Brian J. Murrell via FreeIPA-users wrote:
I'm trying to add a replica but it's failing on step "[23/38]: creating DS keytab" with:
[error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/server.example.com@EXAMPLE.COM', '-H', 'ldaps://server-staging.example.com'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method…\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
This is trying to add back an ipa server that was previously removed (for O/S major version upgrade per the supported upgrade/migration process). Maybe the previous removal was not complete?
After running the recommended --uninstall and then examining the principals in the master server, I see an ldap/server.example.com@EXAMPLE.COM still remaining. Surely that should not be there, correct?
So I tried to remove it, but that gave yet another error:
missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"
and logged the error:
ERR - oc_check_required - Entry "krbprincipalname=ldap/server.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=interlinx,dc=bc,dc=ca" missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"
in the journal.
So how to proceed now?

What is it exactly that you're doing?
Are you trying to preserve the host entry?
ipa server-del <removed-server> should clean things up.
rob