I've been trying to rebuild my FreeIPA server that I run on CentOS 7.3. Previously, I was running FreeIPA 4.2.x and upgraded over time to 4.4.0 now, but somewhere along the line it totally broke and failed. For me it's not a big deal because it serves very little in a home cluster lab, but I wanted to take this time to update my chef cookbooks to accommodate the new way to auto-configure FreeIPA.
The server installation portion was pretty much the same as before. It's the replica that's mostly changed.
Using the install method with ipa-replica-install, I'm using these arguments:
ipa-replica-install --unattended \
  --no-ntp --mkhomedir --skip-conncheck \
  --ip-address 172.17.0.102 \
  --principal admin \
  --admin-password "redacted" \
  --server ipa1.home.ld \
  --domain home.ld \
  --realm HOME.LD
And it's failing with the following results:
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ipa1.home.ld] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

STDERR: Client hostname: ipa2.home.ld
Realm: HOME.LD
DNS Domain: home.ld
IPA Server: ipa1.home.ld
BaseDN: dc=home,dc=ld

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=HOME.LD
    Issuer:      CN=Certificate Authority,O=HOME.LD
    Valid From:  Sun Jun 11 14:31:12 2017 UTC
    Valid Until: Thu Jun 11 14:31:12 2037 UTC

Enrolled in IPA realm HOME.LD
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HOME.LD
trying https://ipa1.home.ld/ipa/json
Forwarding 'schema' to json server 'https://ipa1.home.ld/ipa/json'
trying https://ipa1.home.ld/ipa/session/json
Forwarding 'ping' to json server 'https://ipa1.home.ld/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa1.home.ld/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipa1.home.ld/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring home.ld as NIS domain.
Client configuration complete.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Attached are the full logs from ipareplica-install.log.
Any help on this would be greatly appreciated. I tried all weekend long to get this to work, all with the same basic failure.
Eric
freeipa-users@lists.fedorahosted.org
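Added example, not part of Eric's post or of the FreeIPA project: a small POSIX shell pre-flight script of the kind a practitioner would run on the new replica before re-running the install, to exercise by hand the pieces that the failing step depends on (name resolution for both hosts, a valid Kerberos ticket, a SASL/GSSAPI bind to the directory server on each side, and the replica's host entry on the master). The hostnames, realm and the failing status line are taken from the post above; the MASTER/REPLICA/REALM variables, the function names, the RUN_CHECKS switch and the constructed sample line are assumptions made for this example. It relies on klist, ldapsearch and the ipa client tool, which are present on an enrolled IPA host.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# FreeIPA replica whose initial replication fails with LDAP result 49.
# Hostnames, realm and the status line come from the post; variable and
# function names and the RUN_CHECKS switch are assumptions for this example.

MASTER="${MASTER:-ipa1.home.ld}"
REPLICA="${REPLICA:-ipa2.home.ld}"
REALM="${REALM:-HOME.LD}"

# Pull the numeric LDAP result code out of a "Status: [NN - LDAP error: ...]"
# line as printed by the replica installer. Prints nothing if no code is found.
ldap_error_code() {
  printf '%s\n' "$1" | sed -n 's/.*Status: \[\([0-9][0-9]*\) - .*/\1/p'
}

# Constructed sample line, copied from the failure shown in the post.
SAMPLE_STATUS='[ipa1.home.ld] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]'

# Each check is a plain command; a non-zero exit is reported, not fatal,
# so the whole list runs and every failing step is visible at once.
run_check() {
  desc="$1"; shift
  if "$@" >/dev/null 2>&1; then
    printf 'ok   %s\n' "$desc"
  else
    printf 'FAIL %s  (%s)\n' "$desc" "$*"
    failures=$((failures + 1))
  fi
}

check_replica_prereqs() {
  failures=0
  # Both hosts must resolve by name from here; replication agreements use names.
  run_check "resolve $MASTER" getent hosts "$MASTER"
  run_check "resolve $REPLICA" getent hosts "$REPLICA"
  # A valid ticket in the realm is needed for every GSSAPI bind below
  # (obtain one first with: kinit admin@$REALM).
  run_check "have a valid Kerberos ticket for $REALM" klist -s
  # Replication between the two directory servers is a SASL/GSSAPI bind;
  # exercise the same path by hand against each side. Reading the root DSE
  # needs no privilege, so a failure here points at authentication itself.
  run_check "GSSAPI bind to DS on $MASTER" \
    ldapsearch -Y GSSAPI -H "ldap://$MASTER" -s base -b "" '(objectClass=*)' namingContexts
  run_check "GSSAPI bind to DS on $REPLICA" \
    ldapsearch -Y GSSAPI -H "ldap://$REPLICA" -s base -b "" '(objectClass=*)' namingContexts
  # Client enrollment succeeded in the post, so the replica's host entry
  # should already exist on the master.
  run_check "host entry for $REPLICA exists" ipa host-show "$REPLICA"
  return "$failures"
}

# Only run the live checks when explicitly asked; otherwise this file just
# defines the functions so it can be sourced.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  echo "installer reported LDAP result code: $(ldap_error_code "$SAMPLE_STATUS")"
  check_replica_prereqs
fi
```

Run it on the replica after `kinit admin` as `RUN_CHECKS=1 sh replica-preflight.sh`; the exit status is the number of failed checks, so it can sit in front of a scripted `ipa-replica-install` run and stop before the install gets as far as step 29 again.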