Bug 1026434

Summary: ipa-server-install crashes when AD subpackage is not installed
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: high
Priority: unspecified
Version: 7.0
CC: mpolovka, nsoman, rcritten, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.3.3-2.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:58:15 UTC

Description Martin Kosek 2013-11-04 16:05:29 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4011

This issue was caused by #3479. ipa-server-install should not depend so heavily on an optional subpackage `freeipa-server-trust-ad`:

{{{
# ipa-server-install 
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-install", line 43, in <module>
    from ipaserver.install import adtrustinstance
ImportError: cannot import name adtrustinstance
}}}
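
One way an installer can tolerate a missing optional module instead of crashing at import time, as an added example (not the upstream FreeIPA fix, which this page does not show). The package name `demo_ipainstall`, the step label `adtrust` and the functions `load_optional`, `plan_install` and `build_demo_package` are hypothetical.

```python
import importlib
import os
import sys
import tempfile


def load_optional(modname):
    """Import an optional module; return None only if that module is absent."""
    try:
        return importlib.import_module(modname)
    except ModuleNotFoundError as exc:
        # exc.name is the module that could not be found. Swallow the error
        # only when it is the optional module itself; a missing parent package
        # or a missing dependency inside the module is a real fault.
        if exc.name == modname:
            return None
        raise


def plan_install(setup_adtrust, adtrust):
    """Return the ordered install steps; fail early if AD trust is unavailable."""
    steps = ["dirsrv", "krb5kdc", "httpd"]
    if setup_adtrust:
        if adtrust is None:
            raise RuntimeError("AD trust requested but its subpackage is not installed")
        steps.append("adtrust")
    return steps


def build_demo_package():
    """Constructed sample: a package without adtrustinstance, plus a broken module."""
    root = tempfile.mkdtemp()
    pkg = os.path.join(root, "demo_ipainstall")
    os.mkdir(pkg)
    open(os.path.join(pkg, "__init__.py"), "w").close()
    with open(os.path.join(pkg, "broken.py"), "w") as fh:
        fh.write("import demo_missing_dependency\n")
    sys.path.insert(0, root)
    importlib.invalidate_caches()
    return root


if __name__ == "__main__":
    build_demo_package()
    adtrust = load_optional("demo_ipainstall.adtrustinstance")
    print("adtrust available:", adtrust is not None)
    print("steps:", plan_install(False, adtrust))
```

Catching every `ImportError` would also hide a broken install of the optional package itself, which is why the guard compares `exc.name` with the requested module.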

Comment 2 Martin Kosek 2013-11-05 08:13:16 UTC
Bumping severity, this affects tests.

Comment 3 Martin Kosek 2013-11-05 14:56:55 UTC
Fixed upstream:

master: 989493979da3ef1136a9b346cace5689ef22eed8
ipa-3-3: 90ac36c780d6e5d0bcb26f8c7f153d35af1db70f

Comment 5 Scott Poore 2013-11-15 00:24:05 UTC
Verified.

Version ::

ipa-server-3.3.3-3.el7.x86_64

Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ1026434 -  ipa-server-install crashes when AD subpackage is not installed
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


package ipa-server-trust-ad is not installed
:: [   PASS   ] :: Checking for the non-presence of ipa-server-trust-ad rpm 
:: [   PASS   ] :: Running 'ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel7-1.testrelm.com --mkhomedir -r TESTRELM.COM -n testrelm.com -p Secret123 -P Secret123 -a Secret123 -U > /tmp/tmpout.ipaserverinstall_BZ1026434.out 2>&1' (Expected 0, got 0)

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host rhel7-1.testrelm.com
Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel7-1.testrelm.com
IP address:    192.168.122.71
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
  [3/22]: stopping certificate server instance to update CS.cfg
  [4/22]: disabling nonces
  [5/22]: set up CRL publishing
  [6/22]: starting certificate server instance
  [7/22]: creating RA agent certificate database
  [8/22]: importing CA chain to RA certificate database
  [9/22]: fixing RA database permissions
  [10/22]: setting up signing cert profile
  [11/22]: set certificate subject base
  [12/22]: enabling Subject Key Identifier
  [13/22]: enabling CRL and OCSP extensions for certificates
  [14/22]: setting audit signing renewal to 2 years
  [15/22]: configuring certificate server to start on boot
  [16/22]: restarting certificate server
  [17/22]: requesting RA certificate from CA
  [18/22]: issuing RA agent certificate
  [19/22]: adding RA agent as a trusted user
  [20/22]: configure certificate renewals
  [21/22]: configure Server-Cert certificate renewal
  [22/22]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss password file
  [3/14]: enabling mod_nss renegotiate
  [4/14]: adding URL rewriting rules
  [5/14]: configuring httpd
  [6/14]: setting up ssl
  [7/14]: setting up browser autoconfig
  [8/14]: publish CA cert
  [9/14]: creating a keytab for httpd
  [10/14]: clean up any existing httpd ccache
  [11/14]: configuring SELinux for httpd
  [12/14]: configure httpd ccache
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/11]: adding DNS container
  [2/11]: setting up our zone
  [3/11]: setting up reverse zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: setting up CA record
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: restarting named
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
:: [   PASS   ] :: Running 'cat /tmp/tmpout.ipaserverinstall_BZ1026434.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmpout.ipaserverinstall_BZ1026434.out' should not contain 'adtrustinstance' 
:: [   PASS   ] :: BZ1026434 not found

Comment 6 Ludek Smid 2014-06-13 11:58:15 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.