Bug 1482225
| Summary: | ipa-replica-install fails with 'HTTPError: 403 Client Error: Forbidden' due to a custodia issue | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Kent Perrier <kperrier> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED UPSTREAM | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.3 | CC: | aheverle, cheimes, frenaud, gparente, jstephen, pasik, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-22 11:30:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Copying info added in the customer case 01847286:
----
Hi,

I noticed the following 2 points when looking at the sos report sosreport-DMendez.01847286-20170804101647.tar.xz (57.5 MB)

1/ the master utuidmapp01 has the following /etc/hostname:
utuidmapp01
i.e. it does not define a FQDN for the machine. IPA recommends to define fqdn for the machines (see in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs : The host name must be a fully qualified domain name)

2/ on the master, the sos report does not show any custodia configuration file in /etc/ipa/custodia/custodia.conf and the journal shows
Aug 02 09:37:33 utuidmapp01 custodia[5330]: File "/usr/sbin/custodia", line 46, in parse_config
Aug 02 09:37:33 utuidmapp01 custodia[5330]: raise IOError("Failed to read config file")

Can you check if this file is present on the master? After a successful custodia install we should find
sudo ls -l /etc/ipa/custodia
total 8
-rw-r--r--. 1 root root 663 Aug 17 12:04 custodia.conf
-rw-------. 1 root root 3437 Aug 17 12:05 server.keys

Upstream ticket: https://pagure.io/freeipa/issue/7196

The issue was probably related to a broken custodia environment (see comment # c16).
- The customer cases have been closed
- ipa-server-upgrade now checks custodia server keys and recreates missing files if needed (since commit 387ae9fd0f0afeecffb41ff8ffd6835ae66ea8ff present in ipa-4-7 and backported to ipa-4-6 with commit b216655d601e011b0c144cf5bed88c7a6579a3cf). The code is available in 4.6.4 which is used in RHEL 7.6.

Because of the 2 above reasons, closing this issue as UPSTREAM.
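The two checks from the triage comment above (a fully qualified name in /etc/hostname, and custodia.conf plus server.keys present with the listed modes) can be run as a pre-flight script on the master. This is an added example, not part of the bug report or FreeIPA code; the function names are illustrative and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: pre-flight check on an IPA master before ipa-replica-install.
# Paths and modes come from the listing in the comment; function names are illustrative.

# is_fqdn NAME: true if NAME contains a dot and has no empty labels.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_custodia_dir [DIR]: report missing files and loose key permissions.
check_custodia_dir() {
    cd_dir=${1:-/etc/ipa/custodia}
    cd_rc=0
    for cd_f in custodia.conf server.keys; do
        if [ ! -s "$cd_dir/$cd_f" ]; then
            echo "MISSING: $cd_dir/$cd_f is absent or empty"
            cd_rc=1
        fi
    done
    # The listing shows server.keys as -rw------- (0600).
    if [ -f "$cd_dir/server.keys" ]; then
        cd_mode=$(stat -c '%a' "$cd_dir/server.keys")
        if [ "$cd_mode" != "600" ]; then
            echo "PERMS: $cd_dir/server.keys is mode $cd_mode, expected 600"
            cd_rc=1
        fi
    fi
    return "$cd_rc"
}

# preflight HOSTNAME [DIR]: run both checks, return non-zero on any finding.
preflight() {
    pf_rc=0
    is_fqdn "$1" || { echo "HOSTNAME: '$1' is not fully qualified"; pf_rc=1; }
    check_custodia_dir "${2:-/etc/ipa/custodia}" || pf_rc=1
    return "$pf_rc"
}

# Run only when called with arguments, e.g.: sh preflight.sh "$(cat /etc/hostname)"
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A non-zero exit with a MISSING line matches the state described in the comment, where the journal shows custodia failing to read its config file.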
Created attachment 1314328 [details]
error log for the operation

Description of problem:
Customer is attempting to set up IPA replica. The replica install fails with the above error

Version-Release number of selected component (if applicable):
ipa-admintools-4.4.0-14.el7_3.4.noarch Tue Jun 13 16:36:09 2017
ipa-client-4.4.0-14.el7_3.4.x86_64 Tue Jun 13 16:36:09 2017
ipa-client-common-4.4.0-14.el7_3.4.noarch Tue Jun 13 16:35:55 2017
ipa-common-4.4.0-14.el7_3.4.noarch Tue Jun 13 16:35:55 2017
ipa-server-4.4.0-14.el7_3.4.x86_64 Tue Jun 13 16:36:25 2017
ipa-server-common-4.4.0-14.el7_3.4.noarch Tue Jun 13 16:36:09 2017

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info: