Bug 739089
| Summary: | Unable to add ipa user on IPv6 machine. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.2 | CC: | benl, dpal, jgalipea, mkosek |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-2.1.2-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Do not document | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 18:31:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Gowrishankar Rajaiyan
2011-09-16 14:38:46 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1807

I configured an IPv6-only environment and IPA server installation worked for me:

```
# ipa user-add -d --first=User --last=Test utest
Usage: ipa [global-options] user-add LOGIN [options]

ipa: error: no such option: -d
[root@vm-120 ~]# man ipa
[root@vm-120 ~]# ipa -d user-add --first=User --last=Test utest
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9.1

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://vm-120.idm.lab.bos.redhat.com/ipa/xml
ipa: DEBUG: NSSConnection init vm-120.idm.lab.bos.redhat.com
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET6
ipa: DEBUG: connecting: [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 1003 (0x3eb)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Issuer: CN=IDM.LAB.BOS.REDHAT.COM Certificate Authority
    Validity:
        Not Before: Mon Sep 19 09:11:22 2011 UTC
        Not After : Sun Sep 19 09:11:22 2021 UTC
    Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
    Subject Public Key Info:
        Public Key Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                cc:a1:ed:19:98:b6:84:eb:82:b8:88:42:61:c2:cf:92:
                72:7a:11:55:97:d0:cc:8a:4a:ae:0a:1c:28:0e:2c:06:
                e1:47:02:f9:a8:48:f1:85:25:76:09:f5:0f:7b:d0:7f:
                7f:82:43:94:46:73:46:f9:ef:d6:3c:00:fb:75:f1:01:
                36:5f:73:0f:e0:71:c9:b5:cb:6c:2a:ff:fe:42:ea:57:
                d6:95:a0:35:22:2e:ad:17:31:38:9c:28:67:36:9e:a3:
                c1:9b:94:c4:10:e3:d3:04:f8:e2:b0:b0:a1:13:f7:a4:
                4f:83:08:43:86:22:bf:21:2c:b9:8d:7f:29:e0:23:e5:
                04:41:40:b4:ee:bd:17:70:63:f3:cc:52:1c:39:e1:ba:
                55:0a:15:d8:67:4c:d4:f6:af:76:f8:cc:b0:8c:73:c6:
                1b:5a:ae:ec:a1:22:1c:90:e7:50:af:09:65:74:1a:84:
                4c:68:63:14:39:83:4a:0d:c0:54:8e:50:8f:d3:7c:9a:
                9b:d9:97:73:9f:ed:6c:35:3b:65:0c:b4:7a:68:06:fe:
                ef:55:90:d2:98:de:0d:b9:90:b7:07:53:a8:71:24:1f:
                98:3c:19:38:93:5d:3d:e9:56:88:3b:a2:55:b4:bd:e0:
                d9:60:e0:dc:4d:a1:ea:b1:f0:34:41:5f:f0:96:73:47
            Exponent: 65537 (0x10001)
    Signed Extensions: (2)
        Name: Certificate Type
        Critical: False
        Name: Certificate Key Usage
        Critical: False
        Usages: Key Encipherment
    Fingerprint (MD5): 75:2b:db:c9:95:fa:f2:ad:ab:88:de:59:9f:7f:bd:75
    Fingerprint (SHA1): 16:68:e5:4c:d7:67:37:49:40:06:cf:44:bb:d9:57:64: ba:94:83:dc
Signature:
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature Data:
        a4:7e:6b:30:55:32:32:b7:4d:5e:1b:eb:0b:e9:07:30:
        7f:f4:f5:d4:c0:f0:64:f0:ed:d0:c9:24:94:ae:54:c5:
        57:e5:c3:e4:f1:16:0b:bd:72:96:68:89:36:1e:18:6f:
        da:3f:fd:a5:f3:d7:7f:45:f7:1d:b9:b2:16:18:ba:d1:
        28:20:85:a2:9f:31:fc:ad:74:f5:b1:3b:d8:31:71:47:
        0a:2a:8c:4c:84:fe:92:38:ea:67:a4:83:c0:74:b7:f8:
        8e:44:99:e6:86:31:2c:ed:6c:7e:2d:b0:ba:3c:c3:f2:
        f9:c1:04:71:c9:bb:77:26:b3:ce:15:9c:79:9c:2b:ba
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: user_add(u'utest', givenname=u'User', sn=u'Test', noprivate=False, all=False, raw=False, version=u'2.11')
ipa: DEBUG: user_add(u'utest', givenname=u'User', sn=u'Test', cn=u'User Test', displayname=u'User Test', initials=u'UT', gecos=u'User Test', krbprincipalname=u'utest.BOS.REDHAT.COM', uidnumber=999, noprivate=False, all=False, raw=False, version=u'2.11')
ipa: INFO: Forwarding 'user_add' to server u'https://vm-120.idm.lab.bos.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init vm-120.idm.lab.bos.redhat.com
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET6
ipa: DEBUG: connecting: [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 1003 (0x3eb)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Issuer: CN=IDM.LAB.BOS.REDHAT.COM Certificate Authority
    Validity:
        Not Before: Mon Sep 19 09:11:22 2011 UTC
        Not After : Sun Sep 19 09:11:22 2021 UTC
    Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
    Subject Public Key Info:
        Public Key Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                cc:a1:ed:19:98:b6:84:eb:82:b8:88:42:61:c2:cf:92:
                72:7a:11:55:97:d0:cc:8a:4a:ae:0a:1c:28:0e:2c:06:
                e1:47:02:f9:a8:48:f1:85:25:76:09:f5:0f:7b:d0:7f:
                7f:82:43:94:46:73:46:f9:ef:d6:3c:00:fb:75:f1:01:
                36:5f:73:0f:e0:71:c9:b5:cb:6c:2a:ff:fe:42:ea:57:
                d6:95:a0:35:22:2e:ad:17:31:38:9c:28:67:36:9e:a3:
                c1:9b:94:c4:10:e3:d3:04:f8:e2:b0:b0:a1:13:f7:a4:
                4f:83:08:43:86:22:bf:21:2c:b9:8d:7f:29:e0:23:e5:
                04:41:40:b4:ee:bd:17:70:63:f3:cc:52:1c:39:e1:ba:
                55:0a:15:d8:67:4c:d4:f6:af:76:f8:cc:b0:8c:73:c6:
                1b:5a:ae:ec:a1:22:1c:90:e7:50:af:09:65:74:1a:84:
                4c:68:63:14:39:83:4a:0d:c0:54:8e:50:8f:d3:7c:9a:
                9b:d9:97:73:9f:ed:6c:35:3b:65:0c:b4:7a:68:06:fe:
                ef:55:90:d2:98:de:0d:b9:90:b7:07:53:a8:71:24:1f:
                98:3c:19:38:93:5d:3d:e9:56:88:3b:a2:55:b4:bd:e0:
                d9:60:e0:dc:4d:a1:ea:b1:f0:34:41:5f:f0:96:73:47
            Exponent: 65537 (0x10001)
    Signed Extensions: (2)
        Name: Certificate Type
        Critical: False
        Name: Certificate Key Usage
        Critical: False
        Usages: Key Encipherment
    Fingerprint (MD5): 75:2b:db:c9:95:fa:f2:ad:ab:88:de:59:9f:7f:bd:75
    Fingerprint (SHA1): 16:68:e5:4c:d7:67:37:49:40:06:cf:44:bb:d9:57:64: ba:94:83:dc
Signature:
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature Data:
        a4:7e:6b:30:55:32:32:b7:4d:5e:1b:eb:0b:e9:07:30:
        7f:f4:f5:d4:c0:f0:64:f0:ed:d0:c9:24:94:ae:54:c5:
        57:e5:c3:e4:f1:16:0b:bd:72:96:68:89:36:1e:18:6f:
        da:3f:fd:a5:f3:d7:7f:45:f7:1d:b9:b2:16:18:ba:d1:
        28:20:85:a2:9f:31:fc:ad:74:f5:b1:3b:d8:31:71:47:
        0a:2a:8c:4c:84:fe:92:38:ea:67:a4:83:c0:74:b7:f8:
        8e:44:99:e6:86:31:2c:ed:6c:7e:2d:b0:ba:3c:c3:f2:
        f9:c1:04:71:c9:bb:77:26:b3:ce:15:9c:79:9c:2b:ba
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: Destroyed connection context.xmlclient
------------------
Added user "utest"
------------------
  User login: utest
  First name: User
  Last name: Test
  Full name: User Test
  Display name: User Test
  Initials: UT
  Home directory: /home/utest
  GECOS field: User Test
  Login shell: /bin/sh
  Kerberos principal: utest.BOS.REDHAT.COM
  UID: 945800004
  GID: 945800001
  Keytab: False
  Password: False
```

Can you please provide:
1) contents of /etc/hosts file
2) All configured DNS zones: ipa dnszone-find
3) All configured forward records: ipa dnsrecord-find lab.eng.pnq.redhat.com
4) All configured reverse records: ipa dnsrecord-find $REVERSE_ZONE

1.
```
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost6 localhost6.localdomain6
2620:52:0:41c9:5054:ff:fea6:ec8 ratchet.lab.eng.pnq.redhat.com
```

2.
```
# ipa dnszone-find
  Zone name: 9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Authoritative nameserver: ratchet.lab.eng.pnq.redhat.com.
  Administrator e-mail address: root.9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  SOA serial: 2011160901
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: ratchet.lab.eng.pnq.redhat.com.
  Administrator e-mail address: root.ratchet.lab.eng.pnq.redhat.com.
  SOA serial: 2011160901
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
----------------------------
Number of entries returned 2
----------------------------
```

3.
```
# ipa dnsrecord-find lab.eng.pnq.redhat.com
  Record name: @
  NS record: ratchet.lab.eng.pnq.redhat.com.

  Record name: _kerberos
  TXT record: LAB.ENG.PNQ.REDHAT.COM

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 ratchet

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 ratchet

  Record name: _kerberos._tcp
  SRV record: 0 100 88 ratchet

  Record name: _kerberos._udp
  SRV record: 0 100 88 ratchet

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 ratchet

  Record name: _kpasswd._udp
  SRV record: 0 100 464 ratchet

  Record name: _ldap._tcp
  SRV record: 0 100 389 ratchet

  Record name: _ntp._udp
  SRV record: 0 100 123 ratchet

  Record name: ratchet
  AAAA record: 2620:52:0:41c9:5054:ff:fea6:ec8
-----------------------------
Number of entries returned 11
-----------------------------
```

4.
```
# ipa dnsrecord-find 9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Record name: 8.c.e.0.6.a.e.f.f.f.0.0.4.5.0.5
  PTR record: ratchet.lab.eng.pnq.redhat.com.

  Record name: @
  NS record: ratchet.lab.eng.pnq.redhat.com.
----------------------------
Number of entries returned 2
----------------------------
```

Everything seems to be configured OK. My best bet here would be that some service was not running. IPv6 connection to apache was probably OK since at least SSL cert was received. We should make sure that we have a valid Kerberos ticket and that "service ipa status" reports all services to be running.

After investigation on ratchet machine, I found out that `kinit` was not run when the server was (re)installed which caused Authorization Error in /usr/bin/ipa. It seems to me that the only problem here is that the error message is not helpful and states that it "cannot connect to 'any of the configured servers'" instead of Authorization Error related error message.

I have created a separate ticket to fix duplicate master IPA server in the server list: https://fedorahosted.org/freeipa/ticket/1817

This would let /usr/bin/ipa try connecting to all IPA masters just once and not print confusing server list like:

```
# ipa user-show admin
...
ipa: ERROR: cannot connect to 'any of the configured servers': https://ratchet.lab.eng.pnq.redhat.com/ipa/xml, https://ratchet.lab.eng.pnq.redhat.com/ipa/xml
```

Duplicate master in the server list (ticket 1817) has been fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/ffd760c1002cfe6b27d140affa8e0608696d3668
ipa-2-1: https://fedorahosted.org/freeipa/changeset/798490ffb6b83bf9cf1a5bdbddefca441b9421f9

Ticket 1807 (NSS database not shutting down between requests) has been fixed upstream as well:
master: https://fedorahosted.org/freeipa/changeset/a90e50cdf759a1b436381f0e9e91caf2d4288636
ipa-2-1: https://fedorahosted.org/freeipa/changeset/b8461e8d5661fbae86e0fb9c6dc85554704a4f0a

Now, when running /usr/bin/ipa without valid credentials cache, the error message should explicitly mention Authorization Error.
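The two client-side defects discussed above (a duplicated master in the server list, and an authorization failure being reported as a generic "cannot connect to any of the configured servers") are easy to reproduce in miniature. The following is an added illustration, not FreeIPA's own code: the class and function names (`NetworkError`, `AuthorizationRequired`, `CannotConnect`, `connect_naive`, `connect_fixed`, `make_transport`) are hypothetical stand-ins for the real XML-RPC transport, and the server list and per-server outcomes are constructed sample data. It shows why swallowing every exception in a failover loop hides the real cause (here, a missing Kerberos ticket), and how deduplicating the list and surfacing the 401 produce the message the verification comment below expects.

```python
"""Failover error reporting: the masked-401 problem and its fix (added example)."""
from typing import Callable, Dict, List, Union


class NetworkError(Exception):
    """The server could not be reached at all (DNS, TCP or TLS failure)."""


class AuthorizationRequired(Exception):
    """The server was reached but rejected the request (HTTP 401)."""


class CannotConnect(Exception):
    """Raised to the user when the request could not be served."""


def dedupe_servers(servers: List[str]) -> List[str]:
    """Drop repeated URLs while keeping the configured order (the ticket 1817 issue)."""
    seen = set()
    unique = []
    for url in servers:
        if url not in seen:
            seen.add(url)
            unique.append(url)
    return unique


def connect_naive(servers: List[str], transport: Callable[[str], str]) -> str:
    """Pre-fix behaviour: every failure, including a 401, is swallowed, the same
    master is retried, and only the generic message reaches the user."""
    for url in servers:
        try:
            return transport(url)
        except Exception:
            continue
    raise CannotConnect(
        "cannot connect to 'any of the configured servers': %s" % ", ".join(servers))


def connect_fixed(servers: List[str], transport: Callable[[str], str]) -> str:
    """Post-fix behaviour: each master is tried once, and an authorization failure
    is reported as such instead of being masked as a connectivity problem."""
    tried = dedupe_servers(servers)
    for url in tried:
        try:
            return transport(url)
        except AuthorizationRequired as exc:
            # The server answered; trying another master cannot help, and the
            # real cause (no credentials cache, i.e. no `kinit`) must reach the user.
            raise CannotConnect("cannot connect to %r: %s" % (url, exc)) from exc
        except NetworkError:
            continue
    raise CannotConnect(
        "cannot connect to 'any of the configured servers': %s" % ", ".join(tried))


def make_transport(responses: Dict[str, Union[str, Exception]]) -> Callable[[str], str]:
    """Build a stand-in transport from a constructed table of per-server outcomes:
    an exception instance is raised, a string is returned as the call result."""
    def transport(url: str) -> str:
        outcome = responses[url]
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return transport


# Constructed sample: the same master listed twice, as in the report above,
# and a client run without a credentials cache (no `kinit admin` yet).
SERVERS = [
    "https://ratchet.lab.eng.pnq.redhat.com/ipa/xml",
    "https://ratchet.lab.eng.pnq.redhat.com/ipa/xml",
]
NO_TICKET = make_transport({SERVERS[0]: AuthorizationRequired("Authorization Required")})
WITH_TICKET = make_transport({SERVERS[0]: "user_show: ok"})


def error_message(connect: Callable, servers: List[str], transport: Callable) -> str:
    """Run one connect strategy and return the error text the user would see
    (empty string when the call succeeds)."""
    try:
        connect(servers, transport)
        return ""
    except CannotConnect as exc:
        return str(exc)


if __name__ == "__main__":
    print("naive:", error_message(connect_naive, SERVERS, NO_TICKET))
    print("fixed:", error_message(connect_fixed, SERVERS, NO_TICKET))
    print("fixed with ticket:", error_message(connect_fixed, SERVERS, WITH_TICKET) or "ok")
```

The naive loop prints the confusing doubled server list and never mentions authorization; the fixed loop names the single server and the 401, which tells the operator to obtain a ticket rather than to debug IPv6 connectivity.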
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Do not document
```
[root@jetfire ~]# ipa-server-install --setup-dns --no-forwarder --hostname=jetfire.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host jetfire.testrelm

The IPA Master Server will be configured with
Hostname:    jetfire.testrelm
IP address:  2620:52:0:41c9:5054:ff:fea8:b669
Domain name: testrelm

Using reverse zone 9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating CA agent PKCS#12 file in /root
  [6/17]: creating RA agent certificate database
  [7/17]: importing CA chain to RA certificate database
  [8/17]: fixing RA database permissions
  [9/17]: setting up signing cert profile
  [10/17]: set up CRL publishing
  [11/17]: set certificate subject base
  [12/17]: configuring certificate server to start on boot
  [13/17]: restarting certificate server
  [14/17]: requesting RA certificate from CA
  [15/17]: issuing RA agent certificate
  [16/17]: adding RA agent as a trusted user
  [17/17]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling referential integrity plugin
  [6/35]: enabling winsync plugin
  [7/35]: configuring replication version plugin
  [8/35]: enabling IPA enrollment plugin
  [9/35]: enabling ldapi
  [10/35]: configuring uniqueness plugin
  [11/35]: configuring uuid plugin
  [12/35]: configuring modrdn plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: configuring ssl for ds instance
  [17/35]: configuring certmap.conf
  [18/35]: configure autobind for root
  [19/35]: configure new location for managed entries
  [20/35]: restarting directory server
  [21/35]: adding default layout
  [22/35]: adding delegation layout
  [23/35]: adding replication acis
  [24/35]: creating container for managed entries
  [25/35]: configuring user private groups
  [26/35]: configuring netgroups from hostgroups
  [27/35]: creating default Sudo bind user
  [28/35]: creating default Auto Member layout
  [29/35]: creating default HBAC rule allow_all
  [30/35]: initializing group membership
  [31/35]: adding master entry
  [32/35]: configuring Posix uid/gid generation
  [33/35]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
  [34/35]: tuning directory server
  [35/35]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/14]: setting KDC account password
  [2/14]: adding sasl mappings to the directory
  [3/14]: adding kerberos entries to the DS
  [4/14]: adding default ACIs
  [5/14]: configuring KDC
  [6/14]: adding default keytypes
  [7/14]: adding default password policy
  [8/14]: creating a keytab for the directory
  [9/14]: creating a keytab for the machine
  [10/14]: exporting the kadmin keytab
  [11/14]: adding the password extension to the directory
  [12/14]: adding the kerberos master key to the directory
  [13/14]: starting the KDC
  [14/14]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: setting up browser autoconfig
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@jetfire ~]#
[root@jetfire ~]# ipa user-show admin
ipa: ERROR: cannot connect to u'https://jetfire.testrelm/ipa/xml': Authorization Required
[root@jetfire ~]#
[root@jetfire ~]# ipa user-add shanks --first=s --last=r
ipa: ERROR: cannot connect to u'https://jetfire.testrelm/ipa/xml': Authorization Required
[root@jetfire ~]#
[root@jetfire ~]# kinit admin
Password for admin@TESTRELM:
[root@jetfire ~]#
[root@jetfire ~]# ipa user-add shanks --first=s --last=r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: s
  Last name: r
  Full name: s r
  Display name: s r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: s r
  Login shell: /bin/sh
  Kerberos principal: shanks@TESTRELM
  UID: 831600003
  GID: 831600003
  Keytab: False
  Password: False
```

Verified in version: ipa-server-2.1.3-7.el6.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html