Discussion:
[Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
Matt .
10 years ago
Hi Guys,

I found some good information about migrating from 3.3 to 4.x using replicas.

It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.

Another question is that my hostnames are now like ipa-01 and
ipa-02, where I make one replica ipa-01-1 and finally go from there.

But what is the best way to set my hostnames back to ipa-01 from
ipa-01-1 (and maybe ipa-02-1) ?

I hope for some good suggestions.

Thanks!

Matt
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Rob Crittenden
10 years ago
Post by Matt .
Hi Guys,
I found some good information about migrating from 3.3 to 4.x using replicas.
It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
Post by Matt .
Another question is that my hostnames are now like ipa-01 and
ipa-02, where I make one replica ipa-01-1 and finally go from there.
But what is the best way to set my hostnames back to ipa-01 from
ipa-01-1 (and maybe ipa-02-1) ?
I hope for some good suggestions.
You can't change a hostname in IPA. You'd need to create ipa-01-1 and
ipa-02-1, confirm that they are working ok, delete ipa-01 and ipa-02,
then re-create those as new replicas, connect them, then delete the -1
versions. It is a lot of trouble to go through to preserve a hostname.

Things to consider:
- maintaining a CA throughout
- consider DNA ranges
- ensure that RUVs are properly cleaned up

rob
Hendrik Frenzel
10 years ago
Post by Matt .
Hi Guys,
Hi Matt,
Post by Matt .
I found some good information about migrating from 3.3 to 4.x using replicas.
It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.
Could you please share a URL or something?

Currently I'm here:

* ipa-6 - CentOS 6.6:
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-ca-9.0.3-38.el6_6.noarch

* ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server,
bind, bind-dyndb-ldap):
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
pki-ca-10.1.2-7.el7.noarch

-1. Update schema
ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py ***@ipa-6:
ipa-6# python copy-schema-to-ca.py

0. clean up old/stale replication agreements
ipa-replica-manage del --force ipa-6.example.com
ipa-csreplica-manage del --force ipa-6.example.com

1. prepare replication on ipa-6 for ipa-7
ipa-replica-prepare ipa-7.example.com

2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
/etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
- <LocationMatch
"^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
+ <LocationMatch
"^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
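Review bot: every alternative in this LocationMatch is anchored only with `^`, so the added `^/ca/ee/ca/profileSubmit` is a prefix match and also admits any longer path that begins with that string; if only the exact servlet path should be proxied, anchor it with `$`. Also confirm that the block this line sits in (its directives are not shown here) still applies the client-certificate requirements intended for the end-entity paths, since the new alternative inherits whatever that block allows.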

3. slow down the network a bit
(don't know how effective it is, as we already got 1GBit, but
without it, a timing bug in 389-ds-base is triggered; see
https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540

4. install replication (without CA for the moment)
ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders

Up to now, everything works, but we need the CA too:

5. install ca
ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg

But this won't work and I don't have a clue how to fix/proceed from
here.

# ipa-7: /var/log/ipareplica-ca-install.log
ipa : DEBUG stderr=pkispawn : WARNING ....... unable
to validate security domain user/password through REST interface.
Interface not available
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: Error while updating security domain: java.io.IOException: 2

ipa : CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero
exit status 1
ipa : DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
382, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
372, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
673, in __spawn_instance
raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed

# ipa-7: /var/log/pki/pki-tomcat/ca/system
0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot
build CA chain. Error java.security.cert.CertificateException:
Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz
instance DirAclAuthz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value

# ipa-7: /var/log/pki/pki-tomcat/ca/debug
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipa-6.example.com port=443
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain:
failed to update security domain using admin port 443:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain:
now trying agent port with client auth
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipa-6.example.com port=443
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML()
nickname=subsystemCert cert-pki-ca
[22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML: status=1

# ipa-6: /var/log/httpd/access_log
10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST
/ca/admin/ca/updateDomainXML HTTP/1.0" 404 309
10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST
/ca/agent/ca/updateDomainXML HTTP/1.0" 200 115

# ipa-6: /var/log/pki-ca/debug
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri =
/ca/agent/ca/updateDomainXML
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='name' value='CA ipa-7.example.com 8443'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='eeclientauthsport' value='443'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='httpport' value='80'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='sport' value='443'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='dm' value='true'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='adminsport' value='443'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='list' value='CAList'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='clone' value='true'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='type' value='CA'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='agentsport' value='443'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='sessionID' value='-4812857165985662682'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param
name='host' value='ipa-7.example.com'
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML
start to service.
[22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing...
[22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process:
authentication starts
[22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2
[22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL
certificate
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA
Subsystem,O=EXAMPLE.COM
[22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started
[22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving
client certificate
[22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client
certificate
[22/Jun/2015:15:12:59][TP-Processor5]: In
LdapBoundConnFactory::getConn()
[22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
[22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected
true
[22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
[22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
[22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client
certificate found
[22/Jun/2015:15:12:59][TP-Processor5]: In
LdapBoundConnFactory::getConn()
[22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
[22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected
true
[22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
[22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
[22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory:
create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA
Subsystem,O=EXAMPLE.COM] authentication failure
[22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22
15:12:59 CEST 2015 id=caUpdateDomainXML time=11

# ipa-6: /var/log/pki-ca/system
5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot
authenticate agent with certificate Serial 0x272 Subject DN CN=CA
Subsystem,O=EXAMPLE.COM. Error: User not found
5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet
caUpdateDomainXML: Failed to authorize: Invalid Credential..

It would be great if someone could give a hint where to look and what
user can't authenticate and why.

@Matt: For renaming the IdM server, see
https://access.redhat.com/solutions/174733; it could possibly help.

b/r
H.
Matt .
10 years ago
OK,

I'm on the go here, but I have an issue.

When I install the replica server I get this error on the new replica:

ipa : CRITICAL CA DS schema check failed. Make sure the PKI
service on the remote master is operational.


When I restart IPA on the old master I get this:

PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[ OK ]

So the error on the replica is not that strange, but how to fix this
on the master ?

Matt
...
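Triaging the logs quoted in this thread, as an added example that is not code from the thread, from FreeIPA or from Dogtag: the three small parsers below pull the security-relevant fields out of the master's pki-ca system log from Hendrik's post (which client certificate the CA refused, and why), the master's httpd access_log (which updateDomainXML endpoint answered 404 and which answered 200) and the 389-ds errors log from Matt's post (which attribute carries matching rules incompatible with its syntax), then combine them into findings. The sample lines are constructed from the excerpts above, un-wrapped onto single lines; the regexes, function names and finding wording are this example's own assumptions, not interfaces of either project.

```python
import re

# Constructed sample lines, modelled on the log excerpts quoted in this thread
# (each record on one line, as it appears in the real log files).
PKI_SYSTEM_LOG = """\
5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate Serial 0x272 Subject DN CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found
5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet caUpdateDomainXML: Failed to authorize: Invalid Credential..
"""

HTTPD_ACCESS_LOG = """\
10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309
10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
"""

DIRSRV_ERRORS_LOG = """\
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
"""

# Assumed patterns for the three record shapes seen above (example's own, not Dogtag/389-ds specs).
AGENT_AUTH_RE = re.compile(
    r"Cannot authenticate agent with certificate Serial (?P<serial>0x[0-9a-fA-F]+) "
    r"Subject DN (?P<subject>.+?)\. Error: (?P<error>.+)$"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)
SCHEMA_RE = re.compile(
    r"attr_syntax_create - Error: the (?P<kind>EQUALITY|SUBSTR|ORDERING) matching rule "
    r"\[(?P<rule>[^\]]+)\] is not compatible with the syntax \[(?P<syntax>[^\]]+)\] "
    r"for the attribute \[(?P<attr>[^\]]+)\]"
)


def parse_agent_auth_failures(text):
    """Return (serial, subject DN, error) for every client certificate the CA refused."""
    out = []
    for line in text.splitlines():
        m = AGENT_AUTH_RE.search(line)
        if m:
            out.append((m.group("serial").lower(), m.group("subject"), m.group("error")))
    return out


def parse_domain_xml_requests(text):
    """Return (path, HTTP status) for each updateDomainXML call the clone made to the master."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("path").endswith("/updateDomainXML"):
            out.append((m.group("path"), int(m.group("status"))))
    return out


def parse_schema_errors(text):
    """Return (attribute, rule kind, matching rule, syntax OID) for each attr_syntax_create error."""
    out = []
    for line in text.splitlines():
        m = SCHEMA_RE.search(line)
        if m:
            out.append((m.group("attr"), m.group("kind"), m.group("rule"), m.group("syntax")))
    return out


def triage(pki_system, httpd_access, dirsrv_errors):
    """Combine the three logs into a list of human-readable findings (empty list = nothing found)."""
    findings = []
    for serial, subject, error in parse_agent_auth_failures(pki_system):
        findings.append(
            f"master CA rejected client certificate {subject} (serial {serial}): {error}; "
            "the certificate-based auth manager could not map it to a CA user"
        )
    statuses = dict(parse_domain_xml_requests(httpd_access))
    if statuses.get("/ca/admin/ca/updateDomainXML") == 404 and \
            "/ca/agent/ca/updateDomainXML" in statuses:
        findings.append(
            "admin updateDomainXML endpoint answered 404 at the master's httpd; the clone fell "
            "back to the agent endpoint with client-certificate auth"
        )
    by_attr = {}
    for attr, kind, rule, syntax in parse_schema_errors(dirsrv_errors):
        by_attr.setdefault(attr, []).append(f"{kind}={rule} vs syntax {syntax}")
    for attr, rules in sorted(by_attr.items()):
        findings.append(f"schema conflict on attribute '{attr}': " + "; ".join(rules))
    return findings


if __name__ == "__main__":
    for finding in triage(PKI_SYSTEM_LOG, HTTPD_ACCESS_LOG, DIRSRV_ERRORS_LOG):
        print("-", finding)
```

Run it against the real files (`/var/log/pki-ca/system` and `/var/log/httpd/access_log` on the 3.0 master, the 389-ds errors log of the PKI-IPA instance) by reading them into the three arguments instead of the constructed samples; the point of keeping the parsers separate is that each log answers a different question (who was refused, which endpoint was reached, which schema element conflicts), and a finding only appears when the corresponding pattern is actually present.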
Matt .
10 years ago
Anyone some suggestions about this ?

I'm thinking about adding from my second 3.x master where I first need
to split that cluster to make that happen.
...
Dmitri Pal
10 years ago
Post by Matt .
Anyone some suggestions about this ?
I'm thinking about adding from my second 3.x master where I first need
to split that cluster to make that happen.
Was that resolved?
...
--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
Matt .
10 years ago
Hi,

Not yet, I'm busy with it right now.

I created a bug report where I'm checking the referenced bugs now, but I
didn't see a solution that fast.

https://bugzilla.redhat.com/show_bug.cgi?id=1235766

I did do points 3 & 4.

Matt
...