Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1714076
Description of problem:
When migrating IPA from RHEL 6 to RHEL 7, it is only working on the first RHEL 7 IPA server replica install; the succeeding RHEL 7 replica install fails consistently.

We are following the documentation link below:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7

Version-Release number of selected component (if applicable):
ipaserver6.example.local RHEL 6.10 ipa-server-3.0.0-51 IP = 10.10.92.254
ipaserver7.example.local RHEL 7.6 ipa-server-4.6.4-10 IP = 10.74.177.255
ipaserver8.example.local RHEL 7.6 ipa-server-4.6.4-10 IP = 10.74.176.168

How reproducible:
Reproducible every time

Steps to Reproduce:

----- ipaserver6.example.local -----
### Update the system to the latest version and install IPA packages
# hostnamectl set-hostname ipaserver6.example.local
# subscription-manager register --auto-attach --force
# yum update -y
# yum install "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap ipa-server-dns -y

### Add the host entry of the server's ip address
# cat /etc/hosts
10.10.92.254 ipaserver6.example.local ipaserver6

# ipa-server-install
# ipa-dns-install

----- ipaserver7.example.local -----
### Update the system to the latest version and install IPA packages
# hostnamectl set-hostname ipaserver7.example.local
# subscription-manager register --auto-attach --force
# yum update -y
# yum install ipa-server ipa-server-dns -y

### Note: ensure that the file below only contains the following lines
# cat /etc/resolv.conf
search example.local
nameserver 10.10.92.254

### Note: add the following line under NSSCipherSuite
# cat /etc/httpd/conf.d/nss.conf
+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

# scp /usr/share/ipa/copy-schema-to-ca.py root@ipaserver6.example.local:/root

----- ipaserver6.example.local -----
# cd /root
# python copy-schema-to-ca.py
# ipa-replica-prepare ipaserver7.example.local --ip-address 10.74.177.255
# scp /var/lib/ipa/replica-info-ipaserver7.example.local.gpg root@ipaserver7.example.local:/var/lib/ipa/

----- ipaserver7.example.local -----
# ipa-replica-install /var/lib/ipa/replica-info-ipaserver7.example.local.gpg --setup-ca --setup-dns --no-forwarders --ip-address 10.74.177.255

WE WILL ADD A NEW IPA RHEL 7 REPLICA, THIS IS WHERE THE ISSUE APPEARS:

----- ipaserver8.example.local -----
### Update the system to the latest version and install IPA packages
# hostnamectl set-hostname ipaserver8.example.local
# subscription-manager register --auto-attach --force
# yum update -y
# yum install ipa-server ipa-server-dns -y

### Note: ensure that the file below only contains the following lines
# cat /etc/resolv.conf
search example.local
nameserver 10.10.92.254

### Note: add the following line under NSSCipherSuite
# cat /etc/httpd/conf.d/nss.conf
+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

----- ipaserver6.example.local -----
# ipa-replica-prepare ipaserver8.example.local --ip-address 10.74.176.168
# scp /var/lib/ipa/replica-info-ipaserver8.example.local.gpg root@ipaserver8.example.local:/var/lib/ipa/

----- ipaserver8.example.local -----
# ipa-replica-install /var/lib/ipa/replica-info-ipaserver8.example.local.gpg --setup-ca --setup-dns --no-forwarders --ip-address 10.74.176.168
[...]
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [error] NotFound: wait_for_entry timeout on ldap://ipaserver6.example.local:389 for krbprincipalname=HTTP/ipaserver8.example.local@EXAMPLE.LOCAL,cn=services,cn=accounts,dc=example,dc=local
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR wait_for_entry timeout on ldap://ipaserver6.example.local:389 for krbprincipalname=HTTP/ipaserver8.example.local@EXAMPLE.LOCAL,cn=services,cn=accounts,dc=example,dc=local
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Actual results:
Error appears as above

Expected results:
Expecting to be able to add IPA RHEL 7 replica multiple times on a RHEL 6 IPA Master

Additional info:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1714076
Metadata Update from @frenaud: - Issue assigned to frenaud
Note: the issue happens with ipa-4-6 branch only, as the DL0 replica installation is not supported any more on ipa-4-7 and master branches.
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3269
ipa-4-6:
Metadata Update from @fcami: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)