Bug 1195811

| Summary: | PKI fails to install, missing support for Tomcat 8.0 | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Martin Kosek <mkosek> |
| Component: | pki-core | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | alee, awilliam, danofsatx, dennis, edewata, extras-orphan, gsterlin, ivan.afonichev, krzysztof.daniel, mharmsen, mitr, pschindl, robatino, satellitgo, sgallagh, spoore |
| Target Milestone: | --- | Keywords: | CommonBugs, Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | AcceptedFreezeException https://fedoraproject.org/wiki/Common_F22_bugs#rolekit-alpha-tomcat | | |
| Fixed In Version: | tomcat-7.0.59-3.fc22 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-09-28 18:05:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1043123 | | |
Description
Martin Kosek
2015-02-24 16:03:01 UTC
Proposed as a Blocker for 22-alpha by Fedora user sgallagh using the blocker tracking app because:

This prevents proper installation and deployment of FreeIPA, which powers the Domain Controller Role of Fedora Server. This is in violation of the Core Requirements of https://fedoraproject.org/wiki/Domain_controller_role_requirements

Possibly relevant: http://svn.apache.org/viewvc?diff_format=h&view=revision&revision=1542822

So according to comment 2 updating server.xml to remove the listener in question should fix the problem. Are there any other problems?

There are other problems. Please see this page: http://pki.fedoraproject.org/wiki/Tomcat_8

Note that this is still an ongoing investigation, so there may be more problems.

+1 AlphaBlocker based on criteria sgallagh cited.

So I've been informed that the ongoing efforts of Dogtag to use Tomcat 8 are proving unsuccessful. Too many things have changed under the hood, and after a full week of trying, they still cannot manage to get it built such that it will run at all. I've tried to reach out to the Tomcat maintainers, but other than Alexander Kurtakov, I have had no success.

With Alpha Freeze already upon us, I think we really need to move forward with the request to downgrade back to Tomcat 7 in Fedora 22 so that efforts to support Tomcat 8 can be moved to Rawhide/F23.

I've opened a FESCo ticket to decide whether to require Tomcat 7 on Fedora 22. https://fedorahosted.org/fesco/ticket/1418

Discussed at today's blocker review meeting [1]. This bug was accepted as Alpha Blocker - This bug is a clear violation of the criterion: "The core functional requirements for all Featured Server Roles must be met, but it is acceptable if moderate workarounds are necessary to achieve this." The QA recommendation for the fix is to downgrade the version of Tomcat included in F22, as the development and testing required for the current version to work for F22 is high.
[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-02/

tomcat-7.0.59-2.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/tomcat-7.0.59-2.fc22

Package tomcat-7.0.59-3.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing tomcat-7.0.59-3.fc22'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-3074/tomcat-7.0.59-3.fc22 then log in and leave karma (feedback).

On a fresh F22 machine installing Tomcat with yum brings in a mix of Tomcat 7 and 8 packages:
* tomcat-lib-7.0.59-3.fc22.noarch
* tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch
* tomcat-el-3.0-api-8.0.18-2.fc22.noarch
* tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch
* tomcat-7.0.59-3.fc22.noarch

With this combination the tomcat-lib will contain links to non-existent files:
* /usr/share/java/tomcat/tomcat-jsp-2.2-api.jar
* /usr/share/java/tomcat/tomcat-servlet-3.0-api.jar

Dogtag/IPA installation will fail because of this.

Removing the Tomcat 8 packages manually and reinstalling the corresponding Tomcat 7 packages with yum doesn't work since the packages are considered obsolete:

```
$ yum install tomcat-servlet-3.0-api tomcat-el-2.2-api tomcat-jsp-2.2-api
Package tomcat-servlet-3.0-api is obsoleted by tomcat-servlet-3.1-api, trying to install tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch instead
Package tomcat-el-2.2-api is obsoleted by tomcat-el-3.0-api, trying to install tomcat-el-3.0-api-8.0.18-2.fc22.noarch instead
Package tomcat-jsp-2.2-api is obsoleted by tomcat-jsp-2.3-api, trying to install tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch instead
Resolving Dependencies
--> Running transaction check
---> Package tomcat-el-3.0-api.noarch 0:8.0.18-2.fc22 will be installed
---> Package tomcat-jsp-2.3-api.noarch 0:8.0.18-2.fc22 will be installed
---> Package tomcat-servlet-3.1-api.noarch 0:8.0.18-2.fc22 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package                   Arch       Version           Repository   Size
================================================================================================
Installing:
 tomcat-el-3.0-api         noarch     8.0.18-2.fc22     fedora       105 k
 tomcat-jsp-2.3-api        noarch     8.0.18-2.fc22     fedora        70 k
 tomcat-servlet-3.1-api    noarch     8.0.18-2.fc22     fedora       255 k

Transaction Summary
================================================================================================
Install  3 Packages
```

The workaround is to download and install the Tomcat 7 RPM packages manually. I will leave a negative karma for this build.

I'm looking into it, but we may still be able to ship with this, because if this package goes stable, it will replace the 8.0.x ones in the repository (since this isn't going to [updates], but [fedora]). It would still be an issue for anyone who upgraded their tomcat packages while 8.0 was there, though.

So, I discussed this with Alexander.
What we really need to do is get this pushed to the stable [fedora] repo. It will fix itself, because it will remove the 8.0 packages that are obsoleting. This wouldn't work in a stable update, but it *WILL* work during pre-release. If someone upgraded to get to this point, they'll have to do a manual downgrade, but there's nothing we can do to fix it that wouldn't cause bigger problems due to the intricacies of tomcat virtual Provides.

So Endi, please revert your karma, as it's only going to make this problem worse :)

OK, karma reversed.

FYI when I tested successfully, I had to make sure all the tomcat 8 packages were removed and install only the tomcat 7 ones here. Then ipa-server-install worked as expected.

tomcat-7.0.59-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

The problem still persists as described in comment #11.

endi: the stable push has not yet actually completed. Reopening.

During Alpha validation testing, we discovered that the stable push hadn't happened in time for the compose and as a result, the composed ISOs contained both the old and new packages (and the network install "Everything" mirrors still had only the Tomcat 8.0 stuff). We're currently waiting for the mash to complete of the stable push, which should hopefully resolve the situation for the network install (and rolekit deploy) of Dogtag/FreeIPA.

If that works, what will remain to be decided is whether a Common Bug about not actually selecting FreeIPA/Dogtag/Tomcat packages during anaconda/kickstart is acceptable (and relying on network install to work) or if we consider this a blocking issue and slip one week in the schedule to fix it.

I'll update this BZ once we know if the mash fixes the problem.

I'm off to bed and probably won't make the go/no-go, so posting my thoughts here.

Assuming FreeIPA server role deployment works from the repos once the stable push is done, I'm not sure we have a violation of the criteria here, on a strict reading. Deploying the Domain Controller role will work. The criteria don't explicitly require it to work with the packages from the DVD, and there's no Alpha criterion relating to optional package sets. I don't honestly think people really use the frozen Alpha/Beta repos much for this kind of purpose, I strongly suspect anyone testing FreeIPA with Alpha will be using the 'live' repos. It is sub-optimal that you can't deploy FreeIPA server from the DVD alone, but I'm not sure it violates the criteria, and I don't feel strongly that it necessarily *should*.

So, count me a fairly weak -1 blocker on the current state of this, *assuming* domain controller role deployment works reasonably well once the stable push is complete.

For the record, to my mind the relevant criteria here are the two at https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#Role_definition_requirements :

Role definition requirements
Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried.

Role functional requirements
The core functional requirements for all Featured Server Roles must be met, but it is acceptable if moderate workarounds are necessary to achieve this.

(for the record I'd definitely consider this issue a *Final* blocker - we should always make sure the role criteria are met for deployment from the *Final* DVD.)

I just tried installing freeipa-server from default repos from an RC3 kickstart. I'm still seeing the tomcat 7/8 mix that Endi described earlier when I run dnf install.

```
[root@fedora0 ~]# rpm -qa|grep -i tomcat
tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch
tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcat-el-3.0-api-8.0.18-2.fc22.noarch
tomcat-lib-7.0.59-3.fc22.noarch
tomcatjss-7.1.1-1.fc22.noarch
```

When I check the RC3 repo, it looks to me like it's still got a mix: http://dl.fedoraproject.org/pub/alt/stage/22_Alpha_RC3/Server/x86_64/os/Packages/t/

Should this have been updated yet?

The RC3 repo will never be updated, but it's not the 'default' repo. The default repo is the one for your arch from the development/22 tree: https://dl.fedoraproject.org/pub/fedora/linux/development/22/

If you look in https://dl.fedoraproject.org/pub/fedora/linux/development/22/x86_64/os/Packages/t/ , you should see only 7.x packages. If you actually installed from the 22 'fedora' repo and got the 8.x mix, you might've gotten a stale mirror, they don't all sync immediately.

To be clear, there will be a frozen Alpha tree here, once Alpha is released: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22-Alpha but installs of 22 Alpha will not use that as their base repository by default. As I said in #c23 they use the 'fedora' repo, the same one that is the base repo post-install, which is the regularly updated 22 'stable' repo in https://dl.fedoraproject.org/pub/fedora/linux/development/22/ .

I was wondering if I just got unlucky and hit something not in sync. And I wasn't sure if there was some backend voodoo that would update RC3 repo. Now I know it's static after it's built.
And yes, I do now see all tomcat 7 with another run:

```
[root@fedora0 ~]# dnf list tomcat*
Using metadata from Fri Mar  6 17:43:37 2015
Available Packages
tomcat.noarch                    1:7.0.59-3.fc22    fedora
tomcat-admin-webapps.noarch      1:7.0.59-3.fc22    fedora
tomcat-docs-webapp.noarch        1:7.0.59-3.fc22    fedora
tomcat-el-2.2-api.noarch         1:7.0.59-3.fc22    fedora
tomcat-javadoc.noarch            1:7.0.59-3.fc22    fedora
tomcat-jsp-2.2-api.noarch        1:7.0.59-3.fc22    fedora
tomcat-jsvc.noarch               1:7.0.59-3.fc22    fedora
tomcat-lib.noarch                1:7.0.59-3.fc22    fedora
tomcat-log4j.noarch              1:7.0.59-3.fc22    fedora
tomcat-native.x86_64             1.1.32-1.fc22      fedora
tomcat-servlet-3.0-api.noarch    1:7.0.59-3.fc22    fedora
tomcat-webapps.noarch            1:7.0.59-3.fc22    fedora
tomcatjss.noarch                 7.1.1-1.fc22       fedora
```

I'll run a quick check and update here shortly.

so far, so good:

```
[root@fedora0 ~]# rpm -qa|grep -i tomcat
tomcatjss-7.1.1-1.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcat-el-2.2-api-7.0.59-3.fc22.noarch
tomcat-lib-7.0.59-3.fc22.noarch
tomcat-servlet-3.0-api-7.0.59-3.fc22.noarch
tomcat-jsp-2.2-api-7.0.59-3.fc22.noarch
```

Looks good:

```
[root@fedora0 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host fedora0.example.test
The domain name has been determined based on the host name.

Adding [192.168.122.30 fedora0.example.test] to your /etc/hosts file
Checking forwarders, please wait ...
WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       fedora0.example.test
IP address(es): 192.168.122.30
Domain name:    example.test
Realm name:     EXAMPLE.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Reverse zone(s):  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [11/27]: fixing RA database permissions
  [12/27]: setting up signing cert profile
  [13/27]: set certificate subject base
  [14/27]: enabling Subject Key Identifier
  [15/27]: enabling Subject Alternative Name
  [16/27]: enabling CRL and OCSP extensions for certificates
  [17/27]: setting audit signing renewal to 2 years
  [18/27]: configuring certificate server to start on boot
  [19/27]: restarting certificate server
  [20/27]: requesting RA certificate from CA
  [21/27]: issuing RA agent certificate
  [22/27]: adding RA agent as a trusted user
  [23/27]: configure certmonger for renewals
  [24/27]: configure certificate renewals
  [25/27]: configure RA certificate renewal
  [26/27]: configure Server-Cert certificate renewal
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/16]: setting mod_nss port to 443
  [2/16]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/16]: setting mod_nss password file
  [4/16]: enabling mod_nss renegotiate
  [5/16]: adding URL rewriting rules
  [6/16]: configuring httpd
  [7/16]: configure certmonger for renewals
  [8/16]: setting up ssl
  [9/16]: importing CA certificates from LDAP
  [10/16]: setting up browser autoconfig
  [11/16]: publish CA cert
  [12/16]: creating a keytab for httpd
  [13/16]: clean up any existing httpd ccache
  [14/16]: configuring SELinux for httpd
  [15/16]: restarting httpd
  [16/16]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting Directory server to apply updates
  [1/2]: stopping directory server
  [2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@fedora0 ~]#
```

Discussed at today's mini blocker review during Go/No-Go meeting [1].
This bug was rejected as Alpha blocker but will be considered as Freeze Exception - This bug can be resolved with update. Setting it as Common bug should be enough so there's no need to block on it. If the problem will reappear we can propose it to block beta later

[1] http://meetbot.fedoraproject.org/fedora-meeting-2/2015-03-06/

What's the current status on this effort? This is quite likely to bite us again in Fedora 23 if not addressed.

The latest PKI runs with Tomcat 8 on F23, but it has not been extensively tested and the tool to migrate from Tomcat 7 is not complete.

Can we mark this as closed? FreeIPA 4.2.1 is testing out just fine on my F23 systems.

After conferring with edewata on IRC on 9/28/2015 - closing bug as currentrelease

FYI, I also ran a quick install check for this on a fresh Fedora 23 Beta TC5 build:

```
[root@fedora-0 yum.repos.d]# dnf -y install freeipa-server-dns
Last metadata expiration check performed 0:16:39 ago on Mon Sep 28 11:31:07 2015.
Dependencies resolved.
...
 tomcat                    noarch    1:8.0.26-1.fc23    fedora     91 k
 tomcat-el-3.0-api         noarch    1:8.0.26-1.fc23    fedora    106 k
 tomcat-jsp-2.3-api        noarch    1:8.0.26-1.fc23    fedora     71 k
 tomcat-lib                noarch    1:8.0.26-1.fc23    fedora    4.1 M
 tomcat-servlet-3.1-api    noarch    1:8.0.26-1.fc23    fedora    256 k
 tomcatjss                 noarch    7.1.3-1.fc23       fedora     39 k
...
Complete!
[root@fedora-0 yum.repos.d]# rpm -qa|grep -i tomcat
tomcat-jsp-2.3-api-8.0.26-1.fc23.noarch
tomcat-lib-8.0.26-1.fc23.noarch
tomcat-servlet-3.1-api-8.0.26-1.fc23.noarch
tomcat-8.0.26-1.fc23.noarch
tomcat-el-3.0-api-8.0.26-1.fc23.noarch
tomcatjss-7.1.3-1.fc23.noarch
[root@fedora-0 yum.repos.d]# rpm -q freeipa-server
freeipa-server-4.2.1-1.fc23.x86_64
[root@fedora-0 yum.repos.d]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.COM -aSecret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host fedora-0.example.com
The domain name has been determined based on the host name.

Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       fedora-0.example.com
IP address(es): 192.168.122.100
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Reverse zone(s):  122.168.192.in-addr.arpa.

Adding [192.168.122.100 fedora-0.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: adding default schema
  [4/43]: enabling memberof plugin
  [5/43]: enabling winsync plugin
  [6/43]: configuring replication version plugin
  [7/43]: enabling IPA enrollment plugin
  [8/43]: enabling ldapi
  [9/43]: configuring uniqueness plugin
  [10/43]: configuring uuid plugin
  [11/43]: configuring modrdn plugin
  [12/43]: configuring DNS plugin
  [13/43]: enabling entryUSN plugin
  [14/43]: configuring lockout plugin
  [15/43]: creating indices
  [16/43]: enabling referential integrity plugin
  [17/43]: configuring certmap.conf
  [18/43]: configure autobind for root
  [19/43]: configure new location for managed entries
  [20/43]: configure dirsrv ccache
  [21/43]: enable SASL mapping fallback
  [22/43]: restarting directory server
  [23/43]: adding default layout
  [24/43]: adding delegation layout
  [25/43]: creating container for managed entries
  [26/43]: configuring user private groups
  [27/43]: configuring netgroups from hostgroups
  [28/43]: creating default Sudo bind user
  [29/43]: creating default Auto Member layout
  [30/43]: adding range check plugin
  [31/43]: creating default HBAC rule allow_all
  [32/43]: creating default CA ACL rule
  [33/43]: adding entries for topology management
  [34/43]: initializing group membership
  [35/43]: adding master entry
  [36/43]: initializing domain level
  [37/43]: configuring Posix uid/gid generation
  [38/43]: adding replication acis
  [39/43]: enabling compatibility plugin
  [40/43]: activating sidgen plugin
  [41/43]: activating extdom plugin
  [42/43]: tuning directory server
  [43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: configuring certificate server instance
  [3/25]: stopping certificate server instance to update CS.cfg
  [4/25]: backing up CS.cfg
  [5/25]: disabling nonces
  [6/25]: set up CRL publishing
  [7/25]: enable PKIX certificate path discovery and validation
  [8/25]: starting certificate server instance
  [9/25]: creating RA agent certificate database
  [10/25]: importing CA chain to RA certificate database
  [11/25]: fixing RA database permissions
  [12/25]: setting up signing cert profile
  [13/25]: setting audit signing renewal to 2 years
  [14/25]: restarting certificate server
  [15/25]: requesting RA certificate from CA
  [16/25]: issuing RA agent certificate
  [17/25]: adding RA agent as a trusted user
  [18/25]: authorizing RA to modify profiles
  [19/25]: configure certmonger for renewals
  [20/25]: configure certificate renewals
  [21/25]: configure RA certificate renewal
  [22/25]: configure Server-Cert certificate renewal
  [23/25]: Configure HTTP to proxy connections
  [24/25]: restarting certificate server
  [25/25]: Importing IPA certificate profiles
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/18]: setting mod_nss port to 443
  [2/18]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/18]: setting mod_nss password file
  [4/18]: enabling mod_nss renegotiate
  [5/18]: adding URL rewriting rules
  [6/18]: configuring httpd
  [7/18]: configure certmonger for renewals
  [8/18]: setting up ssl
  [9/18]: importing CA certificates from LDAP
  [10/18]: setting up browser autoconfig
  [11/18]: publish CA cert
  [12/18]: creating a keytab for httpd
  [13/18]: clean up any existing httpd ccache
  [14/18]: configuring SELinux for httpd
  [15/18]: create KDC proxy config
  [16/18]: enable KDC proxy
  [17/18]: restarting httpd
  [18/18]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
```
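The thread above turns on two symptoms that are easy to check for before running ipa-server-install: a host holding Tomcat 7 core packages next to Tomcat 8 API packages, and the tomcat-lib symlinks under /usr/share/java/tomcat that point at jars which are no longer installed. The shell functions below are an added example, not code from the bug report or from the Fedora, Dogtag or FreeIPA projects; the package lists are constructed samples copied from the rpm -qa output posted in the thread, and the directory check runs on whatever path you hand it.

```bash
#!/bin/sh
# Added example: detect a mixed Tomcat 7/8 package set and dangling jar links.

# Constructed sample of `rpm -qa | grep -i tomcat`, reproducing the broken
# mix reported in the bug (Tomcat 7 core with Tomcat 8 API packages).
SAMPLE_MIXED='tomcat-lib-7.0.59-3.fc22.noarch
tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch
tomcat-el-3.0-api-8.0.18-2.fc22.noarch
tomcat-jsp-2.3-api-8.0.18-2.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcatjss-7.1.1-1.fc22.noarch'

# Constructed sample of the healthy state after the stable push: all Tomcat 7.
SAMPLE_CLEAN='tomcatjss-7.1.1-1.fc22.noarch
tomcat-7.0.59-3.fc22.noarch
tomcat-el-2.2-api-7.0.59-3.fc22.noarch
tomcat-lib-7.0.59-3.fc22.noarch
tomcat-servlet-3.0-api-7.0.59-3.fc22.noarch
tomcat-jsp-2.2-api-7.0.59-3.fc22.noarch'

# Extract the RPM version field from a name-version-release.arch string.
# Example: tomcat-servlet-3.1-api-8.0.18-2.fc22.noarch -> 8.0.18
# The package name itself may contain digits and dots (servlet-3.1-api),
# so the version is found by peeling from the right, never by scanning left.
nvra_version() {
    p=${1%.*}        # drop the architecture (.noarch, .x86_64)
    p=${p%-*}        # drop the release (3.fc22)
    echo "${p##*-}"  # what remains after the last '-' is the version
}

# Read a package list on stdin and print the distinct Tomcat major versions,
# one per line. tomcatjss and tomcat-native are separate projects with their
# own version numbering, so they are excluded from the comparison.
tomcat_majors() {
    while read -r pkg; do
        case "$pkg" in
            tomcatjss-*|tomcat-native-*|'') continue ;;
            tomcat-*) ;;
            *) continue ;;
        esac
        v=$(nvra_version "$pkg")
        echo "${v%%.*}"
    done | sort -u
}

# Exit 0 when every Tomcat package shares one major version, 1 when they mix.
check_tomcat_mix() {
    n=$(tomcat_majors | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Print symlinks in DIR whose target does not exist, i.e. the broken
# /usr/share/java/tomcat/*.jar links tomcat-lib is left with in the mixed state.
dangling_links() {
    for f in "$1"/*; do
        [ -L "$f" ] && [ ! -e "$f" ] && echo "$f"
    done
    return 0
}

# Demonstration on the constructed samples; on a real host pipe `rpm -qa` in
# and run: dangling_links /usr/share/java/tomcat
for sample in "$SAMPLE_MIXED" "$SAMPLE_CLEAN"; do
    if printf '%s\n' "$sample" | check_tomcat_mix; then
        echo "ok: single Tomcat major version"
    else
        echo "mixed Tomcat majors: $(printf '%s\n' "$sample" | tomcat_majors | tr '\n' ' ')"
    fi
done
```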