I've been trying to rebuild my FreeIPA server that I run on CentOS 7.3. Previously, I was running FreeIPA 4.2.x and upgraded over time to 4.4.0 now, but somewhere along the lines, it totally broke and failed. For me it's not a big deal because it serves very little in a home cluster lab, but I wanted to take this time to update my chef cookbooks to accomodate the new way to auto-configure FreeIPA.

The Server installation portion was pretty much the same as before. It's the replica that's mostly changed.

Using the install method with ipa-replica-install, I'm using these arguments:

ipa-replica-install --unattended \ --no-ntp --mkhomedir --skip-conncheck \ --ip-address 172.17.0.102 \ --principal admin \ --admin-password "redacted" \ --server ipa1.home.ld \ --domain home.ld \ --realm HOME.LD

And it's failing with the following results:

Configuring directory server (dirsrv). Estimated time: 1 minute   [1/44]: creating directory server user   [2/44]: creating directory server instance   [3/44]: updating configuration in dse.ldif   [4/44]: restarting directory server   [5/44]: adding default schema   [6/44]: enabling memberof plugin   [7/44]: enabling winsync plugin   [8/44]: configuring replication version plugin   [9/44]: enabling IPA enrollment plugin   [10/44]: enabling ldapi   [11/44]: configuring uniqueness plugin   [12/44]: configuring uuid plugin   [13/44]: configuring modrdn plugin   [14/44]: configuring DNS plugin   [15/44]: enabling entryUSN plugin   [16/44]: configuring lockout plugin   [17/44]: configuring topology plugin   [18/44]: creating indices   [19/44]: enabling referential integrity plugin   [20/44]: configuring certmap.conf   [21/44]: configure autobind for root   [22/44]: configure new location for managed entries   [23/44]: configure dirsrv ccache   [24/44]: enabling SASL mapping fallback   [25/44]: restarting directory server   [26/44]: creating DS keytab   [27/44]: retrieving DS Certificate   [28/44]: restarting directory server   [29/44]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 15 seconds elapsed [ipa1.home.ld] reports: Update failed! Status: [49  - LDAP error: Invalid credentials]

[error] RuntimeError: Failed to start replication Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. STDERR: Client hostname: ipa2.home.ld Realm: HOME.LD DNS Domain: home.ld IPA Server: ipa1.home.ld BaseDN: dc=home,dc=ld Skipping synchronizing time with NTP server. Successfully retrieved CA cert     Subject:     CN=Certificate Authority,O=HOME.LD     Issuer:      CN=Certificate Authority,O=HOME.LD     Valid From:  Sun Jun 11 14:31:12 2017 UTC     Valid Until: Thu Jun 11 14:31:12 2037 UTC

Enrolled in IPA realm HOME.LD Created /etc/ipa/default.conf Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm HOME.LD trying https://ipa1.home.ld/ipa/json Forwarding 'schema' to json server 'https://ipa1.home.ld/ipa/json' trying https://ipa1.home.ld/ipa/session/json Forwarding 'ping' to json server 'https://ipa1.home.ld/ipa/session/json ' Forwarding 'ca_is_enabled' to json server 'https://ipa1.home.ld/ipa/ses sion/json' Systemwide CA database updated. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Forwarding 'host_mod' to json server 'https://ipa1.home.ld/ipa/session/ json' Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring home.ld as NIS domain. Client configuration complete. ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa- replica-install command failed. See /var/log/ipareplica-install.log for more information

Attached is the full logs from ipareplica-install.log

Any help on this would be greatly appreciated. I had tried all weekend long trying to get this to work all to the same basic failure.

Eric