RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Cloned from upstream: https://pagure.io/freeipa/issue/7593

``DogtagInstance.setup_admin`` and related methods have multiple LDAP replication race conditions. The bugs can cause parallel ``ipa-replica-install`` to fail. The issue typically manifests itself as:

``com.netscape.certsrv.base.PKIException: Failed to obtain installation token from security domain: com.netscape.certsrv.base.UnauthorizedException: User admin-replica1.ipa.example is not a member of Enterprise CA Administrators group.``

## _add_admin_to_group

The ``_add_admin_to_group`` method https://pagure.io/freeipa/blob/84ae625fe2c3786f7c5430f23a55c171ff54e110/f/ipaserver/install/dogtaginstance.py#_397-407 uses an LDAP search + ``MOD_REPLACE`` to add the host admin to the admin group. This is subject to race conditions. In case an other thread, process, or replica modifies the group between read and mod, the previous modification is lost. The method must use ``MOD_ADD`` to add the user to the group.

## setup_admin

The ``setup_admin`` waits until the new admin user has been replicated to the replication source. But that is not sufficient. Since the admin is first created and then appended to the groups, the method must wait until the group membership addition have been replicated, too.

https://pagure.io/freeipa/blob/84ae625fe2c3786f7c5430f23a55c171ff54e110/f/ipaserver/install/dogtaginstance.py#_439-444

Upstream ticket:
https://pagure.io/freeipa/issue/7593

https://github.com/freeipa/freeipa/pull/2051

Fixed upstream
master:
https://pagure.io/freeipa/c/14c869b347e488e40544ee1e6c4b35341124c76c
https://pagure.io/freeipa/c/1b966f708aa33c07f68fc30daaf6e4800a6b4a53
https://pagure.io/freeipa/c/ad838c37a9ca2d1c5a2e0becf73ddacb004b3ab6

ipa-4-5:

* 7e9648736185734fc39752df875321558f4464e4 Improve and fix timeout bug in wait_for_entry()
* d129cb2ab70f658e4b07e1fbb7f16905c66895e9 Use common replication wait timeout of 5min
* b763b62069040f3efafc65197063a84411bd4d10 Fix replication races in Dogtag admin code

Sanity Verified on ipa-server-4.6.4-7.el7.x86_64.
Installed 3x replica simultaneously in 15 runs and all installations were successful.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187