[Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

Steven Jones Steven.Jones at vuw.ac.nz
Mon Feb 16 23:31:03 UTC 2015 

yep this is all double dutch to me.

regards

Steven

________________________________________
From: Rob Crittenden <rcritten at redhat.com>
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

Steven Jones wrote:
> ?
>
> ====
> [root at xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> SASL/GSSAPI authentication started
> SASL username:   xxxx
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
>
> # numResponses: 1

Did you literally use $SUFFIX? You need to use dc=example,dc=com,
whatever is appropriate for your install.

rob

>
> ====
>
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden <rcritten at redhat.com>
> Sent: Tuesday, 17 February 2015 10:59 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> Hi,
>>
>> I have no idea how.
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> It should have an attribuete cACertificate;binary likely beginning with
> MII. If it begins with TU then it is likely double-encoded.
>
> And remember, this may be a red herring.
>
> rob
>
>>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden <rcritten at redhat.com>
>> Sent: Tuesday, 17 February 2015 10:40 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>>
>> Steven Jones wrote:
>>> While attempting to initialise the new server I am getting,
>>>
>>>
>>> [root at xx <mailto:root at vuwunicoipam001> replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
>>>
>>>
>>> =====8><----
>>> packages/ipaserver/install/plugins/update_uniqueness.py'
>>> ipa         : DEBUG    importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>>> ipa         : DEBUG    importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>>> ipa.ipaserver.install.installutils: DEBUG    group dirsrv exists
>>> ipa.ipaserver.install.installutils: DEBUG    user dirsrv exists
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection context.ldap2_59928528
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG    flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
>>> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Destroyed connection context.ldap2_59928528
>>> ipa         : DEBUG      File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>>     return_value = main_function()
>>>
>>>   File "/sbin/ipa-replica-install", line 658, in main
>>>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>>
>>>   File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>>>     sys.exit(1)
>>>
>>> ipa         : DEBUG    The ipa-replica-install command failed, exception: SystemExit: 1
>>>
>>> ========
>>>
>>>
>>> Any idea what is wrong please?
>>
>> What a strange error. My initial thought was that it couldn't read or
>> parse the CA cert from the 3.0 master, but this security library error
>> is unexpected.
>>
>> I might be sending you on a wild goose chase but take a look at the CA
>> cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> There was a bug quite a while back where the cert value was
>> double-base64-encoded. I wouldn't expect this error from this problem
>> but who knows.
>>
>> rob
>>
>
>

More information about the Freeipa-users mailing list