Bug 1732620

Summary: FreeIPA enrolment via kickstart fails since Fedora-Rawhide-20190722.n.1 (anaconda-31.20-1.fc31), 'realm join' step not run at all
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: anaconda
Assignee: Vendula Poncova <vponcova>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: anaconda-maint-list, jonathan, kellin, robatino, vanmeeuwen+fedora, vponcova, wwoods
Hardware: All
OS: Linux
Whiteboard: openqa
Fixed In Version: anaconda-31.21-1
Last Closed: 2019-07-26 21:02:34 UTC
Type: Bug
Bug Blocks: 1644937

Description Adam Williamson 2019-07-23 22:04:47 UTC
Since anaconda-31.20 appeared in Fedora-Rawhide-20190722.n.1, the openQA test for enrolling to a FreeIPA domain via kickstart has been failing. The install completes successfully, but the system is not actually enrolled to the FreeIPA domain at all.

From program.log, it looks like anaconda just never actually attempts to run 'realm join'. Here's an extract from program.log from when this test passed, in the previous compose:

===

21:30:45,876 INF program: Running... realm discover --verbose ipa001.domain.local
21:30:46,063 INF program: domain.local
21:30:46,064 INF program: type: kerberos
21:30:46,064 INF program: realm-name: DOMAIN.LOCAL
21:30:46,064 INF program: domain-name: domain.local
21:30:46,064 INF program: configured: no
21:30:46,064 INF program: server-software: ipa
21:30:46,064 INF program: client-software: sssd
21:30:46,064 INF program: required-package: freeipa-client
21:30:46,064 INF program: required-package: oddjob
21:30:46,064 INF program: required-package: oddjob-mkhomedir
21:30:46,065 INF program: required-package: sssd
21:30:46,065 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
21:30:46,065 INF program: * Resolving: ipa001.domain.local
21:30:46,065 INF program: * Performing LDAP DSE lookup on: 10.0.2.100
21:30:46,065 INF program: * Successfully discovered: domain.local
21:30:46,066 DBG program: Return code: 0
...[later]...
21:36:17,009 INF program: Running... realm join --install /mnt/sysroot --verbose --one-time-password=monkeys ipa001.domain.local
21:36:36,373 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
21:36:36,374 INF program: * Resolving: ipa001.domain.local
21:36:36,374 INF program: * Performing LDAP DSE lookup on: 10.0.2.100
21:36:36,374 INF program: * Successfully discovered: domain.local
21:36:36,374 INF program: * Assuming packages are installed
21:36:36,374 INF program: * LANG=C /usr/sbin/ipa-client-install --domain domain.local --realm DOMAIN.LOCAL --mkhomedir --enable-dns-updates --unattended --force-join --server ipa001.domain.local --fixed-primary --password monkeys --force-ntpd
21:36:36,375 INF program: Option --force-ntpd has been deprecated and will be removed in a future release.
21:36:36,375 INF program: Client hostname: client001.domain.local
21:36:36,375 INF program: Realm: DOMAIN.LOCAL
21:36:36,375 INF program: DNS Domain: domain.local
21:36:36,375 INF program: IPA Server: ipa001.domain.local
21:36:36,375 INF program: BaseDN: dc=domain,dc=local
21:36:36,375 INF program: Synchronizing time
21:36:36,375 INF program: No SRV records of NTP servers found and no NTP server or pool address was provided.
21:36:36,375 INF program: Attempting to sync time with chronyc.
21:36:36,375 INF program: Time synchronization was successful.
21:36:36,375 INF program: Downloading the CA certificate via HTTP, this is INSECURE
21:36:36,376 INF program: Successfully retrieved CA cert
21:36:36,376 INF program: Subject:     CN=Certificate Authority,O=DOMAIN.LOCAL
21:36:36,376 INF program: Issuer:      CN=Certificate Authority,O=DOMAIN.LOCAL
21:36:36,376 INF program: Valid From:  2019-07-23 01:24:55
21:36:36,376 INF program: Valid Until: 2039-07-23 01:24:55
21:36:36,376 INF program: 
21:36:36,376 INF program: Enrolled in IPA realm DOMAIN.LOCAL
...

===

From the failed 20190722.n.1 test, this part of the log looks the same:

===

17:27:18,605 INF program: Running... realm discover --verbose ipa001.domain.local
17:27:18,692 INF program: domain.local
17:27:18,693 INF program: type: kerberos
17:27:18,693 INF program: realm-name: DOMAIN.LOCAL
17:27:18,693 INF program: domain-name: domain.local
17:27:18,693 INF program: configured: no
17:27:18,693 INF program: server-software: ipa
17:27:18,694 INF program: client-software: sssd
17:27:18,694 INF program: required-package: freeipa-client
17:27:18,694 INF program: required-package: oddjob
17:27:18,695 INF program: required-package: oddjob-mkhomedir
17:27:18,695 INF program: required-package: sssd
17:27:18,695 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
17:27:18,695 INF program: * Resolving: ipa001.domain.local
17:27:18,695 INF program: * Performing LDAP DSE lookup on: 10.0.2.100
17:27:18,697 INF program: * Successfully discovered: domain.local
17:27:18,697 DBG program: Return code: 0

===

i.e. the 'realm discover' step is run...but the later 'realm join' step simply does not appear in the log at all, it doesn't seem to be tried at all.

Proposing as a Beta blocker as a violation of Basic criterion "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install..." - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication
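
A check over program.log for the symptom described above, as an added example that is not part of the original report or of anaconda's code: it reports whether a successful 'realm discover' was followed by a 'realm join', and counts lines where the one-time password was written to the log in clear text, as in the passing extract. The sample logs are constructed from the extracts above, and the function names are hypothetical.

```python
import re

# Constructed samples in the format of the program.log extracts above.
PASSING_LOG = """\
21:30:45,876 INF program: Running... realm discover --verbose ipa001.domain.local
21:30:46,066 DBG program: Return code: 0
21:36:17,009 INF program: Running... realm join --install /mnt/sysroot --verbose --one-time-password=monkeys ipa001.domain.local
21:36:36,376 INF program: Enrolled in IPA realm DOMAIN.LOCAL
"""
FAILING_LOG = """\
17:27:18,605 INF program: Running... realm discover --verbose ipa001.domain.local
17:27:18,697 DBG program: Return code: 0
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d,\d{3}) (\w{3}) program: (.*)$")
SECRET = re.compile(r"(--one-time-password=|--password )\S+")

def check_enrolment(log_text):
    """Summarise which realm steps appear in an anaconda program.log."""
    result = {"discover_ok": False, "join_run": False,
              "enrolled_realm": None, "secrets_logged": 0}
    last_cmd = ""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign lines carry no timestamp prefix
        msg = m.group(3)
        if msg.startswith("Running... "):
            last_cmd = msg[len("Running... "):]
            result["join_run"] |= last_cmd.startswith("realm join")
        elif msg == "Return code: 0" and last_cmd.startswith("realm discover"):
            result["discover_ok"] = True
        elif msg.startswith("Enrolled in IPA realm "):
            result["enrolled_realm"] = msg.rsplit(" ", 1)[1]
        if SECRET.search(msg):
            result["secrets_logged"] += 1
    # The symptom in this bug: discovery succeeded but join was never attempted.
    result["regression"] = result["discover_ok"] and not result["join_run"]
    return result

def redact(log_text):
    """Mask enrolment passwords before a log is attached to a public report."""
    return SECRET.sub(lambda m: m.group(1) + "<redacted>", log_text)
```
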

Comment 1 Vendula Poncova 2019-07-24 10:21:30 UTC
Fixed in a pull request: https://github.com/rhinstaller/anaconda/pull/2052

Comment 2 Adam Williamson 2019-07-26 21:02:34 UTC
The test passed in the most recent compose, so this does indeed seem fixed. Thanks!