Bug 701763

Summary: ipa replica install failed
Product: Red Hat Enterprise Linux 6
Reporter: Yi Zhang <yzhang>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: unspecified
Version: 6.1
CC: benl, jgalipea, rmeggins
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-05-11 17:50:02 UTC

Description Yi Zhang 2011-05-03 19:14:15 UTC
Description of problem:
ipa-replica-install failed. /var/log/ipareplica-install.log says:
2011-05-03 12:05:46,725 DEBUG   [7/9]: enable GSSAPI for replication
2011-05-03 12:05:46,759 INFO Changing agreement cn=meTodhcp-122.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-05-03 12:05:47,771 INFO Changing agreement cn=meTodhcp-122.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-05-03 12:05:48,785 INFO Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 20110503190548Z: end: 0
2011-05-03 12:05:49,787 INFO Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 20110503190548Z: end: 0
2011-05-03 12:05:50,790 INFO Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 20110503190548Z: end: 0
2011-05-03 12:05:51,792 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110503190548Z: end: 20110503190550Z
2011-05-03 12:05:51,795 INFO Changing agreement cn=meTodhcp-123.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2011-05-03 12:05:52,807 INFO Changing agreement cn=meTodhcp-123.sjc.redhat.com,cn=replica,cn=dc\3Dsjc\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-05-03 12:05:53,832 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110503190552Z: end: 20110503190552Z
2011-05-03 12:05:53,930 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 540, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 501, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/sbin/ipa-replica-install", line 242, in install_krb
    setup_pkinit, pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 217, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 301, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 562, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 714, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 456, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 449, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]



Version-Release number of selected component (if applicable):
[x86_64.c root@dhcp-123 ~] rpm -qa | grep ipa-server
ipa-server-2.0.0-23.el6.x86_64
ipa-server-selinux-2.0.0-23.el6.x86_64

[x86_64.c root@dhcp-123 ~] rpm -qa | grep ds-replication
ds-replication-1.2.8.0-1.el6.x86_64


How reproducible: always, since last Friday (4/29/2011)


Steps to Reproduce:
1. ON IPA Server: 
   ipa-server-install
   service iptables stop 
   yum install ds-replication  
   yum install bind-dyndb-ldap
   ipa-dns-install 
   ipa-replica-prepare dhcp-123.sjc.redhat.com --ip-address 10.14.54.123
   scp /var/lib/ipa/replica-info-dhcp-123.sjc.redhat.com.gpg root.redhat.com:/var/lib/ipa/.

2. ON IPA Replica
   service iptables stop
   ipa-replica-install /var/lib/ipa/replica-info-dhcp-123.sjc.redhat.com.gpg

  
Actual results: install failed
 
Additional info: firewall has been turned off on both ipa server and replica

Comment 2 Rich Megginson 2011-05-03 20:53:44 UTC
Isn't this https://fedorahosted.org/freeipa/ticket/1188 ?  What version of RHEL-6 ipa has this fix?

Comment 3 RHEL Program Management 2011-05-04 06:00:39 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 4 Yi Zhang 2011-05-04 15:42:08 UTC
Rich:

It doesn't look related to ticket 1188.
What I observed is that all ds setup related work is done. The entry syncing is also finished. It is more like a KDC-related problem.

[i386.c root@dhcp-120 ~] ipa-replica-install /var/lib/ipa/replica-info-dhcp-120.sjc.redhat.com.gpg 
Directory Manager (existing master) password: 

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: restarting certificate server
  [4/11]: configuring certificate server instance
  [5/11]: restarting certificate server
  [6/11]: creating RA agent certificate database
  [7/11]: importing CA chain to RA certificate database
  [8/11]: fixing RA database permissions
  [9/11]: setting up signing cert profile
  [10/11]: set up CRL publishing
  [11/11]: configuring certificate server to start on boot
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/27]: creating directory server user
  [2/27]: creating directory server instance
  [3/27]: adding default schema
  [4/27]: enabling memberof plugin
  [5/27]: enabling referential integrity plugin
  [6/27]: enabling winsync plugin
  [7/27]: configuring replication version plugin
  [8/27]: enabling IPA enrollment plugin
  [9/27]: enabling ldapi
  [10/27]: configuring uniqueness plugin
  [11/27]: configuring uuid plugin
  [12/27]: configuring modrdn plugin
  [13/27]: enabling entryUSN plugin
  [14/27]: configuring lockout plugin
  [15/27]: creating indices
  [16/27]: configuring ssl for ds instance
  [17/27]: configuring certmap.conf
  [18/27]: configure autobind for root
  [19/27]: restarting directory server
  [20/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [21/27]: adding replication acis
  [22/27]: initializing group membership
  [23/27]: adding master entry
  [24/27]: configuring Posix uid/gid generation
  [25/27]: enabling compatibility plugin
  [26/27]: tuning directory server
  [27/27]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range

Comment 5 Rich Megginson 2011-05-04 15:53:46 UTC
The reason why the list index is out of range is because the search to find the principal DN for the given principal failed.  The reason why the search failed is because the database is corrupted.  The reason why the database is corrupted is because the replica crashed during the fixup-memberof operation.  And the reason that happens is due to ticket 1188.  So I just want to confirm that you are testing a version of ipa with that fix in it.
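
Added example (not part of the bug report and not FreeIPA code): a triage sketch for logs in the format quoted in the description. It extracts the last installer step, the last replication status and the innermost traceback frame, then flags the pattern Comment 5 describes, an IndexError raised on a literal [0] where a search result is used. The function names and the sample, which is constructed from the lines above, are assumptions of this example.

```python
import re

# Constructed sample in the format of the ipareplica-install.log excerpt above.
SAMPLE_LOG = '''\
2011-05-03 12:05:46,725 DEBUG   [7/9]: enable GSSAPI for replication
2011-05-03 12:05:53,832 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110503190552Z: end: 20110503190552Z
2011-05-03 12:05:53,930 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 501, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 449, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
'''

LOGLINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ (\w+)\s+(.*)$")
STEP = re.compile(r"^\[(\d+)/(\d+)\]: (.+)$")
REPL = re.compile(r"^Replication Update in progress: (TRUE|FALSE): status: (-?\d+) (.*?): start:")
FRAME = re.compile(r'^\s+File "([^"]+)", line (\d+), in (\S+)$')


def triage(log_text):
    """Summarise an installer log: last step, last replication status, crash site."""
    report = {"step": None, "replication": None, "error": None, "frame": None}
    last_msg = None
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = LOGLINE.match(line)
        if m:
            last_msg = m.group(2)
            s, r = STEP.match(last_msg), REPL.match(last_msg)
            if s:
                report["step"] = (int(s.group(1)), int(s.group(2)), s.group(3))
            elif r:
                report["replication"] = (r.group(1) == "TRUE", int(r.group(2)), r.group(3))
            continue
        f = FRAME.match(line)
        if f:
            if report["frame"] is None:
                report["error"] = last_msg  # message logged just before the traceback
            # Later frames overwrite earlier ones, leaving the innermost call.
            source = lines[i + 1].strip() if i + 1 < len(lines) else ""
            report["frame"] = (f.group(1), int(f.group(2)), f.group(3), source)
    return report


def masks_empty_result(report):
    """Heuristic: IndexError message plus a literal [0] on the crash line."""
    frame = report["frame"]
    return bool(frame) and report["error"] == "list index out of range" and "[0]" in frame[3]
```

On the sample, the replication status is reported as succeeded while the crash site is the a_pn[0] lookup, which is why the installer's own message gives no hint of the failed principal search.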

Comment 6 Jenny Severance 2011-05-04 17:05:00 UTC
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=698421

Comment 7 Jenny Severance 2011-05-11 17:50:02 UTC

*** This bug has been marked as a duplicate of bug 698421 ***