Bug 1399524

Summary: Running ipa-server-install in rawhide container fails at kadmin.local -q addprinc -randkey ldap/ipa.example.test@EXAMPLE.TEST -x ipa-setup-override-restrictions
Product: [Fedora] Fedora
Component: freeipa
Version: rawhide
Status: CLOSED RAWHIDE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jan Pazdziora <jpazdziora>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, ipa-maint, jcholast, jhrozek, jpazdziora, mkosek, pvoborni, rcritten, ssorce
Fixed In Version: freeipa-4.4.2-3.fc26
Last Closed: 2016-12-15 15:22:01 UTC
Type: Bug

Description Jan Pazdziora 2016-11-29 09:10:35 UTC
Description of problem:

Running ipa-server-install in fedora:rawhide container fails in/after the

  [5/9]: creating a keytab for the directory

step.

Version-Release number of selected component (if applicable):

freeipa-server-4.4.2-2.fc26.x86_64
krb5-server-1.15-3.fc26.beta2.0.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Dockerfile

FROM fedora:rawhide
RUN mkdir -p /run/lock && dnf upgrade -y && dnf install -y freeipa-server freeipa-server-dns freeipa-server-trust-ad initscripts && dnf clean all
# This is to work around https://fedorahosted.org/freeipa/ticket/6518
RUN sed -i 's/getaddrinfo(fqdn/getaddrinfo(fqdn.rstrip(".")/' /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py && python -m compileall /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py

2. Build image:
     docker build -t ipa-rh .
3. Run container:
     docker run --rm -ti --name ipa -h ipa.example.test -e container=docker ipa-rh /usr/sbin/init
4. In another terminal, run ipa-server-install in the container:
     docker exec -ti ipa ipa-server-install -U -r EXAMPLE.TEST -a Secret123 -p Secret123

Actual results:

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

The domain name has been determined based on the host name.


The IPA Master Server will be configured with:
Hostname:       ipa.example.test
IP address(es): 172.17.0.2
Domain name:    example.test
Realm name:     EXAMPLE.TEST

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
  [3/31]: stopping certificate server instance to update CS.cfg
  [4/31]: backing up CS.cfg
  [5/31]: disabling nonces
  [6/31]: set up CRL publishing
  [7/31]: enable PKIX certificate path discovery and validation
  [8/31]: starting certificate server instance
  [9/31]: creating RA agent certificate database
  [10/31]: importing CA chain to RA certificate database
  [11/31]: fixing RA database permissions
  [12/31]: setting up signing cert profile
  [13/31]: setting audit signing renewal to 2 years
  [14/31]: restarting certificate server
  [15/31]: requesting RA certificate from CA
  [16/31]: issuing RA agent certificate
  [17/31]: adding RA agent as a trusted user
  [18/31]: authorizing RA to modify profiles
  [19/31]: authorizing RA to manage lightweight CAs
  [20/31]: Ensure lightweight CAs container exists
  [21/31]: configure certmonger for renewals
  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [3/9]: initialize kerberos container
Failed to initialize the realm container
  [4/9]: adding default ACIs
  [5/9]: creating a keytab for the directory
  [error] CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
ipa.ipapython.install.cli.install_tool(Server): ERROR    Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The log file ends with

2016-11-29T08:55:01Z DEBUG   [5/9]: creating a keytab for the directory
2016-11-29T08:55:01Z DEBUG Starting external process
2016-11-29T08:55:01Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions
2016-11-29T08:55:02Z DEBUG Process finished, return code=-11
2016-11-29T08:55:02Z DEBUG stdout=
2016-11-29T08:55:02Z DEBUG stderr=
2016-11-29T08:55:02Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 327, in __create_ds_keytab
    installutils.kadmin_addprinc(ldap_principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 454, in kadmin_addprinc
    kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 451, in kadmin
    "-x", "ipa-setup-override-restrictions"])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 515, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11

2016-11-29T08:55:02Z DEBUG   [error] CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
2016-11-29T08:55:02Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 334, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 376, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 405, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 395, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 363, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 597, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 376, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 405, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 395, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 457, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 395, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 363, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1372, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 270, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 807, in install
    subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 167, in create_instance
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 327, in __create_ds_keytab
    installutils.kadmin_addprinc(ldap_principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 454, in kadmin_addprinc
    kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 451, in kadmin
    "-x", "ipa-setup-override-restrictions"])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 515, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))

2016-11-29T08:55:02Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
2016-11-29T08:55:02Z ERROR Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
2016-11-29T08:55:02Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

No error, FreeIPA server properly configured.

Additional info:

Comment 1 Petr Vobornik 2016-12-02 19:33:35 UTC
I wonder if the new build freeipa-4.4.2-3.fc26 (http://koji.fedoraproject.org/koji/buildinfo?buildID=821068) fixes it. It was originally a fix for bug 1389866.

Comment 2 Jan Pazdziora 2016-12-06 10:51:05 UTC
I'll recheck it once samba gets rebuilt so that freeipa-server actually installs in rawhide.

Comment 3 Jan Pazdziora 2016-12-09 13:29:50 UTC
I confirm that the latest rawhide containers get past this error.
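
The installer log in the description records "return code=-11". Python reports a child process killed by a signal as the negative signal number, and signal 11 on Linux is SIGSEGV, so kadmin.local crashed rather than returning an error. The following is an added example, not part of the bug report or of FreeIPA's code: a triage helper that pairs each args= line with its return code= line and decodes the status. The function names and the /bin/true log entry are constructed for illustration.

```python
import re
import signal

# Constructed sample in the ipaserver-install.log format; the /bin/true entry is invented.
SAMPLE_LOG = """\
2016-11-29T08:55:01Z DEBUG   [5/9]: creating a keytab for the directory
2016-11-29T08:55:01Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions
2016-11-29T08:55:02Z DEBUG Process finished, return code=-11
2016-11-29T08:55:03Z DEBUG args=/bin/true
2016-11-29T08:55:03Z DEBUG Process finished, return code=0
"""

ARGS_RE = re.compile(r"^(\S+) DEBUG args=(.*)$")
RC_RE = re.compile(r"^(\S+) DEBUG Process finished, return code=(-?\d+)$")


def describe_return_code(rc):
    """Classify a subprocess return code: negative means killed by signal -rc."""
    if rc == 0:
        return "ok"
    if rc > 0:
        return "exit status %d" % rc
    try:
        name = signal.Signals(-rc).name
    except ValueError:
        name = "signal %d" % -rc
    return "killed by %s" % name


def failed_commands(log_text):
    """Pair each 'args=' line with the next 'return code=' line; return failures."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            pending = m.group(2)
            continue
        m = RC_RE.match(line)
        if m and pending is not None:
            rc = int(m.group(2))
            if rc != 0:
                failures.append((m.group(1), pending, rc, describe_return_code(rc)))
            pending = None
    return failures


if __name__ == "__main__":
    for ts, cmd, rc, why in failed_commands(SAMPLE_LOG):
        print("%s rc=%d (%s): %s" % (ts, rc, why, cmd))
```

A signal-terminated helper with empty stdout and stderr, as in this log, points at a crash in the binary or a library it loads, so the next place to look is a core dump or the system journal rather than the installer's own output.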