I'm trying to create a replica of my single FreeIPA server to aid in migration and move to a clustered environment.
I spun up a CentOS host, enrolled it as a client to the IPA server, and added it to the group ipaservers. I then ran ipa-replica-install after running kinit to log in as admin.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: configure autobind for root
[3/41]: stopping directory server
[4/41]: updating configuration in dse.ldif
[5/41]: starting directory server
[6/41]: adding default schema
[7/41]: enabling memberof plugin
[8/41]: enabling winsync plugin
[9/41]: configure password logging
[10/41]: configuring replication version plugin
[11/41]: enabling IPA enrollment plugin
[12/41]: configuring uniqueness plugin
[13/41]: configuring uuid plugin
[14/41]: configuring modrdn plugin
[15/41]: configuring DNS plugin
[16/41]: enabling entryUSN plugin
[17/41]: configuring lockout plugin
[18/41]: configuring topology plugin
[19/41]: creating indices
[20/41]: enabling referential integrity plugin
[21/41]: configuring certmap.conf
[22/41]: configure new location for managed entries
[23/41]: configure dirsrv ccache and keytab
[24/41]: enabling SASL mapping fallback
[25/41]: restarting directory server
[26/41]: creating DS keytab
[error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/[email protected]', '-H', 'ldaps://ipa.whitefamilyserver.com'] returned non-zero exit status 9: 'Failed to parse result: Failed to decode GetKeytab Control.\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/[email protected]', '-H', 'ldaps://ipa.whitefamilyserver.com'] returned non-zero exit status 9: 'Failed to parse result: Failed to decode GetKeytab Control.\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
As you can see, the command fails. It says it has insufficient permissions, but I don't see which permission to add to allow this command to work properly.
Yet when I run the command that failed manually, it succeeds. So why does it fail during the install, but not when I run it manually?
[root@ipa-apollo mendicant]# ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/[email protected] -H ldaps://ipa.whitefamilyserver.com
Failed to parse result: Failed to decode GetKeytab Control.
Retrying with pre-4.0 keytab retrieval method...
Failed to retrieve encryption type AES-128 CTS mode with 128-bit SHA-256 HMAC (#19)
Failed to retrieve encryption type Camellia-128 CTS mode with CMAC (#25)
Keytab successfully retrieved and stored in: /etc/dirsrv/ds.keytab
Extended downtime will not be an issue to try and fix this.
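As an added example (not part of the original question or of FreeIPA itself), the following Python helper parses the installer output shown above: it picks up the last "[n/41]: ..." step before the "[error] CalledProcessError" line, decodes the argv list and the escaped stderr text, and attaches a short note for the two messages that appear in it ("Failed to decode GetKeytab Control" and "Insufficient access rights"). The sample log is constructed, with placeholder hostnames and realm; the function and class names are my own.

```python
import ast
import re
from dataclasses import dataclass, field

# Constructed sample of ipa-replica-install output (placeholder host names and
# realm). The installer prints the Python repr of the failure, so the stderr
# text carries literal backslash-n escapes on a single line.
SAMPLE_LOG = r"""Configuring directory server (dirsrv). Estimated time: 30 seconds
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/replica.example.test@EXAMPLE.TEST', '-H', 'ldaps://master.example.test'] returned non-zero exit status 9: 'Failed to parse result: Failed to decode GetKeytab Control.\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
"""

# "[26/41]: creating DS keytab" -> progress step of the installer
STEP_RE = re.compile(r"^\s*\[(\d+)/(\d+)\]: (.+)$")

# "CalledProcessError(Command [...] returned non-zero exit status N: '...')"
ERROR_RE = re.compile(
    r"CalledProcessError\(Command (?P<cmd>\[.*?\]) returned non-zero exit status "
    r"(?P<status>\d+): (?P<stderr>'.*')\)$"
)

# Notes keyed on the messages seen in the page's output (hypothetical wording).
HINTS = {
    "Failed to decode GetKeytab Control": (
        "The newer GetKeytab control could not be used and ipa-getkeytab fell "
        "back to the pre-4.0 retrieval method; by itself this is informational."
    ),
    "Insufficient access rights": (
        "The LDAP server denied the keytab retrieval to the identity the "
        "installer authenticated as; this is an access-control denial, not a "
        "network or transport error, so compare that identity and its rights "
        "with the credentials used when the command succeeds by hand."
    ),
}


@dataclass
class InstallFailure:
    step: str               # installer step that was running when it failed
    command: list           # argv of the subprocess that returned non-zero
    exit_status: int
    stderr: str             # stderr with escapes decoded into real newlines
    hints: list = field(default_factory=list)


def parse_install_log(text):
    """Return the first CalledProcessError in the installer output, or None."""
    last_step = None
    for line in text.splitlines():
        step = STEP_RE.match(line)
        if step:
            last_step = step.group(3)
            continue
        m = ERROR_RE.search(line)
        if not m:
            continue
        # Both fragments are valid Python literals (a list and a quoted str),
        # so literal_eval decodes them safely without executing anything.
        command = ast.literal_eval(m.group("cmd"))
        stderr = ast.literal_eval(m.group("stderr"))
        failure = InstallFailure(
            step=last_step, command=command,
            exit_status=int(m.group("status")), stderr=stderr,
        )
        failure.hints = [h for marker, h in HINTS.items() if marker in stderr]
        return failure
    return None


def keytab_args(command):
    """Map ipa-getkeytab's -k/-p/-H options to their values for quick review."""
    wanted = {"-k", "-p", "-H"}
    return {opt: val for opt, val in zip(command, command[1:]) if opt in wanted}


if __name__ == "__main__":
    failure = parse_install_log(SAMPLE_LOG)
    print("failed step :", failure.step)
    print("exit status :", failure.exit_status)
    print("keytab args :", keytab_args(failure.command))
    for hint in failure.hints:
        print("note        :", hint)
```

Feed it the text of /var/log/ipareplica-install.log or the captured terminal output; the principal and server extracted by keytab_args are the values to check against the identity that later retrieves the keytab successfully.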
0 Answers