[Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

Matt . yamakasi.014 at gmail.com
Sat Jun 27 15:11:24 UTC 2015


Hi,

Not yet, I'm busy with it right now.

I created a bug report where I'm checking the reference bugs now, but I
didn't see a solution that fast.

https://bugzilla.redhat.com/show_bug.cgi?id=1235766

I did do point 3 & 4.

Matt

2015-06-27 15:27 GMT+02:00 Dmitri Pal <dpal at redhat.com>:
> On 06/23/2015 06:15 PM, Matt . wrote:
>>
>> Anyone some suggestions about this ?
>>
>> I'm thinking about adding from my second 3.x master where I first need
>> to split that cluster to make that happen.
>
> Was that resolved?
>
>> 2015-06-22 22:57 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>
>>> OK,
>>>
>>> I'm on the go here, but I have an issue.
>>>
>>> When I install the replica server I get this error on the new replica:
>>>
>>> ipa         : CRITICAL CA DS schema check failed. Make sure the PKI service on the remote master is operational.
>>>
>>>
>>> When I restart IPA on the old master I get this:
>>>
>>>      PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>> [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>>                                                             [  OK  ]
>>>
>>> So the error on the replica is not that strange, but how to fix this
>>> on the master?
>>>
>>> Matt
>>>
>>> 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel <hf+redhat.com at scunc.net>:
>>>>
>>>> On 22.06.2015 12:10, Matt . wrote:
>>>>>
>>>>> Hi Guys,
>>>>
>>>>
>>>> Hi Matt,
>>>>
>>>>> I found some good information about migrating from 3.3 to 4.x using
>>>>> replicas.
>>>>>
>>>>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
>>>>> CentOS doesn't provide 3.3.
>>>>
>>>>
>>>> Could you please share a URL or something?
>>>>
>>>> Currently I'm here:
>>>>
>>>>   * ipa-6 - CentOS 6.6:
>>>>     ipa-admintools-3.0.0-42.el6.centos.x86_64
>>>>     ipa-client-3.0.0-42.el6.centos.x86_64
>>>>     ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>     ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>     ipa-python-3.0.0-42.el6.centos.x86_64
>>>>     ipa-server-3.0.0-42.el6.centos.x86_64
>>>>     ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>>>>     sssd-ipa-1.11.6-30.el6_6.4.x86_64
>>>>     pki-ca-9.0.3-38.el6_6.noarch
>>>>
>>>>   * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind, bind-dyndb-ldap):
>>>>     ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>>>>     ipa-client-4.1.0-18.el7.centos.3.x86_64
>>>>     ipa-python-4.1.0-18.el7.centos.3.x86_64
>>>>     ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>>     sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>     pki-ca-10.1.2-7.el7.noarch
>>>>
>>>>    -1. Update schema
>>>>        ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root at ipa-6:
>>>>        ipa-6# python copy-schema-to-ca.py
>>>>
>>>>     0. clean up old/stale replication agreements
>>>>        ipa-replica-manage del --force ipa-6.example.com
>>>>        ipa-csreplica-manage del --force ipa-6.example.com
>>>>
>>>>     1. prepare replication on ipa-6 for ipa-7
>>>>        ipa-replica-prepare ipa-7.example.com
>>>>
>>>>     2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
>>>> /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>>>        - <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>>>>        + <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>>>>
>>>>     3. slow down the network a bit
>>>>        (don't know how effective it is, as we already got 1GBit, but without
>>>> it, a timing bug in 389-ds-base is triggered - see
>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>>>        tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540
>>>>
>>>>     4. install replication (without CA for the moment)
>>>>        ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders
>>>>
>>>> Up to now, everything works, but we need the CA too:
>>>>
>>>>     5. install ca
>>>>        ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg
>>>>
>>>> But this won't work and I don't have a clue how to fix/proceed from
>>>> here.
>>>>
>>>>    # ipa-7: /var/log/ipareplica-ca-install.log
>>>>    ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
>>>>    pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>>>>
>>>>    ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
>>>>    ipa         : DEBUG    Traceback (most recent call last):
>>>>      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>        run_step(full_msg, method)
>>>>      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>        method()
>>>>      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
>>>>        raise RuntimeError('Configuration of CA failed')
>>>>    RuntimeError: Configuration of CA failed
>>>>
>>>>    # ipa-7: /var/log/pki/pki-tomcat/ca/system
>>>>    0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>>>    0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>>>
>>>>    # ipa-7: /var/log/pki/pki-tomcat/ca/debug
>>>>    [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
>>>>    [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>>>>    [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>>>>    [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>>>>    [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
>>>>    [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>>>>    [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>>>>
>>>>    # ipa-6: /var/log/httpd/access_log
>>>>    10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309
>>>>    10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
>>>>
>>>>    # ipa-6: /var/log/pki-ca/debug
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='name' value='CA ipa-7.example.com 8443'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='eeclientauthsport' value='443'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='httpport' value='80'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sport' value='443'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='dm' value='true'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='adminsport' value='443'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='list' value='CAList'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='clone' value='true'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='type' value='CA'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='agentsport' value='443'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sessionID' value='-4812857165985662682'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='host' value='ipa-7.example.com'
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML start to service.
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing...
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: authentication starts
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL certificate
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.COM
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving client certificate
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client certificate
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate found
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure
>>>>    [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 15:12:59 CEST 2015 id=caUpdateDomainXML time=11
>>>>
>>>>    # ipa-6: /var/log/pki-ca/system
>>>>    5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate Serial 0x272 Subject DN CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found
>>>>    5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet caUpdateDomainXML: Failed to authorize: Invalid Credential..
>>>>
>>>> It would be great if someone could give a hint where to look and what
>>>> user can't authenticate and why.
>>>>
>>>> @Matt: For renaming the IdM server, see
>>>> https://access.redhat.com/solutions/174733; it could possibly help.
>>>>
>>>> b/r
>>>> H.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>
> --
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
>
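Two pre-flight checks for the old 3.0 master that follow from the thread above, as an added example that is not from the thread or from FreeIPA itself: it idempotently adds profileSubmit to the EE LocationMatch alternation in ipa-pki-proxy.conf (Hendrik's step 2) and flags the attr_syntax_create matching-rule conflicts that Matt's 389-ds errors log shows. The function names, the sample config (inner directives omitted) and the sample log lines are constructed for the example.

```python
import re

# Constructed sample of the EE <LocationMatch> from /etc/httpd/conf.d/ipa-pki-proxy.conf
# on the 3.0 master; the opening line is the one quoted in the thread, the body is omitted.
SAMPLE_PROXY_CONF = (
    '<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo'
    '|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">\n'
    '    # proxy directives omitted in this constructed sample\n'
    '</LocationMatch>\n'
)

# Constructed 389-ds errors log lines, unwrapped from the ones Matt quotes, plus one unrelated line.
SAMPLE_DS_ERRORS = [
    "[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the EQUALITY matching rule "
    "[caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] "
    "for the attribute [dc]",
    "[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR matching rule "
    "[caseIgnoreIA5SubstringsMatch] is not compatible with the syntax "
    "[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]",
    "[22/Jun/2015:22:50:37 +0200] - slapd started.",  # constructed, must not match
]

LOCATION_RE = re.compile(r'<LocationMatch "([^"]*)">')
SCHEMA_ERR_RE = re.compile(
    r"attr_syntax_create - Error: the (?P<kind>\w+) matching rule \[(?P<rule>[^\]]+)\] "
    r"is not compatible with the syntax \[(?P<syntax>[^\]]+)\] for the attribute \[(?P<attr>[^\]]+)\]"
)


def ensure_ee_path(conf_text, path="^/ca/ee/ca/profileSubmit", anchor="^/ca/ee/ca/checkRequest"):
    """Return (new_text, changed): append `path` to the alternation of the EE LocationMatch
    (the one that already lists `anchor`), leaving the text untouched if it is already there."""
    def patch(m):
        alternatives = m.group(1).split("|")
        if anchor not in alternatives or path in alternatives:
            return m.group(0)
        return '<LocationMatch "%s">' % "|".join(alternatives + [path])
    new_text = LOCATION_RE.sub(patch, conf_text)
    return new_text, new_text != conf_text


def schema_rule_conflicts(lines):
    """Pick out attr_syntax_create rule/syntax conflicts; any hit means the CA DS schema on
    the old master needs fixing before a 4.x replica's CA DS schema check can pass."""
    return [m.groupdict() for m in (SCHEMA_ERR_RE.search(line) for line in lines) if m]


if __name__ == "__main__":
    _, changed = ensure_ee_path(SAMPLE_PROXY_CONF)
    print("profileSubmit added" if changed else "profileSubmit already present")
    for hit in schema_rule_conflicts(SAMPLE_DS_ERRORS):
        print("schema conflict: %(kind)s rule %(rule)s on attribute [%(attr)s]" % hit)
```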



