[root@vm-221 ~]# kinit nonadminuser
...
[root@vm-221 ~]# ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'vm-065.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'vm-221.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: creating certificate server db
  [3/24]: setting up initial replication
  [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaId' attribute of entry 'cn=replication,cn=etc,dc=example,dc=com'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Insufficient access
This state is hard to fix.
The user does not have access/write rights to finish the installation. We want to use GSSAPI to connect to the remote server, thus #5401 must be resolved first.
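To triage this failure mode from installer output (for example when collecting logs from a partly configured replica), the following added example, which is not FreeIPA code, parses the "[n/N]: step" and "[error] ..." lines and pulls the denied privilege, attribute and entry DN out of the LDAP INSUFFICIENT_ACCESS message. The sample output is constructed from the lines in this ticket.

```python
import re
from typing import Optional

# Sample ipa-ca-install output, constructed from the lines in this ticket.
SAMPLE_OUTPUT = """\
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: creating certificate server db
  [3/24]: setting up initial replication
  [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaId' attribute of entry 'cn=replication,cn=etc,dc=example,dc=com'.\\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
"""

# "[3/24]: setting up initial replication"
STEP_RE = re.compile(r"^\s*\[(\d+)/(\d+)\]: (.+?)\s*$")
# "[error] INSUFFICIENT_ACCESS: {...}"
ERROR_RE = re.compile(r"^\s*\[error\] (?P<code>[A-Z_]+): (?P<detail>.*)$")
# 389-ds access-denied wording: privilege, attribute and entry DN.
ACCESS_RE = re.compile(
    r"Insufficient '(?P<priv>\w+)' privilege to the '(?P<attr>[\w-]+)' attribute "
    r"of entry '(?P<dn>[^']+)'"
)


def parse_install_failure(output: str) -> Optional[dict]:
    """Return details of the first failed installer step, or None if no
    [error] line is present. The most recent "[n/N]: step" line is kept so
    the error can be attributed to the step that was running."""
    last_step = None
    for line in output.splitlines():
        m = STEP_RE.match(line)
        if m:
            last_step = {"step": int(m.group(1)), "total": int(m.group(2)),
                         "name": m.group(3)}
            continue
        m = ERROR_RE.match(line)
        if not m:
            continue
        result = {"code": m.group("code"), "failed_step": last_step}
        a = ACCESS_RE.search(m.group("detail"))
        if a:  # only INSUFFICIENT_ACCESS-style messages carry these fields
            result.update(privilege=a.group("priv"), attribute=a.group("attr"),
                          entry_dn=a.group("dn"))
        return result
    return None


if __name__ == "__main__":
    print(parse_install_failure(SAMPLE_OUTPUT))
```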
Metadata Update from @mbasti:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.3