D S via FreeIPA-users wrote:
> Hello, I've encountered several issues while installing freeipa replica.
>
> I have freeipa 4.6.8 master and the replica I tried installing is 4.9.12.

Rather than focusing on the versions, what OS release are you using? There are known crypto incompatibilities between RHEL 7 and RHEL 9, for example, such that you can't go directly between them.

> During the replica install it seems that the replica is unable to get a CA
> cert from my master:
>
> DEBUG Configuring Kerberos KDC (krb5kdc)
> DEBUG [1/1]: installing X509 Certificate for PKINIT
> DEBUG flushing ldapi://%2Frun%2Fslapd-[REDACTED].socket from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-[REDACTED].socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f6ac1b7d6d8>
> DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
> DEBUG certmonger request is in state 'SUBMITTING'
> DEBUG certmonger request is in state 'CA_UNREACHABLE'
> DEBUG Cert request 20240312144851 failed: CA_UNREACHABLE (Server at https://[REDACTED]/ipa/json failed request, will retry: 903 (an internal error has occurred).)
> DEBUG Giving up on cert request 20240312144851
> WARNING PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://[REDACTED]/ipa/json failed request, will retry: 903 (an internal error has occurred).)
> WARNING Failed to configure PKINIT
> DEBUG Full PKINIT configuration did not succeed
> DEBUG The setup will only install bits essential to the server functionality
> DEBUG You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> DEBUG certmonger request is in state 'GENERATING_CSR'
> DEBUG certmonger request is in state 'MONITORING'
> DEBUG Cert request 20240312144853 was successful
> DEBUG step duration: krb5kdc setup_pkinit 2.72 sec
> DEBUG Done configuring Kerberos KDC (krb5kdc).
>
> (However the installation succeeds with INFO The ipa-replica-install
> command was successful)

A failed PKINIT cert request is not considered fatal because a self-signed one is issued in this case.

I'd also look in the journal for certmonger to see if it logged additional info about the request.

> On master in /var/log/httpd/error_log:
>
> ipa: ERROR: non-public: AttributeError: 'ldap2' object has no attribute 'Object'
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
>     result = command(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
>     return self.__do_call(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
>     return self.execute(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 863, in execute
>     ca_kdc_check(ldap, alt_principal.hostname)
>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 301, in ca_kdc_check
>     master_dn = api_instance.Object.server.get_dn(unicode(hostname))
> AttributeError: 'ldap2' object has no attribute 'Object'
> ipa: INFO: [jsonserver_kerb] host/ipa-replica01.[REDACTED]@[REDACTED]: cert_request(u'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', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/[REDACTED]@[REDACTED]', add=True): InternalError
>
> That's the issue number one. Number two is that I can't log in to the web UI of
> my replica - it gives me "Login failed due to an unknown reason" error. From
> /var/log/httpd/error_log:
>
> [auth_gssapi:error] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)]
> [wsgi:error] ipa: INFO: 401 Unauthorized: No session cookie found

Newer IPA requires that every user have a SID. I'm guessing this is related.

> Finally, my third issue is that I can't remove replica from my master.
> ipa-replica-manage del --force --cleanup fails with:
>
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-replica-manage", line 1624, in <module>
>     main(options, args)
>   File "/usr/sbin/ipa-replica-manage", line 1524, in main
>     api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 740, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 620, in load_plugins
>     self.add_package(package)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 658, in add_package
>     self.add_module(module)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 675, in add_module
>     self.add_plugin(**kwargs)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 711, in add_plugin
>     plugin=plugin,
> PluginOverrideError: unexpected override of BaseCertObject.certreq with <class 'ipaserver.plugins.cert.certreq'>
> Unexpected error: unexpected override of BaseCertObject.certreq with <class 'ipaserver.plugins.cert.certreq'>

This and the previous ldap2.Object error point to a coding issue. Did you make any plugin changes?

rob
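A small log triage helper, added here as an example and not part of the thread or of FreeIPA itself: it parses ipa-replica-install debug lines like the ones quoted above, pairs each certmonger request id with its final outcome, and flags the 903 InternalError that means the master's JSON-RPC server failed the request, so the next place to look is the master's httpd error_log rather than the replica. The sample lines are constructed from the quoted output with a placeholder hostname.

```python
import re
from typing import Dict

# Constructed sample: the relevant lines from the replica install debug log, hostname replaced.
SAMPLE_LOG = """\
DEBUG certmonger request is in state 'SUBMITTING'
DEBUG certmonger request is in state 'CA_UNREACHABLE'
DEBUG Cert request 20240312144851 failed: CA_UNREACHABLE (Server at https://ipa.example.test/ipa/json failed request, will retry: 903 (an internal error has occurred).)
DEBUG Giving up on cert request 20240312144851
WARNING PKINIT certificate request failed: Certificate issuance failed
DEBUG certmonger request is in state 'MONITORING'
DEBUG Cert request 20240312144853 was successful
"""

FAILED = re.compile(r"Cert request (\d+) failed: (\w+) \((.*)\)\s*$")
SUCCEEDED = re.compile(r"Cert request (\d+) was successful")
GAVE_UP = re.compile(r"Giving up on cert request (\d+)")
# 903 is the errno IPA reports for InternalError (it appears verbatim in the quoted log).
INTERNAL_ERROR = re.compile(r"\b903\b")


def summarize_cert_requests(log_text: str) -> Dict[str, dict]:
    """Map each certmonger request id to its outcome, failure state, reason and
    whether the installer gave up on it (i.e. fell back to a self-signed cert)."""
    requests: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            rid, state, reason = m.groups()
            requests[rid] = {"status": "failed", "state": state, "reason": reason,
                             "gave_up": False, "server_internal_error": bool(INTERNAL_ERROR.search(reason))}
        elif m := SUCCEEDED.search(line):
            requests[m.group(1)] = {"status": "ok", "state": "MONITORING", "reason": "",
                                    "gave_up": False, "server_internal_error": False}
        elif (m := GAVE_UP.search(line)) and m.group(1) in requests:
            requests[m.group(1)]["gave_up"] = True
    return requests


def pkinit_fell_back_to_self_signed(log_text: str) -> bool:
    """True when PKINIT issuance failed; install still succeeds with a self-signed cert."""
    return "PKINIT certificate request failed" in log_text


def triage_hint(log_text: str) -> str:
    """Point the operator at the right host: a 903 means the CA-side RPC handler raised."""
    failed = [r for r in summarize_cert_requests(log_text).values() if r["status"] == "failed"]
    if any(r["server_internal_error"] for r in failed):
        return "check /var/log/httpd/error_log on the master (InternalError in cert_request)"
    if failed:
        return "check certmonger journal on the replica"
    return "no failed requests"
```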