Bug 1614837

Summary: ipa-replica-install --setup-kra broken on DL0 with latest version [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7
Reporter: Jaroslav Reznik <jreznik>
Component: pki-core
Assignee: Alexander Bokovoy <abokovoy>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.6
CC: abokovoy, cpelland, frenaud, ftweedal, mharmsen, msauton, ndehadra, nsoman, pvoborni, rcritten, rhcs-maint, tdudlak, tscherf
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pki-core-10.5.1-15.el7_5
Doc Type: Bug Fix
Doc Text:
When you set up an Identity Management (IdM) replica with certificate authority (CA), the pkispawn utility, provided by the pki-core package, reads the replication status from the nsds5replicaLastInitStatus attribute stored in LDAP. A previous update of Red Hat Directory Server changed the status message from "0 Total update succeeded" to "Error (0) Total update succeeded". As a consequence, setting up an IdM replica with CA failed. The pkispawn utility has been updated to support both status messages. As a result, setting up an IdM replica with CA works as expected with both the previous and latest versions of Directory Server.
Story Points: ---
Clone Of: 1596629
Last Closed: 2018-09-25 19:07:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1596629

Description Jaroslav Reznik 2018-08-10 14:15:12 UTC
This bug has been copied from bug #1596629 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 3 Matthew Harmsen 2018-08-11 02:02:50 UTC
commit 151ecf63106425cada104d141a81722570ba2b28
Author: Alexander Bokovoy <abokovoy>
Date:   Thu Aug 2 10:33:08 2018 +0300

    ConfigurationUtil: support new format for nsds5replicaLastInitStatus value
    
    pkispawn is reading the attribute nsds5replicaLastInitStatus in
    cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping
    tree,cn=config in order to find the replication status.  The new format
    (in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update
    succeeded" but pkispawn is expecting "0 Total update succeeded"
    
    389-ds-base introduced this change with https://pagure.io/389-ds-base/issue/49599
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1596629
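The status-parsing change described in the Doc Text above and in the commit message in Comment 3, as an added example that is not pkispawn's, pki-core's or 389-ds-base's own code: a small Python module that accepts both spellings of nsds5replicaLastInitStatus and polls until the total update either succeeds or reports a non-zero error code. The agreement DN is the one quoted in the commit message; the ldapsearch invocation in the comment assumes an IdM slapd socket name and is illustrative; the attribute values used in the `__main__` block are constructed, not captured from a server.

```python
import re
import time
from typing import Callable, NamedTuple, Optional

# 389-ds-base 1.3.7 (pagure issue 49599) changed the spelling of
# nsds5replicaLastInitStatus:
#   old: "0 Total update succeeded"
#   new: "Error (0) Total update succeeded"
# A checker that only accepts the old "0 " prefix treats the new value as a
# failure, which is what broke ipa-replica-install with --setup-ca/--setup-kra.
# The two patterns are disjoint (one starts with "Error", the other with a digit).
_NEW_FORMAT = re.compile(r"^Error\s*\((-?\d+)\)\s*(.*)$")
_OLD_FORMAT = re.compile(r"^(-?\d+)\s+(.*)$")

# DN that pkispawn reads, from the commit message ($hostname varies per replica).
AGREEMENT_DN = ("cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,"
                "cn=o\\3Dipaca,cn=mapping tree,cn=config")
# To read the attribute by hand on an IdM server (socket name assumed; it follows
# the slapd-<REALM> instance name):
#   ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -Y EXTERNAL \
#     -b "cn=mapping tree,cn=config" "(objectClass=nsds5replicationagreement)" \
#     nsds5replicaLastInitStatus


class InitStatus(NamedTuple):
    code: int      # 0 on success, a non-zero replication/LDAP error code otherwise
    message: str   # human-readable text, e.g. "Total update succeeded"


def parse_init_status(value: Optional[str]) -> Optional[InitStatus]:
    """Parse either spelling of the attribute; None for an empty or unrecognised value."""
    if not value:
        return None
    value = value.strip()
    for pattern in (_NEW_FORMAT, _OLD_FORMAT):
        m = pattern.match(value)
        if m:
            return InitStatus(int(m.group(1)), m.group(2).strip())
    return None


def init_succeeded(value: Optional[str]) -> bool:
    """True only for code 0 together with a 'succeeded' message, in either format.

    Code 0 alone is not enough: the attribute also carries code 0 while the
    total update is still running."""
    status = parse_init_status(value)
    return (status is not None and status.code == 0
            and "succeeded" in status.message.lower())


def wait_for_init(fetch_status: Callable[[], Optional[str]],
                  attempts: int = 30, delay: float = 0.0) -> Optional[InitStatus]:
    """Poll fetch_status() (a callable returning the current attribute value)
    until the total update succeeds or reports a non-zero error.

    Returns the decisive InitStatus, or the last parsable one if attempts run out
    (None if nothing parsable was ever seen)."""
    last = None
    for _ in range(attempts):
        status = parse_init_status(fetch_status())
        if status is not None:
            last = status
            if status.code != 0 or "succeeded" in status.message.lower():
                return status   # hard error or success: stop polling
        if delay:
            time.sleep(delay)
    return last


if __name__ == "__main__":
    # Constructed sequence of attribute values, not captured from a server.
    samples = iter(["Error (0) Total update in progress",
                    "Error (0) Total update succeeded"])
    final = wait_for_init(lambda: next(samples, None))
    print(final, init_succeeded("0 Total update succeeded"))
```

The point worth keeping from the fix is that the caller should treat the numeric code and the message separately: accept either spelling, fail fast on a non-zero code, and keep polling on code 0 until the message actually says the update succeeded.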

Comment 7 Nikhil Dehadrai 2018-09-07 09:11:03 UTC
Version: ipa-server-4.5.4-10.el7_5.4.3

Verified the bug on the basis of following observations:
1. Verified that IPA-server installation is successful at Domain level 0.
2. Verified that ipa-replica installation using --setup-kra is successful against this ipa-master in step 1.

Console:

../../../../../root/ipa-pytests/src/replica-install/test_bugcheck_dl0.py::TestBugCheck::test_0001_bz_1492560 

MASTER:
--------
RUNCMD: /usr/sbin/ipa-server-install --setup-dns --forwarder 10.x.x.x --domain testrelm.test --realm TESTRELM.TEST --admin-password Secret123 --ds-password Secret123 -U --reverse-zone x.x.10.in-addr.arpa. --allow-zone-overlap --setup-kra --domain-level=0

REPLICA:
--------
RUNCMD: /usr/sbin/ipa-replica-install -U --setup-dns --forwarder 10.x.x.x --setup-ca --setup-kra --admin-password Secret123 --password Secret123 /var/lib/ipa/replica-info-vm-idm-028.testrelm.test.gpg

STDOUT: WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configuring replication version plugin
  [11/42]: enabling IPA enrollment plugin
  [12/42]: configuring uniqueness plugin
  [13/42]: configuring uuid plugin
  [14/42]: configuring modrdn plugin
  [15/42]: configuring DNS plugin
  [16/42]: enabling entryUSN plugin
  [17/42]: configuring lockout plugin
  [18/42]: configuring topology plugin
  [19/42]: creating indices
  [20/42]: enabling referential integrity plugin
  [21/42]: configuring certmap.conf
  [22/42]: configure new location for managed entries
  [23/42]: configure dirsrv ccache
  [24/42]: enabling SASL mapping fallback
  [25/42]: restarting directory server
  [26/42]: creating DS keytab
  [27/42]: ignore time skew for initial replication
  [28/42]: setting up initial replication
Starting replication, please wait until this has completed.

Update in progress, 1 seconds elapsed
Update in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update in progress, 4 seconds elapsed
Update succeeded

  [29/42]: prevent time skew after initial replication
  [30/42]: adding sasl mappings to the directory
  [31/42]: updating schema
  [32/42]: setting Auto Member configuration
  [33/42]: enabling S4U2Proxy delegation
  [34/42]: initializing group membership
  [35/42]: adding master entry
  [36/42]: initializing domain level
  [37/42]: configuring Posix uid/gid generation
  [38/42]: adding replication acis
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: importing RA certificate from PKCS #12 file
  [11/29]: setting up signing cert profile
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: authorizing RA to modify profiles
  [15/29]: authorizing RA to manage lightweight CAs
  [16/29]: Ensure lightweight CAs container exists
  [17/29]: Ensuring backward compatibility
  [18/29]: configure certificate renewals
  [19/29]: configure Server-Cert certificate renewal
  [20/29]: Configure HTTP to proxy connections
  [21/29]: restarting certificate server
  [22/29]: updating IPA configuration
  [23/29]: enabling CA instance
  [24/29]: exposing CA instance on LDAP
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Finalize replication settings
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/7]: configuring KRA instance
  [2/7]: restarting KRA
  [3/7]: configure certmonger for renewals
  [4/7]: configure certificate renewals
  [5/7]: configure HTTP to proxy connections
  [6/7]: apply LDAP updates
  [7/7]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Configuring client side components



STDERR: Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: vm-idm-028.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: vm-idm-028.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://vm-idm-028.testrelm.test/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://vm-idm-028.testrelm.test/ipa/json'
trying https://vm-idm-028.testrelm.test/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://vm-idm-028.testrelm.test/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://vm-idm-028.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://vm-idm-028.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

TIME: 13:48:21
PASSED

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.

Comment 10 errata-xmlrpc 2018-09-25 19:07:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2759