957244 – Changing Directory Manager password on IPA server and replica-info

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 957244 - Changing Directory Manager password on IPA server and replica-info

Summary: Changing Directory Manager password on IPA server and replica-info

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	958134 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-26 17:54 UTC by Harri Savolainen
Modified:	2015-03-09 15:17 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-3.2.2-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 12:49:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Harri Savolainen 2013-04-26 17:54:51 UTC

Description of problem:
Replica-info contains files, like cacert.p12 which are protected by Directory Manager password of initial installation. If the password is changed, the replication information still contains the old password and the installation of CA replica fails. 

Version-Release number of selected component (if applicable):
ipa-server 3.0.0-26.el6_4.2
pki-ca 9.0.3-30.el6

How reproducible:
Every time.

Steps to Reproduce:
1. Install ipa-server
2. Change Directory Manager password
3. Install CA replica with a new password
  
Actual results:

ipa-replica-manage --setup-ca /replica-info-[fqdn].gpg
...
[3/17]: configuring certificate server instance
..
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname XXXXXXXX -cs_port 9445 -client_certdb_dir /tmp/tmp-lhZ4xM -client_certdb_pwd XXXXXXXX -preop_pin XXXXX -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=XXXXXX -ldap_host XXXXXX -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=XXXXXXX -ca_subsystem_cert_subject_name CN=CA Subsystem,O=XXXXX -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=XXXXX -ca_server_cert_subject_name CN=fqdn,O=XXXXXXX -ca_audit_signing_cert_subject_name CN=CA Audit,O=XXXXXX -ca_sign_cert_subject_name CN=Certificate Authority,O=XXXX -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname XXXXXX -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://XXXXXXX:443' returned non-zero exit status 255


Expected results:
[3/17]: configuring certificate server instance
-> Success


Additional info:

Comment 1 Rob Crittenden 2013-04-26 18:07:43 UTC

The RHCS team tells me we can use the PKCS12Export command to re-generate cacert.p12. They recommend regenerating this before preparing a replica.

Comment 2 Rob Crittenden 2013-04-26 18:18:45 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3594

Comment 4 Martin Kosek 2013-06-07 08:04:22 UTC

*** Bug 958134 has been marked as a duplicate of this bug. ***

Comment 5 Martin Kosek 2013-07-17 07:58:12 UTC

Fixed upstream:

master: c1e9b6fa1d3b334e6331c00158bf8e71926cd658
ipa-3-2: 7b402b3bc30af1e57b0451bd2ecfb121ee1739e5

Comment 7 Scott Poore 2014-02-12 21:01:18 UTC

Verified.

Version ::

ipa-server-3.3.3-18.el7.x86_64

Results ::

(manual below but, test case automated as indicated in the qe_test_coverage):

ON MASTER:

# First reset DM password:

[root@rhel7-1 ~]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful

[root@rhel7-1 ~]# cd /etc/dirsrv/slapd-IPA1-EXAMPLE-TEST/

[root@rhel7-1 slapd-IPA1-EXAMPLE-TEST]# NEWPASS=$(pwdhash RedHat1234)

[root@rhel7-1 slapd-IPA1-EXAMPLE-TEST]# sed -i "s|nsslapd-rootpw:.*$|nsslapd-rootpw: $NEWPASS|" dse.ldif

[root@rhel7-1 slapd-IPA1-EXAMPLE-TEST]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful

# Prepare info file

[root@rhel7-1 slapd-IPA1-EXAMPLE-TEST]# ipa-replica-prepare -p RedHat1234 --ip-address=192.168.122.72 replica1.ipa1.example.test
Preparing replica for replica1.ipa1.example.test from master.ipa1.example.test
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-replica1.ipa1.example.test.gpg
Adding DNS records for replica1.ipa1.example.test
Using reverse zone 122.168.192.in-addr.arpa.
The ipa-replica-prepare command was successful

ON REPLICA:

# Download info file

[root@rhel7-2 ~]# sftp root.example.test:/var/lib/ipa/replica-info-replica1.ipa1.example.test.gpg /dev/shm
root.example.test's password: 
Connected to master.ipa1.example.test.
Fetching /var/lib/ipa/replica-info-replica1.ipa1.example.test.gpg to /dev/shm/replica-info-replica1.ipa1.example.test.gpg
/var/lib/ipa/replica-info-replica1.ipa1.example.test.gpg             100%   37KB  37.3KB/s   00:00    

# Install replica using new DM Password:

[root@rhel7-2 ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -p RedHat1234 /dev/shm/replica-info-replica1.ipa1.example.test.gpg 
Run connection check to master
Check connection from replica to remote master 'master.ipa1.example.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'replica1.ipa1.example.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/34]: creating directory server user
  [2/34]: creating directory server instance
  [3/34]: adding default schema
  [4/34]: enabling memberof plugin
  [5/34]: enabling winsync plugin
  [6/34]: configuring replication version plugin
  [7/34]: enabling IPA enrollment plugin
  [8/34]: enabling ldapi
  [9/34]: configuring uniqueness plugin
  [10/34]: configuring uuid plugin
  [11/34]: configuring modrdn plugin
  [12/34]: configuring DNS plugin
  [13/34]: enabling entryUSN plugin
  [14/34]: configuring lockout plugin
  [15/34]: creating indices
  [16/34]: enabling referential integrity plugin
  [17/34]: configuring ssl for ds instance
  [18/34]: configuring certmap.conf
  [19/34]: configure autobind for root
  [20/34]: configure new location for managed entries
  [21/34]: configure dirsrv ccache
  [22/34]: enable SASL mapping fallback
  [23/34]: restarting directory server
  [24/34]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [25/34]: updating schema
  [26/34]: setting Auto Member configuration
  [27/34]: enabling S4U2Proxy delegation
  [28/34]: initializing group membership
  [29/34]: adding master entry
  [30/34]: configuring Posix uid/gid generation
  [31/34]: adding replication acis
  [32/34]: enabling compatibility plugin
  [33/34]: tuning directory server
  [34/34]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
  [3/19]: stopping certificate server instance to update CS.cfg
  [4/19]: disabling nonces
  [5/19]: set up CRL publishing
  [6/19]: starting certificate server instance
  [7/19]: creating RA agent certificate database
  [8/19]: importing CA chain to RA certificate database
  [9/19]: fixing RA database permissions
  [10/19]: setting up signing cert profile
  [11/19]: set certificate subject base
  [12/19]: enabling Subject Key Identifier
  [13/19]: enabling CRL and OCSP extensions for certificates
  [14/19]: setting audit signing renewal to 2 years
  [15/19]: configuring certificate server to start on boot
  [16/19]: configure certmonger for renewals
  [17/19]: configure clone certificate renewals
  [18/19]: configure Server-Cert certificate renewal
  [19/19]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: publish CA cert
  [8/13]: creating a keytab for httpd
  [9/13]: clean up any existing httpd ccache
  [10/13]: configuring SELinux for httpd
  [11/13]: configure httpd ccache
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone 122.168.192.in-addr.arpa.
Configuring DNS (named)
  [1/9]: adding NS record to the zone
  [2/9]: setting up reverse zone
  [3/9]: setting up our own record
  [4/9]: setting up CA record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server

Comment 8 Ludek Smid 2014-06-13 12:49:57 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.