[Pkg-freeipa-devel] Bug#786411: freeipa: replication doesn't work, how to get it to work...
Holger Levsen
holger at layer-acht.org
Thu May 21 12:39:47 UTC 2015
package: freeipa
severity: important
Hi,
I'm filing this bug to (try to) document how to get freeipa replication to
work on Debian jessie. I'm filing this bug with severity important as I think
replication is a major and mandatory feature for this software.
The version of freeipa in Debian is currently 4.0.5 and is known to need
openldap built against libnss for working replication - a switch to GSSAPI has
been planned for freeipa 4.2 (which will make this moot), though there is no
ETA for that.
The bug about building openldap against libnss is #725153 (in Debian openldap
is currently built against gnutls) and in that bug Timo pointed to
git://git.debian.org/git/users/tjaalton/openldap.git where he has provided
patches to achieve that.
In *this* bug (here) I want to document the steps I've taken to get
replication to work, based on a jessie system.
- build dogtag-pki (10.2.0-4) against jessie
- build bind-dyndb-ldap (6.0-4) against jessie
- build openldap (from the above git repo at c982527e5ac / 2.4.40+dfsg-2)
against jessie
- build 389-ds-base (1.3.3.5-4) against that openldap built and jessie
- build freeipa (4.0.5-4) against that 389-ds-base, openldap and jessie
With these preparations I've set up a freeipa server simply with
# apt-get install freeipa-server
# ipa-server-install
Preparing the replica (on the master) also just works in this setup:
# ipa-replica-prepare --ip-address 192.168.178.38 replica.example.org
(On Ubuntu there is lp#1449304 "ipa-replica-prepare fails due to gnupg-agent
missing".)
Then I ran "apt-get install freeipa-server" on the replica and copied
/var/lib/ipa/replica-info-replica.example.org.gpg from the master to the
replica server.
Then I ran this to replicate:
# ipa-replica-install --setup-dns --forwarder=192.168.178.30 \
/var/lib/ipa/replica-info-replica.example.org.gpg
which fails, claiming it cannot reach the KDC on port 88.
So on the master one needs to edit /etc/krb5kdc/kdc.conf and add this line:
kdc_tcp_ports = 750,88
(this deserves another bug I'll file after sending this one.)
and restart it:
# service krb5-kdc restart
When I then run again
# ipa-replica-install --setup-dns --forwarder=192.168.178.30 \
/var/lib/ipa/replica-info-replica.example.org.gpg
it fails with:
------begin------
[...]
Connection from master to replica is OK.
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
[1/34]: creating directory server user
[2/34]: creating directory server instance
[3/34]: adding default schema
[4/34]: enabling memberof plugin
[5/34]: enabling winsync plugin
[6/34]: configuring replication version plugin
[7/34]: enabling IPA enrollment plugin
[8/34]: enabling ldapi
[9/34]: configuring uniqueness plugin
[10/34]: configuring uuid plugin
[11/34]: configuring modrdn plugin
[12/34]: configuring DNS plugin
[13/34]: enabling entryUSN plugin
[14/34]: configuring lockout plugin
[15/34]: creating indices
[16/34]: enabling referential integrity plugin
[17/34]: configuring ssl for ds instance
[18/34]: configuring certmap.conf
[19/34]: configure autobind for root
[20/34]: configure new location for managed entries
[21/34]: configure dirsrv ccache
[22/34]: enable SASL mapping fallback
[23/34]: restarting directory server
[24/34]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa-master.example.org] reports: Update failed! Status: [-11 - LDAP error: Connect error]
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Failed to start replication
------end------
But this was actually *without* the openldap and 389-ds-base packages built
against libnss (as shown in #725153) - but just with pure rebuilds of the
packages in sid against jessie.
What's strange is that even with the unmodified openldap packages I get this:
# ldapsearch -H ldaps://ipa-master.example.org -x -ZZZ -d 1
ldap_url_parse_ext(ldaps://ipa-master.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ipa-master.example.org:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ipa-master.example.org:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.178.34:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
additional info: (unknown error code)
So, what happens when using the openldap, 389-ds-base and freeipa packages
rebuilt against libnss as described in #725153:
# ldapsearch -H ldaps://ipa-master.example.org -x -ZZZ -d 1
ldap_url_parse_ext(ldaps://ipa-master.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ipa-master.example.org:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ipa-master.example.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.178.34:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: could not initialize moznss PEM module - error -5977:Failure to load dynamic library.
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5977:Failure to load dynamic library
TLS: can't create ssl handle.
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
and as such, replication obviously also fails:
2015-05-21T11:34:37Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-05-21T11:34:37Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 639, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 608, in main
    tls_cacertfile=CACERT)
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 169, in create_connection
    clientctrls=clientctrls)
  File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1200, in error_handler
    error=info)
2015-05-21T11:34:37Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa-master.example.org':
So at the moment my replication problem is foremost an ldap connection
problem, but I thought I'd write down these steps anyway, hoping they are
useful for others.
Oh, and if I run ipa-server-install using the packages built against libnss
this fails with:
------------begin---------------
Restarting the certificate server
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: setting up CA record
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
[10/12]: restarting named
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
Unable to set admin password Command ''/usr/bin/ldappasswd' '-h' 'ipa-master.example.org' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y' '/var/lib/ipa/tmp6adcss' '-T' '/var/lib/ipa/tmpqpdz6B' 'uid=admin,cn=users,cn=accounts,dc=profitbricks,dc=net'' returned non-zero exit status 1
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'example.org' '--server' 'ipa-master.example.org' '--realm' 'PROFITBRICKS.NET' '--hostname' 'ipa-master.example.org'' returned non-zero exit status 1
-------------end----------------
And obviously this freeipa-server doesn't work at all.
I'd be glad for any hints how to proceed further! Also if you want me to test
something, please shout!
cheers,
Holger
Note: actually one wants to run ipa-replica-install with --setup-ca too, but
there was another problem with it. One step at a time :)
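A small preflight check for the two blockers described in this report, added here as an example and not part of the bug report or of freeipa itself: it parses the KDC's kdc.conf for a kdc_tcp_ports entry that includes 88 (the fix applied on the master above) and classifies the TLS failure lines from "ldapsearch -ZZ -d 1" into the two causes seen above. The sample kdc.conf and all function names are constructed for this example.

```python
import re

# Constructed sample of /etc/krb5kdc/kdc.conf. kdc_ports is UDP only; without
# kdc_tcp_ports the KDC is unreachable on TCP 88, as the report above shows.
SAMPLE_KDC_CONF = """[kdcdefaults]
    kdc_ports = 750,88
[realms]
    EXAMPLE.ORG = {
        database_name = /var/lib/krb5kdc/principal
    }
"""

def kdc_tcp_ports(conf_text):
    """Return the TCP ports listed under kdc_tcp_ports in [kdcdefaults]."""
    section, ports = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "kdcdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "kdc_tcp_ports":
                ports = [int(p) for p in re.split(r"[,\s]+", value.strip()) if p]
    return ports

def ensure_kdc_tcp_88(conf_text):
    """Add 'kdc_tcp_ports = 750,88' to [kdcdefaults] unless TCP 88 is already on."""
    if 88 in kdc_tcp_ports(conf_text):
        return conf_text
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "[kdcdefaults]":
            lines.insert(i + 1, "    kdc_tcp_ports = 750,88")
            break
    else:                                           # no [kdcdefaults] section yet
        lines[0:0] = ["[kdcdefaults]", "    kdc_tcp_ports = 750,88"]
    return "\n".join(lines) + "\n"

def classify_ldap_tls_failure(debug_output):
    """Map the TLS lines of 'ldapsearch -ZZ -d 1' output to the cause seen above."""
    if "peer cert untrusted or revoked" in debug_output:
        return "ca-not-trusted"    # GnuTLS build: client does not trust the IPA CA
    if "could not initialize moznss" in debug_output:
        return "moznss-init"       # libnss build: PEM module library failed to load
    if "TLS: can't" in debug_output:
        return "tls-other"
    return "ok"
```

Run ensure_kdc_tcp_88 over the real file contents on the master before ipa-replica-install, then restart krb5-kdc as the report does.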