<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hello,<br>
    </p>
    <p>The first half of the first issue is this bug:
      <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6226">https://fedorahosted.org/freeipa/ticket/6226</a></p>
    <p>You have to enable SSL on the server manually after installation.</p>
    <p><br>
    </p>
    <p>The second half of the first issue shouldn't be related to the ticket
      above, but I don't know more details; I'll leave this for the IPA CA
      gurus.</p>
    <p><br>
    </p>
    <p>The second issue is unrelated to certificates; I believe that
      something in dirsrv causes this unusual behavior. I have seen this
      before with other users.</p>
    <p>* both "no such entry" errors, for the HTTP principal and for the
      topology plugin, are the same issue</p>
    <p>* all users have this issue with a CA-less installation, but it is
      not always reproducible; I'm not sure whether there is a step in the
      CA-less install that can cause this</p>
    <p>* the entries are in the database (they were added previously by the
      installer), but during installation the search failed with "no such
      entry"; ldapsearch after installation works</p>
    <p>* in the access log the SRCH comes before the ADD operation, but this
      contradicts the steps in the installer: the entry is added first, and
      the installer failed hard, so there is no way to add it after the
      failure caused by the not-found error.</p>
    <pre style="color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; white-space: pre-wrap;">[29/Dec/2016:10:33:02.775715491 +0000] conn=16 op=1 SRCH base="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:02.775892719 +0000] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0
This caused the installation failure (IMO; there is no further SRCH operation for the HTTP principal in the log) ^^^^^^
......
[29/Dec/2016:10:33:05.487917960 +0000] conn=17 op=10 ADD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.492213776 +0000] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0 csn=5864e653000000040000
[29/Dec/2016:10:33:05.492372184 +0000] conn=17 op=11 MOD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.494649080 +0000] conn=17 op=11 RESULT err=0 tag=103 nentries=0 etime=0 csn=5864e653000100040000
[29/Dec/2016:10:33:05.494816357 +0000] conn=17 op=12 MOD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
These were added after the failure??? ^^^^^
I need a DS guru's assistance to resolve this :)
Martin^2
</pre>
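<p>As an added example (not code from the thread, from FreeIPA or from 389-ds), the check Martin describes above, run over the access-log excerpt: pair each request with its RESULT by conn/op, then flag a SRCH that returned err=32 for a DN before that DN's ADD, and also a SRCH that still fails after a successful ADD. The sample lines are the excerpt plus two constructed lines for the second case.</p>

```python
"""Correlate SRCH and ADD operations on one DN in a 389-ds access log.

Added example, not code from the thread or from FreeIPA/389-ds. It reads
the access-log line format shown in the excerpt above and flags two
situations: a SRCH that returned err=32 (noSuchObject) BEFORE the ADD of
the same DN (the ordering Martin points out), and a SRCH that returned
err=32 AFTER a successful ADD (entry in the database, lookup still fails).
"""
import re
from datetime import datetime

# First six lines are the excerpt from the thread (mail-client link markup
# removed); the last two are constructed to exercise the "after ADD" case.
SAMPLE_LOG = """\
[29/Dec/2016:10:33:02.775715491 +0000] conn=16 op=1 SRCH base="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:02.775892719 +0000] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[29/Dec/2016:10:33:05.487917960 +0000] conn=17 op=10 ADD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.492213776 +0000] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0 csn=5864e653000000040000
[29/Dec/2016:10:33:05.492372184 +0000] conn=17 op=11 MOD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.494649080 +0000] conn=17 op=11 RESULT err=0 tag=103 nentries=0 etime=0 csn=5864e653000100040000
[29/Dec/2016:10:33:07.000000001 +0000] conn=18 op=2 SRCH base="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:07.000200000 +0000] conn=18 op=2 RESULT err=32 tag=101 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<day>[^.\]]+)\.(?P<ns>\d{1,9}) (?P<tz>[+-]\d{4})\] '
    r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
REQ_RE = re.compile(r'^(?P<kind>SRCH|ADD|MOD|DEL|MODRDN) (?:base|dn)="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def parse_ts(day, ns, tz):
    """Sort key with nanosecond precision; datetime alone keeps only microseconds."""
    return (datetime.strptime(f'{day} {tz}', '%d/%b/%Y:%H:%M:%S %z'), int(ns.ljust(9, '0')))


def parse_ops(text):
    """Pair each request with its RESULT via (conn, op); return ops sorted by time."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close and other lines without conn/op
        key = (int(m['conn']), int(m['op']))
        req, res = REQ_RE.match(m['rest']), RESULT_RE.match(m['rest'])
        if req:
            # Lower-casing is a rough DN normalisation, good enough for this format.
            ops[key] = {'ts': parse_ts(m['day'], m['ns'], m['tz']), 'conn': key[0],
                        'op': key[1], 'kind': req['kind'], 'dn': req['dn'].lower(),
                        'err': None}
        elif res and key in ops:
            ops[key]['err'] = int(res['err'])
    return sorted(ops.values(), key=lambda o: o['ts'])


def find_anomalies(ops):
    """Return (before_add, after_add): SRCH ops with err=32 on a DN that was ADDed."""
    first_add = {}
    for o in ops:
        if o['kind'] == 'ADD' and o['err'] == 0 and o['dn'] not in first_add:
            first_add[o['dn']] = o['ts']
    before, after = [], []
    for o in ops:
        if o['kind'] == 'SRCH' and o['err'] == 32 and o['dn'] in first_add:
            hit = (o['conn'], o['op'], o['dn'])
            (before if o['ts'] < first_add[o['dn']] else after).append(hit)
    return before, after


if __name__ == '__main__':
    before, after = find_anomalies(parse_ops(SAMPLE_LOG))
    for conn, op, dn in before:
        print(f'conn={conn} op={op}: SRCH err=32 BEFORE the ADD of {dn}')
    for conn, op, dn in after:
        print(f'conn={conn} op={op}: SRCH err=32 AFTER a successful ADD of {dn}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a hit in the second list is the "entry exists but lookup fails" case that needs the directory-server side explanation.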
<div class="moz-cite-prefix">On 29.12.2016 19:13, Peter Pakos wrote:
</div><blockquote cite="mid:CAOGqY2xLi48D84mzGow8MS102GQx4BLVkqi+cyRdb7wYuEbTAw@mail.gmail.com" type="cite"><div dir="ltr">Access log: <a moz-do-not-send="true" href="https://files.pakos.uk/access.txt">https://files.pakos.uk/access.txt</a><div>Error log: <a moz-do-not-send="true" href="https://files.pakos.uk/ipareplica-install.log.txt">https://files.pakos.uk/ipareplica-install.log.txt</a></div><div>
</div><div>I hope it helps.</div></div><div class="gmail_extra">
<div class="gmail_quote">On 29 December 2016 at 12:52, Peter Pakos <span dir="ltr"><<a moz-do-not-send="true" href="mailto:peter@pakos.uk" target="_blank">peter@pakos.uk</a>></span> wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi guys,<div>
</div><div>I'm facing yet another problem with a CA-less install of a FreeIPA replica and a 3rd-party SSL certificate.</div><div>
</div><div>A few days ago I deployed a new CA-less server (ipa02) by running the following command:</div><div>
</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">ipa-server-install \
  -r PAKOS.UK \
  -n pakos.uk \
  -p 'password' \
  -a 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA \
  --idstart=1000</blockquote><div>
</div><div>This server appears to be working OK.</div><div>
</div><div>Then yesterday I deployed a client (ipa01):</div><div>
</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">ipa-client-install \
  -p admin \
  -w 'password' \
  --mkhomedir</blockquote></div><div>
</div><div>Next, I promoted it to an IPA server:</div><div>
</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">ipa-replica-install \
  -w 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --dirsrv-cert-name=AlphaWildcardIPA \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA</blockquote></div><div>
</div><div>After it finished, I noticed that dirsrv wasn't listening on port 636 on ipa01.</div><div>
</div><div>Further investigation revealed that the SSL wildcard certificate (AlphaWildcardIPA) wasn't installed in the dirsrv NSS DB and that the CA certificates were named oddly (CA 1 and CA 2):</div><div>
</div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><font face="monospace, monospace" size="1">[root@ipa01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AlphaWildcardIPA                                             u,u,u
CA 1                                                         ,,
CA 2                                                         C,,


[root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GlobalSign Root CA - GlobalSign nv-sa                        ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa                 C,,</font></pre></div><div>
</div><div>This is what I found in the error log:</div><div>
</div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><font face="monospace, monospace" size="1">[29/Dec/2016:01:43:58.<wbr>852745536 +0000] 389-Directory/<a moz-do-not-send="true" href="http://1.3.5.10" target="_blank">1.3.5.10</a> B2016.341.2222 starting up
[29/Dec/2016:01:43:58.<wbr>867642515 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[29/Dec/2016:01:43:58.<wbr>889866051 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Dec/2016:01:43:58.<wbr>905267535 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pakos,<wbr>dc=uk does not exist
[29/Dec/2016:01:43:58.<wbr>907051833 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=<wbr>pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.<wbr>908396407 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.<wbr>909758735 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.<wbr>911133739 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pakos,<wbr>dc=uk does not exist
[29/Dec/2016:01:43:58.<wbr>912416230 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>913644794 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>914901802 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>916158004 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>917409810 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>918636743 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>919904210 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>921175543 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>922417264 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>923818252 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>925218237 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=<wbr>uk does not exist
[29/Dec/2016:01:43:58.<wbr>928474915 +0000] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.<wbr>943158867 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=<wbr>ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:58.<wbr>944679679 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=<wbr>ipa,cn=etc,dc=pakos,dc=uk does not exist
[29/Dec/2016:01:43:59.<wbr>060335708 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[29/Dec/2016:01:43:59.<wbr>066618653 +0000] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pakos,<wbr>dc=uk--no CoS Templates found, which should be added before the CoS Definition.
[29/Dec/2016:01:43:59.<wbr>100168779 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[29/Dec/2016:01:43:59.<wbr>108366423 +0000] slapd started.  Listening on All Interfaces port 389 for LDAP requests
[29/Dec/2016:01:43:59.<wbr>109788596 +0000] Listening on /var/run/slapd-PAKOS-UK.socket for LDAPI requests
[29/Dec/2016:01:44:04.<wbr>117095313 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.<wbr>142962437 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
[29/Dec/2016:01:44:04.<wbr>164958006 +0000] schema-compat-plugin - Finished plugin initialization.
[29/Dec/2016:01:44:20.<wbr>113621699 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_<wbr>conf: server configuration missing
[29/Dec/2016:01:44:20.<wbr>115517170 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_<wbr>conf: cannot create replica</font></pre></div><div>
</div><div>At this point I trashed ipa01 and tried to re-deploy it using the same commands. The install failed with the following error message:</div><div>
</div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><font face="monospace, monospace" size="1">Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss cipher suite
  [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/19]: setting mod_nss password file
  [5/19]: enabling mod_nss renegotiate
  [6/19]: adding URL rewriting rules
  [7/19]: configuring httpd
  [8/19]: setting up httpd keytab
  [9/19]: setting up ssl
  [error] NotFound: no such entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.<wbr>install_tool(Replica): ERROR    no such entry
ipa.ipapython.install.cli.<wbr>install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.<wbr>log for more information</font></pre></div><div>Here's the full install log: <a moz-do-not-send="true" href="https://files.pakos.uk/ipareplica-install.log.txt" target="_blank">https://files.pakos.uk/<wbr>ipareplica-install.log.txt</a></div><div>
</div><div>I've raised this problem on the #freeipa channel (many thanks to mbasti and ab for their help in investigating this issue with me); however, we didn't get very far, and some further input from dirsrv gurus is required here.</div><div>
</div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><font face="monospace, monospace" size="1">[root@ipa01 ipa]# echo $SERVICE
HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>

[root@ipa01 ipa]# echo $DN
krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=pakos,dc=uk

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>, services, accounts, <a moz-do-not-send="true" href="http://pakos.uk" target="_blank">pakos.uk</a>
dn: krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy<wbr>51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQ<wbr>GkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+<wbr>oUkwR6ADAgESoUAEPiAA1r2NfOUD/<wbr>7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/<wbr>nn4pct9yNwFxKUGOFOz1suDz0l2Rur<wbr>2vUMFigGzAZoAMCAQShEgQQOiQnZGE<wbr>8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbW<wbr>I/ipYCPMu9I/<wbr>jUqL39P0a9WHq8BdW2kpY9kYqsoy7D<wbr>+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
krbCanonicalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
managedBy: fqdn=<a moz-do-not-send="true" href="http://ipa01.pakos.uk" target="_blank">ipa01.pakos.uk</a>,cn=<wbr>computers,cn=accounts,dc=<wbr>pakos,dc=uk
krbPrincipalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-<wbr>005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "krbprincipalname=*"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: krbprincipalname=*
# requesting: ALL
#

# HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>, services, accounts, <a moz-do-not-send="true" href="http://pakos.uk" target="_blank">pakos.uk</a>
dn: krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy<wbr>51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQ<wbr>GkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+<wbr>oUkwR6ADAgESoUAEPiAA1r2NfOUD/<wbr>7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/<wbr>nn4pct9yNwFxKUGOFOz1suDz0l2Rur<wbr>2vUMFigGzAZoAMCAQShEgQQOiQnZGE<wbr>8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbW<wbr>I/ipYCPMu9I/<wbr>jUqL39P0a9WHq8BdW2kpY9kYqsoy7D<wbr>+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
krbCanonicalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
managedBy: fqdn=<a moz-do-not-send="true" href="http://ipa01.pakos.uk" target="_blank">ipa01.pakos.uk</a>,cn=<wbr>computers,cn=accounts,dc=<wbr>pakos,dc=uk
krbPrincipalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-<wbr>005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=pakos,dc=uk> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>, services, accounts, <a moz-do-not-send="true" href="http://pakos.uk" target="_blank">pakos.uk</a>
dn: krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy<wbr>51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQ<wbr>GkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+<wbr>oUkwR6ADAgESoUAEPiAA1r2NfOUD/<wbr>7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/<wbr>nn4pct9yNwFxKUGOFOz1suDz0l2Rur<wbr>2vUMFigGzAZoAMCAQShEgQQOiQnZGE<wbr>8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbW<wbr>I/ipYCPMu9I/<wbr>jUqL39P0a9WHq8BdW2kpY9kYqsoy7D<wbr>+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
krbCanonicalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
managedBy: fqdn=<a moz-do-not-send="true" href="http://ipa01.pakos.uk" target="_blank">ipa01.pakos.uk</a>,cn=<wbr>computers,cn=accounts,dc=<wbr>pakos,dc=uk
krbPrincipalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-<wbr>005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1</font></pre></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><font face="monospace, monospace" size="1">[root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=pakos,dc=uk> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>, services, accounts, <a moz-do-not-send="true" href="http://pakos.uk" target="_blank">pakos.uk</a>
dn: krbprincipalname=HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.<wbr>pakos.uk@PAKOS.UK</a>,cn=services,<wbr>cn=accounts,dc=p
 akos,dc=uk
krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy<wbr>51a0BQQUtPUy5VSwA=
krbLastPwdChange: 20161229103250Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQ<wbr>GkgccwgcQwaKAbMBmgAwIBBKESBBB5
 NUQyJVZFPGYyMTZAUU0+<wbr>oUkwR6ADAgESoUAEPiAA1r2NfOUD/<wbr>7xph6tSb4hg/nTOwIVYhOusG/omq
 a1qMz/ZVA/<wbr>nn4pct9yNwFxKUGOFOz1suDz0l2Rur<wbr>2vUMFigGzAZoAMCAQShEgQQOiQnZGE<wbr>8Nk93V3
 pvJSRLVaE5MDegAwIBEaEwBC4QAJbW<wbr>I/ipYCPMu9I/<wbr>jUqL39P0a9WHq8BdW2kpY9kYqsoy7D<wbr>+A3fP
 LwmAX3lYm
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
ipaKrbPrincipalAlias: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
krbCanonicalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
managedBy: fqdn=<a moz-do-not-send="true" href="http://ipa01.pakos.uk" target="_blank">ipa01.pakos.uk</a>,cn=<wbr>computers,cn=accounts,dc=<wbr>pakos,dc=uk
krbPrincipalName: HTTP/<a moz-do-not-send="true" href="mailto:ipa01.pakos.uk@PAKOS.UK" target="_blank">ipa01.pakos.uk@PAKOS.UK</a>
ipaUniqueID: 25dc5432-cdb2-11e6-a20e-<wbr>005056a2f7f5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1</font></pre></div><div>
</div><div>I must say that this is a show stopper for us at WANdisco, which is holding back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.</div><div>
</div><div>If there is anything else I can do to help with the investigation, please just let me know.</div><div>
</div><div>Many thanks in advance.</div><span class="HOEnZb"><font color="#888888"><div>
</div>-- 
<div class="m_-3656198681700890369gmail_signature"><div dir="ltr">Kind regards,<div> Peter Pakos</div></div></div>
</font></span></div></div>
</blockquote></div>

<div>
</div>-- 
<div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Kind regards,<div> Peter Pakos</div></div></div>
</div>




</blockquote>
</body></html>