Hello all...
FreeIPA newbie here.
I have inherited a FreeIPA infrastructure. It consists of 12 servers all authenticating to FreeIPA for SSH and some FTP. My problem is as follows:
The original master (Dunlop) is dead; there remains a replica (freeipa) that barely works, on a VM in VirtualBox on a Linux server. I am trying to set up a new FreeIPA server (Auth-1) in VMware to replace both of the current FreeIPA servers. So on the currently working server (freeipa) I run this in debug mode....
[root@freeipa /]# ipa-replica-prepare --debug auth-1.domain.com
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: ipaserver.plugins.pkinit is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: Starting external process
ipa: DEBUG: args=klist -V
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.14.1
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c178c0>
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_49561488
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.213')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.213')
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_49561488
ipa: DEBUG: Search DNS for auth-1.domain.com
ipa: DEBUG: Check if auth-1.domain.com is not a CNAME
ipa: DEBUG: Check reverse address of 192.168.2.251
ipa: DEBUG: Found reverse name: auth-1.domain.com
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: If you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 342, in ask_for_options
    raise admintool.ScriptError("The replica must be created on the "
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: ScriptError: The replica must be created on the primary IPA server.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The replica must be created on the primary IPA server.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed.
So if I cannot create a replica prepare file, I cannot create a new replica, and hence cannot migrate the current dying VM server (freeipa) to the new VMware VM.
What can I do?? I am running FreeIPA v4 on the current replica.
I have too many servers and users to start from scratch.. Any help appreciated...
Thanks to all!
On 08/25/2017 09:35 AM, Rob Morin via FreeIPA-users wrote:
Let me get this straight, your Master (with CA) isn't pining for the fjords. Your replica (without CA) is a VirtualBox VM /on a linux server/. AFAIK, it's not possible to recreate your setup without a full replica (with CA). It also sounds to me like your replica isn't a true replica based on the error message. (Or at least hasn't been promoted to primary.)
Without that, I'm afraid, you're in for a long recreation process unless you have a backup of the primary (which, you do, right?).
The primary is sort of still there, but it was uninstalled using the ipa-server-install --uninstall command as far as I can tell. So only this non-CA replica (freeipa) remains. It was not my doing; it was the person before me, whom I replaced. :) This was done like a year ago, so no backups other than files that might remain on the master.
So basically I am stuck with only a non-CA replica that still thinks the missing server is the CA.
The master is gone, has been for a year. The server exists, but IPA was uninstalled with the ipa-server-install --uninstall command... so I only have this replica, and I assume that re-installing it on the old server would mess stuff up?
On 08/25/2017 11:07 AM, Rob Morin via FreeIPA-users wrote:
Without a backup of the data on Master, it wouldn't mess anything up, it just wouldn't help much. It would be a new installation that hasn't been setup for use yet. That gets you nowhere, really.
I'm curious as to how/why this was setup this way. And why the master was uninstalled if the organization was still using IPA for authentication.
FWIW, if I were in your position, I'd hobble along on the replica while I spend the time and effort building an entirely new IPA infrastructure. And certainly NOT in a virtualbox VM on a linux server. It would be better in the long run rather than trying to mend this broken system and have to fight it constantly afterwards.
Rob Morin via FreeIPA-users wrote:
Please don't try to re-install it. This would also fail and probably just make matters worse.
Do you have /root/cacert.p12 on that original master?
If so run:
# pk12util -l /root/cacert.p12 |grep "Not After"
If the certs aren't all expired it may be easier to get something restored (time is fungible). The first value is the most important one.
We've never had to do this but the dogtag team has a documented way to install a CA using an existing key. It wasn't exactly meant for this case but it could still work.
I haven't worked out in my head how things would actually work or tried this myself but you have the slightest sliver of hope with this.
Even if the CA can be stood back up there could still be hurdles to overcome.
But this goes nowhere if you don't have the root CA cert so see if you have that.
rob
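The check above greps the "Not After" lines out of pk12util -l and asks you to read the first one (the CA certificate) by eye. The following is an added example, not part of the thread and not FreeIPA's or NSS's own code: a small parser for that listing that pairs each "Not After" date with its Subject, reports which certificates have expired relative to a reference time, and answers the one question that matters here, whether the first (CA) certificate in the file is still valid. The sample listing embedded in it is constructed to mimic the NSS certutil-style layout that pk12util prints (a "Certificate" header, then "Subject:" and "Not After :" lines); the subjects, dates and the "DOMAIN.COM" organisation are fictional.

```python
"""Parse `pk12util -l <file>` output and check certificate expiry.

Added example (not from the thread). Assumes pk12util's NSS-style listing:
each certificate starts with a line beginning "Certificate", followed by
indented "Subject: \"...\"" and "Not After : <Day Mon DD HH:MM:SS YYYY>" lines.
"""
import re
import sys
from datetime import datetime

# Constructed sample output; subjects and dates are fictional.
SAMPLE_PK12UTIL_OUTPUT = """\
Key(shrouded):
    Friendly Name: caSigningCert cert-pki-ca
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"
        Validity:
            Not Before: Fri Aug 26 13:25:21 2016
            Not After : Tue Aug 26 13:25:21 2036
        Subject: "CN=Certificate Authority,O=DOMAIN.COM"
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"
        Validity:
            Not Before: Fri Aug 26 13:25:21 2016
            Not After : Sun Aug 26 13:25:21 2018
        Subject: "CN=dunlop.domain.com,O=DOMAIN.COM"
"""

NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")
SUBJECT_RE = re.compile(r'^\s*Subject:\s*"(.*)"\s*$')
NSS_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Aug 26 13:25:21 2036"


def parse_listing(text):
    """Return a list of {'subject', 'not_after'} dicts in listing order.

    Key(...) sections are skipped; only Certificate sections are collected.
    """
    certs = []
    current = None
    for line in text.splitlines():
        if line.startswith("Certificate"):
            current = {"subject": None, "not_after": None}
            certs.append(current)
            continue
        if line.startswith("Key"):
            current = None
            continue
        if current is None:
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current["subject"] = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m:
            # Collapse runs of spaces (NSS pads single-digit days) before parsing.
            stamp = " ".join(m.group(1).split())
            current["not_after"] = datetime.strptime(stamp, NSS_DATE_FMT)
    return certs


def _as_datetime(now):
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def expiry_report(text, now):
    """Return [(subject, not_after_iso, 'valid'|'expired')] for every cert."""
    ref = _as_datetime(now)
    return [
        (c["subject"], c["not_after"].isoformat(),
         "expired" if c["not_after"] <= ref else "valid")
        for c in parse_listing(text)
    ]


def ca_is_usable(text, now):
    """True if the first certificate in the file (the CA) has not expired."""
    certs = parse_listing(text)
    return bool(certs) and certs[0]["not_after"] > _as_datetime(now)


if __name__ == "__main__":
    # Usage: pk12util -l /root/cacert.p12 | python3 check_p12_dates.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PK12UTIL_OUTPUT
    now = datetime.now()
    for subject, not_after, state in expiry_report(listing, now):
        print(f"{state:8} {not_after}  {subject}")
    print("CA usable:", ca_is_usable(listing, now))
```

Run it with the real listing piped in; the first row is the one Rob says to look at. Because the reference time is a parameter, the same functions can also answer the "time is fungible" question: pass the date you would set the clock back to and see whether the CA certificate was still valid then.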
freeipa-users@lists.fedorahosted.org