[Freeipa-users] Replica and CA mess

Sigbjorn Lie sigbjorn at nixtra.com
Sun Nov 27 17:53:02 UTC 2011


I had an odd performing IPA replica server, it had no knowledge of any 
other services besides dirsrv, DNS and CA, lots of GSSAPI errors in the 
dirsrv logs, etc, so I decided to re-configure the IPA replica.

# ipactl status
Directory Service: RUNNING
DNS Service: RUNNING
CA Service: RUNNING


I removed the IPA instance on the host as per the document below.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Uninstalling_IPA_Servers.html


I prepared a new replica package for the host using ipa-replica-prepare 
on ipa01. And started ipa-replica-install on ipa03. This gave unexpected 
results.

# ipa-replica-install --setup-dns --forwarder=192.168.1.1 
--forwarder=192.168.1.2 /var/lib/ipa/replica-info-ipa03.ix.test.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa01.ix.test.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: port 80 (80): OK
    HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IX.TEST.COM password:

Execute check on remote master
Check connection from master to remote replica 'ipa03.ix.test.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: port 80 (80): OK
    HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
The host ipa03.ix.test.com already exists on the master server. 
Depending on your configuration, you may perform the following:

Remove the replication agreement, if any:
     % ipa-replica-manage del ipa03.ix.test.com
Remove the host entry:
     % ipa host-del ipa03.ix.test.com

So I went back to ipa01 to remove the replica:

#  ipa-replica-manage del ipa03.ix.test.com
Unable to delete replica ipa03.ix.test.com: {'desc': "Can't contact LDAP 
server"}

Hm, ok, I tried to force removal.

#  ipa-replica-manage del -f ipa03.ix.test.com
Unable to connect to replica ipa03.ix.test.com, forcing removal
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact 
LDAP server"}
Forcing removal on 'ipa01.ix.test.com'
Failed to get data from 'ipa02.ix.test.com': {'info': 'SASL(-1): generic 
failure: GSSAPI Error: An invalid name was supplied (Cannot determine 
realm for numeric host address)', 'desc': 'Local error'}
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact 
LDAP server"}


Not a complete success? However, I was now able to install my replica. 
But I now no longer have a CA instance on the replica:

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING


Perhaps an opportunity for improvements here? My suggestions:

* First off, add to the documentation to remove the replica on another 
IPA server before uninstalling the IPA replica?
* Why not automatically delete the replication agreement when 
uninstalling the replica?
* Where did the CA instance go? I see nothing in the documentation about 
this, but I found an ipa-ca-install command. ipa-ca-install yielded the 
error below. The same error occurs if I attempt to --setup-ca while doing 
the ipa-replica-install:

Configuring certificate server: Estimated time 3 minutes 30 seconds
   [1/11]: creating certificate server user
   [2/11]: creating pki-ca instance
   [3/11]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command 
'/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 
'ipa03.ix.test.com' '-cs_port' '9445' '-client_certdb_dir' 
'/tmp/tmp-GyGkkW' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 
'BZiIPv9BeXIPIKs7hJrv' '-domain_name' 'IPA' '-admin_user' 'admin' 
'-admin_email' 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 
'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' 
'-agent_cert_subject' 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 
'ipa03.ix.test.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory 
Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 
'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 
'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX 
'-subsystem_name' 'pki-cad' '-token_name' 'internal' 
'-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=IX.TEST.COM' 
'-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=IX.TEST.COM' 
'-ca_server_cert_subject_name' 'CN=ipa03.ix.test.com,O=IX.TEST.COM' 
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM' 
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM' 
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' 
'-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com' 
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' 
XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' 
'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Running ipa-ca-install on an IPv6 enabled host is even worse off:

root        : DEBUG    stderr=gpg: WARNING: unsafe permissions on 
homedir `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

root        : DEBUG    args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C 
/tmp/tmpQ_4Prsipa
root        : DEBUG    stdout=
root        : DEBUG    stderr=
creation of replica failed: The network address 2001:db8:abab:2::21 does 
not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 
2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
root        : DEBUG    The network address 2001:db8:abab:2::21 does not 
match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 
2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
   File "/usr/sbin/ipa-ca-install", line 156, in <module>
     main()

   File "/usr/sbin/ipa-ca-install", line 121, in main
     host = get_host_name(options.no_host_dns)

   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 540, in get_host_name
     verify_fqdn(hostname, no_host_dns)

   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 201, in verify_fqdn
     verify_dns_records(host_name, rs, resaddr, 'ipv6')

   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 113, in verify_dns_records
     raise RuntimeError("The network address %s does not match the DNS 
lookup %s. Check /etc/hosts and ensure that %s is the IP address for %s" 
% (dns_addr.format(), resaddr, dns_addr.format(), host_name))


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Both A and AAAA records are configured for both hosts, as well as IPv4 
and IPv6 reverse addresses. All addresses, forward and reverse, are 
resolvable from both IPA hosts.

As a side note: the ipa-replica-install script works successfully on the 
IPv6 enabled hosts, and I use IPv6 from Linux and Solaris clients for 
LDAPS and Kerberos without any issues.



Regards,
Siggi
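The traceback above shows verify_dns_records raising because an AAAA record (2001:db8:abab:2::21) is compared against the address the host name resolved to (192.168.1.21), i.e. a record of one address family checked against an address of the other. The following is an added example, not FreeIPA code and not from the poster: it models that comparison shape in a small Python script, shows why it fails on a dual-stack host even when every record is correct, and puts a family-aware forward/reverse consistency check beside it, which is what an operator would want to run before ipa-ca-install or ipa-replica-install. The DNS table is constructed in-memory data (hypothetical addresses), and the function names naive_check and family_aware_check are this example's own; to use it against a live zone, replace the table lookups with resolver calls.

```python
"""Per-address-family forward/reverse DNS consistency check for an IPA host.

Added example, not FreeIPA's own code. The "naive" check reproduces the shape
of the failure seen in the ipa-ca-install traceback: every AAAA record is
compared against a single resolved IPv4 address. The family-aware check only
compares records with addresses of the same family and also verifies PTRs.
"""
import ipaddress

# Constructed zone data standing in for DNS answers (hypothetical values).
# ipa02 is a correct dual-stack host; ipa03 has a stale PTR for its AAAA.
FORWARD = {
    "ipa02.ix.test.com": ["192.168.1.21", "2001:db8:abab:2::21"],
    "ipa03.ix.test.com": ["192.168.1.22", "2001:db8:abab:2::22"],
}
REVERSE = {
    "192.168.1.21": "ipa02.ix.test.com",
    "2001:db8:abab:2::21": "ipa02.ix.test.com",
    "192.168.1.22": "ipa03.ix.test.com",
    "2001:db8:abab:2::22": "old-name.ix.test.com",  # stale reverse record
}


def canon(addr):
    """Canonical textual form so 2001:db8::1 and 2001:0db8::0001 compare equal."""
    return str(ipaddress.ip_address(addr))


def records(host, family):
    """A records (family 4) or AAAA records (family 6) for host, canonicalised."""
    return [canon(a) for a in FORWARD.get(host, [])
            if ipaddress.ip_address(a).version == family]


def naive_check(host, resolved_addr, family):
    """Failing shape: compare every record of `family` against one resolved
    address, ignoring that address's own family. Returns (ok, message)."""
    resolved_addr = canon(resolved_addr)
    for rec in records(host, family):
        if rec != resolved_addr:
            return False, ("The network address %s does not match the DNS lookup %s. "
                           "Check /etc/hosts and ensure that %s is the IP address for %s"
                           % (rec, resolved_addr, rec, host))
    return True, "ok"


def family_aware_check(host, resolved_addrs):
    """Hardened shape: each A/AAAA record must equal one of the host's resolved
    addresses of the SAME family, and must reverse-resolve back to the host.
    Returns a list of problem strings; an empty list means the zone is consistent."""
    by_family = {4: set(), 6: set()}
    for a in resolved_addrs:
        by_family[ipaddress.ip_address(a).version].add(canon(a))
    problems = []
    for family, label in ((4, "A"), (6, "AAAA")):
        for rec in records(host, family):
            if rec not in by_family[family]:
                problems.append("%s record %s is not an address of %s" % (label, rec, host))
            elif REVERSE.get(rec) != host:
                problems.append("PTR for %s is %r, expected %s" % (rec, REVERSE.get(rec), host))
    return problems


if __name__ == "__main__":
    # Dual-stack host resolved to its IPv4 address, AAAA records checked against it:
    print(naive_check("ipa02.ix.test.com", "192.168.1.21", 6))
    # Same host, same records, family-aware: no problems.
    print(family_aware_check("ipa02.ix.test.com", FORWARD["ipa02.ix.test.com"]))
    # Host with a genuinely stale PTR: reported, not hidden.
    print(family_aware_check("ipa03.ix.test.com", FORWARD["ipa03.ix.test.com"]))
```

The first call reproduces the message text from the traceback for a host whose records are all correct, which is the point: the error is a property of the comparison, not of the zone. The family-aware check passes that host and still catches a real inconsistency (the stale PTR on the second host), so it is the pre-flight an operator can run to separate a zone problem from an installer problem before touching /etc/hosts.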