Bug 1437951
| Summary: | Remove pkinit-related options from server/replica-install on DL0 |
|---|---|
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa |
| Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA |
| QA Contact: | Scott Poore <spoore> |
| Severity: | unspecified |
| Priority: | unspecified |
| Version: | 7.4 |
| CC: | jcholast, ksiddiqu, pvoborni, rcritten, spoore, tscherf |
| Target Milestone: | rc |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Fixed In Version: | ipa-4.5.0-5.el7 |
| Doc Type: | If docs needed, set a value |
| Last Closed: | 2017-08-01 09:47:49 UTC |

Description
Petr Vobornik
2017-03-31 14:11:35 UTC
Upstream ticket: https://pagure.io/freeipa/issue/6801

master:

- 6cda1509a68d7a21578280d381a6b9e994fd4f49 Fix the order of cert-files check
- 9e3ae785ac9b62b8e0809a4aa56363c458316135 Don't allow setting pkinit-related options on DL0
- 8af884d0489d5d57895959d27ca6eb8815c6c922 replica-prepare man: remove pkinit option refs
- fe7cf1e854b7dc28861455011091df3cbe45abe9 Remove redundant option check for cert files

ipa-4-5:

- 497e766427b3ced865ff88a51cd0c2c96e8b24f9 Fix the order of cert-files check
- a1ad1ffa3540da4b5d5c1963b3818d9c9260e1a2 Don't allow setting pkinit-related options on DL0
- 85720b6bdc764b98dd471799ccc1045e1379709e replica-prepare man: remove pkinit option refs
- 8f7b6c349f4e81e88ef36f014e26de6b1f3f3e41 Remove redundant option check for cert files

How can I attempt to install a master with DL0 with pkinit options? I thought those weren't introduced until 4.5. So can I attempt a DL0 Master install somehow with those or is this really just for replica installs?

Thanks,
Scott

Testing on a replica. Just checking that this is the intended behavior?

I set up a RHEL6.9 IPA Master and ran

```
[root@rhel6-1 ~]# ipa-replica-prepare --ip-address=192.168.122.73 --reverse-zone=122.168.192.in-addr.arpa. rhel7-3.example.com
Directory Manager (existing master) password:
Preparing replica for rhel7-3.example.com from rhel6-1.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-rhel7-3.example.com.gpg
Adding DNS records for rhel7-3.example.com
Using reverse zone 122.168.192.in-addr.arpa.
...
```

Checking that pkinit options don't work for

```
[root@rhel7-3 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -n example.com -r EXAMPLE.COM -P Secret123 --pkinit-cert-file=/dev/null --pkinit-pin=123456 --pkinit-cert-name=KDC /var/lib/ipa/replica-info-rhel7-3.example.com.gpg
Usage: ipa-replica-install [options] [REPLICA_FILE]

ipa-replica-install: error: pkinit on domain level 0 is not supported. Please don't use any pkinit-related options.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```

Domain level 0 master can also be an IPA 4.5 upgraded from IPA 4.2 or IPA 4.4 (which was still on domain level 0).

An alternative, quick, but not supported option is to use the undocumented '--domain-level 0' option to test this without upgrading.

Verified.

Version ::

ipa-server-4.5.0-13.el7.x86_64

Results ::

Since we can't run ipa-server-install on IPA 4.5 after it was already run on 4.2 and then upgraded, we are focused here on the replica-install on domain level 0.

See comment #6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304