Bug 1298103
| Summary: | ipa-server-upgrade fails if certmonger is not running | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Kurik <jkurik> |
| Component: | ipa | Assignee: | Martin Babinsky <mbabinsk> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | ekeck, enewland, ipa-maint, jcholast, ksiddiqu, mbabinsk, mbasti, mkosek, orion, pvoborni, rcritten, xdong |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-15.el7_2.6 | Doc Type: | Bug Fix |
| Doc Text: | The ipa-server-upgrade utility checks for a running certmonger service at the start of the upgrade process and raises an error if the service is not running. Previously, on a master where the Certificate System CA service was not configured, IdM did not start certmonger because nothing else required it, so the check always failed. Consequently, this effectively prevented the upgrade of a CA-less IdM master to later versions. With this update, the certmonger service is started also when the CA service is not configured, and the upgrade of a CA-less IdM master works as expected. | | |
| Story Points: | --- | | |
| Clone Of: | 1296216 | Environment: | |
| Last Closed: | 2016-02-16 10:59:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1296216 | | |
| Bug Blocks: | | | |
Description
Jan Kurik
2016-01-13 09:03:57 UTC
Verified on ipa-server-4.2.0-15.el7_2.5:

```text
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_upgrade_bz1298103_setup: Prepare to test BZ1298103
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
. . .
:: [ 12:06:50 ] :: Install ca-less master
:: [ BEGIN ] :: Running 'mkdir ~/test_ca'
:: [ PASS ] :: Command 'mkdir ~/test_ca' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo 'Secret123' > ~/test_ca/pwdfile.txt'
:: [ PASS ] :: Command 'echo 'Secret123' > ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [ PASS ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo -e 'y\n10\ny\n' | certutil -d ~/test_ca -S -n 'CA' -s 'CN=Certificate Authority' -x -t CT,,C -2 --keyUsage digitalSignature,nonRepudiation,certSigning --nsCertType sslCA,smimeCA,objectSigningCA -m 12664 -v 120 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt'
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
:: [ PASS ] :: Command 'echo -e 'y\n10\ny\n' | certutil -d ~/test_ca -S -n 'CA' -s 'CN=Certificate Authority' -x -t CT,,C -2 --keyUsage digitalSignature,nonRepudiation,certSigning --nsCertType sslCA,smimeCA,objectSigningCA -m 12664 -v 120 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [ PASS ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -R -s CN=cloud-qe-14.testrelm.test,O=IPA -o /tmp/servercert.req -k rsa -g 2048 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt -a'
Generating key. This may take a few moments...
:: [ PASS ] :: Command 'certutil -d ~/test_ca -R -s CN=cloud-qe-14.testrelm.test,O=IPA -o /tmp/servercert.req -k rsa -g 2048 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt -a' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -C -c 'CA' -i /tmp/servercert.req -o /tmp/servercert.pem --keyUsage keyEncipherment --nsCertType sslServer -m 12665 -v 120 -f ~/test_ca/pwdfile.txt -a'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -C -c 'CA' -i /tmp/servercert.req -o /tmp/servercert.pem --keyUsage keyEncipherment --nsCertType sslServer -m 12665 -v 120 -f ~/test_ca/pwdfile.txt -a' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -A -n Server-Cert -i /tmp/servercert.pem -t ,, -a'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -A -n Server-Cert -i /tmp/servercert.pem -t ,, -a' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'pk12util -d ~/test_ca -n Server-Cert -o ~/test_ca/servercert.p12 -k ~/test_ca/pwdfile.txt -w ~/test_ca/pwdfile.txt'
pk12util: PKCS12 EXPORT SUCCESSFUL
:: [ PASS ] :: Command 'pk12util -d ~/test_ca -n Server-Cert -o ~/test_ca/servercert.p12 -k ~/test_ca/pwdfile.txt -w ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa-server-install -U --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST -a Secret123 -p Secret123 --http-cert-file ~/test_ca/servercert.p12 --dirsrv-cert-file ~/test_ca/servercert.p12 --http-pin Secret123 --dirsrv-pin Secret123 --ca-cert-file ~/test_ca/cacert.pem'

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host cloud-qe-14.testrelm.test
The domain name has been determined based on the host name.

Checking DNS forwarders, please wait ...
Using reverse zone(s) 96.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       cloud-qe-14.testrelm.test
IP address(es): 10.16.96.101
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.11.5.19
Reverse zone(s):  96.16.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: enabling ldapi
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin
  [11/42]: configuring modrdn plugin
  [12/42]: configuring DNS plugin
  [13/42]: enabling entryUSN plugin
  [14/42]: configuring lockout plugin
  [15/42]: creating indices
  [16/42]: enabling referential integrity plugin
  [17/42]: configuring certmap.conf
  [18/42]: configure autobind for root
  [19/42]: configure new location for managed entries
  [20/42]: configure dirsrv ccache
  [21/42]: enable SASL mapping fallback
  [22/42]: restarting directory server
  [23/42]: adding default layout
  [24/42]: adding delegation layout
  [25/42]: creating container for managed entries
  [26/42]: configuring user private groups
  [27/42]: configuring netgroups from hostgroups
  [28/42]: creating default Sudo bind user
  [29/42]: creating default Auto Member layout
  [30/42]: adding range check plugin
  [31/42]: creating default HBAC rule allow_all
  [32/42]: adding entries for topology management
  [33/42]: initializing group membership
  [34/42]: adding master entry
  [35/42]: initializing domain level
  [36/42]: configuring Posix uid/gid generation
  [37/42]: adding replication acis
  [38/42]: enabling compatibility plugin
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/18]: setting mod_nss port to 443
  [2/18]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/18]: setting mod_nss password file
  [4/18]: enabling mod_nss renegotiate
  [5/18]: adding URL rewriting rules
  [6/18]: configuring httpd
  [7/18]: setting up ssl
  [8/18]: importing CA certificates from LDAP
  [9/18]: setting up browser autoconfig
  [10/18]: publish CA cert
  [11/18]: creating a keytab for httpd
  [12/18]: clean up any existing httpd ccache
  [13/18]: configuring SELinux for httpd
  [14/18]: create KDC proxy user
  [15/18]: create KDC proxy config
  [16/18]: enable KDC proxy
  [17/18]: restarting httpd
  [18/18]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
:: [ PASS ] :: Command 'ipa-server-install -U --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST -a Secret123 -p Secret123 --http-cert-file ~/test_ca/servercert.p12 --dirsrv-cert-file ~/test_ca/servercert.p12 --http-pin Secret123 --dirsrv-pin Secret123 --ca-cert-file ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa user-find'
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 527200000
  GID: 527200000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Command 'ipa user-find' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ps -ef|grep 't[o]m''
:: [ PASS ] :: Command 'ps -ef|grep 't[o]m'' (Expected 1, got 1)
:: [ BEGIN ] :: Running 'ps -ef|grep 'p[k]i''
:: [ PASS ] :: Command 'ps -ef|grep 'p[k]i'' (Expected 1, got 1)
:: [ BEGIN ] :: Running 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-14.idmqe.lab.eng.bos.redhat.com'
:: [ PASS ] :: Command 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-14.idmqe.lab.eng.bos.redhat.com' (Expected 0, got 0)
'85f18092-87ee-44f1-9cab-069a87e4a5dd' ipa-upgrade-bz1298103-setup-Prepare-to-test-BZ1298103 result: PASS metric: 0
Log: /var/tmp/beakerlib-37743252/journal.txt
DMesg: /mnt/testarea/dmesg.log
Info: Searching AVC errors produced since 1454087003.51 (Fri Jan 29 12:03:23 2016)
Searching logs...
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Info: No AVC messages found.
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.ZocTsm : AvcLog: /mnt/testarea/tmp.ZocTsm
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_upgrade_bz1298103_check:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 12:09:25 ] :: Machine in recipe is MASTER
:: [ BEGIN ] :: Running ipa-server-upgrade when certmonger is not running :: actually running 'ipa-server-upgrade > /tmp/bz1298103.check.out 2>&1'
:: [ PASS ] :: Running ipa-server-upgrade when certmonger is not running (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/bz1298103.check.out' should not contain 'Certmonger is not running. Start certmonger and run upgrade again'
```

This patch causes upgrade regression https://fedorahosted.org/freeipa/ticket/5655

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5655

Ticket 5655 is fixed.

master: 612f4aa9003658f9a494ec327d50ec5a0592f7b4 always start certmonger during IPA server configuration upgrade

ipa-4-3: d99552a8a9f855a7c5e00c4b0736061e05d6ed31 always start certmonger during IPA server configuration upgrade

ipa-4-2: 3664efa31edf0dff6dd3410e2eccd12c9cd25782 always start certmonger during IPA server configuration upgrade

Verified on ipa-server-4.2.0-15.el7_2.6.x86_64:

```text
[root@intel-lizardhead-02 yum.repos.d]# systemctl stop ipa
[root@intel-lizardhead-02 yum.repos.d]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@intel-lizardhead-02 yum.repos.d]# ipa-server-upgrade
session memcached servers not running
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 4]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Ensuring CA is using LDAPProfileSubsystem]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@intel-lizardhead-02 yum.repos.d]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@intel-lizardhead-02 yum.repos.d]# systemctl restart ipa
[root@intel-lizardhead-02 yum.repos.d]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
```

Reverified on ipa-server-4.2.0-15.el7_2.6.x86_64:

```text
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_upgrade_bz1298103_setup: Prepare to test BZ1298103
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
. . .
:: [ 10:23:06 ] :: Install ca-less master
:: [ BEGIN ] :: Running 'mkdir ~/test_ca'
:: [ PASS ] :: Command 'mkdir ~/test_ca' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo 'Secret123' > ~/test_ca/pwdfile.txt'
:: [ PASS ] :: Command 'echo 'Secret123' > ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [ PASS ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo -e 'y\n10\ny\n' | certutil -d ~/test_ca -S -n 'CA' -s 'CN=Certificate Authority' -x -t CT,,C -2 --keyUsage digitalSignature,nonRepudiation,certSigning --nsCertType sslCA,smimeCA,objectSigningCA -m 26909 -v 120 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt'
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
:: [ PASS ] :: Command 'echo -e 'y\n10\ny\n' | certutil -d ~/test_ca -S -n 'CA' -s 'CN=Certificate Authority' -x -t CT,,C -2 --keyUsage digitalSignature,nonRepudiation,certSigning --nsCertType sslCA,smimeCA,objectSigningCA -m 26909 -v 120 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [ PASS ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -R -s CN=cloud-qe-22.testrelm.test,O=IPA -o /tmp/servercert.req -k rsa -g 2048 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt -a'
Generating key. This may take a few moments...
:: [ PASS ] :: Command 'certutil -d ~/test_ca -R -s CN=cloud-qe-22.testrelm.test,O=IPA -o /tmp/servercert.req -k rsa -g 2048 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt -a' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -C -c 'CA' -i /tmp/servercert.req -o /tmp/servercert.pem --keyUsage keyEncipherment --nsCertType sslServer -m 26910 -v 120 -f ~/test_ca/pwdfile.txt -a'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -C -c 'CA' -i /tmp/servercert.req -o /tmp/servercert.pem --keyUsage keyEncipherment --nsCertType sslServer -m 26910 -v 120 -f ~/test_ca/pwdfile.txt -a' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -A -n Server-Cert -i /tmp/servercert.pem -t ,, -a'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -A -n Server-Cert -i /tmp/servercert.pem -t ,, -a' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'pk12util -d ~/test_ca -n Server-Cert -o ~/test_ca/servercert.p12 -k ~/test_ca/pwdfile.txt -w ~/test_ca/pwdfile.txt'
pk12util: PKCS12 EXPORT SUCCESSFUL
:: [ PASS ] :: Command 'pk12util -d ~/test_ca -n Server-Cert -o ~/test_ca/servercert.p12 -k ~/test_ca/pwdfile.txt -w ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem'
:: [ PASS ] :: Command 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa-server-install -U --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST -a Secret123 -p Secret123 --http-cert-file ~/test_ca/servercert.p12 --dirsrv-cert-file ~/test_ca/servercert.p12 --http-pin Secret123 --dirsrv-pin Secret123 --ca-cert-file ~/test_ca/cacert.pem'

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host cloud-qe-22.testrelm.test
The domain name has been determined based on the host name.

Checking DNS forwarders, please wait ...
Using reverse zone(s) 96.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       cloud-qe-22.testrelm.test
IP address(es): 10.16.96.142
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.11.5.19
Reverse zone(s):  96.16.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: enabling ldapi
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin
  [11/42]: configuring modrdn plugin
  [12/42]: configuring DNS plugin
  [13/42]: enabling entryUSN plugin
  [14/42]: configuring lockout plugin
  [15/42]: creating indices
  [16/42]: enabling referential integrity plugin
  [17/42]: configuring certmap.conf
  [18/42]: configure autobind for root
  [19/42]: configure new location for managed entries
  [20/42]: configure dirsrv ccache
  [21/42]: enable SASL mapping fallback
  [22/42]: restarting directory server
  [23/42]: adding default layout
  [24/42]: adding delegation layout
  [25/42]: creating container for managed entries
  [26/42]: configuring user private groups
  [27/42]: configuring netgroups from hostgroups
  [28/42]: creating default Sudo bind user
  [29/42]: creating default Auto Member layout
  [30/42]: adding range check plugin
  [31/42]: creating default HBAC rule allow_all
  [32/42]: adding entries for topology management
  [33/42]: initializing group membership
  [34/42]: adding master entry
  [35/42]: initializing domain level
  [36/42]: configuring Posix uid/gid generation
  [37/42]: adding replication acis
  [38/42]: enabling compatibility plugin
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/18]: setting mod_nss port to 443
  [2/18]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/18]: setting mod_nss password file
  [4/18]: enabling mod_nss renegotiate
  [5/18]: adding URL rewriting rules
  [6/18]: configuring httpd
  [7/18]: setting up ssl
  [8/18]: importing CA certificates from LDAP
  [9/18]: setting up browser autoconfig
  [10/18]: publish CA cert
  [11/18]: creating a keytab for httpd
  [12/18]: clean up any existing httpd ccache
  [13/18]: configuring SELinux for httpd
  [14/18]: create KDC proxy user
  [15/18]: create KDC proxy config
  [16/18]: enable KDC proxy
  [17/18]: restarting httpd
  [18/18]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
:: [ PASS ] :: Command 'ipa-server-install -U --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST -a Secret123 -p Secret123 --http-cert-file ~/test_ca/servercert.p12 --dirsrv-cert-file ~/test_ca/servercert.p12 --http-pin Secret123 --dirsrv-pin Secret123 --ca-cert-file ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa user-find'
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1307200000
  GID: 1307200000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Command 'ipa user-find' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ps -ef|grep 't[o]m''
:: [ PASS ] :: Command 'ps -ef|grep 't[o]m'' (Expected 1, got 1)
:: [ BEGIN ] :: Running 'ps -ef|grep 'p[k]i''
:: [ PASS ] :: Command 'ps -ef|grep 'p[k]i'' (Expected 1, got 1)
:: [ BEGIN ] :: Running 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-22.idmqe.lab.eng.bos.redhat.com'
:: [ PASS ] :: Command 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-22.idmqe.lab.eng.bos.redhat.com' (Expected 0, got 0)
'a2ff65ca-a9e2-4e64-885a-73fc3015ec0f' ipa-upgrade-bz1298103-setup-Prepare-to-test-BZ1298103 result: PASS metric: 0
Log: /var/tmp/beakerlib-37834343/journal.txt
DMesg: /mnt/testarea/dmesg.log
Info: Searching AVC errors produced since 1454426375.19 (Tue Feb 2 10:19:35 2016)
Searching logs...
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Info: No AVC messages found.
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.VbKa1d : AvcLog: /mnt/testarea/tmp.VbKa1d
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_upgrade_bz1298103_check:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 10:25:40 ] :: Machine in recipe is MASTER
:: [ BEGIN ] :: Running ipa-server-upgrade when certmonger is not running :: actually running 'ipa-server-upgrade > /tmp/bz1298103.check.out 2>&1'
:: [ PASS ] :: Running ipa-server-upgrade when certmonger is not running (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/bz1298103.check.out' should not contain 'Certmonger is not running. Start certmonger and run upgrade again'
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0211.html
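The following POSIX shell script is an added example; it is not part of the bug report, of the QA test suite or of FreeIPA. It wraps ipa-server-upgrade the way the Doc Text and the QA check above describe: start certmonger first (which is what the fixed ipa-4.2.0-15.el7_2.6 build does on its own, and what an administrator on the affected _2.5 build has to do by hand on a CA-less master), capture stdout and stderr to a file with the same redirection the beakerlib check used, and then decide the outcome from the transcript rather than from the exit status. The service name, the two message strings and the /tmp/bz1298103.check.out path come from the page; the function names, the "run" argument convention and the sample transcript lines used when testing are this example's own.

```sh
#!/bin/sh
# Added example (not FreeIPA code): pre-flight, run and transcript check
# for ipa-server-upgrade on a master affected by BZ1298103.

# Both strings appear verbatim in the bug report's logs.
CERTMONGER_ERR='Certmonger is not running. Start certmonger and run upgrade again'
UPGRADE_OK='The ipa-server-upgrade command was successful'

# 0 if systemd reports certmonger active, non-zero otherwise. Needs a live host.
certmonger_active() {
    systemctl is-active --quiet certmonger
}

# Bring certmonger up before the upgrade's pre-check can fire. On the fixed
# package this is redundant but harmless; on the affected package it is the
# workaround for a CA-less master.
ensure_certmonger() {
    if certmonger_active; then
        return 0
    fi
    echo "certmonger is not running; starting it before ipa-server-upgrade" >&2
    systemctl start certmonger
}

# Classify a captured ipa-server-upgrade transcript. Prints exactly one word:
#   certmonger-not-running   the pre-check from this bug fired
#   ok                       the tool reported success
#   failed                   anything else; inspect the file and
#                            /var/log/ipaupgrade.log
# Returns 0 only for "ok", so it can gate the rest of a maintenance script.
classify_upgrade_output() {
    _file=$1
    if grep -qF "$CERTMONGER_ERR" "$_file"; then
        echo certmonger-not-running
        return 1
    fi
    if grep -qF "$UPGRADE_OK" "$_file"; then
        echo ok
        return 0
    fi
    echo failed
    return 1
}

# Full procedure. The exit status of ipa-server-upgrade itself is ignored on
# purpose: the transcript is the source of truth, as in the QA check above.
run_upgrade_checked() {
    _out=${1:-/tmp/bz1298103.check.out}
    ensure_certmonger || return 1
    ipa-server-upgrade > "$_out" 2>&1 || true
    classify_upgrade_output "$_out"
}

# Sourcing or running without arguments only defines the functions;
# "run [output-file]" performs the live procedure (example's own convention).
if [ "${1:-}" = run ]; then
    run_upgrade_checked "${2:-}"
fi
```

The classifier deliberately tests for the certmonger message before the success marker: on the affected build the pre-check aborts the run, so the two never appear together, but ordering the checks this way keeps the result unambiguous if a later version ever prints both.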