#5996 ipa-replica-install failure: Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=ldap/...
Closed: Fixed None Opened 7 years ago by pspacek.

I'm unable to promote replica using admin credentials.

ipa-replica-install fails with the following error:

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=ldap/vm-046.abc.idm.lab.eng.brq.redhat.com@DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=services,cn=accounts,dc=dom-058-082,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.

Versions

389-ds-base-1.3.5.6-1.fc24.x86_64
IPA: eec440b

I'm going to attach the full server install log.


I can reproduce a failure but a different one.
Would you describe what differs from my tests:

On master side:
freeipa-server-4.4.0.201606231659GITeec440b-0.fc24.x86_64
389-ds-base-1.3.5.6-1.fc24.x86_64
ipa-server-install --hostname=<master-vm-fqdn> -p Secret123 -a Secret123 --domain <domain>  -U --realm <REALM>

on replica side:
freeipa-server-4.4.0.201606231711GITeec440b-0.fc24.x86_64
389-ds-base-1.3.5.6-1.fc24.x86_64
ipa-client-install --domain <domain> --realm <REALM> --server <master-vm-fqdn> -p admin -w Secret123 -U
ipa-replica-install

==> ipa.ipaserver.plugins.ldap2.ldap2: ERROR    Configured time limit exceeded while getting entries (base DN: cn=ipaservers,cn=hostgroups,cn=accounts,<suffix>, filter: None)

Interesting. It could be a deadlock in DS or just a slow VM. Is the time limit reproducible repeatedly?

For information, I was able to reproduce the 'Insufficient access...' issue.

I was no longer able to reproduce with the patch 00165 fixed.

a6dffbf IPA API: Do not force setting krbCanonicalName on newly created entries
fd840a9 mod_auth_gssapi: enable unique credential caches names
1ce8d32 ipapwd_extop should use TARGET_DN defined by a pre-extop plugin
d64513f Tests: Fix ipatests/test_ipaserver/test_rpcserver.py
13328bc topo segment-add: validate that both masters support target suffix
...

master:

  • 7b8247a keep setting ipakrbprincipal objectclass on new service entries

Regression caused by Kerberos aliases commits

Metadata Update from @pspacek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.4

7 years ago
