Bug 1623486
| Summary: | PKINIT configuration did not succeed message is received during Replica-install | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nikhil Dehadrai <ndehadra> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.6 | CC: | frenaud, myusuf, pvoborni, rcritten, tscherf, twoerner | |
| Target Milestone: | rc | Keywords: | Regression, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.6.4-9.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1626379 1633061 (view as bug list) | Environment: | ||
| Last Closed: | 2018-10-30 11:00:22 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1626379, 1633061 | |||
|
Description
Nikhil Dehadrai
2018-08-29 13:26:44 UTC
Issue reproducible with ipa-server-4.6.4-6.el7.x86_64 or ipa-server-4.6.4-7.el7.x86_64 When the replica installer is performing the step 'installing X509 Certificate for PKINIT', it is contacting certmonger in order to get a certificate for PKINIT. certmonger in turn connects to the Apache server and performs a cert_request operation. This operation starts by validation steps, including checking if the hostname corresponds to a server where the KDC service is enabled (by reading the attribute ipaConfigString of the entry cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN). With recent changes (commit 7284097 Delay enabling services until end of installer), ipaconfigstring contains configuredService instead of enabledService and the check fails. Upstream ticket: https://pagure.io/freeipa/issue/7655 The issue is now reproducible with latest RHEL 7.5update4 version: ipa-server-4.5.4-10.el7_5.4.3.x86_64, but the issue is not observed in RHEL 7.5up4 older version :ipa-server-4.5.4-10.el7_5.4.2.x86_64 @Nikhil: Are you sure that ipa 4.5.4-10.el7.4.2 is not affected? Fixed upstream master: https://pagure.io/freeipa/c/2a227c240fae802d3625805e0905a8ce71706b2f https://pagure.io/freeipa/c/bcfd18f336d752483dffc048e1d9c0edac1628fd Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/2ff9684f14c14bcdf4a520c5e00cfe4030868143 https://pagure.io/freeipa/c/5b8531eb8f91c689cba1313dd2a7387f7bb5b5fa ipa-4-6: https://pagure.io/freeipa/c/e02041d9797c2478da27bace65bfc6853afcb638 https://pagure.io/freeipa/c/2a2fd0829e7b768974365b01ea540dc16e705199 ipa-4-7: https://pagure.io/freeipa/c/09c78a1e07056eea1036d974bcdfd8c00a254733 https://pagure.io/freeipa/c/5ea8f8ae9d250b86d66d20df95293a71dc40eb46 As this is a regression also present in 4.5.4, proposing for 7.5.z stream. Automation available in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_one_command_installation Version: ipa-server-4.6.4-10.el7.x86_64 Verified the bug on the basis of following observations: 1. Verified that the message mentioned 'PKINIT configuration did not succeed message is received during Replica-install' is no more observed during installation of replica. 2. The replica installation is successful Console: ---------- # /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns --forwarder=10.x.x.x -- ip-address=10.x.x.x -P admin -w Secret123 Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). Applying LDAP updates Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: disabling Schema Compat [6/10]: starting directory server [7/10]: upgrading server [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Finalize replication settings Restarting the KDC Configuring DNS (named) [root@auto-hv-01-guest01 ~]# rpm -q ipa-server ipa-server-4.6.4-10.el7.x86_64 [root@auto-hv-01-guest01 ~]# grep "PKINIT configuration did not succeed message is received during Replica-install" /var/log/ipareplica-install.log [root@auto-hv-01-guest01 ~]# tail -1 /var/log/ipareplica-install.log 2018-09-20T08:40:17Z INFO The ipa-replica-install command was successful [root@auto-hv-01-guest01 ~]# grep -rn "FAIL" /var/log/ipareplica-install.log [root@auto-hv-01-guest01 ~]# Thus on the basis of above observations, marking the status of bug to 'VERIFIED'. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3187 |