$ ipa-replica-install ...
HTH,
flo
On Fri, 2022-01-28 at 16:02 +0100, Florence Blanc-Renaud wrote:
Hi, you can do (on another server) $ ipa server-del --force server.example.com
# ipa server-del --force server.example.com
Removing server.example.com from replication topology, please wait...
ipa: WARNING: Forcing removal of server.example.com
ipa: WARNING: Failed to cleanup server.example.com DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
ipa: WARNING: Server has already been deleted
-------------------------------------------
Deleted IPA server "server.example.com"
-------------------------------------------
This should clean up all references to server.example.com
Hopefully it did. :-)
(on server.example.com) $ ipa-client-install --uninstall -U $ kdestroy -A $ ipa-client-install ... $ kinit admin $ ipa-replica-install ...
This has now gotten as far as:
# ipa-replica-install --setup-ca --ip-address 10.75.22.247 --setup-dns --no-forwarders
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: creating certificate server db
  [2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 12 seconds elapsed
Update succeeded
  [3/29]: creating ACIs for admin
  [4/29]: creating installation admin user
  [5/29]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
At the end of /var/log/ipareplica-install.log is the error:
com.netscape.certsrv.base.ConflictingOperationException: Entry already exists.
        at com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)
        at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)
        at org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)
        at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
        at org.dogtagpki.cli.CLI.execute(CLI.java:357)
        at org.dogtagpki.cli.CLI.execute(CLI.java:357)
        at org.dogtagpki.cli.CLI.execute(CLI.java:357)
        at org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)
        at org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)
Caused by: netscape.ldap.LDAPException: error result (68); Already exists
        at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
        at netscape.ldap.LDAPConnection.add(Unknown Source)
        at netscape.ldap.LDAPConnection.add(Unknown Source)
        at netscape.ldap.LDAPConnection.add(Unknown Source)
        at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)
        ... 7 more
CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--', '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-user-add', '--full-name', 'CA-server.example.com-8443', '--type', 'agentType', '--state', '1', '--debug', 'CA-server.example.com-8443']' returned non-zero exit status 255.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 740, in spawn
    deployer.setup_subsystem_user(instance, subsystem, system_certs['subsystem'])
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 1040, in setup_subsystem_user
    state='1')
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1521, in add_user
    capture_output=True)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1653, in run
    check=True)
  File "/usr/lib64/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)
2022-01-28T17:44:16Z CRITICAL Failed to configure CA instance
So while a lot further than before, it still fails, but much later in the install.
Any ideas on this new development?
Cheers, b.
Hi,
this error is also a known issue:
#8865 https://pagure.io/freeipa/issue/8865 "[Tracker] ipa-replica-install fails on 2nd run (f35+)" /
#3544 https://github.com/dogtagpki/pki/issues/3544 "ipa-replica-install fails to reinstall a replica (rawhide)"
It's been fixed with pki updates 11.1.0-0.1.alpha1 and 11.0.2-1.fc35 on fedora.
The workaround is to manually delete the entry uid=CA-<replica fqdn>-8443,ou=People,o=ipaca before calling ipa-replica-install, for instance with:
# ldapdelete -D "cn=Directory Manager" -w $PWD uid=CA-replica1.ipa.test-8443,ou=People,o=ipaca
You will need to do the whole process with ipa server-del / ipa-server-install --uninstall etc...
HTH,
flo
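Added here as a worked example (not code from the thread, nor from the FreeIPA or Dogtag projects): a small stdlib-Python pre-flight helper that ties together the two leftovers this thread turned up, the ldap/ service principal with a broken ipaKrbPrincipal entry that Alexander suggests repairing before deleting, and the uid=CA-<fqdn>-8443 ipaca user from Florence's workaround. It assumes the realm, base DN and the cn=masters location of the server entry; the LDIF entry is constructed to look like the failing one, and the helper only prepares LDIF and commands, it never connects to LDAP itself.

```python
"""Pre-flight helper for re-adding a removed FreeIPA server as a replica:
lists the leftovers this thread shows, detects the broken ldap/ principal
(ipaKrbPrincipal without krbPrincipalName) and emits the LDIF to repair it."""
import base64
import shlex

CA_PORT = 8443  # the ipaca user is named CA-<fqdn>-<port> (from the thread)


def stale_dns(fqdn, realm, basedn):
    """DNs an incomplete removal can leave behind (cn=masters location assumed)."""
    return {
        "service_principal": f"krbprincipalname=ldap/{fqdn}@{realm},"
                             f"cn=services,cn=accounts,{basedn}",
        "master_entry": f"cn={fqdn},cn=masters,cn=ipa,cn=etc,{basedn}",
        "ca_user": f"uid=CA-{fqdn}-{CA_PORT},ou=People,o=ipaca",
    }


def parse_ldif_entry(ldif_text):
    """One ldapsearch -LLL entry -> {attr_lowercase: [values]}; handles folded
    continuation lines (leading space) and base64 ("::") values."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # continuation of previous line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def missing_principal_name(attrs):
    """If objectClass ipaKrbPrincipal is present but krbPrincipalName is not
    (the schema violation in the thread), return the value implied by the RDN."""
    ocs = {v.lower() for v in attrs.get("objectclass", [])}
    if "ipakrbprincipal" in ocs and "krbprincipalname" not in attrs:
        return attrs["dn"][0].split(",", 1)[0].split("=", 1)[1]
    return None


def repair_ldif(dn, principal):
    """LDIF modify restoring krbPrincipalName (feed to ldapmodify -f) so the
    entry passes the ipaKrbPrincipal schema check and can then be deleted."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"add: krbPrincipalName\nkrbPrincipalName: {principal}\n")


def cleanup_commands(fqdn, realm, basedn):
    """Commands for a surviving master, in order: drop the server from the
    topology, then inspect and delete each leftover (-W prompts for the DM
    password instead of putting it on the command line)."""
    dm = shlex.quote("cn=Directory Manager")
    cmds = [f"ipa server-del --force {shlex.quote(fqdn)}"]
    for dn in stale_dns(fqdn, realm, basedn).values():
        q = shlex.quote(dn)
        cmds.append(f"ldapsearch -LLL -D {dm} -W -b {q} -s base "
                    f"'(objectClass=*)' objectClass krbPrincipalName")
        cmds.append(f"ldapdelete -D {dm} -W {q}")
    return cmds


# Constructed sample (not a real dump) mirroring the broken entry in the thread;
# the dn line is folded to exercise continuation handling.
SAMPLE_BROKEN_ENTRY = """\
dn: krbprincipalname=ldap/server.example.com@EXAMPLE.COM,cn=services,cn=accoun
 ts,dc=example,dc=com
objectClass: ipaKrbPrincipal
objectClass: krbPrincipal
objectClass: ipaService
"""
```

If the base-scope search of the service principal returns the entry without krbPrincipalName, apply repair_ldif() with ldapmodify before the ldapdelete; an ldapsearch that returns "No such object" for a DN simply means that leftover is already gone.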