Bug 728614

Summary: el61 - ipa-replica-install does not check for dbus, fails on certmonger
Product: Red Hat Enterprise Linux 6 Reporter: Marc Sauton <msauton>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.1CC: benl, dpal, grajaiya, jgalipea, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.1-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: ipa-replica-install does not ensure that the dbus service is running so tracking certificates with certmonger returns an error. Consequence: Replica installation fails. Fix: Make sure messagebus is running prior to starting certmonger. Result: Replica installation succeeds.
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:29:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marc Sauton 2011-08-05 19:36:27 UTC
Description of problem:

Just an annoyance to be able to get a clean replica installation when one forget to check this:

/usr/sbin/ipa-replica-install does not check for dbus, fails on certmonger
but /usr/sbin/ipa-server-install do check and starts dbus.
could we add the same sanity check for requirements in /usr/sbin/ipa-replica-install?


Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server release 6.1 (Santiago)
Linux ipaserver2.example.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

ipa-pki-common-theme-9.0.3-6.el6.noarch
ipa-server-2.0.0-23.el6_1.1.x86_64
ipa-pki-ca-theme-9.0.3-6.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.0.0-23.el6_1.1.x86_64
ipa-client-2.0.0-23.el6_1.1.x86_64
ipa-server-selinux-2.0.0-23.el6_1.1.x86_64
ipa-admintools-2.0.0-23.el6_1.1.x86_64


How reproducible:
always


Steps to Reproduce:

1. have a first system installed with RHEL 6.1, ipaserver1.example.com

2. have RHN repo access

3. have this first system with a ipa server installed, on ipaserver1.example.com:
ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver1.example.com --ip-address=10.14.5.16 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton --idstart=100 --unattended

4. prepare an ipa replica, with adding dns entries in ipaserver1:
ipa-replica-prepare ipaserver2.example.com --ip-address 10.14.5.15

3. have a second system installed with RHEL 6.1, ipaserver2.example.com

4. make ipaserver2.example.com an ipa replica with ipaserver1.example.com:
ipa-replica-install /var/lib/ipa/replica-info-ipaserver2.example.com.gpg

  
Actual results:

Directory Manager (existing master) password:
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
creation of replica failed: Command '/sbin/service certmonger start ' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Expected results:


Additional info:

Have no problems installing and running ipaserver1, messagebus has been up and running, was started after creating some certs and before configuring DS:

[root@ipaserver1 ~]# grep messagebus /var/log/*
/var/log/ipaserver-install.log:2011-08-04 19:08:41,298 DEBUG args=/sbin/service messagebus start

less /usr/sbin/ipa-server-install
...
    # Now put the CA cert where other instances exepct it
    ca.publish_ca_cert("/etc/ipa/ca.crt")

    service.start('messagebus')

    # Create a directory server instance
...


But not on replica after running ipa-replica-install:
[root@ipaserver2 ~]# /etc/init.d/messagebus status
messagebus is stopped

[root@ipaserver2 ~]# grep messagebus /var/log/*
[root@ipaserver2 ~]#

Comment 2 Rob Crittenden 2011-08-05 19:45:45 UTC
https://fedorahosted.org/freeipa/ticket/1580

Comment 3 Rob Crittenden 2011-08-19 15:18:21 UTC
master: 1ec531469ee0cf91ed9e150307d93e5ab12aa2a6

ipa-2-1: 704732630cbb466c00b0d49a88a016ed7f861c63

Comment 5 Rob Crittenden 2011-11-01 01:19:55 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: ipa-replica-install does not ensure that the dbus service is running so tracking certificates with certmonger returns an error.
Consequence: Replica installation fails.
Fix: Make sure messagebus is running prior to starting certmonger.
Result: Replica installation succeeds.

Comment 6 Gowrishankar Rajaiyan 2011-11-08 07:06:53 UTC
IPA SERVER1:

[root@ipaqavma ~]# ipa-server-install --realm=IDM.LAB.BOS.REDHAT.COM --domain=idm.lab.bos.redhat.com --ds-password=Secret123 --master-password=Secret123 --admin-password=Secret123 --hostname=ipaqavma.idm.lab.bos.redhat.com --ip-address=10.16.98.178 --setup-dns --forwarder=10.14.7.221 --zonemgr=gsr --idstart=100 --unattended

[root@ipaqavma ~]# ipa-replica-prepare ipaqavmc.idm.lab.bos.redhat.com --ip-address=10.16.98.180
Directory Manager (existing master) password: 

Preparing replica for ipaqavmc.idm.lab.bos.redhat.com from ipaqavma.idm.lab.bos.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ipaqavmc.idm.lab.bos.redhat.com.gpg
Adding DNS records for ipaqavmc.idm.lab.bos.redhat.com
Using reverse zone 98.16.10.in-addr.arpa.
[root@ipaqavma ~]# 


IPA SERVER2:
[root@ipaqavmc ~]# ipa-replica-install /var/lib/ipa/replica-info-ipaqavmc.idm.lab.bos.redhat.com.gpg 
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'ipaqavma.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.BOS.REDHAT.COM password: 

Execute check on remote master
Check connection from master to remote replica 'ipaqavmc.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/29]: creating directory server user
  [2/29]: creating directory server instance
  [3/29]: adding default schema
  [4/29]: enabling memberof plugin
  [5/29]: enabling referential integrity plugin
  [6/29]: enabling winsync plugin
  [7/29]: configuring replication version plugin
  [8/29]: enabling IPA enrollment plugin
  [9/29]: enabling ldapi
  [10/29]: configuring uniqueness plugin
  [11/29]: configuring uuid plugin
  [12/29]: configuring modrdn plugin
  [13/29]: enabling entryUSN plugin
  [14/29]: configuring lockout plugin
  [15/29]: creating indices
  [16/29]: configuring ssl for ds instance
  [17/29]: configuring certmap.conf
  [18/29]: configure autobind for root
  [19/29]: configure new location for managed entries
  [20/29]: restarting directory server
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/29]: adding replication acis
  [23/29]: setting Auto Member configuration
  [24/29]: initializing group membership
  [25/29]: adding master entry
  [26/29]: configuring Posix uid/gid generation
  [27/29]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
  [28/29]: tuning directory server
  [29/29]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd 
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
  [1/12]: disabling mod_ssl in httpd
  [2/12]: setting mod_nss port to 443
  [3/12]: setting mod_nss password file
  [4/12]: enabling mod_nss renegotiate
  [5/12]: adding URL rewriting rules
  [6/12]: configuring httpd
  [7/12]: setting up ssl
  [8/12]: publish CA cert
  [9/12]: creating a keytab for httpd
  [10/12]: configuring SELinux for httpd
  [11/12]: restarting httpd
  [12/12]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
[root@ipaqavmc ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
HTTP Service: RUNNING
[root@ipaqavmc ~]# 


[root@ipaqavmc ~]# grep messagebus /var/log/*
/var/log/ipareplica-install.log:2011-11-08 01:54:34,987 DEBUG args=/sbin/service messagebus start 
/var/log/ipareplica-install.log:2011-11-08 01:55:29,506 DEBUG args=/sbin/service messagebus start 


[root@ipaqavmc ~]# /etc/init.d/messagebus status
messagebus (pid  1355) is running...
[root@ipaqavmc ~]# 


[root@ipaqavmc ~]# ipa user-add shanks --first=shanks --last=r --password
Password: 
Enter Password again to verify: 
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: shanks
  Last name: r
  Full name: shanks r
  Display name: shanks r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: shanks r
  Login shell: /bin/sh
  Kerberos principal: shanks.BOS.REDHAT.COM
  UID: 100100
  GID: 100100
  Keytab: True
  Password: True
[root@ipaqavmc ~]# 


IPA SERVER1:
[root@ipaqavma ~]# ipa user-find shanks
--------------
1 user matched
--------------
  User login: shanks
  First name: shanks
  Last name: r
  Home directory: /home/shanks
  Login shell: /bin/sh
  UID: 100100
  GID: 100100
  Account disabled: False
  Keytab: True
  Password: True
----------------------------
Number of entries returned 1
----------------------------
[root@ipaqavma ~]# 


Verified.
[root@ipaqavma ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 9.el6                         Build Date: Mon 07 Nov 2011 03:00:54 PM EST
Install Date: Tue 08 Nov 2011 01:32:36 AM EST      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-9.el6.src.rpm
Size        : 3382131                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@ipaqavma ~]#

Comment 7 errata-xmlrpc 2011-12-06 18:29:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html