I've been trying to rebuild my FreeIPA server that I run on CentOS 7.3.
Previously, I was running FreeIPA 4.2.x and upgraded over time to 4.4.0
now, but somewhere along the line it totally broke and failed. For me
it's not a big deal because it serves very little in a home cluster
lab, but I wanted to take this time to update my chef cookbooks to
accommodate the new way to auto-configure FreeIPA.
The Server installation portion was pretty much the same as before.
It's the replica that's mostly changed.
Using the install method with ipa-replica-install, I'm using these
arguments:
ipa-replica-install --unattended \
--no-ntp --mkhomedir --skip-conncheck \
--ip-address 172.17.0.102 \
--principal admin \
--admin-password "redacted" \
--server ipa1.home.ld \
--domain home.ld \
--realm HOME.LD
And it's failing with the following results:
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/44]: creating directory server user
[2/44]: creating directory server instance
[3/44]: updating configuration in dse.ldif
[4/44]: restarting directory server
[5/44]: adding default schema
[6/44]: enabling memberof plugin
[7/44]: enabling winsync plugin
[8/44]: configuring replication version plugin
[9/44]: enabling IPA enrollment plugin
[10/44]: enabling ldapi
[11/44]: configuring uniqueness plugin
[12/44]: configuring uuid plugin
[13/44]: configuring modrdn plugin
[14/44]: configuring DNS plugin
[15/44]: enabling entryUSN plugin
[16/44]: configuring lockout plugin
[17/44]: configuring topology plugin
[18/44]: creating indices
[19/44]: enabling referential integrity plugin
[20/44]: configuring certmap.conf
[21/44]: configure autobind for root
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: creating DS keytab
[27/44]: retrieving DS Certificate
[28/44]: restarting directory server
[29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ipa1.home.ld] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
[error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
STDERR: Client hostname: ipa2.home.ld
Realm: HOME.LD
DNS Domain: home.ld
IPA Server: ipa1.home.ld
BaseDN: dc=home,dc=ld
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HOME.LD
Issuer: CN=Certificate Authority,O=HOME.LD
Valid From: Sun Jun 11 14:31:12 2017 UTC
Valid Until: Thu Jun 11 14:31:12 2037 UTC
Enrolled in IPA realm HOME.LD
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HOME.LD
trying
https://ipa1.home.ld/ipa/json
Forwarding 'schema' to json server 'https://ipa1.home.ld/ipa/json'
trying
https://ipa1.home.ld/ipa/session/json
Forwarding 'ping' to json server 'https://ipa1.home.ld/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa1.home.ld/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipa1.home.ld/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring home.ld as NIS domain.
Client configuration complete.
ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Attached are the full logs from ipareplica-install.log.
Any help on this would be greatly appreciated. I tried all weekend long
to get this to work, all to the same basic failure.
Eric
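The command in the post runs with --skip-conncheck, so the installer's own connectivity check is bypassed and the first thing that actually exercises the admin credential against the master is step 29. Below is a small pre-flight script I put together as an added example (it is not part of the post and not FreeIPA's own ipa-replica-conncheck). On the replica host it verifies two things that initial replication depends on: forward and reverse DNS agree for both the replica and the master, and the admin principal can obtain a Kerberos ticket and complete a GSSAPI bind against the master's directory server. It also carries two helpers that pull the failing step and the LDAP result code out of installer output like the log above, so the same script can summarize a failed run. Hostnames, the IP address, base DN and realm default to the values in the post and are placeholders; the script assumes kinit and an ldapsearch built with SASL GSSAPI support are installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for a FreeIPA replica host plus helpers
# that summarize a failed ipa-replica-install run. Not FreeIPA's own tooling.
# Defaults below are the placeholder values from the post; override via env.
REPLICA_FQDN="${REPLICA_FQDN:-ipa2.home.ld}"
REPLICA_IP="${REPLICA_IP:-172.17.0.102}"
MASTER_FQDN="${MASTER_FQDN:-ipa1.home.ld}"
BASE_DN="${BASE_DN:-dc=home,dc=ld}"
ADMIN_PRINCIPAL="${ADMIN_PRINCIPAL:-admin@HOME.LD}"

# Print the numeric LDAP result code from a line such as
#   "[ipa1.home.ld] reports: Update failed! Status: [49 - LDAP error: ...]"
# Reads installer output on stdin; prints nothing if no status line is present.
ldap_status_code() {
    sed -n 's/.*Status: \[\([0-9][0-9]*\) - .*/\1/p' | head -n 1
}

# Print the last "[n/m]: step" line seen, i.e. the step that was running
# when the installer aborted. Reads installer output on stdin.
last_install_step() {
    sed -n 's|^.*\(\[[0-9][0-9]*/[0-9][0-9]*\]: .*\)$|\1|p' | tail -n 1
}

# Forward and reverse resolution must agree, or Kerberos/GSSAPI service
# principals will not match the names the other side expects.
check_dns() {
    name="$1"; ip="$2"
    fwd=$(getent hosts "$name" | awk '{print $1}' | head -n 1)
    [ "$fwd" = "$ip" ] || { echo "FAIL: $name resolves to '$fwd', expected $ip"; return 1; }
    rev=$(getent hosts "$ip" | awk '{print $2}' | head -n 1)
    [ "$rev" = "$name" ] || { echo "FAIL: $ip reverse-resolves to '$rev', expected $name"; return 1; }
    echo "OK: DNS forward/reverse agree for $name <-> $ip"
}

# Can the admin credential get a ticket and bind to the master's LDAP?
# kinit prompts for the password itself, so it never appears in argv or history.
# Assumes ldapsearch has SASL GSSAPI support (cyrus-sasl-gssapi on CentOS).
check_admin_bind() {
    kinit "$ADMIN_PRINCIPAL" || { echo "FAIL: kinit $ADMIN_PRINCIPAL"; return 1; }
    ldapsearch -Y GSSAPI -H "ldap://$MASTER_FQDN" -b "$BASE_DN" -s base -LLL dn >/dev/null 2>&1 \
        || { echo "FAIL: GSSAPI bind to $MASTER_FQDN as $ADMIN_PRINCIPAL"; return 1; }
    echo "OK: ticket for $ADMIN_PRINCIPAL and GSSAPI bind to $MASTER_FQDN"
}

preflight() {
    rc=0
    check_dns "$REPLICA_FQDN" "$REPLICA_IP" || rc=1
    # The master's IP is looked up rather than assumed.
    master_ip=$(getent hosts "$MASTER_FQDN" | awk '{print $1}' | head -n 1)
    check_dns "$MASTER_FQDN" "$master_ip" || rc=1
    check_admin_bind || rc=1
    return "$rc"
}

# Usage: ./replica-preflight.sh run          -> run the live checks
#        ./replica-preflight.sh summarize < /var/log/ipareplica-install.log
case "${1:-}" in
    run) preflight ;;
    summarize)
        log=$(cat)
        echo "failed at: $(printf '%s\n' "$log" | last_install_step)"
        echo "ldap result code: $(printf '%s\n' "$log" | ldap_status_code)" ;;
esac
```

Run the `run` mode on the replica before ipa-replica-install; if any line prints FAIL, fix that item first, since the installer will otherwise stop partway through and leave the host in the "partly configured" state shown in the post. The `summarize` mode is handy when the installer output has been captured to a file by chef rather than read interactively.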