Bug 1433082
| Summary: | systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.4 | CC: | ipa-qe, mbabinsk, nsoman, pvoborni, rcritten, spoore, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-3.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:46:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Petr Vobornik
2017-03-16 18:09:36 UTC
Upstream ticket: https://pagure.io/freeipa/issue/6773

Fixed upstream
master: https://pagure.io/freeipa/c/3de09709cc33f1d26f2d605bac82110fe73dde03
ipa-4-5: https://pagure.io/freeipa/c/62c41219acdd0e82201168aea5cb22879c655742

*** Bug 1434568 has been marked as a duplicate of this bug. ***

Verified.

Version ::
ipa-server-4.5.0-4.el7.x86_64

Results ::

Clean server install seen:

```
[root@rhel7-1 ~]# ipa-server-install \
> --setup-dns \
> --forwarder=192.168.122.1 \
> --allow-zone-overlap \
> --domain=example.com \
> --realm=EXAMPLE.COM \
> --hostname=rhel7-1.example.com \
> --ip-address=192.168.122.71 \
> --ds-password=Secret123 \
> --admin-password=Secret123 \
> --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host rhel7-1.example.com
Checking DNS domain example.com., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       rhel7-1.example.com
IP address(es): 192.168.122.71
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Forward policy:   only
Reverse zone(s):  No reverse zone

Adding [192.168.122.71 rhel7-1.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: enabling ldapi
  [4/47]: configure autobind for root
  [5/47]: stopping directory server
  [6/47]: updating configuration in dse.ldif
  [7/47]: starting directory server
  [8/47]: adding default schema
  [9/47]: enabling memberof plugin
  [10/47]: enabling winsync plugin
  [11/47]: configuring replication version plugin
  [12/47]: enabling IPA enrollment plugin
  [13/47]: configuring uniqueness plugin
  [14/47]: configuring uuid plugin
  [15/47]: configuring modrdn plugin
  [16/47]: configuring DNS plugin
  [17/47]: enabling entryUSN plugin
  [18/47]: configuring lockout plugin
  [19/47]: configuring topology plugin
  [20/47]: creating indices
  [21/47]: enabling referential integrity plugin
  [22/47]: configuring certmap.conf
  [23/47]: configure new location for managed entries
  [24/47]: configure dirsrv ccache
  [25/47]: enabling SASL mapping fallback
  [26/47]: restarting directory server
  [27/47]: adding sasl mappings to the directory
  [28/47]: adding default layout
  [29/47]: adding delegation layout
  [30/47]: creating container for managed entries
  [31/47]: configuring user private groups
  [32/47]: configuring netgroups from hostgroups
  [33/47]: creating default Sudo bind user
  [34/47]: creating default Auto Member layout
  [35/47]: adding range check plugin
  [36/47]: creating default HBAC rule allow_all
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
  [3/30]: exporting Dogtag certificate store pin
  [4/30]: stopping certificate server instance to update CS.cfg
  [5/30]: backing up CS.cfg
  [6/30]: disabling nonces
  [7/30]: set up CRL publishing
  [8/30]: enable PKIX certificate path discovery and validation
  [9/30]: starting certificate server instance
  [10/30]: configure certmonger for renewals
  [11/30]: requesting RA certificate from CA
  [12/30]: setting up signing cert profile
  [13/30]: setting audit signing renewal to 2 years
  [14/30]: restarting certificate server
  [15/30]: publishing the CA certificate
  [16/30]: adding RA agent as a trusted user
  [17/30]: authorizing RA to modify profiles
  [18/30]: authorizing RA to manage lightweight CAs
  [19/30]: Ensure lightweight CAs container exists
  [20/30]: configure certificate renewals
  [21/30]: configure Server-Cert certificate renewal
  [22/30]: Configure HTTP to proxy connections
  [23/30]: restarting certificate server
  [24/30]: migrating certificate profiles to LDAP
  [25/30]: importing IPA certificate profiles
  [26/30]: adding default CA ACL
  [27/30]: adding 'ipa' CA entry
  [28/30]: updating IPA configuration
  [29/30]: enabling CA instance
  [30/30]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Restarting directory server to enable password extension plugin
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/22]: setting mod_nss port to 443
  [2/22]: setting mod_nss cipher suite
  [3/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/22]: setting mod_nss password file
  [5/22]: enabling mod_nss renegotiate
  [6/22]: adding URL rewriting rules
  [7/22]: configuring httpd
  [8/22]: setting up httpd keytab
  [9/22]: retrieving anonymous keytab
  [10/22]: configuring Gssproxy
  [11/22]: setting up ssl
  [12/22]: configure certmonger for renewals
  [13/22]: importing CA certificates from LDAP
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: configuring SELinux for httpd
  [17/22]: create KDC proxy user
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: restarting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/11]: generating rndc key file
  [2/11]: adding DNS container
  [3/11]: setting up our zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: adding NS record to the zones
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: setting up server configuration
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: rhel7-1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://rhel7-1.example.com/ipa/json
Forwarding 'schema' to json server 'https://rhel7-1.example.com/ipa/json'
trying https://rhel7-1.example.com/ipa/session/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
```

And snippet from ipaserver-install.log showing reload:

```
2017-03-29T20:49:18Z DEBUG args=/usr/sbin/selinuxenabled
2017-03-29T20:49:18Z DEBUG Process finished, return code=0
2017-03-29T20:49:18Z DEBUG stdout=
2017-03-29T20:49:18Z DEBUG stderr=
2017-03-29T20:49:18Z DEBUG Starting external process
2017-03-29T20:49:18Z DEBUG args=/sbin/restorecon /etc/systemd/system/httpd.service.d/ipa.conf
2017-03-29T20:49:18Z DEBUG Process finished, return code=0
2017-03-29T20:49:18Z DEBUG stdout=
2017-03-29T20:49:18Z DEBUG stderr=
2017-03-29T20:49:18Z DEBUG Starting external process
2017-03-29T20:49:18Z DEBUG args=/bin/systemctl --system daemon-reload
2017-03-29T20:49:18Z DEBUG Process finished, return code=0
2017-03-29T20:49:18Z DEBUG stdout=
2017-03-29T20:49:18Z DEBUG stderr=
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
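The verification comment above establishes the fix by reading ipaserver-install.log: the `restorecon` on the httpd drop-in is followed by a successful `systemctl --system daemon-reload`. The following is an added example, not FreeIPA's code or anything from the bug, that automates that same check over the `DEBUG args=` / `Process finished, return code=` line format quoted in the comment. It assumes (as the quoted log shows) that the last external process naming the drop-in path marks the point after which the reload must occur, and treats a `systemctl restart` of httpd before the reload as a failure; the log excerpt embedded below is constructed in that format.

```python
"""Check an ipaserver-install.log excerpt for the ordering this bug requires:
after the httpd systemd drop-in is touched, `systemctl daemon-reload` must run
and exit 0 before httpd is restarted."""
import re

DROP_IN = "/etc/systemd/system/httpd.service.d/ipa.conf"

# Constructed excerpt in the line format quoted in the bug (not a real log).
SAMPLE_LOG = """\
2017-03-29T20:49:18Z DEBUG Starting external process
2017-03-29T20:49:18Z DEBUG args=/sbin/restorecon /etc/systemd/system/httpd.service.d/ipa.conf
2017-03-29T20:49:18Z DEBUG Process finished, return code=0
2017-03-29T20:49:18Z DEBUG Starting external process
2017-03-29T20:49:18Z DEBUG args=/bin/systemctl --system daemon-reload
2017-03-29T20:49:18Z DEBUG Process finished, return code=0
"""

ARGS_RE = re.compile(r"^\S+ DEBUG args=(.*)$")
RC_RE = re.compile(r"^\S+ DEBUG Process finished, return code=(\d+)$")


def parse_processes(log_text):
    """Return (command, return_code) pairs in log order, pairing each
    'args=' line with the next 'Process finished' line."""
    procs = []
    pending = None
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RC_RE.match(line)
        if m and pending is not None:
            procs.append((pending, int(m.group(1))))
            pending = None
    return procs


def daemon_reload_follows_drop_in(log_text):
    """True iff a daemon-reload that exited 0 occurs after the last process
    touching the drop-in, and no httpd restart sneaks in before it."""
    procs = parse_processes(log_text)
    touches = [i for i, (cmd, _) in enumerate(procs) if DROP_IN in cmd]
    if not touches:
        return False  # drop-in never touched: nothing to verify
    for cmd, rc in procs[touches[-1] + 1:]:
        if "systemctl" in cmd and "daemon-reload" in cmd:
            return rc == 0
        if "systemctl" in cmd and "restart" in cmd and "httpd" in cmd:
            return False  # httpd restarted with a stale unit definition
    return False
```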