[Freeipa-users] Migrate from FreeIPA 3 to 4

Peter Larsen peter at peterlarsen.org
Wed Jan 4 04:11:28 UTC 2017


I'm attempting to migrate my IDM server from RHEL6 to RHEL7, i.e. from
IPA 3 to IPA 4. My IPA 3 installation does not manage DNS - but other
than that, it's a very basic installation on a very small set of servers
(fewer than 50).

To start the migration I run
# ipa-replica-prepare ipa.peterlarsen.org

(ipa is the name of the new RHEL7 server). My intention is to set up a
replica on that server, and once fully established remove the old
installation.

I'm prompted for the dirsrv password and once entered it's accepted. It
also gets accepted if I use the --password=blabla option. However, the
process doesn't get far and terminates with:

ipa-replica-prepare ipa.peterlarsen.org

Preparing replica for ipa.peterlarsen.org from idm.peterlarsen.org
preparation of replica failed: Insufficient access:  Invalid credentials
Insufficient access:  Invalid credentials
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 391, in main
    update_pki_admin_password(dirman_password)

  File "/usr/sbin/ipa-replica-prepare", line 247, in
update_pki_admin_password
    bind_pw=dirman_password

  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
connect
    conn = self.create_connection(*args, **kw)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
line 846, in create_connection
    self.handle_errors(e)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
line 712, in handle_errors
    raise errors.ACIError(info="%s %s" % (info, desc))

=====

I'm not sure the "invalid credentials" error message can be trusted (as
it does do a successful bind initially). Here's the log from the PKI-IPA:

[03/Jan/2017:23:08:26 -0500] conn=36 fd=73 slot=73 connection from
192.168.11.xxx to 192.168.11.xxx
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 BIND dn="cn=Directory Manager"
method=128 version=2
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[03/Jan/2017:23:08:26 -0500] conn=36 op=1 SRCH
base="ou=sessions,ou=Security Domain,o=ipaca" scope=2
filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[03/Jan/2017:23:08:26 -0500] conn=36 op=1 RESULT err=32 tag=101
nentries=0 etime=0
[03/Jan/2017:23:08:26 -0500] conn=36 op=2 UNBIND
[03/Jan/2017:23:08:26 -0500] conn=36 op=2 fd=73 closed - U1
[03/Jan/2017:23:08:27 -0500] conn=6 op=40 MOD
dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[03/Jan/2017:23:08:27 -0500] conn=6 op=40 RESULT err=0 tag=103
nentries=0 etime=0
[03/Jan/2017:23:09:04 -0500] conn=37 fd=73 slot=73 SSL connection from
192.168.11.xxx to 192.168.11.xxx
[03/Jan/2017:23:09:04 -0500] conn=37 TLS1.2 256-bit AES
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 BIND dn="cn=directory manager"
method=128 version=3
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 RESULT err=49 tag=97
nentries=0 etime=0 - Invalid credentials
[03/Jan/2017:23:09:04 -0500] conn=37 op=1 UNBIND
[03/Jan/2017:23:09:04 -0500] conn=37 op=1 fd=73 closed - U1

Looks more like a structural issue?

-- 
Regards
  Peter Larsen
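
The two Directory Manager binds in the access log above can be lined up mechanically. This is an added example, not part of the original post and not FreeIPA code: it rejoins the mail-wrapped log records and pairs each BIND with its RESULT and the transport of its connection; the function names are hypothetical and the sample is constructed from the quoted excerpt.

```python
import re

# Added example. SAMPLE is constructed from the access-log excerpt in the
# post, with the e-mail line wrapping kept so unwrap() is exercised.
SAMPLE = '''\
[03/Jan/2017:23:08:26 -0500] conn=36 fd=73 slot=73 connection from
192.168.11.xxx to 192.168.11.xxx
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 BIND dn="cn=Directory Manager"
method=128 version=2
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[03/Jan/2017:23:09:04 -0500] conn=37 fd=73 slot=73 SSL connection from
192.168.11.xxx to 192.168.11.xxx
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 BIND dn="cn=directory manager"
method=128 version=3
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 RESULT err=49 tag=97
nentries=0 etime=0 - Invalid credentials
'''
OPEN = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from')
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+ version=(\d+)')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97\b')  # 97 = BindResponse


def unwrap(text):
    """Rejoin records a mail client wrapped; every record starts with '['."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            records.append(line)
        elif line and records:
            records[-1] += ' ' + line
    return records


def correlate_binds(text):
    """Return one dict per BIND: connection, DN, transport, version, result."""
    tls, pending, out = {}, {}, []
    for rec in unwrap(text):
        o, b, r = OPEN.search(rec), BIND.search(rec), RESULT.search(rec)
        if o:
            tls[o.group(1)] = bool(o.group(2))  # True for an "SSL connection"
        elif b:
            conn, op, dn, version = b.groups()
            pending[(conn, op)] = {'conn': int(conn), 'dn': dn.lower(),
                                   'tls': tls.get(conn, False), 'ldap_version': int(version)}
        elif r and r.groups()[:2] in pending:
            out.append(dict(pending.pop(r.groups()[:2]), err=int(r.group(3))))
    return out
```

Calling `correlate_binds()` on the contents of the directory server's access log gives one row per bind, which makes it easy to see which connection and transport each err=0 or err=49 result belongs to.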
