Bug 819110 - Setup IPA Replica of different version than Master failed
Summary: Setup IPA Replica of different version than Master failed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Deon Ballard
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks: 824491
Reported: 2012-05-04 21:12 UTC by Scott Poore
Modified: 2014-05-10 03:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 824491 (view as bug list)
Environment:
Last Closed: 2014-05-10 03:43:37 UTC
Target Upstream Version:
Embargoed:



Description Scott Poore 2012-05-04 21:12:37 UTC
Description of problem:

Trying to test something else, I ran into a problem when trying to have one IPA server on RHEL 6.2 and another on 6.3. I tried both master=6.3/replica=6.2 and master=6.2/replica=6.3. I'll have to re-run the tests to get the latter error, but I believe it was the same as the former, which I have here:

I set up a RHEL 6.3 IPA Master. Then I tried to set up a RHEL 6.2 Replica,
but the install fails. However, during install, I do see some errors, but not
the invalid syntax ones. Could those be from multiple re-install attempts?

### On MASTER:
# ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN

### On REPLICA:
# ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w
$ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg

...looked normal until the following error:

  [29/29]: configuring directory to start on boot
done configuring dirsrv.
creation of replica failed: [Errno 2] No such file or directory:
'/tmp/tmp1O5dxFipa/realm_info/ldappwd'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Version-Release number of selected component (if applicable):
master=2.2.0-12 from RHEL 6.3
replica=2.1.3-9 from RHEL 6.2

How reproducible:
always

Steps to Reproduce:
On MASTER (RHEL 6.3):
1.  <setup rhel 6.3 master>
2.  ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN
On REPLICA (RHEL 6.2)
3.  sftp root@$MASTERIP:/var/lib/ipa/replica-info-$hostname_s.$DOMAIN.gpg
4.  ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w
$ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg

Actual results:

  [29/29]: configuring directory to start on boot
done configuring dirsrv.
creation of replica failed: [Errno 2] No such file or directory:
'/tmp/tmp1O5dxFipa/realm_info/ldappwd'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:

6.2 server setup as replica of the 6.3 master. 

Additional info:

Comment 2 Martin Kosek 2012-05-07 11:13:47 UTC
We need to decide if we want to support this scenario. There are significant differences between 6.2 and 6.3, including the Kerberos backend. IPA with RHEL 6.3 has its own krbkdc database backend.

This is the list of files that differ between the replica info files generated by the RHEL 6.2 and 6.3 versions:

# diff /home/mkosek/realm_info_62 /home/mkosek/realm_info_63
9,10d8
< kpasswd.keytab
< ldappwd

If we want to support RHEL 6.2 replicas for RHEL 6.3 masters, we would need to keep support for the 6.2 Kerberos DB backend (configuration of uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX account, kpasswd keytab, etc) and bundle the appropriate files in our replica info files.

Comment 3 Scott Poore 2012-05-07 14:28:06 UTC
Ok, tested Master=6.2/Replica=6.3 install from scratch.   This is what happened on the Replica when I tried to install it:

[root@spoore-dvm2 shm]# ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$SLAVEFQDN.gpg
Run connection check to master
Check connection from replica to remote master 'spoore-dvm1.testrelm.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica 'spoore-dvm2.testrelm.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h spoore-dvm2.testrelm.com -v -f /tmp/tmpigyZWo -x -D cn=Directory Manager -y /tmp/tmp4adRIY' returned non-zero exit status 32
  [25/30]: initializing group membership
  [26/30]: adding master entry
  [27/30]: configuring Posix uid/gid generation
  [28/30]: enabling compatibility plugin
  [29/30]: tuning directory server
  [30/30]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
ipa         : ERROR    Update failed: Type or value exists: 
ipa         : ERROR    Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed
creation of replica failed: attribute "idnsAllowQuery" not allowed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


will upload logs too

Comment 6 RHEL Program Management 2012-05-11 04:04:04 UTC
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 7 Martin Kosek 2012-05-14 07:05:03 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2751

Comment 8 Rob Crittenden 2012-05-22 13:00:50 UTC
Creating replication agreements requires that both sides be the same IPA version. Please add as a documentation note.

Comment 9 Dmitri Pal 2012-05-23 15:16:36 UTC
Moving back to IPA to handle it nicely.

Comment 10 Dmitri Pal 2012-09-24 13:16:31 UTC
Converting to the doc bug.

During the upgrade process you should not create new replicas. You should finish upgrading and then create new ones. If for any reason you have to create a replica, then you must create it on the latest version.
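
A pre-flight check for the constraint stated in comments 8 and 10, as an added example that is not part of the bug report or of IPA itself: it compares the ipa-server package version on both hosts before a replica is created. The function names, and the choice to treat "same IPA version" as an identical upstream version string with the release suffix ignored, are assumptions.

```shell
#!/bin/sh
# Added example: refuse to create a replica when the two hosts run different IPA versions.
# Assumption: "same version" = identical upstream version (text before the first "-"
# of VERSION-RELEASE); compare the full string instead if releases must match too.

# upstream_version "2.2.0-12.el6" -> "2.2.0"
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# query_ipa_version [HOST]: VERSION-RELEASE of ipa-server, locally or over ssh.
# Prints nothing and returns non-zero when the package is not installed.
query_ipa_version() {
    q="rpm -q --qf '%{VERSION}-%{RELEASE}' ipa-server"
    if [ -n "$1" ]; then
        out=$(ssh "root@$1" "$q" 2>/dev/null) || return 1
    else
        out=$(sh -c "$q" 2>/dev/null) || return 1
    fi
    printf '%s\n' "$out"
}

# compare_ipa_versions MASTER_VR REPLICA_VR
# Returns 0 = same version, 1 = mismatch, 2 = a version could not be determined.
compare_ipa_versions() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "UNKNOWN: ipa-server version missing for one of the hosts"
        return 2
    fi
    m=$(upstream_version "$1")
    r=$(upstream_version "$2")
    if [ "$m" = "$r" ]; then
        echo "OK: master and replica both run IPA $m"
        return 0
    fi
    # sort -V orders version strings numerically; the first line is the older one.
    oldest=$(printf '%s\n%s\n' "$m" "$r" | sort -V | head -n 1)
    if [ "$oldest" = "$r" ]; then
        echo "MISMATCH: replica ($2) is older than master ($1)"
    else
        echo "MISMATCH: master ($1) is older than replica ($2)"
    fi
    return 1
}

# On the replica host, before ipa-replica-install (MASTERIP as in the report):
#   compare_ipa_versions "$(query_ipa_version "$MASTERIP")" "$(query_ipa_version)" || exit 1
```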

Comment 12 Deon Ballard 2014-05-10 03:43:37 UTC
Mass closure of bugs modified in 2013. All of these are in the currently-published docs.

