On 25.08.2016 19:44, Rob Crittenden wrote:
Rene Trippen wrote:
Hi,
I`ve got an IPA with a broken CA infrastructure (don`t know what
happened, but new clients cannot be registered)
It is even not possible to setup a new replica.
It may be fairly straightforward to getting the CA back up. How is it
broken?
I don't know how that happened exactly, we had an IPA 3.x Server, then
we migrated it to another machine and upgraded to IPA 4.1, later, we
upgraded (on the same machine) to IPA 4.2.
The IPA Server is basically working, but when I want to register a new
machine, the registration process fails with following (I think these
are the relevant lines) error
2016-08-30T22:40:25Z DEBUG flushing ldap://ipa.internal.domain:389 from
SchemaCache
2016-08-30T22:40:25Z DEBUG retrieving schema for SchemaCache
url=ldap://ipa.internal.domain:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x375d5a8>
2016-08-30T22:40:26Z DEBUG Adding CA certificates to the IPA NSS database.
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d'
'/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=0
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d'
'/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=255
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=certutil: could not add certificate to
token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
database.
2016-08-30T22:40:26Z ERROR Failed to add INTERNAL.DOMAIN IPA CA to the
IPA NSS database.
2016-08-30T22:40:26Z ERROR Installation failed. Rolling back changes.
The client tries to add 2 certificates, but fails with the second, I
think, it is because we have 2 CA certificates (one from the old IPA 3.x
server and one from the new 4.x server). My current workaround is to
register the client with an ipa3.x client, then I do an upgrade to the
4.x client
I've tried many ways to setup a new CA:
- tried ipa-cacert-manage renew
- tried to setup a new replica with new CA, but the setup failed with
the same problems described above
- tried to remove all old certificates refering to the old ipa server
(but I think I failed somewhere)
My thoughts are, the CA is in a bad condition, and I spent much time in
trying to fix it, with no success. And, my fears are, if I find some
crude, not documented workaround for the CA problem, the problem maybe
pops up at the next update. So, setting up a fresh IPA and migrating
everything (except the clients), was my hope to get an IPA running
without all the CA problems. Migrating the clients is not the problem,
that can be done by script (spacewalk or ansible), but migrating the
users is not that easy, because the users cannot be scripted :)
So, I wanted to setup a new IPA Server with new CA, and I want to move
all users with their passwords to the new IPA instance.
I`ve tried with 'ipa migrate-ds'
ipa migrate-ds --continue --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--group-overwrite-gid --with-compat ldap://<ldapserver>
The output is OK
=======
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
========
But the ipa/migration website is not working for me.
Anyway, is there a way to export the users with passwords? I think I
have to export some kerberos specific stuff from the old IPA?
The log file /var/log/httpd/error_log may have details on what isn't
working.
Sorry, that was not clearly described:
The site is basically working, but when I enter the password, nothing
happens in the backend (I cannot login with my user on the ipa login site).
- rene
The way to export users with passwords is the method you've already
tried. To not have to change a password at all would require the same
Kerberos master key and these are generated randomly at install time.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
