Bug 750828
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | named configuration error when installed with --external-ca option. | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dpal, grajaiya, jgalipea, mkosek |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-2.2.0-1.el6 | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 13:15:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 756082 | | |

Doc Text:

Cause: When IPA is installed with the --external-ca option, the installation is divided into 2 stages. The second stage reads its configuration options from a file stored by the first stage. The installer, however, did not store the DNS forwarder IP address value properly, and the second-stage installation then misread it.

Consequence: When IPA is installed with --external-ca and DNS support, the forwarder IP address is corrupted. Name server configuration in the second stage then fails.

Fix: The forwarder option is now stored properly.

Result: IPA can now be properly installed with an external CA and DNS support.
Description
Gowrishankar Rajaiyan
2011-11-02 13:20:37 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2054

Seems like a dup of #743680. Related ticket is https://fedorahosted.org/freeipa/ticket/1931

No, in this case we're actually mis-writing the configuration file. We store the configuration options between runs when installing an external CA because the IPA installer needs to be run twice. Martin suggested using pickle to store the config data natively rather than using RawConfigParser.

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/32a506cac813d43461f03ecaa0add523e32a3652

ipa-2-1: https://fedorahosted.org/freeipa/changeset/c960e0a4b0f74afd55d88c8bb20cc532351ee728

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

```
# ipa-server-install --external-ca --setup-dns
...
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

# ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc
...
Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

# cat /etc/named.conf
options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    forward first;
    forwarders {
        10.14.63.12;
    };

    // Any host is permitted to issue recursive queries
    allow-recursion { any; };

    tkey-gssapi-credential "DNS/goldbug.lab.eng.pnq.redhat.com";
    tkey-domain "LAB.ENG.PNQ.REDHAT.COM";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-LAB-ENG-PNQ-REDHAT-COM.socket";
    arg "base cn=dns, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com";
    arg "fake_mname goldbug.lab.eng.pnq.redhat.com.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/goldbug.lab.eng.pnq.redhat.com";
    arg "zone_refresh 30";
};
```

Verified: ipa-server-2.2.0-14.el6.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
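The Doc Text and the comments above describe the failure mode: the first installer stage persisted its options with RawConfigParser, and the DNS forwarder list came back in the second stage as corrupted text that then broke the named configuration. The Python snippet below is an added illustration of that mechanism, not FreeIPA's installer code; the option names, the in-memory stand-in for the cache file and the sample forwarder address are constructed. It round-trips a constructed option set through RawConfigParser and through pickle (the type-preserving store the comments mention), renders the named.conf forwarders statement from each result, and adds a second-stage check that rejects a cached value that is not a list of IP addresses before it reaches the name server configuration.

```python
import configparser
import io
import ipaddress
import pickle

# Constructed sample of what a first installer stage might hand to the
# second one: a flag and a *list* of DNS forwarder addresses (hypothetical
# option names; the address is made up for this example).
FIRST_STAGE_OPTIONS = {"setup_dns": True, "forwarders": ["10.14.63.12"]}


def roundtrip_rawconfigparser(options):
    """Persist options with RawConfigParser and read them back.

    RawConfigParser serialises every value with str(), so the list is
    written as the text "['10.14.63.12']" and read back as that string:
    the type information is lost between the two stages.
    """
    writer = configparser.RawConfigParser()
    writer.add_section("options")
    for key, value in options.items():
        writer.set("options", key, value)
    cache = io.StringIO()  # stands in for the on-disk cache file
    writer.write(cache)

    reader = configparser.RawConfigParser()
    reader.read_string(cache.getvalue())
    return dict(reader.items("options"))


def roundtrip_pickle(options):
    """Persist options with pickle and read them back; types survive."""
    cache = pickle.dumps(options)  # stands in for the on-disk cache file
    return pickle.loads(cache)


def validate_forwarders(forwarders):
    """Return the entries that are not usable as forwarder addresses.

    A bare string is rejected as a whole instead of being iterated one
    character at a time, which is what a naive loop over the corrupted
    cached value would do.
    """
    if isinstance(forwarders, str):
        return [forwarders]
    bad = []
    for entry in forwarders:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)
    return bad


def render_forwarders(forwarders):
    """Render the named.conf 'forwarders' statement from an address list."""
    body = "".join(f"{ip}; " for ip in forwarders)
    return "forwarders { " + body + "};"


def second_stage_forwarders(cached_options):
    """Second-stage guard: validate before writing the name server config."""
    forwarders = cached_options["forwarders"]
    bad = validate_forwarders(forwarders)
    if bad:
        raise ValueError(f"cached forwarders are not IP addresses: {bad}")
    return render_forwarders(forwarders)


if __name__ == "__main__":
    broken = roundtrip_rawconfigparser(FIRST_STAGE_OPTIONS)
    print("RawConfigParser gives:", repr(broken["forwarders"]))
    print("which a naive render turns into:", render_forwarders(broken["forwarders"]))
    try:
        second_stage_forwarders(broken)
    except ValueError as err:
        print("guard rejects it:", err)

    intact = roundtrip_pickle(FIRST_STAGE_OPTIONS)
    print("pickle gives:", repr(intact["forwarders"]))
    print("which renders as:", second_stage_forwarders(intact))
```

Running the block shows the RawConfigParser copy rendering as a run of single characters separated by semicolons, which is the kind of named.conf named cannot load, while the pickle copy renders the expected single-address statement. For a cache file of plain flags and string lists, json.dumps/json.loads would preserve the list just as well and, unlike pickle, cannot instantiate arbitrary objects when the second stage reads the file back, so it is the safer choice when the stored format is a free design decision.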