When attempting to install a replica against an old (3.0.0) master, the installation fails when requesting keytab for DS:
[26/44]: enabling SASL mapping fallback [27/44]: restarting directory server [28/44]: creating DS keytab [error] ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=ldap/replica2.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test'. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Traceback seen in ipareplica-install.log:
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 411, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1246, in _request_service_keytab super(DsInstance, self)._request_service_keytab() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 581, in _request_service_keytab self._add_service_principal() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 537, in _add_service_principal self.api.Command.service_add(self.principal, force=True) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ return self.__do_call(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 798, in run return self.execute(*args, **options) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1188, in execute self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1098, in wrapped return func(*call_args, **call_kwargs) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1516, in add_entry self.conn.add_s(str(entry.dn), list(attrs.items())) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 995, in error_handler raise errors.ACIError(info=info)
The root cause of this issue is probably caused by the fact that the remote connection in domain level 0 is created using host keytab of using Directory Manager password. Since ACIs permitting hosts to manage their own services were added in 4.2 release the old master denies this operations.
For this reason domain level 0 replica install should always use Directory manager credentials to create remote LDAP connection.
Metadata Update from @mbabinsk: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @fbarreto: - Custom field affects_doc reset - Custom field component reset - Custom field rhbz reset - Custom field type reset - Issue close_status updated to: None - Issue set to the milestone: None (was: FreeIPA 4.5)
Metadata Update from @fbarreto: - Custom field affects_doc reset
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue assigned to fbarreto (was: someone)
Metadata Update from @pvoborni: - Custom field design adjusted to wanted - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
PR to fix it https://github.com/freeipa/freeipa/pull/620
Metadata Update from @fbarreto: - Custom field design reset - Custom field tester reset - Issue set to the milestone: None (was: FreeIPA 4.5.1)
master:
ipa-4-5:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue set to the milestone: FreeIPA 4.5.1 - Issue status updated to: Closed (was: Open)
@pvoborni Do we want to clone this to BZ?
@tkrizek 100% yes, otherwise one doesn not simply migrate from older IPA
Metadata Update from @tkrizek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434910
Issue linked to Bugzilla: Bug 1434910
Login to comment on this ticket.