a cascade of issues

 * I needed to set the domain level to 1 in order to join my client.

    grant@ef-idm01:~[20220601-8:14][#1041]$ ipa domainlevel-get
    -----------------------
    Current domain level: 0
    -----------------------
    grant@ef-idm01:~[20220601-8:14][#1042]$ ipa domainlevel-set 1
    -----------------------
    Current domain level: 1
    -----------------------
    grant@ef-idm01:~[20220601-8:14][#1043]$

 * The new client requires the IPA certs to have the hostname(s) as a Subject Alternative Name. I did this to the IPA servers:

    sudo ipa-getcert resubmit -d /etc/dirsrv/slapd-PRODUCTION-EFILM-COM -n Server-Cert -D `hostname`

   then restarted IPA.

    sudo certutil -L -d /etc/dirsrv/slapd-PRODUCTION-EFILM-COM -n Server-Cert

   now shows a SAN entry.

Things have changed though; it appears I no longer do a prepare, and instead promote a client:

    grant@ef-idm03:~[20220601-10:35][#215]$ sudo ipa-replica-prepare ef-idm04.production.efilm.com
    Replica creation using 'ipa-replica-prepare' to generate replica file is supported only in 0-level IPA domain.
    The current IPA domain level is 1 and thus the replica must be created by promoting an existing IPA client.

    To set up a replica use the following procedure:
        1.) set up a client on the host using 'ipa-client-install'
        2.) promote the client to replica running 'ipa-replica-install' *without* replica file specified

    'ipa-replica-prepare' is allowed only in domain level 0
    The ipa-replica-prepare command failed.
    grant@ef-idm03:~[20220601-10:36][#216]$

But promoting the client fails:

    grant@ef-idm04:~[20220601-10:37][#70]$ sudo ipa-replica-install --setup-ca
    [sudo] password for grant:
    Password for [email protected]: **************
    Trust is configured but no NetBIOS domain name found, setting it now.
    Enter the NetBIOS name for the IPA domain.
    Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
    Example: EXAMPLE.

    NetBIOS domain name [PRODUCTION]:
    WARNING: 340 existing users or groups do not have a SID identifier assigned.
    Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users.
    Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation.
    Refer to ipa-adtrust-install(1) man page for details.

    Do you want to run the ipa-sidgen task? [no]: yes
    Run connection check to master
    Connection check OK
    Disabled p11-kit-proxy
    Configuring directory server (dirsrv). Estimated time: 30 seconds
      [1/38]: creating directory server instance
      Validate installation settings ...
      Create file system structures ...
      Perform SELinux labeling ...
      Create database backend: dc=production,dc=efilm,dc=com ...
      Perform post-installation tasks ...
      [2/38]: tune ldbm plugin
      [3/38]: adding default schema
      [4/38]: enabling memberof plugin
      [5/38]: enabling winsync plugin
      [6/38]: configure password logging
      [7/38]: configuring replication version plugin
      [8/38]: enabling IPA enrollment plugin
      [9/38]: configuring uniqueness plugin
      [10/38]: configuring uuid plugin
      [11/38]: configuring modrdn plugin
      [12/38]: configuring DNS plugin
      [13/38]: enabling entryUSN plugin
      [14/38]: configuring lockout plugin
      [15/38]: configuring topology plugin
      [16/38]: creating indices
      [17/38]: enabling referential integrity plugin
      [18/38]: configuring certmap.conf
      [19/38]: configure new location for managed entries
      [20/38]: configure dirsrv ccache and keytab
      [21/38]: enabling SASL mapping fallback
      [22/38]: restarting directory server
      [23/38]: creating DS keytab
      [24/38]: ignore time skew for initial replication
      [25/38]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress, 12 seconds elapsed
    Update succeeded
      [26/38]: prevent time skew after initial replication
      [27/38]: adding sasl mappings to the directory
      [28/38]: updating schema
      [29/38]: setting Auto Member configuration
      [30/38]: enabling S4U2Proxy delegation
      [31/38]: initializing group membership
      [32/38]: adding master entry
      [33/38]: initializing domain level
      [34/38]: configuring Posix uid/gid generation
      [35/38]: adding replication acis
      [36/38]: activating sidgen plugin
      [37/38]: activating extdom plugin
      [38/38]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc)
      [1/5]: configuring KDC
      [2/5]: adding the password extension to the directory
      [3/5]: creating anonymous principal
      [4/5]: starting the KDC
      [5/5]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Configuring directory server (dirsrv)
      [1/3]: configuring TLS for DS instance
      [2/3]: importing CA certificates from LDAP
      [3/3]: restarting directory server
    Done configuring directory server (dirsrv).
    Configuring the web interface (httpd)
      [1/22]: stopping httpd
      [2/22]: backing up ssl.conf
      [3/22]: disabling nss.conf
      [4/22]: configuring mod_ssl certificate paths
      [5/22]: setting mod_ssl protocol list
      [6/22]: configuring mod_ssl log directory
      [7/22]: disabling mod_ssl OCSP
      [8/22]: adding URL rewriting rules
      [9/22]: configuring httpd
    Nothing to do for configure_httpd_wsgi_conf
      [10/22]: setting up httpd keytab
      [11/22]: configuring Gssproxy
      [12/22]: setting up ssl
      [13/22]: configure certmonger for renewals
      [14/22]: publish CA cert
      [15/22]: clean up any existing httpd ccaches
      [16/22]: enable ccache sweep
      [17/22]: configuring SELinux for httpd
      [18/22]: create KDC proxy config
      [19/22]: enable KDC proxy
      [20/22]: starting httpd
      [21/22]: configuring httpd to start on boot
      [22/22]: enabling oddjobd
    Done configuring the web interface (httpd).
    Configuring ipa-otpd
      [1/2]: starting ipa-otpd
      [2/2]: configuring ipa-otpd to start on boot
    Done configuring ipa-otpd.
    Custodia uses 'ef-idm03.production.efilm.com' as master peer.
    Configuring ipa-custodia
      [1/4]: Generating ipa-custodia config file
      [2/4]: Generating ipa-custodia keys
      [3/4]: starting ipa-custodia
      [4/4]: configuring ipa-custodia to start on boot
    Done configuring ipa-custodia.
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    400 Client Error: Bad Request for url: https://ef-idm03.production.efilm.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.ytyWNFjh3bpO7KG0OBiRVgsFhFvHqjhxq51DkpcBiFfn3ZlUQYSnCjaUhFfhW9tGfe3E9e1RFBayuOFsr-0kGt2In639SYXiel6g7gmnWe_pdKn7EeCbUBwD2HkFelh0yEgnDQX62mciGPWfcCVjkSSh8YGI2XtcoVHhxHpaX8P7bwbkM1fLIbHzyyjrrUap7HvB17WMXhx73Nwo_Zwz_1txFcvGFJKVuJ45Oi_Z98vMfbDZtrKJkMcVyYL_kqSc8pfqYUY9LhX2OMPrCSDWviaNMIAVq59dvfYhR1YlWnfH2yEsbojNvflvk8joO5dsfmuddZY_Xw7taVDg2zke7w.dOGMctCsZR1nPx1_-zB3bQ.GHYEFsxLGuD1_X_C8wYgnfo3BRArNn0GRBFIIJAKNE_Uj3mogkYCciN66MCYS7CYefAJAT1f4tEP2iti5QCRCnaekoDVIAEFpYiKvYt-znJSjJFFzl7TGWLm18U5mK5-lpGQ-vP74RAsvr8AULLMRuNgt1HnYt0pRvELtwgkNK82P0zta4c8X1isYXix_TdqSgg5tTQqWvg6P52qzCAmJK_HsRqkgeb_hjFD7kbKZRigTXHzZX7oN8aarUBcCCkGJcQAv7zEgo-EgMgWytKsvT8Eyp_7j1O3HuaXpECqh5Tzv53ERW6yDtrDNMskFacxNvYb8B5h90pE1am5Hz5PYsGtgt5k_ECyJRVEZ9GIv8IwSVp3Lyxog_kYcNjiv075YGccTzRuJBSDNUVDmMZOgzgtmu1TZsBYdcgV_Rx-FPaK6lOvBq1_AD4QCMsuAyrUzdURkX53xeOG6AB2R1s4_KVfIWxR9MMRBIlH4yiklihsF7XUQQhJW2CtD_0LYycDacoy0sZedsWVm6jY0J6hIvWAPsh4kRlbgWTxv05Hmxh4WTXBZukQywTLD2X2aSFHsAekDSWpnxPSNXQ39hcC0h4XPhuhmDUd8WLZVYo3qAc1nhPeP6g5LmV9gdHQmdHh9BC7FXLTmLdXG3WymsWAJ6yiMPGw2f83yfvJ8QcIkmECQ66XJfvBSYT8Fx59chJC.LoAMvRj2tVYHSLEs-7NfnhCumDM0-HTgzzTSWTiagks
    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
    grant@ef-idm04:~[20220601-10:44][#71]$

I'm uncertain how to proceed.

- grant
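The SAN requirement the post runs into, as an added check (example code written here, not from the post or the FreeIPA project): it exports Server-Cert from the directory server NSS database with certutil, the way the post does, and verifies that a DNS Subject Alternative Name equal to the host's FQDN is present before attempting the replica promotion. The function names, the openssl-based parsing of the SAN extension and the use of `hostname -f` are assumptions; the database path and nickname defaults are the ones from the post.

```shell
#!/bin/sh
# Added example: check that an IPA service certificate carries a DNS SAN
# matching the host. Helper names and the openssl parsing are assumptions.

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
san_dns_names() {
    # $1 = path to a PEM certificate
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Return 0 when the certificate has a DNS SAN exactly equal to $2, else 1.
cert_has_san_for_host() {
    # $1 = PEM certificate, $2 = hostname expected in the SAN
    san_dns_names "$1" | grep -qxF "$2"
}

# Export a nickname from an NSS database (defaults from the post) as PEM and
# check it against this host's FQDN. Returns 0 (OK), 1 (no SAN), 2 (export failed).
check_ipa_server_cert() {
    db="${1:-/etc/dirsrv/slapd-PRODUCTION-EFILM-COM}"
    nick="${2:-Server-Cert}"
    host="${3:-$(hostname -f)}"
    pem="$(mktemp)"
    if ! certutil -L -d "$db" -n "$nick" -a > "$pem" 2>/dev/null; then
        echo "ERROR: could not export $nick from $db"
        rm -f "$pem"; return 2
    fi
    if cert_has_san_for_host "$pem" "$host"; then
        echo "OK: $nick in $db has SAN DNS:$host"
        rc=0
    else
        echo "MISSING: $nick in $db has no SAN DNS:$host (found: $(san_dns_names "$pem" | tr '\n' ' '))"
        echo "Hint: sudo ipa-getcert resubmit -d $db -n $nick -D $host"
        rc=1
    fi
    rm -f "$pem"
    return $rc
}
```

Run `check_ipa_server_cert` on each IPA server before promoting a client; the same two helpers work on any PEM, for example a certificate saved from `ipa-getcert list` output.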