#5399 ipa-ca-install on replica fails during installation, if non admin user is kinited
Closed: Fixed None Opened 8 years ago by mbasti.

[root@vm-221 ~]# kinit nonadminuser
...
[root@vm-221 ~]# ipa-ca-install 
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'vm-065.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'vm-221.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: creating certificate server db
  [3/24]: setting up initial replication
  [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaId' attribute of entry 'cn=replication,cn=etc,dc=example,dc=com'.\n", 'desc': 'Insufficient access'}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Insufficient access

This state is hard to fix.


The user does not have access/write rights to finish the installation. We want to use GSSAPI to connect to the remote server, thus #5401 must be resolved first.

  • 6ea868e aci: merge domain and CA suffix replication agreement ACIs
  • b248dfd ca install: use host credentials in domain level 1
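The failure above happens because the installer picked up whatever Kerberos credentials were in the cache, and a non-admin user cannot write nsDS5ReplicaId. Until a release carrying the fix (host credentials in domain level 1) is installed, a preflight that inspects the credential cache before ipa-ca-install avoids the half-configured state. The script below is an added example, not FreeIPA's own code: it parses MIT Kerberos klist output (the "Default principal:" line) and accepts only admin@REALM or a host/ principal; the klist text embedded in it is constructed, and the assumption that the privileged user is called "admin" is a convention, not something enforced by FreeIPA.

```shell
#!/bin/sh
# Preflight check for ipa-ca-install: refuse to proceed when the default
# Kerberos principal in the cache is neither admin nor a host principal.

# Constructed klist output for the failing case (nonadminuser kinited).
SAMPLE_NONADMIN='Ticket cache: KEYRING:persistent:0:0
Default principal: nonadminuser@EXAMPLE.COM

Valid starting       Expires              Service principal
10/27/2015 10:00:00  10/28/2015 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed klist output for the expected case (admin kinited).
SAMPLE_ADMIN='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
10/27/2015 10:00:00  10/28/2015 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Read klist-style text on stdin and print the default principal (or nothing).
principal_from_klist() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# Policy: admin@REALM or any host/ principal may run the CA installer.
# The name "admin" is the usual IPA convention, assumed here.
principal_is_acceptable() {
    case "$1" in
        admin@*|host/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide from a block of klist text. Exit codes: 0 ok, 1 wrong principal,
# 2 no credentials at all.
preflight_from_text() {
    p=$(printf '%s\n' "$1" | principal_from_klist)
    if [ -z "$p" ]; then
        echo "no Kerberos credentials in cache; run 'kinit admin' first" >&2
        return 2
    fi
    if principal_is_acceptable "$p"; then
        echo "ok: $p"
        return 0
    fi
    echo "refusing: $p lacks replication write access; run 'kinit admin' (or kdestroy) before ipa-ca-install" >&2
    return 1
}

# Live variant: query the real credential cache on this replica.
preflight_live() {
    preflight_from_text "$(klist 2>/dev/null)"
}

# Stand-alone usage: check the constructed samples, then the live cache if
# klist is available.
preflight_from_text "$SAMPLE_NONADMIN" || echo "(nonadmin sample rejected as expected)"
preflight_from_text "$SAMPLE_ADMIN"
command -v klist >/dev/null 2>&1 && preflight_live
```

Run it on the replica before ipa-ca-install; a non-zero exit means the cache would lead to the INSUFFICIENT_ACCESS failure shown in the ticket, and the fix is simply to kinit as admin (or destroy the cache and let the installer prompt) rather than to clean up a partly configured system afterwards.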

Metadata Update from @mbasti:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.3

7 years ago
