Bug 1482225

Summary: ipa-replica-install fails with 'HTTPError: 403 Client Error: Forbidden' due to a custodia issue
Product: Red Hat Enterprise Linux 7
Reporter: Kent Perrier <kperrier>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED UPSTREAM
QA Contact: ipa-qe <ipa-qe>
Severity: high
Docs Contact:
Priority: high
Version: 7.3
CC: aheverle, cheimes, frenaud, gparente, jstephen, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-22 11:30:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
error log for the operation (flags: none)

Description Kent Perrier 2017-08-16 19:28:09 UTC
Created attachment 1314328
error log for the operation

Description of problem:
Customer is attempting to set up IPA replica. The replica install fails with the above error

Version-Release number of selected component (if applicable):
ipa-admintools-4.4.0-14.el7_3.4.noarch                      Tue Jun 13 16:36:09 2017
ipa-client-4.4.0-14.el7_3.4.x86_64                          Tue Jun 13 16:36:09 2017
ipa-client-common-4.4.0-14.el7_3.4.noarch                   Tue Jun 13 16:35:55 2017
ipa-common-4.4.0-14.el7_3.4.noarch                          Tue Jun 13 16:35:55 2017
ipa-server-4.4.0-14.el7_3.4.x86_64                          Tue Jun 13 16:36:25 2017
ipa-server-common-4.4.0-14.el7_3.4.noarch                   Tue Jun 13 16:36:09 2017

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 8 Florence Blanc-Renaud 2017-08-18 10:53:57 UTC
Copying info added in the customer case 01847286:
----
Hi,
I noticed the following 2 points when looking at the sos report sosreport-DMendez.01847286-20170804101647.tar.xz (57.5 MB) 
1/ the master utuidmapp01 has the following /etc/hostname:
utuidmapp01

i.e. it does not define an FQDN for the machine. IPA recommends defining an FQDN for the machines (see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs):
"The host name must be a fully qualified domain name"

2/ on the master, the sos report does not show any custodia configuration file in /etc/ipa/custodia/custodia.conf and the journal shows
Aug 02 09:37:33 utuidmapp01 custodia[5330]: File "/usr/sbin/custodia", line 46, in parse_config 
Aug 02 09:37:33 utuidmapp01 custodia[5330]: raise IOError("Failed to read config file")

Can you check if this file is present on the master? After a successful custodia install we should find:
sudo ls -l /etc/ipa/custodia
total 8
-rw-r--r--. 1 root root  663 Aug 17 12:04 custodia.conf
-rw-------. 1 root root 3437 Aug 17 12:05 server.keys
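The two checks Florence asks for in comment 8 (FQDN hostname on the master, and the custodia config and key files present with the modes shown in the listing) can be scripted as a pre-flight before running ipa-replica-install. The following is an added example written for this page; it is not code from the bug report, the customer case or FreeIPA. It takes the listing above as the expected state, assumes GNU stat(1) as on RHEL 7, and reports but does not enforce the root:root ownership so that it can be exercised without privileges. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeIPA.
# Checks the two conditions raised in comment 8 on an IPA master:
#   1. the hostname is a fully qualified domain name;
#   2. /etc/ipa/custodia/custodia.conf (0644) and server.keys (0600) exist.
# Assumptions: the listing in comment 8 is the expected state; GNU stat(1) is
# available. Ownership (root:root in the listing) is reported, not enforced.

# is_fqdn NAME: succeed if NAME contains a dot that is not leading, trailing or doubled
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# check_custodia_dir DIR: succeed if DIR/custodia.conf has mode 644 and
# DIR/server.keys has mode 600; each problem is reported on stderr.
# A missing custodia.conf is what produced the journal error
# "Failed to read config file" quoted in comment 8.
check_custodia_dir() {
    dir=$1
    rc=0
    for spec in custodia.conf:644 server.keys:600; do
        name=${spec%%:*}
        want=${spec##*:}
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $path" >&2
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%U:%G' "$path")
        if [ "$mode" != "$want" ]; then
            echo "MODE    $path is $mode (owner $owner), expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# run_checks DIR NAME: run both checks; status 0 only if both pass
run_checks() {
    status=0
    if is_fqdn "$2"; then
        echo "hostname OK        $2"
    else
        echo "hostname NOT FQDN  $2 (IPA requires a fully qualified domain name)" >&2
        status=1
    fi
    if check_custodia_dir "$1"; then
        echo "custodia OK        $1"
    else
        status=1
    fi
    return $status
}

# Stand-alone use on a master:
#   sh check_custodia.sh /etc/ipa/custodia "$(cat /etc/hostname)"
# With fewer than two arguments only the functions are defined (for sourcing).
if [ $# -ge 2 ]; then
    run_checks "$1" "$2"
fi
```

On the master from the sos report this would flag the hostname "utuidmapp01" as not an FQDN and report /etc/ipa/custodia/custodia.conf as missing, which matches the two findings in the comment. Comment 21 notes that later ipa-server-upgrade performs the custodia part of this check itself and recreates missing files.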

Comment 15 Petr Vobornik 2017-10-13 16:22:06 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7196

Comment 21 Florence Blanc-Renaud 2018-10-22 11:30:08 UTC
The issue was probably related to a broken custodia environment (see comment # c16).

- The customer cases have been closed
- ipa-server-upgrade now checks custodia server keys and recreates missing files if needed (since commit 387ae9fd0f0afeecffb41ff8ffd6835ae66ea8ff present in ipa-4-7 and backported to ipa-4-6 with commit b216655d601e011b0c144cf5bed88c7a6579a3cf). The code is available in 4.6.4, which is used in RHEL 7.6.

Because of the two reasons above, closing this issue as UPSTREAM.