Hello people. This is already posted here; maybe check there for better formatting: https://www.reddit.com/r/FreeIPA/comments/yzcln7/broken_installation_how_to_...
I broke my IPA installation on a CentOS 7 somehow... can't root-cause it anymore. But since I basically only use LDAP, I managed to have it running in a crutch manner...
I run into two problems:
- When I try to uninstall & install the same IPA on that VM (but a snapshot clone), I get an error that it can't connect to ldapi:///var/run/slapd*sock -> I gave up at some point.
- Can't join new machines via ipa-client-install.
  - Problem with Kerberos keys, I guess; see below.
Anyway, I found that exporting a backup and importing it on a Rocky Linux 9 imports the same problems... so I am kinda lost and guess I am seeking some help here... At this point I start hating the full feature set of IPA, which brings lots of complexity... anyways, here we are....
Don't be surprised about the date+timestamps; I have my shell's PS settings that way.
Old system CentOS 7 mgmt01:
root@mgmt01 14:29:28 ~$ kinit admin
Password for admin@REALM:
root@mgmt01 14:29:51 ~$ ipa user-find
ERROR: No valid Negotiate header in server response

New system Rocky 9 mgmt02 after completely fresh install:

14:32:46-root@mgmt02:RC0:~
↳ kinit admin
19.11.2022 14:32:48
Password for admin@REALM:
14:32:52-root@mgmt02:RC0:~
↳ ipa user-find
19.11.2022 14:32:55
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@REALM, root@REALM
  UID: 1037800000
  GID: 1037800000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

I do export a backup on mgmt01:
ipa-backup --data --online
On mgmt02:
Go to the web interface of the new server, find the default/empty user list.
↳ ipa-restore --data --online --backend userRoot /home/sshadmin/ipa-data-2022-11-18-19-40-45/
19.11.2022 14:48:14
Directory Manager (existing master) password:
Preparing restore from /home/sshadmin/ipa-data-2022-11-18-19-40-45/ on mgmt01
Performing DATA restore from DATA backup
Restoring data from a different release of IPA. Data is version 4.6.8. Server is running 4.9.8.
Continue to restore? [no]: yes
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
Disabling all replication.
Starting Directory Server
Restoring from userRoot in REALM
Waiting for LDIF to finish
Restoring umask to 18
The ipa-restore command was successful
↳ ipa user-find ->
Can find users.
↳ refresh website ->
I can see my LDAP users.
↳ log out of website, re-login with admin user gives me:
Login failed due to an unknown reason (same on old system)
↳ reboot, and ipa user-find will give me this one:
ipa: ERROR: No valid Negotiate header in server response
At this point again I can't join new machines to the new server via ipa-client-install.
I am pretty lost.
I also tried exporting LDAP data with db2ldif -> and added it to the new server with ldapmodify -ac -f ldiffile, and seem to run into pretty similar issues.
Luckily I can read the LDIF file and connect to the old and new server with Apache Studio; that might help in more manual efforts to restore the service.
I tried something else now...
I've exported LDIFs from cn=groups,cn=accounts and cn=users,cn=accounts separately.
Tried to import groups first (did work).
Tried to import users then -> only a few users are imported in the end. Most of them are declined with this error:
#!ERROR [LDAP result code 53 - unwillingToPerform] Managed Entry Plugin rejected add operation (see errors log).
I have no damn clue...
Nov 19 16:59:37 mgmt.doma.in ns-slapd[1257]: [19/Nov/2022:16:59:37.145273724 +0100] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add pointer to managed entry "cn=user,cn=groups,cn=accounts,dc=doma,dc=in" in origin entry "uid=user,cn=users,cn=accounts,dc=doma,dc=in" (Type or value exists).
freeipa-users@lists.fedorahosted.org
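Added example (not from the poster or the FreeIPA project): the ns-slapd line quoted above says the Managed Entries plugin could not add its pointer to the origin entry because the "type or value exists". One plausible reading, stated here as an assumption, is that the user entries exported from the old server already carry a mepManagedEntry attribute, so when ldapmodify -a creates them on the new server the plugin tries to add the very same pointer again and rejects the add. The script below is an LDIF filter that removes such plugin-maintained attributes before re-import, so the plugin can recreate the private group and the pointer itself. The attribute name mepManagedEntry is a real 389-ds attribute; the sample LDIF, the entry values and the file names in the usage note are constructed for illustration.

```python
"""Strip attributes maintained by the 389-ds Managed Entries plugin from an
exported LDIF before re-importing it with ldapmodify -a.

Assumption (not confirmed on the page): the "Type or value exists" rejection
comes from user entries that already contain a mepManagedEntry pointer, which
the plugin tries to add again when the entry is created on the new server.
"""
import sys
from typing import List, Set, Tuple

# Attribute the plugin adds to the origin (user) entry; matched case-insensitively.
STRIPPED_ATTRS: Set[str] = {"mepmanagedentry"}

# Constructed sample modelled on a FreeIPA user entry; not real directory data.
SAMPLE_LDIF = """\
# constructed sample, not exported from a real server
version: 1

dn: uid=user,cn=users,cn=accounts,dc=doma,dc=in
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: mepOriginEntry
uid: user
cn: Example User
sn: User
homeDirectory: /home/user
uidNumber: 1037800001
gidNumber: 1037800001
mepManagedEntry: cn=user,cn=groups,cn=accounts,
 dc=doma,dc=in
description:: RXhhbXBsZQ==

dn: uid=other,cn=users,cn=accounts,dc=doma,dc=in
objectClass: top
objectClass: person
uid: other
cn: Other User
sn: User
"""

Entry = List[Tuple[str, str]]  # ordered (attribute description, raw value text)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous
    line) and drop comment lines and the version header."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("#") or raw.lower().startswith("version:"):
            continue
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Entry]:
    """Split LDIF into entries separated by blank lines. The value text keeps
    its leading ':' (base64) or '<' (URL) marker and space so that rendering
    the entries again reproduces the original attribute lines byte for byte."""
    entries: List[Entry] = []
    current: Entry = []
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.append((name, value))
    if current:
        entries.append(current)
    return entries


def strip_managed_attrs(entries: List[Entry], stripped: Set[str] = STRIPPED_ATTRS) -> Tuple[List[Entry], int]:
    """Remove plugin-maintained attributes; attribute options such as ';binary'
    are ignored for the comparison. Returns the entries and a removal count."""
    removed = 0
    out: List[Entry] = []
    for entry in entries:
        kept: Entry = []
        for name, value in entry:
            if name.split(";")[0].lower() in stripped:
                removed += 1
            else:
                kept.append((name, value))
        out.append(kept)
    return out, removed


def render_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF, one blank line between entries."""
    return "\n\n".join("\n".join(f"{n}:{v}" for n, v in e) for e in entries) + "\n"


def filter_ldif_text(text: str) -> Tuple[str, int]:
    """Filter a whole LDIF document; returns (cleaned LDIF, removed count)."""
    entries, removed = strip_managed_attrs(parse_entries(text))
    return render_ldif(entries), removed


if __name__ == "__main__":
    # Read an exported LDIF from stdin; fall back to the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    cleaned, count = filter_ldif_text(source)
    sys.stdout.write(cleaned)
    print(f"# removed {count} managed-entry pointer(s)", file=sys.stderr)
```

Usage, with hypothetical file names: `python3 strip_mep.py < users.ldif > users-clean.ldif`, then import users-clean.ldif the same way as before and check the 389-ds errors log again; if the rejections stop, the duplicated pointer was the cause, and if they persist, the plugin is objecting to something else and the hypothesis above does not hold.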