ipa-replica-prepare fails with error 'Password reuse not permitted'
Issue
- Trying to set up a RHEL7 IdM replica fails with the error 'Password reuse not permitted'. Debug logs are similar to those below:

    [root@master ~]# ipa-replica-prepare --debug replica.example.com
    ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
    ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
    ipa: DEBUG: importing plugin module ipaserver.plugins.aci
    ipa: DEBUG: importing plugin module ipaserver.plugins.automember
    ipa: DEBUG: importing plugin module ipaserver.plugins.automount
    ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
    ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
    ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
    ipa: DEBUG: importing plugin module ipaserver.plugins.batch
    ipa: DEBUG: importing plugin module ipaserver.plugins.ca
    ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
    ipa: DEBUG: importing plugin module ipaserver.plugins.cert
    ipa: DEBUG: importing plugin module ipaserver.plugins.certmap
    ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
    ipa: DEBUG: importing plugin module ipaserver.plugins.config
    ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
    ipa: DEBUG: importing plugin module ipaserver.plugins.dns
    ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
    ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
    ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
    ipa: DEBUG: importing plugin module ipaserver.plugins.group
    ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
    ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
    ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
    ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
    ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
    ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
    ipa: DEBUG: importing plugin module ipaserver.plugins.host
    ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
    ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
    ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
    ipa: DEBUG: importing plugin module ipaserver.plugins.internal
    ipa: DEBUG: importing plugin module ipaserver.plugins.join
    ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
    ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
    ipa: DEBUG: importing plugin module ipaserver.plugins.location
    ipa: DEBUG: importing plugin module ipaserver.plugins.migration
    ipa: DEBUG: importing plugin module ipaserver.plugins.misc
    ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
    ipa: DEBUG: importing plugin module ipaserver.plugins.otp
    ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
    ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
    ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
    ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
    ipa: DEBUG: importing plugin module ipaserver.plugins.permission
    ipa: DEBUG: importing plugin module ipaserver.plugins.ping
    ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
    ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
    ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
    ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
    ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
    ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
    ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
    ipa: DEBUG: importing plugin module ipaserver.plugins.role
    ipa: DEBUG: importing plugin module ipaserver.plugins.schema
    ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
    ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
    ipa: DEBUG: importing plugin module ipaserver.plugins.server
    ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
    ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
    ipa: DEBUG: importing plugin module ipaserver.plugins.service
    ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
    ipa: DEBUG: importing plugin module ipaserver.plugins.session
    ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
    ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
    ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
    ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
    ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
    ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
    ipa: DEBUG: importing plugin module ipaserver.plugins.topology
    ipa: DEBUG: importing plugin module ipaserver.plugins.trust
    ipa: DEBUG: importing plugin module ipaserver.plugins.user
    ipa: DEBUG: importing plugin module ipaserver.plugins.vault
    ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
    ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
    ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
    ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
    ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_71869456
    ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x61bf3f8>
    Directory Manager (existing ) password:
    ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_71869456
    ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_71869456
    ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.228')
    ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.228')
    ipa: DEBUG: Search DNS for replica.example.com
    ipa: DEBUG: Check if replica.example.com is not a CNAME
    ipa: DEBUG: Check reverse address of 10.10.10.20
    ipa: DEBUG: Found reverse name: replica.example.com
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging to a file
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: ipa-replica-prepare was invoked with arguments ['replica.example.com'] and options: {'password': None, 'ca_file': '/root/cacert.p12', 'verbose': True, 'auto_reverse': False, 'ip_addresses': [], 'quiet': False, 'dirsrv_cert_name': None, 'http_cert_name': None, 'dirsrv_cert_files': None, 'http_cert_files': None, 'wait_for_dns': True, 'no_reverse': False, 'log_file': None, 'allow_zone_overlap': False, 'reverse_zones': []}
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: IPA version 4.5.0-22.el7_4
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing replica for replica.example.com from master.example.com
    ipa: DEBUG: Starting external process
    ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias -p /tmp/tmp1RdkBb -w /tmp/tmpc7mGNG -o /root/cacert.p12
    ipa: DEBUG: Process finished, return code=0
    ipa: DEBUG: stdout=Export complete.
    ipa: DEBUG: stderr=
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 321, in run
        self.copy_ds_certificate()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 358, in copy_ds_certificate
        self.update_pki_admin_password()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 586, in update_pki_admin_password
        api.Backend.ldap2.modify_password(dn, self.dirman_password)
      File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 390, in modify_password
        self.conn.passwd_s(str(dn), old_pass, new_pass)
      File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
        self.gen.throw(type, value, traceback)
      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 975, in error_handler
        raise errors.DatabaseError(desc=desc, info=info)
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: DatabaseError: Constraint violation: Password reuse not permitted
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint violation: Password reuse not permitted
    ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed.
Environment
- Red Hat Enterprise Linux 7 (RHEL) IdM
- ipa-server-4.5.0-22.
- Password policy is set up, restricting password reuse (History size).
