Yes, this was a problem.  Schema replication was failing because a version of the entryuuid plugin added a new syntax plugin, which cannot be replicated.  So it broke replication and would lead to errors like this.

The minimum version of 389-ds-base-2.x you need is:

    389-ds-base-2.0.8

This version will work with older versions of DS.

HTH,

Mark

On 9/9/21 10:00 AM, François Cami wrote:
Hi,

I think this is related to the DS versions being different in f33 and f34.
f33 has 389-ds-base-1.4 and f34 has 2.0.x.
It sounds like:
https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466

Could you post the exact versions of DS you are using?

Thank you,
François


On Thu, Sep 9, 2021 at 3:47 PM Mathias Rumbold via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Hello Community!

I am trying to add a new Fedora 34 server as secondary master. The idm01 is 
still Fedora 33 but versions are the same as I can see.

The issue I am hitting is by installing the replication (Client works fine).

Configuring the web interface (httpd)
   [1/21]: stopping httpd
   [2/21]: backing up ssl.conf
   [3/21]: disabling nss.conf
   [4/21]: configuring mod_ssl certificate paths
   [5/21]: setting mod_ssl protocol list
   [6/21]: configuring mod_ssl log directory
   [7/21]: disabling mod_ssl OCSP
   [8/21]: adding URL rewriting rules
   [9/21]: configuring httpd
   [10/21]: setting up httpd keytab
   [11/21]: configuring Gssproxy
   [12/21]: setting up ssl
   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at 
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute 
"entryuuid" not allowed).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json 
failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information


Log files:
2021-09-08T11:33:07Z DEBUG   -> Not backing up - '/etc/httpd/conf.d/ipa.conf' 
doesn't exist
2021-09-08T11:33:07Z DEBUG Backing up system configuration file 
'/etc/httpd/conf.d/ipa-rewrite.conf'
2021-09-08T11:33:07Z DEBUG   -> Not backing up - 
'/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
2021-09-08T11:33:07Z DEBUG   [10/21]: setting up httpd keytab
2021-09-08T11:33:07Z DEBUG raw: 
service_add('HTTP/idm02.example....@example.com', force=True, version='2.242')
2021-09-08T11:33:07Z DEBUG 
service_add(ipapython.kerberos.Principal('HTTP/idm02.example....@example.com'), 
force=True, skip_host_check=False, all=False, raw=False, version='2.242', 
no_members=False)
2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket 
from SchemaCache
2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket 
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb640f00160>
2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com', version='2.242')
2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False, 
all=False, raw=False, version='2.242', no_members=False)
2021-09-08T11:33:08Z DEBUG Backing up system configuration file 
'/var/lib/ipa/gssproxy/http.keytab'
2021-09-08T11:33:08Z DEBUG   -> Not backing up - 
'/var/lib/ipa/gssproxy/http.keytab' doesn't exist
2021-09-08T11:33:08Z DEBUG Starting external process
2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k', 
'/var/lib/ipa/gssproxy/http.keytab', '-p', 
'HTTP/idm02.example....@example.com', '-H', 
'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
2021-09-08T11:33:08Z DEBUG Process finished, return code=0
2021-09-08T11:33:08Z DEBUG stdout=
2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in: 
/var/lib/ipa/gssproxy/http.keytab

2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication 
(ldap://idm01.example.com:389) 
krbprincipalname=HTTP/idm02.example....@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at
 (objectclass=*)
2021-09-08T11:33:09Z DEBUG Entry found 
[LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example....@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'),
 {'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName': 
[b'HTTP/idm02.example....@example.com'], 'objectClass': [b'krbprincipal', 
b'krbprincipalaux', b'krbticketpolicyaux', b'ipaobject', b'ipaservice', 
b'pkiuser', b'ipakrbprincipal', b'top'], 'managedBy': 
[b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'], 
'ipaKrbPrincipalAlias': [b'HTTP/idm02.example....@example.com'], 
'krbPrincipalName': [b'HTTP/idm02.example....@example.com'], 'ipaUniqueID': 
[b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
2021-09-08T11:33:09Z DEBUG   [11/21]: configuring Gssproxy
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon', 
'/etc/gssproxy/10-ipa.conf']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart', 
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active', 
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=active

2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
2021-09-08T11:33:09Z DEBUG   [12/21]: setting up ssl
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at 
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute 
"entryuuid" not allowed).)
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at 
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute 
"entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", 
line 398, in __setup_ssl
     certmonger.request_and_wait_for_cert(**args)
   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 
414, in request_and_wait_for_cert
     raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at 
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute 
"entryuuid" not allowed).)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 
635, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 
621, in run_step
     method()
   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", 
line 402, in __setup_ssl
     certmonger.request_and_wait_for_cert(**args)
   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 
414, in request_and_wait_for_cert
     raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at 
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute 
"entryuuid" not allowed).)

2021-09-08T11:33:11Z DEBUG   [error] RuntimeError: Certificate issuance failed 
(CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 
4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG   File 
"/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
     return_value = self.run()
   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342, 
in run
     return cfgr.run()
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, 
in run
     return self.execute()
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, 
in execute
     for rval in self._executor():
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, 
in __runner
     exc_handler(exc_info)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, 
in _handle_execute_exception
     self._handle_exception(exc_info)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, 
in _handle_exception
     six.reraise(*exc_info)
   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
     raise value
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, 
in __runner
     step()
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in 
<lambda>
     step = lambda: next(self.__gen)
   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, 
in run_generator_with_yield_from
     six.reraise(*exc_info)
   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
     raise value
   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, 
in run_generator_with_yield_from
     value = gen.send(prev_value)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, 
in _configure
     next(executor)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, 
in __runner
     exc_handler(exc_info)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, 
in _handle_execute_exception
     self._handle_exception(exc_info)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, 
in _handle_exception
     self.__parent._handle_exception(exc_info)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, 
in _handle_exception
     six.reraise(*exc_info)
   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
     raise value
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, 
in _handle_exception
     super(ComponentBase, self)._handle_exception(exc_info)
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, 
in _handle_exception
     six.reraise(*exc_info)
   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
     raise value
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, 
in __runner
     step()
   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in 
<lambda>
     step = lambda: next(self.__gen)
   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, 
in run_generator_with_yield_from
     six.reraise(*exc_info)
   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
     raise value
   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, 
in run_generator_with_yield_from
     value = gen.send(prev_value)
   File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 
65, in _install
     for unused in self._installer(self.parent):
   File 
"/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 
608, in main
     replica_install(self)
   File 
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", 
line 401, in decorated
     func(installer)
   File 
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", 
line 1301, in install
     install_http(
   File 
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", 
line 163, in install_http
     http.create_instance(
   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", 
line 151, in create_instance
     self.start_creation()
   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 
635, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 
621, in run_step
     method()
   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", 
line 402, in __setup_ssl
     certmonger.request_and_wait_for_cert(**args)
   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 
414, in request_and_wait_for_cert
     raise RuntimeError(

2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception: 
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at 
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute 
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at 
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute 
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information

Made on a completely fresh deployed VM.


Yours,
Mathias
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

--
Directory Server Development Team
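
An added triage sketch, not part of the original messages or of FreeIPA: it rejoins the mail-wrapped records of an ipareplica-install.log excerpt, reports which server rejected which attribute at which install step, and checks a 389-ds-base version string against the 2.0.8 minimum given above. The sample log is constructed from the excerpt in the thread; the function names and the version strings passed to `below_minimum` are assumptions.

```python
import re

# Constructed sample, modelled on the wrapped log excerpt quoted in the thread.
SAMPLE_LOG = """\
2021-09-08T11:33:09Z DEBUG   [12/21]: setting up ssl
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
"""

# A record starts with a timestamp and level; anything else is a wrapped continuation.
TS = re.compile(r'^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ (DEBUG|INFO|WARNING|ERROR)\s')
STEP = re.compile(r'\[(\d+)/(\d+)\]: (.+)')
FAIL = re.compile(
    r'Cert request \d+ failed: (\w+) \(Server at (\S+) failed request, '
    r'will retry: (\d+) \(attribute "(\w+)" not allowed\)'
)

def unwrap(text):
    """Join wrapped continuation lines onto the timestamped record they belong to."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return one finding per failed cert request: step, remote server, code, attribute."""
    step, findings = None, []
    for rec in unwrap(text):
        m = STEP.search(rec)
        if m:
            step = (int(m.group(1)), int(m.group(2)), m.group(3).strip())
        f = FAIL.search(rec)
        if f:
            findings.append({"step": step, "state": f.group(1), "server": f.group(2),
                             "code": int(f.group(3)), "attribute": f.group(4)})
    return findings

def _ver(s):
    # "2.0.7-1.fc34" -> (2, 0, 7); the package release suffix is ignored.
    return tuple(int(p) for p in s.split("-")[0].split("."))

def below_minimum(version, minimum="2.0.8"):
    """True only for a 389-ds-base in the same major series that is older than minimum."""
    v, m = _ver(version), _ver(minimum)
    return v[0] == m[0] and v < m
```

The server named in each finding is the one that rejected the attribute, so that is the host whose schema and 389-ds-base version should be compared with the new replica's.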