Hey,
I'm trying to create a replica from an older FreeIPA server to a more modern one. The eventual plan being to remove the very old one and use the new one as the primary. Then new replicas would be created off it.
Running into a problem though during the CA Configuration phase when it tries to create the admin user, or rather verify it.
This thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK might be related as well as RedHat Bugzilla – Bug 2151071 https://bugzilla.redhat.com/show_bug.cgi?id=2151071.
Details on the issue, environment, and troubleshooting performed so far are posted here https://www.gpmidi.net/node/162 as well as copy/pasted below.
-Paulson
The ProblemOverview
Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the `Configuring certificate server (pki-tomcatd)` phase. Example ipa-replica-install error
# kinit <MY PERSONAL ADMIN USERNAME> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: creating certificate server db [2/30]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 11 seconds elapsed Update succeeded
[3/30]: creating ACIs for admin [4/30]: creating installation admin user Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 [hint] tune with replication_wait_timeout [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
From Installer Log
2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z ERROR Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation run_step(full_msg, method) File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step method() File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 789, in setup_admin raise errors.NotFound( ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
While Waiting For User Sync/Validation...
*tl;dr The user seems to exist on both sides!*
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389 Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://ipam.i.gpmidi.net:389 #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://localhost #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
------------------------------ The EnvironmentSource
Distro: CentOS 7.9.2009 FreeIPA: 4.6.8 TargetOriginally
Distro: Fedora Server 36 FreeIPA: 4.9.11 Later
Distro: Fedora Server 37 FreeIPA: 4.10.1 Install CommandsStep 1 - Client
ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET --ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid --hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
Step 2 - kinit
kinit <MY PERSONAL USER>
Step 3 - Replica Install
ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
Sometimes the `--debug` flag was also used.
The installer would ask about trusted domain support - answered "no" via no entry unless noted otherwise.
Enable trusted domains support in slapi-nis? [no]:
Cleanup Commands
Used after a failure to reset the environment. Step 1 - Uninstall
/usr/sbin/ipa-server-install --uninstall
Step 2 - Validated Server Removed
Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and validated that the new server, ipa0, wasn't listed. Deleted if it was. ------------------------------ Related Links
- FreeIPA Users thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK - Red Hat Bugzilla – Bug 2151071 https://bugzilla.redhat.com/show_bug.cgi?id=2151071
------------------------------ Attempted Fixes
Changed Replication Wait Time
Created ` /etc/ipa/installer.conf` (see below) and changed the time in seconds.
# cat /etc/ipa/installer.conf [global] replication_wait_timeout=30
Result
30s = No change 300s = No change 600s = No change
*Left at 30s for further testing - keeps it quick - provides more than enough time since my ldap db is small. * Update Source IPA Box From C7 To C8Result
Upgrade from c7 to c8 failed badly. Might try again later. Update Source IPA Box 389 `root` Password Hash Type
# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current DirSrv Root Password>' {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
Result
No change Updated Target IPA Box To Fedora Server 37
Updated target IPA box from f36 to f37. This changed the IPA version from 4.9.11 to 4.10.1. Result
No change Changing Password Storage Scheme On Source
# dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace passwordStorageScheme=PBKDF2_SHA256 Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED ROOT PW> Successfully replaced "passwordStorageScheme"
Result
No change Trusted Domains Answer = Yes
Answered 'yes' to trusted domains.
Enable trusted domains support in slapi-nis? [no]: yes
Result
No change Restarted IPA On Source
Since the `dsconf` change above to the password storage scheme the IPA server on the source box hasn't been restarted. Restarted it via...
# ipactl restasrt
Result
No change
Hi,
as you correctly found, the issue is a known problem on 389-ds side (issue #5565 https://github.com/389ds/389-ds-base/issues/5565 / BZ 2170224 https://bugzilla.redhat.com/show_bug.cgi?id=2170224). During the replica installation, the replica locally creates a temporary user, that is then replicated to the master. To ensure that the temporary user has been replicated to the master, the installer waits a bit and tries to perform a ldap bind on the master with the credentials for this temp user. The temp user is created on the replica hence its password is stored using PBKDF2-SHA512. This password storage scheme is not available on the master, and the direct consequence is that the bind fails.
The issue has been fixed on 389-ds side by adding support on the older version for the password storage scheme and will be available soon on RHEL 7.9, but I can't tell when it will reach c7.
HTH, flo
On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hey,
I'm trying to create a replica from an older FreeIPA server to a more modern one. The eventual plan being to remove the very old one and use the new one as the primary. Then new replicas would be created off it.
Running into a problem though during the CA Configuration phase when it tries to create the admin user, or rather verify it.
This thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK might be related as well as RedHat Bugzilla – Bug 2151071 https://bugzilla.redhat.com/show_bug.cgi?id=2151071.
Details on the issue, environment, and troubleshooting performed so far are posted here https://www.gpmidi.net/node/162 as well as copy/pasted below.
-Paulson
The ProblemOverview
Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the `Configuring certificate server (pki-tomcatd)` phase. Example ipa-replica-install error
# kinit <MY PERSONAL ADMIN USERNAME> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: creating certificate server db [2/30]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 11 seconds elapsed Update succeeded
[3/30]: creating ACIs for admin [4/30]: creating installation admin user Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 [hint] tune with replication_wait_timeout [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
From Installer Log
2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z ERROR Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation run_step(full_msg, method) File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step method() File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 789, in setup_admin raise errors.NotFound( ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
While Waiting For User Sync/Validation...
*tl;dr The user seems to exist on both sides!*
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389 Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://ipam.i.gpmidi.net:389 #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://localhost #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
The EnvironmentSource
Distro: CentOS 7.9.2009 FreeIPA: 4.6.8 TargetOriginally
Distro: Fedora Server 36 FreeIPA: 4.9.11 Later
Distro: Fedora Server 37 FreeIPA: 4.10.1 Install CommandsStep 1 - Client
ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET --ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid --hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
Step 2 - kinit
kinit <MY PERSONAL USER>
Step 3 - Replica Install
ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
Sometimes the `--debug` flag was also used.
The installer would ask about trusted domain support - answered "no" via no entry unless noted otherwise.
Enable trusted domains support in slapi-nis? [no]:
Cleanup Commands
Used after a failure to reset the environment. Step 1 - Uninstall
/usr/sbin/ipa-server-install --uninstall
Step 2 - Validated Server Removed
Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and validated that the new server, ipa0, wasn't listed. Deleted if it was.
Related Links
- FreeIPA Users thread
- Red Hat Bugzilla – Bug 2151071
https://bugzilla.redhat.com/show_bug.cgi?id=2151071
Attempted Fixes
Changed Replication Wait Time
Created ` /etc/ipa/installer.conf` (see below) and changed the time in seconds.
# cat /etc/ipa/installer.conf [global] replication_wait_timeout=30
Result
30s = No change 300s = No change 600s = No change
*Left at 30s for further testing - keeps it quick - provides more than enough time since my ldap db is small. * Update Source IPA Box From C7 To C8Result
Upgrade from c7 to c8 failed badly. Might try again later. Update Source IPA Box 389 `root` Password Hash Type
# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current DirSrv Root Password>' {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
Result
No change Updated Target IPA Box To Fedora Server 37
Updated target IPA box from f36 to f37. This changed the IPA version from 4.9.11 to 4.10.1. Result
No change Changing Password Storage Scheme On Source
# dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace passwordStorageScheme=PBKDF2_SHA256 Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED ROOT PW> Successfully replaced "passwordStorageScheme"
Result
No change Trusted Domains Answer = Yes
Answered 'yes' to trusted domains.
Enable trusted domains support in slapi-nis? [no]: yes
Result
No change Restarted IPA On Source
Since the `dsconf` change above to the password storage scheme the IPA server on the source box hasn't been restarted. Restarted it via...
# ipactl restasrt
Result
No change _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hey,
Wouldn't the support for the older version of the password storage scheme need to reach Fedora 37 since that's the side with the new version of everything?
-Paulson
On Thu, Mar 2, 2023 at 12:53 AM Florence Blanc-Renaud flo@redhat.com wrote:
Hi,
as you correctly found, the issue is a known problem on 389-ds side (issue #5565 https://github.com/389ds/389-ds-base/issues/5565 / BZ 2170224 https://bugzilla.redhat.com/show_bug.cgi?id=2170224). During the replica installation, the replica locally creates a temporary user, that is then replicated to the master. To ensure that the temporary user has been replicated to the master, the installer waits a bit and tries to perform a ldap bind on the master with the credentials for this temp user. The temp user is created on the replica hence its password is stored using PBKDF2-SHA512. This password storage scheme is not available on the master, and the direct consequence is that the bind fails.
The issue has been fixed on 389-ds side by adding support on the older version for the password storage scheme and will be available soon on RHEL 7.9, but I can't tell when it will reach c7.
HTH, flo
On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hey,
I'm trying to create a replica from an older FreeIPA server to a more modern one. The eventual plan being to remove the very old one and use the new one as the primary. Then new replicas would be created off it.
Running into a problem though during the CA Configuration phase when it tries to create the admin user, or rather verify it.
This thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK might be related as well as RedHat Bugzilla – Bug 2151071 https://bugzilla.redhat.com/show_bug.cgi?id=2151071.
Details on the issue, environment, and troubleshooting performed so far are posted here https://www.gpmidi.net/node/162 as well as copy/pasted below.
-Paulson
The ProblemOverview
Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the `Configuring certificate server (pki-tomcatd)` phase. Example ipa-replica-install error
# kinit <MY PERSONAL ADMIN USERNAME> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: creating certificate server db [2/30]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 11 seconds elapsed Update succeeded
[3/30]: creating ACIs for admin [4/30]: creating installation admin user Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 [hint] tune with replication_wait_timeout [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
From Installer Log
2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z ERROR Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation run_step(full_msg, method) File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step method() File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 789, in setup_admin raise errors.NotFound( ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
While Waiting For User Sync/Validation...
*tl;dr The user seems to exist on both sides!*
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389 Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://ipam.i.gpmidi.net:389 #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://localhost #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
The EnvironmentSource
Distro: CentOS 7.9.2009 FreeIPA: 4.6.8 TargetOriginally
Distro: Fedora Server 36 FreeIPA: 4.9.11 Later
Distro: Fedora Server 37 FreeIPA: 4.10.1 Install CommandsStep 1 - Client
ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET --ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid --hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
Step 2 - kinit
kinit <MY PERSONAL USER>
Step 3 - Replica Install
ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
Sometimes the `--debug` flag was also used.
The installer would ask about trusted domain support - answered "no" via no entry unless noted otherwise.
Enable trusted domains support in slapi-nis? [no]:
Cleanup Commands
Used after a failure to reset the environment. Step 1 - Uninstall
/usr/sbin/ipa-server-install --uninstall
Step 2 - Validated Server Removed
Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and validated that the new server, ipa0, wasn't listed. Deleted if it was.
Related Links
- FreeIPA Users thread
- Red Hat Bugzilla – Bug 2151071
https://bugzilla.redhat.com/show_bug.cgi?id=2151071
Attempted Fixes
Changed Replication Wait Time
Created ` /etc/ipa/installer.conf` (see below) and changed the time in seconds.
# cat /etc/ipa/installer.conf [global] replication_wait_timeout=30
Result
30s = No change 300s = No change 600s = No change
*Left at 30s for further testing - keeps it quick - provides more than enough time since my ldap db is small. * Update Source IPA Box From C7 To C8Result
Upgrade from c7 to c8 failed badly. Might try again later. Update Source IPA Box 389 `root` Password Hash Type
# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current DirSrv Root Password>' {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
Result
No change Updated Target IPA Box To Fedora Server 37
Updated target IPA box from f36 to f37. This changed the IPA version from 4.9.11 to 4.10.1. Result
No change Changing Password Storage Scheme On Source
# dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace passwordStorageScheme=PBKDF2_SHA256 Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED ROOT PW> Successfully replaced "passwordStorageScheme"
Result
No change Trusted Domains Answer = Yes
Answered 'yes' to trusted domains.
Enable trusted domains support in slapi-nis? [no]: yes
Result
No change Restarted IPA On Source
Since the `dsconf` change above to the password storage scheme the IPA server on the source box hasn't been restarted. Restarted it via...
# ipactl restasrt
Result
No change _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On to, 02 maalis 2023, Paulson McIntyre via FreeIPA-users wrote:
Hey,
Wouldn't the support for the older version of the password storage scheme need to reach Fedora 37 since that's the side with the new version of everything?
It is the other way around. There is an effort to backport this newer hash type support to 389-ds-base in older releases. I've heard it is close to being pushed out to RHEL customers and after that CentOS 7 would do a rebuild.
One that rebuild is out, you'd be able to update c7 machine and then add a replica.
-Paulson
On Thu, Mar 2, 2023 at 12:53 AM Florence Blanc-Renaud flo@redhat.com wrote:
Hi,
as you correctly found, the issue is a known problem on 389-ds side (issue #5565 https://github.com/389ds/389-ds-base/issues/5565 / BZ 2170224 https://bugzilla.redhat.com/show_bug.cgi?id=2170224). During the replica installation, the replica locally creates a temporary user, that is then replicated to the master. To ensure that the temporary user has been replicated to the master, the installer waits a bit and tries to perform a ldap bind on the master with the credentials for this temp user. The temp user is created on the replica hence its password is stored using PBKDF2-SHA512. This password storage scheme is not available on the master, and the direct consequence is that the bind fails.
The issue has been fixed on 389-ds side by adding support on the older version for the password storage scheme and will be available soon on RHEL 7.9, but I can't tell when it will reach c7.
HTH, flo
On Wed, Mar 1, 2023 at 9:33 PM Paulson McIntyre via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hey,
I'm trying to create a replica from an older FreeIPA server to a more modern one. The eventual plan being to remove the very old one and use the new one as the primary. Then new replicas would be created off it.
Running into a problem though during the CA Configuration phase when it tries to create the admin user, or rather verify it.
This thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5PHFG7FLA3JZ3Z527BPUDPMMO67XIBUK/#IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK might be related as well as RedHat Bugzilla – Bug 2151071 https://bugzilla.redhat.com/show_bug.cgi?id=2151071.
Details on the issue, environment, and troubleshooting performed so far are posted here https://www.gpmidi.net/node/162 as well as copy/pasted below.
-Paulson
The ProblemOverview
Can't create a new replica of an older FreeIPA server (v4.6.8 on c7) to a new FreeIPA server (v4.9 on f36 and v4.10 on f37). The error is during the `Configuring certificate server (pki-tomcatd)` phase. Example ipa-replica-install error
# kinit <MY PERSONAL ADMIN USERNAME> # ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: creating certificate server db [2/30]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 11 seconds elapsed Update succeeded
[3/30]: creating ACIs for admin [4/30]: creating installation admin user Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 [hint] tune with replication_wait_timeout [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389 The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
From Installer Log
2023-03-01T18:01:02Z DEBUG [4/30]: creating installation admin user 2023-03-01T18:01:02Z DEBUG Waiting 30 seconds for uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca to appear on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z ERROR Unable to log in as uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca on ldap://ipam.i.gpmidi.net:389 2023-03-01T18:01:32Z INFO [hint] tune with replication_wait_timeout 2023-03-01T18:01:32Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation run_step(full_msg, method) File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step method() File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 789, in setup_admin raise errors.NotFound( ipalib.errors.NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG [error] NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
2023-03-01T18:01:32Z DEBUG The ipa-replica-install command failed, exception: NotFound: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca did not replicate to ldap://ipam.i.gpmidi.net:389
While Waiting For User Sync/Validation...
*tl;dr The user seems to exist on both sides!*
[root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://ipam.i.gpmidi.net:389 Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://ipam.i.gpmidi.net:389 #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 [root@ipa0 ~]# ldapsearch -x -D "cn=Directory Manager" -W -b "uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca" ldap://localhost Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca> with scope subtree # filter: (objectclass=*) # requesting: ldap://localhost #
# admin-ipa0.i.gpmidi.net, people, ipaca dn: uid=admin-ipa0.i.gpmidi.net,ou=people,o=ipaca
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
The EnvironmentSource
Distro: CentOS 7.9.2009 FreeIPA: 4.6.8 TargetOriginally
Distro: Fedora Server 36 FreeIPA: 4.9.11 Later
Distro: Fedora Server 37 FreeIPA: 4.10.1 Install CommandsStep 1 - Client
ipa-client-install --ssh-trust-dns --mkhomedir --realm=I.GPMIDI.NET --ntp-pool=0.pool.ntp.org --force-join --enable-dns-updates --subid --hostname=ipa0.i.gpmidi.net --ntp-server=1.pool.ntp.org
Step 2 - kinit
kinit <MY PERSONAL USER>
Step 3 - Replica Install
ipa-replica-install --setup-adtrust --setup-ca --setup-dns --no-forwarders --skip-conncheck --add-sids
Sometimes the `--debug` flag was also used.
The installer would ask about trusted domain support - answered "no" via no entry unless noted otherwise.
Enable trusted domains support in slapi-nis? [no]:
Cleanup Commands
Used after a failure to reset the environment. Step 1 - Uninstall
/usr/sbin/ipa-server-install --uninstall
Step 2 - Validated Server Removed
Browsed to https://ipam.i.gpmidi.net/ipa/ui/#/e/server/search and validated that the new server, ipa0, wasn't listed. Deleted if it was.
Related Links
- FreeIPA Users thread
- Red Hat Bugzilla – Bug 2151071
https://bugzilla.redhat.com/show_bug.cgi?id=2151071
Attempted Fixes
Changed Replication Wait Time
Created ` /etc/ipa/installer.conf` (see below) and changed the time in seconds.
# cat /etc/ipa/installer.conf [global] replication_wait_timeout=30
Result
30s = No change 300s = No change 600s = No change
*Left at 30s for further testing - keeps it quick - provides more than enough time since my ldap db is small. * Update Source IPA Box From C7 To C8Result
Upgrade from c7 to c8 failed badly. Might try again later. Update Source IPA Box 389 `root` Password Hash Type
# /usr/bin/pwdhash -D /etc/dirsrv/slapd-YOUR-DOMAIN-NET -s PBKDF2_SHA256 '<Current DirSrv Root Password>' {PBKDF2_SHA256}xxxxxxxxxxxxxxxxxxxxxxxx
Result
No change Updated Target IPA Box To Fedora Server 37
Updated target IPA box from f36 to f37. This changed the IPA version from 4.9.11 to 4.10.1. Result
No change Changing Password Storage Scheme On Source
# dsconf -D "cn=Directory Manager" -W ldaps://ipam.i.gpmidi.net config replace passwordStorageScheme=PBKDF2_SHA256 Enter password for cn=Directory Manager on ldaps://ipam.i.gpmidi.net: <ENTERED ROOT PW> Successfully replaced "passwordStorageScheme"
Result
No change Trusted Domains Answer = Yes
Answered 'yes' to trusted domains.
Enable trusted domains support in slapi-nis? [no]: yes
Result
No change Restarted IPA On Source
Since the `dsconf` change above to the password storage scheme the IPA server on the source box hasn't been restarted. Restarted it via...
# ipactl restasrt
Result
No change _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
freeipa-users@lists.fedorahosted.org