#2751 Setup IPA Replica of different version than Master failed
Closed: Invalid None Opened 11 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=819110 (Red Hat Enterprise Linux 6)

Description of problem:

Trying to test something else, I ran into a problem when trying to have one IPA
server on RHEL 6.2 and another on 6.3. I tried both master=6.3/replica=6.2
and master=6.2/replica=6.3. I'll have to re-run the tests to get the latter
error, but I believe it was the same as the former, which I have here:

I set up a RHEL 6.3 IPA Master. Then I tried to set up a RHEL 6.2 Replica,
but the install fails. However, during install, I do see some errors, but not
the invalid syntax ones. Could those be from multiple re-install attempts?

### On MASTER:
# ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN

### On REPLICA:
# ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg

...looked normal until the following error:

  [29/29]: configuring directory to start on boot
done configuring dirsrv.
creation of replica failed: [Errno 2] No such file or directory:
'/tmp/tmp1O5dxFipa/realm_info/ldappwd'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Version-Release number of selected component (if applicable):
master=2.2.0-12 from RHEL 6.3
replica=2.1.3-9 from RHEL 6.2

How reproducible:
always

Steps to Reproduce:
On MASTER (RHEL 6.3):
1.  <setup rhel 6.3 master>
2.  ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN
On REPLICA (RHEL 6.2)
3.  sftp root@$MASTERIP:/var/lib/ipa/replica-info-$hostname_s.$DOMAIN.gpg
4.  ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg

Actual results:

  [29/29]: configuring directory to start on boot
done configuring dirsrv.
creation of replica failed: [Errno 2] No such file or directory:
'/tmp/tmp1O5dxFipa/realm_info/ldappwd'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:

6.2 server setup as replica of the 6.3 master.

Additional info:

Add a version to replica file and compare during installation.

Remember to handle old replica files that don't provide a version. I think forcing them to prepare a new file is ok.

I've been having a devil of a time trying to reproduce this. We no longer have RHEL 6.2 templates for VMs in the lab, only 6.3. On the assumption the RHEL update is probably not significant, I created 6.3 VMs and installed the specific ipa packages on them. Setting up the CA on the replica always fails when pkisilent aborts with a classpath error for ConfigureCA; however, the class is defined in an installed jar (/usr/share/java/pki/pki-silent.jar) which is in the class path. I also tried doing a normal server install and pkisilent also failed. This is on x86_64, which I know at one point had some Java class path issues for native jars. I also verified the problem is not due to a partial install because I nuked the VM and rebuilt it from scratch. FWIW, the CA installed cleanly on the master.

At this point I've sunk 2 days into trying to reproduce this problem and I think time is better spent looking at other bugs. There appears to be a problem with pki-ca and pki-silent that has nothing to do with the problem reported here. For the near term I'm going to put this one on hold and come back to it later.

I finally was able to reproduce this; it is very reproducible. The initial problem was due to incompatibility between the ipa versions cited above and current dogtag versions. However, if you use the current ipa rpms in RHEL 6.3 and RHEL 6.2 you can install the server and prepare the replica.

on the master I'm using 2.1.3-9.el6.x86_64
on the replica I'm using 2.1.3-9.el6.x86_64

It appears the problem is the 6.2 version is expecting ldap_passwd_filename and kpasswd_filename to be passed in the replica config data, but the 6.3 version does not include that data.

Next I have to figure out how those values are being used in 6.2 and why they're not used in 6.3.

OK, here's the problem:

In IPA 2.2 and above the kdc ldap driver was changed, the kdc no longer uses a password to bind to the ldap backend. Thus replication configuration prepared on IPA 2.2 and above omits the ldap password for the kdc. But IPA 2.1 servers require this password. The consensus at this point is that replicas cannot be created between IPA > 2.2 and IPA <= 2.1

This will be converted to a doc bug.

There was a typo in comment #8, the master is using 2.2.0-16.el6.x86_64

The rule of thumb should be: a replica can be created from an older to a newer version, but not a newer version to an older one.

The only time that there should be mixed versions of IPA is during upgrades. Adding a new replica during this time is not recommended but if required it should be made as the latest version.
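
The version check proposed earlier in this ticket, combined with the older-to-newer rule of thumb above, could look like the following. This is an added example, not FreeIPA code: the "version" key in the replica info data and the function names are hypothetical, and comparing on major.minor only is an assumption. The sample versions are the package versions quoted in the ticket.

```python
import re

def parse_version(text):
    """'2.2.0-16.el6.x86_64' -> (2, 2, 0); the package release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def replica_file_problem(realm_info, local_version):
    """Return None if the file may be installed here, else a reason string.

    realm_info: key/value pairs read from the replica info file. The
    'version' key is hypothetical; it is the field the ticket proposes adding.
    """
    prepared_by = realm_info.get("version")
    if prepared_by is None:
        # Old files carry no version: refuse and ask for a freshly prepared one.
        return "replica file has no version; prepare a new file on the master"
    try:
        master, local = parse_version(prepared_by), parse_version(local_version)
    except ValueError as exc:
        return str(exc)
    # Assumption: compatibility is decided on major.minor only.
    if master[:2] > local[:2]:
        return (f"file prepared by {prepared_by}, this host runs {local_version}: "
                "a replica cannot be older than its master")
    return None

def preflight(realm_info, local_version):
    """Call before the first configuration step so a mismatch changes nothing."""
    problem = replica_file_problem(realm_info, local_version)
    if problem:
        raise SystemExit(f"refusing to install replica: {problem}")

if __name__ == "__main__":
    # Constructed samples using the package versions quoted in the ticket.
    cases = [
        ({"version": "2.2.0-16.el6.x86_64"}, "2.1.3-9.el6.x86_64"),  # newer master
        ({"version": "2.1.3-9.el6.x86_64"}, "2.2.0-12"),             # older master
        ({}, "2.2.0-12"),                                            # pre-version file
    ]
    for info, local in cases:
        print(local, "<-", info, "=>", replica_file_problem(info, local) or "ok")
```

Running the check first means a mismatched file is rejected before dirsrv is configured, instead of failing late and leaving a partly configured system that has to be uninstalled.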

The FreeIPA project no longer actively maintains an upstream guide (see details). This ticket is already cloned to the RHEL downstream guide, so the issue should be fixed at least there. Closing the upstream ticket.

Metadata Update from @mkosek:
- Issue assigned to elladeon
- Issue set to the milestone: FreeIPA 3.x Documentation

7 years ago
