Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1397439
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Created attachment 1222747: Replica install log

Creating bug for this issue (https://fedorahosted.org/freeipa/ticket/5412), as I do not see one referenced on it. The customer ended up working with Martin Babinsky to resolve their issue. Martin provided the following LDIFs for me to try once the ipa-replica-install issue got stuck, and it resolved their issue:

== on IPA master:

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
add: nsDS5ReplicaBindDNGroup
nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com

dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: member
member: krbprincipalname=ldap/replica.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com

== on IPA replica:

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
add: nsDS5ReplicaBindDNGroup
nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com

dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: member
member: krbprincipalname=ldap/master.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
The actual issue and workaround are summarized here:
After debugging the issue in my test environment with Thierry Bordaz and Ludwig Krispenz, we found out that the root cause is a missing 'nsds5replicabinddngroupcheckinterval' attribute on the 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry. Without this attribute the replication plugin does not check for the current members of the 'cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX' group, and so does not recognize them and denies updates made by them.

A workaround is to modify the relevant entry in the '/usr/share/ipa/ca-topology.uldif' file:

"""
<SNIP>
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
add: nsds5replicabinddngroupcheckinterval: 60    <-- insert this line
"""

Then run `ipa-ldap-updater /usr/share/ipa/ca-topology.uldif` and then try reinstalling the replica. The process has to be repeated on all CA replicas that were upgraded.
Steps to reproduce the issue:
1.) install 4.2 or 4.3 domain level 0 master and CA replica
2.) Upgrade (sequentially) master and replica to 4.4
3.) raise domain level to 1
4.) Try to set up another CA replica against existing one
Alternatively (shorter one):
1.) install 4.3 master and CA replica in domain level 0
2.) raise domain level to 1
3.) try to set up new CA replica against the old ones
In both cases, the expected result is that the CA replica is installed and functional.
Actual result: the CA installation gets stuck indefinitely on creating the temporary CA admin.
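As an added illustration of the two conditions this comment describes (the check-interval attribute on the ipaca replica entry, and the replica's ldap/ principal being a member of the replication managers group), here is a small offline check that is not code from the ticket or from FreeIPA. The entry DNs, attribute names and the value 60 come from the ticket; the suffix, realm and hostnames are constructed sample values, and the entries are plain dicts standing in for ldapsearch output.

```python
# Added example, not from the ticket or FreeIPA: checks the conditions the ticket
# describes over entries shaped like ldapsearch output (DN -> attribute -> values).
from typing import Dict, List

Entry = Dict[str, List[str]]
# DN of the ipaca replica entry as quoted in the ticket ("\3D" is an escaped "=")
REPLICA_DN = "cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config"

def group_dn(suffix: str) -> str:
    return f"cn=replication managers,cn=sysaccounts,cn=etc,{suffix}"

def ldap_principal_dn(host: str, realm: str, suffix: str) -> str:
    return f"krbprincipalname=ldap/{host}@{realm},cn=services,cn=accounts,{suffix}"

def check_ca_replication(entries: Dict[str, Entry], suffix: str, realm: str,
                         peers: List[str]) -> List[str]:
    """Return the problems found; an empty list means the bind-DN-group setup is sane."""
    replica = entries.get(REPLICA_DN)
    if replica is None:
        return ["ipaca replica entry is missing"]
    problems: List[str] = []
    # LDAP attribute names and DNs compare case-insensitively, so normalise both
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in replica.items()}
    grp = group_dn(suffix)
    if grp.lower() not in attrs.get("nsds5replicabinddngroup", []):
        problems.append(f"nsds5replicabinddngroup does not reference {grp}")
    if not attrs.get("nsds5replicabinddngroupcheckinterval"):
        problems.append("nsds5replicabinddngroupcheckinterval unset: group membership "
                        "is never re-read, so updates from new replicas are denied")
    members = [m.lower() for m in entries.get(grp, {}).get("member", [])]
    for host in peers:  # every peer's ldap/ principal must be in the group
        dn = ldap_principal_dn(host, realm, suffix)
        if dn.lower() not in members:
            problems.append(f"{dn} is not a member of {grp}")
    return problems

def checkinterval_ldif(interval: int = 60) -> str:
    """LDIF applying the ticket's workaround value (60) straight to the replica entry."""
    return (f"dn: {REPLICA_DN}\nchangetype: modify\n"
            "add: nsds5replicabinddngroupcheckinterval\n"
            f"nsds5replicabinddngroupcheckinterval: {interval}\n")

# Constructed sample: an upgraded master before the workaround was applied
SUFFIX, REALM = "dc=example,dc=com", "EXAMPLE.COM"
SAMPLE: Dict[str, Entry] = {
    REPLICA_DN: {"nsDS5ReplicaBindDNGroup": [group_dn(SUFFIX)]},
    group_dn(SUFFIX): {"member": [ldap_principal_dn("master.example.com", REALM, SUFFIX)]},
}
```

Running `check_ca_replication(SAMPLE, SUFFIX, REALM, ["master.example.com", "replica.example.com"])` on the sample reports both the missing check interval and the replica principal that is not yet in the group, which is exactly the state the two LDIFs earlier in this ticket repair.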
master:
ipa-4-4 will follow
ipa-4-4:
Commit 266b9d9 probably causes upgrade issues on first server
2016-12-07T12:09:16Z DEBUG Executing upgrade plugin: update_ca_topology
2016-12-07T12:09:16Z DEBUG raw: update_ca_topology ....
2016-12-07T12:09:18Z DEBUG New entry: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2016-12-07T12:09:18Z DEBUG ---------------------------------------------
2016-12-07T12:09:18Z DEBUG Initial value
2016-12-07T12:09:18Z DEBUG dn: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2016-12-07T12:09:18Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=dom-028,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to nsds5replicabinddngroup, current value []
2016-12-07T12:09:18Z DEBUG add: '60' to nsds5replicabinddngroupcheckinterval, current value []
2016-12-07T12:09:18Z DEBUG add: updated value ['60']
2016-12-07T12:09:18Z DEBUG ---------------------------------------------
2016-12-07T12:09:18Z DEBUG Final value after applying updates
2016-12-07T12:09:18Z DEBUG dn: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2016-12-07T12:09:18Z DEBUG nsds5replicabinddngroupcheckinterval:
2016-12-07T12:09:18Z DEBUG 60
2016-12-07T12:09:18Z ERROR Add failure missing required attribute "objectclass"

The object does not exist, but there is an add statement in the upgrade file which tries to create an entry without an objectclass, and it fails.
Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.3