#7976 Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master
Closed: fixed 7 days ago by fcami. Opened a month ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1714076

Description of problem:
When migrating IPA from RHEL 6 to RHEL 7, it only works for the first RHEL 7 IPA server replica install; the succeeding RHEL 7 replica installs fail consistently.

We are following the documentation link below:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7

Version-Release number of selected component (if applicable):

ipaserver6.example.local
RHEL 6.10
ipa-server-3.0.0-51
IP = 10.10.92.254

ipaserver7.example.local
RHEL 7.6
ipa-server-4.6.4-10
IP = 10.74.177.255

ipaserver8.example.local
RHEL 7.6
ipa-server-4.6.4-10
IP = 10.74.176.168


How reproducible:
Reproducible every time


Steps to Reproduce:
-----
ipaserver6.example.local
-----
### Update the system to the latest version and install IPA packages
# hostnamectl set-hostname ipaserver6.example.local
# subscription-manager register --auto-attach --force
# yum update -y
# yum install "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap ipa-server-dns -y
### Add the host entry of the server's ip address
# cat /etc/hosts
  10.10.92.254 ipaserver6.example.local ipaserver6
# ipa-server-install
# ipa-dns-install

-----
ipaserver7.example.local
-----
### Update the system to the latest version and install IPA packages
# hostnamectl set-hostname ipaserver7.example.local
# subscription-manager register --auto-attach --force
# yum update -y

# yum install ipa-server ipa-server-dns -y

### Note: ensure that the file below only contains the following lines
# cat /etc/resolv.conf
   search example.local
   nameserver 10.10.92.254

### Note: add the following line under NSSCipherSuite
# cat /etc/httpd/conf.d/nss.conf
  +ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
# scp /usr/share/ipa/copy-schema-to-ca.py root@ipaserver6.example.local:/root

-----
ipaserver6.example.local
-----
# cd /root
# python copy-schema-to-ca.py
# ipa-replica-prepare ipaserver7.example.local --ip-address 10.74.177.255
# scp /var/lib/ipa/replica-info-ipaserver7.example.local.gpg root@ipaserver7.example.local:/var/lib/ipa/

-----
ipaserver7.example.local
-----
# ipa-replica-install /var/lib/ipa/replica-info-ipaserver7.example.local.gpg --setup-ca --setup-dns --no-forwarders --ip-address 10.74.177.255


WE WILL ADD A NEW IPA RHEL 7 REPLICA, THIS IS WHERE THE ISSUE APPEARS:
-----
ipaserver8.example.local
-----
### Update the system to the latest version and install IPA packages
# hostnamectl set-hostname ipaserver8.example.local
# subscription-manager register --auto-attach --force
# yum update -y
# yum install ipa-server ipa-server-dns -y

### Note: ensure that the file below only contains the following lines
# cat /etc/resolv.conf
   search example.local
   nameserver 10.10.92.254

### Note: add the following line under NSSCipherSuite
# cat /etc/httpd/conf.d/nss.conf
  +ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

-----
ipaserver6.example.local
-----
# ipa-replica-prepare ipaserver8.example.local --ip-address 10.74.176.168
# scp /var/lib/ipa/replica-info-ipaserver8.example.local.gpg root@ipaserver8.example.local:/var/lib/ipa/


-----
ipaserver8.example.local
-----
# ipa-replica-install /var/lib/ipa/replica-info-ipaserver8.example.local.gpg --setup-ca --setup-dns --no-forwarders --ip-address 10.74.176.168
[...]
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [error] NotFound: wait_for_entry timeout on ldap://ipaserver6.example.local:389 for krbprincipalname=HTTP/ipaserver8.example.local@EXAMPLE.LOCAL,cn=services,cn=accounts,dc=example,dc=local
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    wait_for_entry timeout on ldap://ipaserver6.example.local:389 for krbprincipalname=HTTP/ipaserver8.example.local@EXAMPLE.LOCAL,cn=services,cn=accounts,dc=example,dc=local
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Actual results:
Error appears as above

Expected results:
Expecting to be able to add multiple RHEL 7 IPA replicas to a RHEL 6 IPA master

Additional info:

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1714076

a month ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

a month ago

Note: the issue happens with the ipa-4-6 branch only, as the DL0 replica installation is not supported any more on the ipa-4-7 and master branches.

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3269

a month ago

ipa-4-6:

  • 30f3816 DL0 replica install: fix nsDS5ReplicaBindDN config
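Added example (not FreeIPA's code and not part of this ticket or its fix): a small Python diagnostic for the failure mode reported above. It reproduces the two checks a practitioner would run against the RHEL 6 master when a second DL0 replica dies in "wait_for_entry timeout": poll the master for the new replica's HTTP service principal entry with a bounded timeout, the way the replica installer does, and, when that times out, inspect the master's replica configuration entry to see whether the ldap/ principal DN of every replica is listed in nsDS5ReplicaBindDN, the attribute named in the fix commit title. Assumptions: the suffix, realm and hostnames follow the ticket's example.local layout; the replica configuration DN is the default 389-ds mapping-tree location; the expectation that each DL0 replica's ldap/ principal DN appears in nsDS5ReplicaBindDN is an assumption about how FreeIPA configures GSSAPI replication; the directory snapshot is constructed sample data, not captured from a real server, and the `search` callable stands in for an ldapsearch or python-ldap base-scope lookup.

```python
import time
from typing import Callable, Dict, List, Optional

# Deployment layout taken from the ticket (assumed for this example).
SUFFIX = "dc=example,dc=local"
REALM = "EXAMPLE.LOCAL"
# Default 389-ds location of the replica configuration for SUFFIX; the
# escaped-suffix RDN is how 389-ds names it (assumption about the deployment).
REPLICA_CONFIG_DN = ("cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dlocal,"
                     "cn=mapping tree,cn=config")

Entry = Dict[str, List[str]]
# A base-scope lookup: DN in, attributes out, None if the entry does not exist.
# Stands in for ldapsearch/python-ldap so the example runs offline.
SearchFn = Callable[[str], Optional[Entry]]


def service_dn(service: str, host: str) -> str:
    """DN of a Kerberos service principal, shaped like the ticket's error message."""
    return (f"krbprincipalname={service}/{host}@{REALM},"
            f"cn=services,cn=accounts,{SUFFIX}")


def wait_for_entry(search: SearchFn, dn: str, timeout: float,
                   interval: float = 0.05, clock=time.monotonic,
                   sleep=time.sleep) -> Entry:
    """Poll `search` until `dn` is readable; raise LookupError after `timeout` seconds."""
    deadline = clock() + timeout
    while True:
        entry = search(dn)
        if entry is not None:
            return entry
        if clock() >= deadline:
            raise LookupError(f"wait_for_entry timeout for {dn}")
        sleep(interval)


def missing_bind_dns(search: SearchFn, replica_hosts: List[str]) -> List[str]:
    """Replica hosts whose ldap/ principal DN is absent from nsDS5ReplicaBindDN.

    Assumption: a DL0 replica supplies changes to the master bound as its
    ldap/<host> principal, so that DN must be allowed in the master's
    replica configuration for changes made on the replica to flow back.
    """
    entry = search(REPLICA_CONFIG_DN)
    if entry is None:
        raise LookupError(f"no replica configuration at {REPLICA_CONFIG_DN}")
    allowed = {v.lower() for v in entry.get("nsDS5ReplicaBindDN", [])}
    return [h for h in replica_hosts
            if service_dn("ldap", h).lower() not in allowed]


def diagnose(search: SearchFn, new_replica: str, replica_hosts: List[str],
             timeout: float = 1.0) -> str:
    """Run both checks for a freshly installed replica and return a verdict line."""
    http_dn = service_dn("HTTP", new_replica)
    try:
        wait_for_entry(search, http_dn, timeout)
    except LookupError as err:
        missing = missing_bind_dns(search, replica_hosts)
        if missing:
            return (f"{err}; nsDS5ReplicaBindDN on the master lacks the ldap/ "
                    f"principal of: {', '.join(missing)}")
        return f"{err}; bind DNs are complete, inspect the agreement status instead"
    return f"{http_dn} is present on the master"


# Constructed snapshot of the RHEL 6 master during the failed second install
# (sample data, not captured from a real server): only ipaserver7's ldap/
# principal is allowed to supply changes, so the HTTP/ipaserver8 entry created
# on ipaserver8 never shows up on the master.
MASTER_SNAPSHOT: Dict[str, Entry] = {
    REPLICA_CONFIG_DN: {
        "nsDS5ReplicaBindDN": [service_dn("ldap", "ipaserver7.example.local")],
    },
    service_dn("HTTP", "ipaserver7.example.local"): {"objectClass": ["ipaService"]},
}


def snapshot_search(dn: str) -> Optional[Entry]:
    """Offline stand-in for a base-scope LDAP search against the master."""
    return MASTER_SNAPSHOT.get(dn)


if __name__ == "__main__":
    print(diagnose(snapshot_search, "ipaserver8.example.local",
                   ["ipaserver7.example.local", "ipaserver8.example.local"],
                   timeout=0.2))
```

Against a real master, replace `snapshot_search` with a function that runs a base-scope `ldapsearch -b <dn>` (or the python-ldap equivalent) as Directory Manager, since the replica configuration under cn=config is typically not readable by other identities; keep the timeout in the order of minutes there, as the installer does, rather than the sub-second value used for the offline run.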

Metadata Update from @fcami:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 days ago
