Hello,
I installed a FreeIPA replica (4.8.4 on CentOS 8) from 4.4.4 on Fedora 25 with `ipa-replica-install --setup-dns --auto-forwarders`, without `--setup-ca` due to errors, which went fine. I do want to install the CA though, which failed when I did `--setup-ca` and then later `ipa-ca-install` with the following error:
```
  [4/29]: creating installation admin user
Unable to log in as uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca on ldap://freeipa.infra.opensuse.org:389
  [hint] tune with replication_wait_timeout
  [error] NotFound: uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca did not replicate to ldap://freeipa.infra.opensuse.org:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
```
Obviously I did try extending the timeout based on that, but I don't think that was helpful in the end, considering the logs produced by the old server:

httpd access_log
```
192.168.47.90 - - [23/Jul/2020:00:25:36 +0000] "GET /ca/rest/account/login HTTP/1.1" 401 994
```

server process in journal
```
SSLAuthenticatorWithFallback: Authenticating with BASIC authentication
Invalid Credential.
    at com.netscape.cmscore.authentication.PasswdUserDBAuthentication.authenticate(PasswdUserDBAuthentication.java:167)
    at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:63)
    at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:78)
    at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:94)
    at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:37)
    at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:98)
    at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.authenticate(SSLAuthenticatorWithFallback.java:47)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:579)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
SSLAuthenticatorWithFallback: Fallback auth header: WWW-Authenticate=Basic realm="Certificate Authority"
SSLAuthenticatorWithFallback: Fallback auth return code: 401
SSLAuthenticatorWithFallback: Result: false
```

and from pki logs
```
Failed to authenticate as admin UID=admin-freeipa2.infra.opensuse.org. Error: netscape.ldap.LDAPException: error result (49)
```
I don't particularly know how to proceed from here, since those errors don't mean much to me. I see, however, that it's not just me having issues with `ipa-ca-install`, at least similar to this one (although by the looks of it, the reason is already different ;)
Thanks in advance for trying, LCP [Stasiek] https://lcp.world/
Stasiek Michalski via FreeIPA-users wrote:
> I do want to install the CA though, which failed when I did `--setup-ca` and then later `ipa-ca-install` with the following error:
>   [4/29]: creating installation admin user
> Unable to log in as uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca on ldap://freeipa.infra.opensuse.org:389
>   [error] NotFound: uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca did not replicate to ldap://freeipa.infra.opensuse.org:389
This step creates the admin user on the local LDAP server and tries to authenticate to it on the other side.
I'd look to see if this user exists on both servers and the 389-ds access logs on both to see what is going on.
rob
> I'd look to see if this user exists on both servers and the 389-ds access logs on both to see what is going on.

The user exists, and access logs tell me:
```
BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3
RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
```
over and over and over again
LCP [Stasiek] https://lcp.world/
Stasiek Michalski via FreeIPA-users wrote:
>> I'd look to see if this user exists on both servers and the 389-ds access logs on both to see what is going on.
>
> The user exists, and access logs tell me:
> BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3
> RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
> over and over and over again
Can we see the logs for the creation of the user? The password is set at that point and then immediately used to authenticate.
rob
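Rob's two replies above amount to a procedure: confirm the admin entry exists on both servers, then read the 389-ds access log on each side, pairing the entry's DEL/ADD (and its CSN) with the BIND attempts that follow. The following is an added example, not code from the thread, FreeIPA or 389-ds, that does exactly that over access-log text. The sample lines are constructed to mirror the ones quoted in the thread, with the timestamp and `conn=`/`op=` prefix that the real access log carries (the quotes had it trimmed); `ADMIN_DN`, `LOCAL_LOG`, `REMOTE_LOG` and the function names are mine.

```python
"""Triage helper for 389-ds access logs: pair each request with its RESULT line
via conn=/op=, then compare one DN across two servers. Added example, not
FreeIPA or 389-ds code; ADMIN_DN and the sample lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>-?\d+)')
CSN_RE = re.compile(r'\bcsn=(?P<csn>[0-9a-f]+)')
MSG_RE = re.compile(r' - (?P<msg>.+)$')          # e.g. "- Invalid credentials"

# Constructed sample lines modelled on the thread's quotes; the real log carries
# the timestamp and conn=/op= prefix shown here, which the quotes had trimmed.
LOCAL_LOG = """\
[23/Jul/2020:00:25:31 +0000] conn=12 op=2 DEL dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
[23/Jul/2020:00:25:31 +0000] conn=12 op=2 RESULT err=0 tag=107 nentries=0 etime=0 csn=5f18d900000100140000
[23/Jul/2020:00:25:31 +0000] conn=12 op=3 ADD dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
[23/Jul/2020:00:25:31 +0000] conn=12 op=3 RESULT err=0 tag=105 nentries=0 etime=0 csn=5f18d900000300140000
[23/Jul/2020:00:25:31 +0000] conn=12 op=4 UNBIND
"""
REMOTE_LOG = """\
[23/Jul/2020:00:25:32 +0000] conn=7 op=9 ADD dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
[23/Jul/2020:00:25:32 +0000] conn=7 op=9 RESULT err=0 tag=105 nentries=0 etime=0 csn=5f18d900000300140000
[23/Jul/2020:00:25:36 +0000] conn=13 op=0 BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3
[23/Jul/2020:00:25:36 +0000] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[23/Jul/2020:00:25:41 +0000] conn=14 op=0 BIND dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca" method=128 version=3
[23/Jul/2020:00:25:41 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
"""
ADMIN_DN = 'uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca'


@dataclass
class Event:
    ts: str
    kind: str             # BIND, ADD, DEL, MOD, SRCH, EXT, ...
    dn: str
    err: int
    csn: Optional[str]    # set on successful replicated writes
    msg: str              # text after " - ", e.g. "Invalid credentials"


def parse_access_log(text: str) -> list:
    """Pair request lines with their RESULT line via (conn, op)."""
    pending = {}   # (conn, op) -> (kind, dn) of a request awaiting its RESULT
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # connection open/close lines carry no op
        key, rest = (int(m['conn']), int(m['op'])), m['rest']
        kind = rest.split(' ', 1)[0]
        if kind == 'RESULT':
            if key not in pending:
                continue
            req_kind, dn = pending.pop(key)
            err, csn, msg = ERR_RE.search(rest), CSN_RE.search(rest), MSG_RE.search(rest)
            events.append(Event(m['ts'], req_kind, dn, int(err['err']) if err else -1,
                                csn['csn'] if csn else None, msg['msg'] if msg else ''))
        elif kind != 'UNBIND':
            dn = DN_RE.search(rest)
            pending[key] = (kind, dn['dn'] if dn else '')
    return events


def summarize(events: list, dn: str) -> dict:
    """What the log says about one entry: its last successful DEL/ADD (with CSN,
    so the same write can be looked for on the other replica) and BIND outcomes."""
    out = {'del_csn': None, 'add_csn': None, 'bind_total': 0, 'bind_failed': 0,
           'bind_errors': Counter()}
    for ev in events:
        if ev.dn != dn:
            continue
        if ev.kind in ('DEL', 'ADD') and ev.err == 0:
            out[ev.kind.lower() + '_csn'] = ev.csn
        elif ev.kind == 'BIND':
            out['bind_total'] += 1
            if ev.err != 0:
                out['bind_failed'] += 1
                out['bind_errors'][(ev.err, ev.msg)] += 1
    return out


def compare_replicas(local: list, remote: list, dn: str) -> list:
    """Rob's two checks: did the ADD reach the other server (same CSN), and does
    that server accept binds as the new entry?"""
    l, r = summarize(local, dn), summarize(remote, dn)
    findings = []
    if l['add_csn'] is None:
        findings.append('entry was never successfully added on the local server')
    elif l['add_csn'] != r['add_csn']:
        findings.append(f"ADD csn={l['add_csn']} not seen on the remote server "
                        f"(remote has {r['add_csn']}): replication lag or failure")
    else:
        findings.append(f"ADD csn={l['add_csn']} replicated")
    for (err, msg), n in r['bind_errors'].items():
        findings.append(f"{n} of {r['bind_total']} binds as the entry failed on the "
                        f"remote server with err={err} ({msg or 'no message'})")
    return findings
```

Run it as `compare_replicas(parse_access_log(LOCAL_LOG), parse_access_log(REMOTE_LOG), ADMIN_DN)`; on the constructed sample it reports that the ADD with csn=5f18d900000300140000 did replicate and that every bind as the entry on the remote side failed with err=49. That split is the useful part: an entry that replicated but still fails to bind points at the password set on the entry rather than at replication_wait_timeout, whereas a missing CSN on the remote side would point at replication. Feeding the real files is a matter of reading `/var/log/dirsrv/slapd-*/access` from each server into the two parse calls.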
> Can we see the logs for the creation of the user? The password is set at that point and then immediately used to authenticate.

This seems like the relevant bit:
```
BIND dn="" method=sasl version=3 mech=GSSAPI
RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
BIND dn="" method=sasl version=3 mech=GSSAPI
RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
BIND dn="" method=sasl version=3 mech=GSSAPI
RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/freeipa2.infra.opensuse.org@infra.opensuse.org,cn=services,cn=accounts,dc=infra,dc=opensuse,dc=org"
SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
RESULT err=0 tag=101 nentries=1 etime=0
SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
RESULT err=0 tag=101 nentries=1 etime=0
EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
SRCH base="cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsDS5ReplicaId"
RESULT err=0 tag=101 nentries=1 etime=0
DEL dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
RESULT err=0 tag=107 nentries=0 etime=0 csn=5f18d900000100140000
ADD dn="uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca"
RESULT err=0 tag=105 nentries=0 etime=0 csn=5f18d900000300140000
EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
RESULT err=0 tag=120 nentries=0 etime=0
UNBIND
```
LCP [Stasiek] https://lcp.world/
freeipa-users@lists.fedorahosted.org