Grant Janssen via FreeIPA-users wrote:
> a cascade of issues
>
> • I needed to set the domainlevel to 1 in order to join my client.
>
> grant@ef-idm01:~[20220601-8:14][#1041]$ ipa domainlevel-get
> -----------------------
> Current domain level: 0
> -----------------------
> grant@ef-idm01:~[20220601-8:14][#1042]$ ipa domainlevel-set 1
> -----------------------
> Current domain level: 1
> -----------------------
> grant@ef-idm01:~[20220601-8:14][#1043]$
>
> • the new client requires the IPA certs have the hostname(s) as Subject
>   Alternative Name
>   I did this to the IPA servers
>
> sudo ipa-getcert resubmit -d /etc/dirsrv/slapd-PRODUCTION-EFILM-COM -n Server-Cert -D `hostname`
>
>   then restarted IPA
>
> sudo certutil -L -d /etc/dirsrv/slapd-PRODUCTION-EFILM-COM -n Server-Cert
>
>   now shows a SAN entry
>
> Things have changed though, it appears I no longer do a prepare, and
> instead promote a client:
>
> grant@ef-idm03:~[20220601-10:35][#215]$ sudo ipa-replica-prepare ef-idm04.production.efilm.com
>
> Replica creation using 'ipa-replica-prepare' to generate replica file
> is supported only in 0-level IPA domain.
>
> The current IPA domain level is 1 and thus the replica must
> be created by promoting an existing IPA client.
>
> To set up a replica use the following procedure:
>     1.) set up a client on the host using 'ipa-client-install'
>     2.) promote the client to replica running 'ipa-replica-install'
>         *without* replica file specified
>
> 'ipa-replica-prepare' is allowed only in domain level 0
> The ipa-replica-prepare command failed.
> grant@ef-idm03:~[20220601-10:36][#216]$
>
> But promoting the client fails
>
> grant@ef-idm04:~[20220601-10:37][#70]$ sudo ipa-replica-install --setup-ca
> [sudo] password for grant:
> Password for ad...@production.efilm.com: **************
> Trust is configured but no NetBIOS domain name found, setting it now.
> Enter the NetBIOS name for the IPA domain.
> Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
> Example: EXAMPLE.
>
> NetBIOS domain name [PRODUCTION]:
>
> WARNING: 340 existing users or groups do not have a SID identifier assigned.
> Installer can run a task to have ipa-sidgen Directory Server plugin generate
> the SID identifier for all these users. Please note, in case of a high
> number of users and groups, the operation might lead to high replication
> traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
> for details.
>
> Do you want to run the ipa-sidgen task? [no]: yes
> Run connection check to master
> Connection check OK
> Disabled p11-kit-proxy
> Configuring directory server (dirsrv). Estimated time: 30 seconds
>   [1/38]: creating directory server instance
> Validate installation settings ...
> Create file system structures ...
> Perform SELinux labeling ...
> Create database backend: dc=production,dc=efilm,dc=com ...
> Perform post-installation tasks ...
>   [2/38]: tune ldbm plugin
>   [3/38]: adding default schema
>   [4/38]: enabling memberof plugin
>   [5/38]: enabling winsync plugin
>   [6/38]: configure password logging
>   [7/38]: configuring replication version plugin
>   [8/38]: enabling IPA enrollment plugin
>   [9/38]: configuring uniqueness plugin
>   [10/38]: configuring uuid plugin
>   [11/38]: configuring modrdn plugin
>   [12/38]: configuring DNS plugin
>   [13/38]: enabling entryUSN plugin
>   [14/38]: configuring lockout plugin
>   [15/38]: configuring topology plugin
>   [16/38]: creating indices
>   [17/38]: enabling referential integrity plugin
>   [18/38]: configuring certmap.conf
>   [19/38]: configure new location for managed entries
>   [20/38]: configure dirsrv ccache and keytab
>   [21/38]: enabling SASL mapping fallback
>   [22/38]: restarting directory server
>   [23/38]: creating DS keytab
>   [24/38]: ignore time skew for initial replication
>   [25/38]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 12 seconds elapsed
> Update succeeded
>
>   [26/38]: prevent time skew after initial replication
>   [27/38]: adding sasl mappings to the directory
>   [28/38]: updating schema
>   [29/38]: setting Auto Member configuration
>   [30/38]: enabling S4U2Proxy delegation
>   [31/38]: initializing group membership
>   [32/38]: adding master entry
>   [33/38]: initializing domain level
>   [34/38]: configuring Posix uid/gid generation
>   [35/38]: adding replication acis
>   [36/38]: activating sidgen plugin
>   [37/38]: activating extdom plugin
>   [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring Kerberos KDC (krb5kdc)
>   [1/5]: configuring KDC
>   [2/5]: adding the password extension to the directory
>   [3/5]: creating anonymous principal
>   [4/5]: starting the KDC
>   [5/5]: configuring KDC to start on boot
> Done configuring Kerberos KDC (krb5kdc).
> Configuring kadmin
>   [1/2]: starting kadmin
>   [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> Configuring directory server (dirsrv)
>   [1/3]: configuring TLS for DS instance
>   [2/3]: importing CA certificates from LDAP
>   [3/3]: restarting directory server
> Done configuring directory server (dirsrv).
> Configuring the web interface (httpd)
>   [1/22]: stopping httpd
>   [2/22]: backing up ssl.conf
>   [3/22]: disabling nss.conf
>   [4/22]: configuring mod_ssl certificate paths
>   [5/22]: setting mod_ssl protocol list
>   [6/22]: configuring mod_ssl log directory
>   [7/22]: disabling mod_ssl OCSP
>   [8/22]: adding URL rewriting rules
>   [9/22]: configuring httpd
> Nothing to do for configure_httpd_wsgi_conf
>   [10/22]: setting up httpd keytab
>   [11/22]: configuring Gssproxy
>   [12/22]: setting up ssl
>   [13/22]: configure certmonger for renewals
>   [14/22]: publish CA cert
>   [15/22]: clean up any existing httpd ccaches
>   [16/22]: enable ccache sweep
>   [17/22]: configuring SELinux for httpd
>   [18/22]: create KDC proxy config
>   [19/22]: enable KDC proxy
>   [20/22]: starting httpd
>   [21/22]: configuring httpd to start on boot
>   [22/22]: enabling oddjobd
> Done configuring the web interface (httpd).
> Configuring ipa-otpd
>   [1/2]: starting ipa-otpd
>   [2/2]: configuring ipa-otpd to start on boot
> Done configuring ipa-otpd.
> Custodia uses 'ef-idm03.production.efilm.com' as master peer.
> Configuring ipa-custodia
>   [1/4]: Generating ipa-custodia config file
>   [2/4]: Generating ipa-custodia keys
>   [3/4]: starting ipa-custodia
>   [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> 400 Client Error: Bad Request for url:
> https://ef-idm03.production.efilm.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.ytyWNFjh3bpO7KG0OBiRVgsFhFvHqjhxq51DkpcBiFfn3ZlUQYSnCjaUhFfhW9tGfe3E9e1RFBayuOFsr-0kGt2In639SYXiel6g7gmnWe_pdKn7EeCbUBwD2HkFelh0yEgnDQX62mciGPWfcCVjkSSh8YGI2XtcoVHhxHpaX8P7bwbkM1fLIbHzyyjrrUap7HvB17WMXhx73Nwo_Zwz_1txFcvGFJKVuJ45Oi_Z98vMfbDZtrKJkMcVyYL_kqSc8pfqYUY9LhX2OMPrCSDWviaNMIAVq59dvfYhR1YlWnfH2yEsbojNvflvk8joO5dsfmuddZY_Xw7taVDg2zke7w.dOGMctCsZR1nPx1_-zB3bQ.GHYEFsxLGuD1_X_C8wYgnfo3BRArNn0GRBFIIJAKNE_Uj3mogkYCciN66MCYS7CYefAJAT1f4tEP2iti5QCRCnaekoDVIAEFpYiKvYt-znJSjJFFzl7TGWLm18U5mK5-lpGQ-vP74RAsvr8AULLMRuNgt1HnYt0pRvELtwgkNK82P0zta4c8X1isYXix_TdqSgg5tTQqWvg6P52qzCAmJK_HsRqkgeb_hjFD7kbKZRigTXHzZX7oN8aarUBcCCkGJcQAv7zEgo-EgMgWytKsvT8Eyp_7j1O3HuaXpECqh5Tzv53ERW6yDtrDNMskFacxNvYb8B5h90pE1am5Hz5PYsGtgt5k_ECyJRVEZ9GIv8IwSVp3Lyxog_kYcNjiv075YGccTzRuJBSDNUVDmMZOgzgtmu1TZsBYdcgV_Rx-FPaK6lOvBq1_AD4QCMsuAyrUzdURkX53xeOG6AB2R1s4_KVfIWxR9MMRBIlH4yiklihsF7XUQQhJW2CtD_0LYycDacoy0sZedsWVm6jY0J6hIvWAPsh4kRlbgWTxv05Hmxh4WTXBZukQywTLD2X2aSFHsAekDSWpnxPSNXQ39hcC0h4XPhuhmDUd8WLZVYo3qAc1nhPeP6g5LmV9gdHQmdHh9BC7FXLTmLdXG3WymsWAJ6yiMPGw2f83yfvJ8QcIkmECQ66XJfvBSYT8Fx59chJC.LoAMvRj2tVYHSLEs-7NfnhCumDM0-HTgzzTSWTiagks
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
> grant@ef-idm04:~[20220601-10:44][#71]$
>
> I'm uncertain how to proceed.
Can you share ipareplica-install.log?

I don't know that this will fix it but you'll want a SAN for the web server as well in any case.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
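As an added example (not part of the thread, and not FreeIPA's own tooling), the check Rob's reply implies: before promoting the replica, confirm that each server certificate actually names the host in a DNS subjectAltName, both the 389-ds `Server-Cert` in the NSS database quoted above and the httpd certificate. The parser accepts the output of either `openssl x509 -noout -text` (PEM files) or `certutil -L -d <dir> -n <nick>` (NSS databases). The sample SAN sections below are constructed to match those formats; the httpd certificate path `/var/lib/ipa/certs/httpd.crt` is an assumption about newer FreeIPA releases that track the web server certificate as a file rather than in an NSS database, and the resubmit command for the NSS case is the one Grant used.

```shell
#!/usr/bin/env bash
# Added example: verify that a FreeIPA service certificate carries the
# host's FQDN as a DNS subjectAltName, and show the certmonger resubmit
# that adds it when it is missing.
set -u

# san_has_host HOST
#   Reads certificate dump text on stdin and returns 0 iff a DNS SAN equal
#   to HOST (case-insensitive) is present.  openssl prints the SAN list on
#   one line as "DNS:a, DNS:b"; certutil prints one 'DNS name: "a"' line
#   per entry.  Both are normalised to one bare name per line first.
san_has_host() {
    tr ',' '\n' \
      | sed -n -e 's/^[[:space:]]*DNS:[[:space:]]*//p' \
               -e 's/^[[:space:]]*DNS name: *"\(.*\)"$/\1/p' \
      | grep -qix -- "$1"
}

# check_pem_file FILE HOST   -- PEM-encoded certificate on disk
# (assumed path for httpd on newer FreeIPA: /var/lib/ipa/certs/httpd.crt).
check_pem_file() {
    openssl x509 -in "$1" -noout -text | san_has_host "$2"
}

# check_nss_db DIR NICK HOST -- NSS database, e.g. the thread's
# /etc/dirsrv/slapd-PRODUCTION-EFILM-COM with nickname Server-Cert.
check_nss_db() {
    certutil -L -d "$1" -n "$2" | san_has_host "$3"
}

# resubmit_nss_cert DIR NICK HOST -- the command Grant used: ask certmonger
# to re-issue the tracked certificate with HOST as a DNS SAN (-D).
# Run as root; FreeIPA services must be restarted afterwards.
resubmit_nss_cert() {
    ipa-getcert resubmit -d "$1" -n "$2" -D "$3"
}

# Constructed samples of the two dump formats, used below for a dry run.
SAMPLE_OPENSSL='            X509v3 Subject Alternative Name:
                DNS:ef-idm01.production.efilm.com, othername:<unsupported>'
SAMPLE_CERTUTIL='            Name: Certificate Subject Alt Name
            DNS name: "ef-idm01.production.efilm.com"'

# Dry-run helper: returns 0 if the constructed openssl sample names HOST.
sample_openssl_has_host() { printf '%s\n' "$SAMPLE_OPENSSL" | san_has_host "$1"; }
# Dry-run helper: returns 0 if the constructed certutil sample names HOST.
sample_certutil_has_host() { printf '%s\n' "$SAMPLE_CERTUTIL" | san_has_host "$1"; }

# Usage: ./check-san.sh NSSDIR NICK HOST   (checks the 389-ds certificate)
# Checks are skipped when run without arguments so the dry-run samples can
# be exercised on a machine that has neither certutil nor an IPA install.
if [ "$#" -ge 3 ]; then
    if check_nss_db "$1" "$2" "$3"; then
        echo "OK: $2 in $1 has DNS SAN $3"
    else
        echo "MISSING: $2 in $1 lacks DNS SAN $3; fix with:"
        echo "  ipa-getcert resubmit -d $1 -n $2 -D $3"
        exit 2
    fi
fi
```

The same `san_has_host` filter works on the httpd certificate once you know how certmonger tracks it on your release (`ipa-getcert list` shows the tracked location, either a `-d/-n` NSS pair or a `-f` PEM file); resubmit that tracker with `-D $(hostname)` too, then restart IPA before retrying `ipa-replica-install`.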