Debian Bug report logs - #786411
freeipa: replication doesn't work, how to get it to work...


Package: freeipa-server; Maintainer for freeipa-server is (unknown);

Reported by: Holger Levsen <holger@layer-acht.org>

Date: Thu, 21 May 2015 12:42:02 UTC

Severity: important

Found in version freeipa/4.0.5-5

Fixed in version 4.0.5-6+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#786411; Package freeipa. (Thu, 21 May 2015 12:42:07 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
New Bug report received and forwarded. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Thu, 21 May 2015 12:42:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: submit@bugs.debian.org
Subject: freeipa: replication doesn't work, how to get it to work...
Date: Thu, 21 May 2015 14:39:47 +0200
package: freeipa
severity: important

Hi,

I'm filing this bug to (try to) document how to get freeipa replication to 
work on Debian jessie. I'm filing this bug with severity important as I think 
replication is a major and mandatory feature for this software.

The version of freeipa in Debian is currently 4.0.5 and is known to need 
openldap built against libnss for working replication - a switch to GSSAPI has 
been planned for freeipa 4.2 (which will make this moot), though there is no 
ETA for that.

The bug about building openldap against libnss is #725153 (in Debian openldap 
is currently built against gnutls) and in that bug Timo pointed to 
git://git.debian.org/git/users/tjaalton/openldap.git where he has provided 
patches to achieve that.

In *this* bug (here) I want to document the steps I've taken to get 
replication to work, based on a jessie system.

- build dogtag-pki (10.2.0-4) against jessie
- build bind-dyndb-ldap (6.0-4) against jessie
- build openldap (from the above git repo at c982527e5ac / 2.4.40+dfsg-2) 
against jessie
- build 389-ds-base (1.3.3.5-4) against that openldap built and jessie
- build freeipa (4.0.5-4) against that 389-ds-base, openldap and jessie

With these preparations I've set up a freeipa server simply with 

# apt-get install freeipa-server
# ipa-server-install

Preparing the replica (on the master) also just works in this setup:

# ipa-replica-prepare --ip-address 192.168.178.38 replica.example.org

(On Ubuntu there is lp#1449304 "ipa-replica-prepare fails due to gnupg-agent 
missing".)

Then I ran "apt-get install freeipa-server" on the replica and copied 
/var/lib/ipa/replica-info-replica.example.org.gpg from the master to the 
replica server.

Then I ran this to replicate:

# ipa-replica-install --setup-dns --forwarder=192.168.178.30 \
	 /var/lib/ipa/replica-info-replica.example.org.gpg

which fails, claiming it cannot reach the KDC on port 88.

So on the master one needs to edit /etc/krb5kdc/kdc.conf and add this line:
	kdc_tcp_ports = 750,88 
(this deserves another bug I'll file after sending this one.)

and restart it:

# service krb5-kdc restart

when I then again run 

# ipa-replica-install --setup-dns --forwarder=192.168.178.30 \
	 /var/lib/ipa/replica-info-replica.example.org.gpg

it fails with:

------begin------
[...]
Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/34]: creating directory server user
  [2/34]: creating directory server instance
  [3/34]: adding default schema
  [4/34]: enabling memberof plugin
  [5/34]: enabling winsync plugin
  [6/34]: configuring replication version plugin
  [7/34]: enabling IPA enrollment plugin
  [8/34]: enabling ldapi
  [9/34]: configuring uniqueness plugin
  [10/34]: configuring uuid plugin
  [11/34]: configuring modrdn plugin
  [12/34]: configuring DNS plugin
  [13/34]: enabling entryUSN plugin
  [14/34]: configuring lockout plugin
  [15/34]: creating indices
  [16/34]: enabling referential integrity plugin
  [17/34]: configuring ssl for ds instance
  [18/34]: configuring certmap.conf
  [19/34]: configure autobind for root
  [20/34]: configure new location for managed entries
  [21/34]: configure dirsrv ccache
  [22/34]: enable SASL mapping fallback
  [23/34]: restarting directory server
  [24/34]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa-master.example.org] reports: Update failed! Status: [-11  - LDAP error: Connect error]


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication

------end------

But this was actually *without* the openldap and 389-ds-base packages built 
against libnss (as shown in #725153) - but just with pure rebuilds of the 
packages in sid against jessie.

What's strange is that even with the unmodified openldap packages I get this:

# ldapsearch -H ldaps://ipa-master.example.org -x -ZZZ -d 1
ldap_url_parse_ext(ldaps://ipa-master.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ipa-master.example.org:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ipa-master.example.org:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.178.34:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: (unknown error code)


So, what happens when using the openldap, 389-ds-base and freeipa packages 
rebuilt against libnss as described in #725153:

# ldapsearch -H ldaps://ipa-master.example.org -x -ZZZ -d 1
ldap_url_parse_ext(ldaps://ipa-master.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ipa-master.example.org:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ipa-master.example.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.178.34:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: could not initialize moznss PEM module - error -5977:Failure to load dynamic library.
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5977:Failure to load dynamic library
TLS: can't create ssl handle.
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)

and as such, replication obviously also fails:

2015-05-21T11:34:37Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-05-21T11:34:37Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 639, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 608, in main
    tls_cacertfile=CACERT)

  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)

  File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 169, in create_connection
    clientctrls=clientctrls)

  File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)

  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1200, in error_handler
    error=info)

2015-05-21T11:34:37Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa-master.example.org':


So at the moment my replication problem is foremost an ldap connection 
problem, but I thought I'd write down these steps anyway, hoping they are 
useful for others.



Oh, and if I run ipa-server-install using the packages built against libnss 
this fails with:

------------begin---------------
Restarting the certificate server
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: setting up CA record
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: restarting named
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Unable to set admin password Command ''/usr/bin/ldappasswd' '-h' 'ipa-master.example.org' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y' '/var/lib/ipa/tmp6adcss' '-T' '/var/lib/ipa/tmpqpdz6B' 'uid=admin,cn=users,cn=accounts,dc=profitbricks,dc=net'' returned non-zero exit status 1
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'example.org' '--server' 'ipa-master.example.org' '--realm' 'PROFITBRICKS.NET' '--hostname' 'ipa-master.example.org'' returned non-zero exit status 1
-------------end----------------

And obviously this freeipa-server doesn't work at all.

I'd be glad for any hints on how to proceed further! Also if you want me to test 
something, please shout!


cheers,
	Holger

Note: actually one wants to run ipa-replica-install with --setup-ca too, but 
there was another problem with it. One step at a time :)
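The two points where the replica install above stops (the master's KDC not answering on TCP/88, and the LDAPS handshake to the master failing) can be checked from the configuration file and the ldapsearch debug output alone. This is an added example, not part of the bug report or of FreeIPA; the kdc.conf text and the debug excerpts are constructed to match the shape of what the report quotes.

```python
import re

# Constructed sample in the shape of a jessie /etc/krb5kdc/kdc.conf, before and after the line the report adds.
KDC_CONF_BEFORE = """\
[kdcdefaults]
    kdc_ports = 750,88
[logging]
    kdc = FILE:/var/log/krb5kdc.log
"""
KDC_CONF_AFTER = KDC_CONF_BEFORE.replace(
    "kdc_ports = 750,88\n", "kdc_ports = 750,88\n    kdc_tcp_ports = 750,88\n")

def kdc_tcp_ports(conf_text):
    """TCP ports the KDC listens on, from kdc_tcp_ports in [kdcdefaults].
    kdc_ports alone is not enough: the report's connection check fails on TCP/88 without it."""
    section, ports = None, set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "kdcdefaults" and line.startswith("kdc_tcp_ports"):
            _, _, value = line.partition("=")
            ports.update(int(p) for p in re.split(r"[,\s]+", value.strip()) if p)
    return ports

# Constructed excerpts in the shape of the two 'ldapsearch -d 1' runs quoted in the report.
LDAP_DEBUG_UNTRUSTED = """\
connect success
TLS: peer cert untrusted or revoked (0x42)
ldap_start_tls: Can't contact LDAP server (-1)
"""
LDAP_DEBUG_MOZNSS = """\
connect success
TLS: could not initialize moznss PEM module - error -5977:Failure to load dynamic library.
ldap_start_tls: Can't contact LDAP server (-1)
"""

def classify_ldaps_failure(debug_text):
    """Name the layer at which the LDAPS client gave up, so the fix is
    aimed at the right place (network, trust store, or the NSS build)."""
    if "connect success" not in debug_text:
        return "tcp"        # never reached the 636 listener
    if "TLS: peer cert untrusted" in debug_text:
        return "trust"      # client does not trust the server's CA (check TLS_CACERT)
    if "moznss PEM module" in debug_text:
        return "nss-pem"    # NSS-built libldap could not load its PEM module
    return "ok"
```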

Marked as found in versions 4.0.5-5. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 21 May 2015 12:51:19 GMT)


Bug reassigned from package 'freeipa' to 'freeipa-server'. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 21 May 2015 12:51:20 GMT)


No longer marked as found in versions 4.0.5-5. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 21 May 2015 12:51:21 GMT)


Marked as found in versions freeipa/4.0.5-5. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 21 May 2015 13:00:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#786411; Package freeipa-server. (Tue, 26 May 2015 15:03:04 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Tue, 26 May 2015 15:03:04 GMT)


Message #18 received at 786411@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 786411@bugs.debian.org
Subject: further digging
Date: Tue, 26 May 2015 16:55:27 +0200
Hi,

so freeipa uses libapache-mod-auth-kerb currently, and this package build-
depends on libkrb5-dev which build-depends on libldap2-dev, which has 
been built against gnutls. So I'm wondering whether rebuilding those 
packages against libnss would be necessary as well - or if this would be a 
useless exercise?


cheers,
	Holger

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 28 Aug 2016 23:15:21 GMT)


Notification sent to Holger Levsen <holger@layer-acht.org>:
Bug acknowledged by developer. (Sun, 28 Aug 2016 23:15:21 GMT)


Message #23 received at 786411-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 770495-done@bugs.debian.org,781607-done@bugs.debian.org,786411-done@bugs.debian.org,787593-done@bugs.debian.org,795399-done@bugs.debian.org,809271-done@bugs.debian.org,828303-done@bugs.debian.org,829044-done@bugs.debian.org,832334-done@bugs.debian.org,835131-done@bugs.debian.org,
Cc: freeipa@packages.debian.org, freeipa@packages.qa.debian.org
Subject: Bug#835163: Removed package(s) from unstable
Date: Sun, 28 Aug 2016 23:14:49 +0000
Version: 4.0.5-6+rm

Dear submitter,

as the package freeipa has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/835163

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Chris Lamb (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Sep 2016 07:25:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 1 13:17:23 2023; Machine Name: buxtehude
