When I install a replica with the third-party certs as admin, I get the following error:
{{{
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Insufficient privileges to promote the server.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
}}}
The full installation commandline looks like this:
{{{
ipa-replica-install -p x2k1j5tdsl --http-cert-file http.p12 --dirsrv-cert-file dirsrv.p12 --http-pin x2k1j5tdsl --dirsrv-pin x2k1j5tdsl -P admin -n pesen.net -r PESEN.NET --server f23master.pesen.net -U
}}}
The log is attached.
attachment ipareplica-install.log
I was able to reproduce this even without custom certs involved:
{{{
# ipa-replica-install -U -P admin -p <password> --setup-ca -r DOM-066.SOMETEST.COM -n dom-066.sometest.com --server vm-066.sometest.com
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: vm-051.sometest.com
Realm: DOM-066.SOMETEST.COM
DNS Domain: dom-066.sometest.com
IPA Server: vm-066.sometest.com
BaseDN: dc=dom-066,dc=sometest,dc=com
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Enrolled in IPA realm DOM-066.SOMETEST.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DOM-066.SOMETEST.COM
trying https://vm-066.sometest.com/ipa/json
Forwarding 'ping' to json server 'https://vm-sometest.com.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://vm-066.sometest.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://vm-066.sometest.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring dom-066.sometest.com as NIS domain.
Client configuration complete.
Removing client side components
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Insufficient privileges to promote the server.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
}}}
The master was installed with the following options:
{{{
ipa-server-install --domain dom-066.sometest.com --realm DOM-066.SOMETEST.COM --forwarder <forwarder_ip> --auto-reverse -p <password> -U
}}}
Note: Reproduced in the Brno rhevm lab. Domain names are deliberately changed.
This might be an incorrect usage of options.
You are using `-P admin -p $password`. By `-p $password`, do you mean the admin password or an OTP?
Given that `-P admin` is provided, I assume an admin password was meant. The correct option is `--admin-password`, which has the shortcut `-w`.
The options are correct, see the help string for `-p`:
{{{
-p PASSWORD, --password=PASSWORD
    Password to join the IPA realm. Assumes bulk password unless principal is also set. (domain level 1+)
    Directory Manager (existing master) password. (domain level 0)
}}}
Anyway, I was not able to reproduce the issue.
Oleg, could you test with the patch http://www.redhat.com/archives/freeipa-devel/2016-March/msg00488.html? It may show us more info.
Reproduced with the latest packages built today on top of master branch (with the above mentioned patch merged). The args were as follows:
{{{
ipa-replica-install -w <admin_password> -n <domain_name> -r <domain_realm>
}}}
By the way, `-p` indeed expects a one-time password, so @pvoborni was right.
attachment ipareplica-install_03.29.2016.log
Patch 956 either doesn't work or was not applied on the machine which produced ipareplica-install_03.29.2016.log, because I don't see any difference in the log.
To me, it seems that the patch was not applied, because the line numbers of `sys.exit` are still the same.
I couldn't reproduce it. Works for me on master branch.
Relevant part of the log which Oleg sent me (with my patch applied):
{{{
2016-03-29T14:01:31Z DEBUG raw: hostgroup_find(None, cn=u'ipaservers', version=u'2.164', host=[u'vm-035.idm.lab.eng.brq.redhat.com'])
2016-03-29T14:01:31Z DEBUG hostgroup_find(None, cn=u'ipaservers', all=False, raw=False, version=u'2.164', no_members=False, pkey_only=False, host=(u'vm-035.idm.lab.eng.brq.redhat.com',))
2016-03-29T14:01:31Z DEBUG KRB5CCNAME set to None
2016-03-29T14:01:31Z DEBUG Destroyed connection context.ldap2_139872739384528
2016-03-29T14:01:32Z DEBUG Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Decrypt integrity check failed)
}}}
This issue is probably caused by a leftover ccache from a previous replica promotion, since issuing `kdestroy` before the new run fixed the error. Possible steps to reproduce are the following:
1.) setup a master and replica
2.) kinit as admin on replica
3.) uninstall master and replica
4.) setup master
5.) setup replica on the same machine as before
During step 5 you should get the 'Decrypt integrity check failed' message in the log. If you then call `kdestroy` and try the replica install again, it should work.
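A pre-flight check for the failure mode described above, added here as an example and not part of the ticket or of FreeIPA: it classifies the credential cache on the replica host before `ipa-replica-install` is re-run, so a TGT issued by the old (since uninstalled) KDC is destroyed instead of being presented to the new one. The `klist` output it parses is constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Constructed klist output (not from the ticket): a TGT for the realm that is
# about to be reinstalled, obtained from the KDC of the old master.
SAMPLE_KLIST_STALE='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@DOM-066.SOMETEST.COM

Valid starting       Expires              Service principal
03/29/2016 10:01:31  03/30/2016 10:01:28  krbtgt/DOM-066.SOMETEST.COM@DOM-066.SOMETEST.COM'

# Constructed klist output for an unrelated realm; not a risk for promotion.
SAMPLE_KLIST_OTHER='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
03/29/2016 10:01:31  03/30/2016 10:01:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# ccache_state <REALM>: reads klist output on stdin and prints one word:
#   stale   - a cache holds tickets for <REALM>; reinstalling the master has
#             changed the KDC keys, so these tickets fail with
#             "Decrypt integrity check failed"
#   foreign - a cache exists, but for a different realm
#   clean   - no credential cache at all
ccache_state() {
    realm=$1
    out=$(cat)
    if [ -z "$out" ] || printf '%s\n' "$out" | grep -q 'No credentials cache found'; then
        echo clean
        return
    fi
    if printf '%s\n' "$out" | grep -q "^Default principal: .*@${realm}\$"; then
        echo stale
    else
        echo foreign
    fi
}

# preflight <REALM>: run on the replica host before ipa-replica-install.
# Only a cache for the target realm is destroyed (kdestroy -A clears the
# whole cache collection), so the installer obtains a fresh TGT from the
# newly installed KDC.
preflight() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed"; return 1; }
    case $(klist 2>&1 | ccache_state "$1") in
        stale)   echo "stale ccache for $1; running kdestroy -A"; kdestroy -A ;;
        foreign) echo "ccache for another realm present; leaving it alone" ;;
        clean)   echo "no ccache; safe to run ipa-replica-install" ;;
    esac
}
```

Invoke as `preflight DOM-066.SOMETEST.COM` on the replica before step 5.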
Indeed, that did it. The patch was posted for review.
master:
ipa-4-3:
Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.3.2