Hi,

On Mon, Mar 18, 2024 at 3:38 PM Ian Kumlien <ian.kuml...@gmail.com> wrote:

> On Thu, Mar 14, 2024 at 7:36 PM Florence Blanc-Renaud <f...@redhat.com>
> wrote:
> >
> > Hi,
> >
> > On Thu, Mar 14, 2024 at 8:55 AM Ian Kumlien <ian.kuml...@gmail.com>
> wrote:
> >>
> >> On Wed, Mar 13, 2024 at 1:58 PM Ian Kumlien <ian.kuml...@gmail.com>
> wrote:
>
> [--8<--]
>
> >> As a side note, the conncheck for ipa-ca-install fails all the time
> >> now, when executing check on remote master it ends with this:
> >> 2024-03-14T07:42:26Z DEBUG Destroyed connection
> >> context.rpcclient_139905569284576
> >> 2024-03-14T07:42:26Z ERROR ERROR: Remote master check failed with
> >> following error message(s):
> >> invalid 'cn': must be "freeipa-4.xerces.lan"
> >> 2024-03-14T07:42:26Z DEBUG Stopping listening thread.
> >>
> >> Which seems really strange...
> >>
> > The message is highly misleading, but basically means that the conncheck
> part tried to check the connection to freeipa-4.xerces.lan, there was an
> issue and then a different server was tried. Discussed in this thread:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VCARE7OOXWBEB5UXF75AQVFQXNOA43XM/
>
> Ok, I have actually looked at that and checked the pki
> security-domain-show --- perhaps I should look at the bug options as
> well...
>
> > Can you provide the exact OS + ipa / 389-ds-base versions that you have
> on your server and on your replica? And any relevant info about the history
> of the master (for instance, was the master initially installed with this
> version or was it upgraded from older versions).
>
> I verified that the plugin is available on the other end, so ...
> Centos 8 Stream - master:
> ipa-server-dns-4.9.10-6.module_el8.7.0+1209+42bcbcde.noarch
> ipa-server-4.9.10-6.module_el8.7.0+1209+42bcbcde.x86_64
> ipa-server-common-4.9.10-6.module_el8.7.0+1209+42bcbcde.noarch
> 389-ds-base-1.4.3.28-6.module_el8.6.0+1102+fe5d910f.x86_64
> 389-ds-base-libs-1.4.3.28-6.module_el8.6.0+1102+fe5d910f.x86_64
>
> Fedora 39 - replica:
> freeipa-server-common-4.11.1-2.fc39.noarch
> freeipa-server-4.11.1-2.fc39.x86_64
> freeipa-server-dns-4.11.1-2.fc39.noarch
> 389-ds-base-libs-2.4.5-1.fc39.x86_64
> 389-ds-base-2.4.5-1.fc39.x86_64
>
In this version of 389-ds the default password storage scheme is
PBKDF2-SHA*512*, but as far as I know, 389-ds-base-1.4.3.28 does not support
this scheme, only PBKDF2_SHA*256*.
You either need to update the master to a more recent version or force a
different password storage scheme on the replica, for instance by providing
the following config file to ipa-replica-install:
# cat /tmp/dse.ldif
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: PBKDF2_SHA256
# ipa-replica-install [...] --dirsrv-config-file /tmp/dse.ldif

HTH,
flo
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
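
Added example (not part of the original message, and not FreeIPA or 389-ds code): a pre-flight check that the scheme set in the file passed to --dirsrv-config-file is one the master has enabled. It assumes the operator has saved an LDIF listing of the master's scheme plugin entries (taken here to be under cn=Password Storage Schemes,cn=plugins,cn=config); the function names and both samples are constructed for illustration.

```python
# Added example; both samples are constructed, not captured from a real server.
DSE_LDIF = """dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: PBKDF2_SHA256
"""
MASTER_SCHEMES = """dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
cn: PBKDF2_SHA256
nsslapd-pluginEnabled: on

dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
cn: CLEAR
nsslapd-pluginEnabled: off
"""

def unfold(text):
    # LDIF folding: a line starting with one space continues the previous line.
    return text.replace("\r\n", "\n").replace("\n ", "").split("\n")

def requested_scheme(ldif_text):
    # Scheme set by a "replace: passwordStorageScheme" on cn=config, else None.
    in_config = replacing = False
    for line in unfold(ldif_text):
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            in_config, replacing = value.lower() == "cn=config", False
        elif key == "replace":
            replacing = value.lower() == "passwordstoragescheme"
        elif key in ("", "-"):
            replacing = False  # end of this modification or of the record
        elif in_config and replacing and key == "passwordstoragescheme":
            return value
    return None

def enabled_schemes(search_output):
    # Names (upper-cased) of scheme plugin entries with nsslapd-pluginEnabled: on.
    found = set()
    for entry in "\n".join(unfold(search_output)).split("\n\n"):
        attrs = {k.strip().lower(): v.strip() for k, _, v in
                 (l.partition(":") for l in entry.splitlines())}
        if attrs.get("nsslapd-pluginenabled", "").lower() == "on" and "cn" in attrs:
            found.add(attrs["cn"].upper())
    return found

def master_accepts(ldif_text, search_output):
    # True only if the LDIF sets a scheme and the master lists it as enabled.
    scheme = requested_scheme(ldif_text)
    return scheme is not None and scheme.upper() in enabled_schemes(search_output)
```

Running master_accepts() on the replica's config file before ipa-replica-install catches the mismatch described above: a scheme name the older master does not list simply returns False.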