-
Bug
-
Resolution: Unresolved
-
rhel-9.8, rhel-10.2
-
ipa-4.13.1-3.el9
-
Critical
-
rhel-idm-ipa
-
QE ack, Dev ack
-
Pass
-
Automated
Deploying a replica using another replica as the server fails in the replica conncheck:
# /usr/sbin/ipa-replica-conncheck --master replica3.ipadomain.test --auto-master-check --realm IPADOMAIN.TEST --hostname replica4.ipadomain.test --principal admin --password Secret.123 --ca-cert-file /etc/ipa/ca.crt
Check connection from replica to remote master 'replica3.ipadomain.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check RPC connection to remote master
Execute check on remote master
ERROR: Remote master check failed with following error message(s):
an internal error has occurred
The deployment was done with ansible-freeipa.
System log on replica3:
Feb 10 09:14:15 replica3.ipadomain.test dbus-broker[730]: A security policy denied :1.160 to send method call /:org.freeipa.server.conncheck to org.freeipa.server.
Feb 10 09:14:15 replica3.ipadomain.test /mod_wsgi[37021]: [IPA.API] admin@IPADOMAIN.TEST: server_conncheck: DBusException [ldap2_139836621592704] {"cn": "replica3.ipadomain.test", "remote_cn": "replica4.ipadomain.test", "version": "2.162"}
Restarting dbus and httpd on replica3 fixes the issue.
# /usr/sbin/ipa-replica-conncheck --master replica3.ipadomain.test --auto-master-check --realm IPADOMAIN.TEST --hostname replica4.ipadomain.test --principal admin --password Secret.123 --ca-cert-file /etc/ipa/ca.crt
Check connection from replica to remote master 'replica3.ipadomain.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check RPC connection to remote master
Execute check on remote master
Check connection from master to remote replica 'replica4.ipadomain.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.
$ rpm -qa "ipa*" | sort -u
ipa-client-4.13.1-2.el9.x86_64
ipa-client-common-4.13.1-2.el9.noarch
ipa-common-4.13.1-2.el9.noarch
ipa-healthcheck-core-0.19-1.el9.noarch
ipa-selinux-4.13.1-2.el9.noarch
ipa-server-4.13.1-2.el9.x86_64
ipa-server-common-4.13.1-2.el9.noarch
- links to RHSA-2025:154922 (ipa security update)
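Added example (not part of the original report and not FreeIPA code): a triage helper that correlates the two system-log lines quoted above, so that a `server_conncheck` failure caused by a D-Bus policy denial on the master can be told apart from a blocked port. The function name, the 5-second correlation window and the fixed year used to parse syslog timestamps are assumptions.

```python
import json
import re
from datetime import datetime

# The two system-log lines quoted in the report (from replica3).
SAMPLE_LOG = r'''Feb 10 09:14:15 replica3.ipadomain.test dbus-broker[730]: A security policy denied :1.160 to send method call /:org.freeipa.server.conncheck to org.freeipa.server.
Feb 10 09:14:15 replica3.ipadomain.test /mod_wsgi[37021]: [IPA.API] admin@IPADOMAIN.TEST: server_conncheck: DBusException [ldap2_139836621592704] {"cn": "replica3.ipadomain.test", "remote_cn": "replica4.ipadomain.test", "version": "2.162"}'''

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
DENY_RE = re.compile(PREFIX + r"dbus-broker\[\d+\]: A security policy denied "
                     r"(?P<sender>\S+) to send method call (?P<path>/\S*?):"
                     r"(?P<member>[\w.]+) to (?P<dest>[\w.]+?)\.$")
API_RE = re.compile(PREFIX + r"/mod_wsgi\[\d+\]: \[IPA\.API\] (?P<principal>\S+): "
                    r"(?P<cmd>\w+): (?P<result>\w+) \[[^\]]*\] (?P<args>\{.*\})$")


def _when(ts):
    # Syslog timestamps carry no year; a fixed one is assumed for comparison.
    return datetime.strptime("2000 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")


def conncheck_dbus_denials(lines, window_seconds=5):
    """Return server_conncheck DBusException events that coincide with a
    dbus-broker policy denial for org.freeipa.server on the same host."""
    denials, findings = [], []
    for line in lines:
        m = DENY_RE.match(line.strip())
        if m and m["dest"] == "org.freeipa.server":
            denials.append((m["host"], _when(m["ts"]), m["sender"], m["member"]))
    for line in lines:
        m = API_RE.match(line.strip())
        if not m or (m["cmd"], m["result"]) != ("server_conncheck", "DBusException"):
            continue
        for host, when, sender, member in denials:
            gap = abs((_when(m["ts"]) - when).total_seconds())
            if host == m["host"] and gap <= window_seconds:
                findings.append({"host": host, "principal": m["principal"],
                                 "remote_cn": json.loads(m["args"]).get("remote_cn"),
                                 "denied_sender": sender, "denied_call": member})
                break
    return findings


if __name__ == "__main__":
    for finding in conncheck_dbus_denials(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding means the ports were reachable and the failure happened on the master's D-Bus side, which matches the state the report describes before dbus and httpd were restarted.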