Bug 751703

Summary: ipa-client-install does not create /etc/ipa directory before wget of server ca.crt.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: jgalipea, mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-12-06 13:13:11 UTC
Bug Depends On: 746190
Bug Blocks: 756082

Description Gowrishankar Rajaiyan 2011-11-07 08:36:34 UTC
Description of problem:
ipa-client-install fails on a pristine system: it tries to wget the ca.crt from the IPA server to /etc/ipa, but the directory is not created before the wget operation, which causes the failure.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64
ipa-client-2.1.3-8.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Server: install ipa-server
2. Client: On a pristine system "ipa-client-install"

  
Actual results:
ipa-client-install fails. 

Expected results:
ipa-client-install is successful.

Additional info:
Provide the domain name of your IPA server (ex: example.com): rhts.eng.bos.redhat.com
root        : DEBUG    will use domain: rhts.eng.bos.redhat.com

root        : DEBUG    [ipadnssearchldap]
root        : DEBUG    IPA Server not found
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): hp-dl580g5-01.rhts.eng.bos.redhat.com
root        : DEBUG    will use server: hp-dl580g5-01.rhts.eng.bos.redhat.com

root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpFr1aWH/ca.crt -T 15 -t 2 http://hp-dl580g5-01.rhts.eng.bos.redhat.com/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-11-07 03:17:20--  http://hp-dl580g5-01.rhts.eng.bos.redhat.com/ipa/config/ca.crt
Resolving hp-dl580g5-01.rhts.eng.bos.redhat.com... 10.16.65.72
Connecting to hp-dl580g5-01.rhts.eng.bos.redhat.com|10.16.65.72|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1369 (1.3K) [application/x-x509-ca-cert]
Saving to: “/tmp/tmpFr1aWH/ca.crt”

     0K .                                                     100% 75.9M=0s

2011-11-07 03:17:20 (75.9 MB/s) - “/tmp/tmpFr1aWH/ca.crt” saved [1369/1369]


root        : DEBUG    Init ldap with: ldap://hp-dl580g5-01.rhts.eng.bos.redhat.com:389
root        : DEBUG    Search LDAP server for IPA base DN
root        : DEBUG    Check if naming context 'dc=rhts,dc=eng,dc=bos,dc=redhat,dc=com' is for IPA
root        : DEBUG    Naming context 'dc=rhts,dc=eng,dc=bos,dc=redhat,dc=com' is a valid IPA context
root        : DEBUG    Search for (objectClass=krbRealmContainer) in dc=rhts,dc=eng,dc=bos,dc=redhat,dc=com(sub)
root        : DEBUG    Found: [('cn=RHTS.ENG.BOS.REDHAT.COM,cn=kerberos,dc=rhts,dc=eng,dc=bos,dc=redhat,dc=com', {'krbSubTrees': ['dc=rhts,dc=eng,dc=bos,dc=redhat,dc=com'], 'cn': ['RHTS.ENG.BOS.REDHAT.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]

The failure to use DNS to find your IPA server indicates that your
resolv.conf file is not properly configured.

Autodiscovery of servers for failover cannot work with this configuration.

If you proceed with the installation, services will be configured to always
access the discovered server for all operation and will not fail over to
other servers in case of failure.

Proceed with fixed values and no DNS discovery? [no]: yes
root        : DEBUG    will use cli_realm: RHTS.ENG.BOS.REDHAT.COM

root        : DEBUG    will use cli_basedn: dc=rhts,dc=eng,dc=bos,dc=redhat,dc=com

Hostname: ipaqa64vmc.idm.lab.bos.redhat.com
Realm: RHTS.ENG.BOS.REDHAT.COM
DNS Domain: rhts.eng.bos.redhat.com
IPA Server: hp-dl580g5-01.rhts.eng.bos.redhat.com
BaseDN: dc=rhts,dc=eng,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
root        : DEBUG    will use principal: admin

root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt http://hp-dl580g5-01.rhts.eng.bos.redhat.com/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=/etc/ipa/ca.crt: No such file or directory

Retrieving CA from hp-dl580g5-01.rhts.eng.bos.redhat.com failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://hp-dl580g5-01.rhts.eng.bos.redhat.com/ipa/config/ca.crt' returned non-zero exit status 1
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ipaqa64vmc ~]#
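
Added example, not part of the original report and not ipa-client-install code: a triage helper that pairs each `args=` line with its `stderr=` line in debug output of the format shown above and reports wget runs whose `-O` destination could not be opened. The sample log is constructed, and the host name `ipa.example.test` and the function name `failed_downloads` are assumptions.

```python
import os
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample in the DEBUG line format of the report (host name is a placeholder).
SAMPLE_LOG = """\
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpFr1aWH/ca.crt -T 15 -t 2 http://ipa.example.test/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-11-07 03:17:20--  http://ipa.example.test/ipa/config/ca.crt
HTTP request sent, awaiting response... 200 OK
root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt http://ipa.example.test/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=/etc/ipa/ca.crt: No such file or directory
"""

# Matches "root : DEBUG args=...", "... stdout=..." and "... stderr=..." lines only.
DEBUG_RE = re.compile(r"^\S+\s*: DEBUG\s+(args|stdout|stderr)=(.*)$")
ENOENT = ": No such file or directory"


def failed_downloads(log_text):
    """Return one finding per wget run whose -O target failed with ENOENT."""
    findings, argv = [], None
    for line in log_text.splitlines():
        m = DEBUG_RE.match(line)
        if not m:
            continue  # wget progress output, prompts, blank lines
        key, value = m.groups()
        if key == "args":
            argv = shlex.split(value)  # remember the command until its stderr arrives
        elif key == "stderr" and argv:
            # Only wget runs with an explicit -O <path> are of interest here.
            if os.path.basename(argv[0]) == "wget" and "-O" in argv[:-1]:
                dest = argv[argv.index("-O") + 1]
                if value.startswith(dest + ENOENT):
                    url = next((a for a in argv if "://" in a), None)
                    findings.append({
                        "dest": dest,
                        "missing_dir": os.path.dirname(dest),  # directory to check on the host
                        "url": url,
                        "scheme": urlsplit(url).scheme if url else None,  # as logged
                    })
            argv = None
    return findings


if __name__ == "__main__":
    for finding in failed_downloads(SAMPLE_LOG):
        print(finding)
```

The `missing_dir` value is the path to check on the client, as Comment 2 does with `ls /etc/ipa/`.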

Comment 2 Martin Kosek 2011-11-07 12:35:25 UTC
Shanks, can you please attach the output of how you installed ipa server package? It is highly relevant.

This issue does not occur for a standard installation, and /etc/ipa is created:

# ls /etc/ipa/
ls: cannot access /etc/pipa/: No such file or directory

# yum install ipa-client
Loaded plugins: product-id, subscription-manager
Updating certificate-based repositories.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-client.x86_64 0:2.1.3-8.el6 will be installed
--> Processing Dependency: ipa-python = 2.1.3-8.el6 for package: ipa-client-2.1.3-8.el6.x86_64
--> Running transaction check
---> Package ipa-python.x86_64 0:2.1.3-8.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package               Arch              Version                 Repository                       Size
=======================================================================================================
Installing:
 ipa-client            x86_64            2.1.3-8.el6             RHEL6-nightly-x86_64             97 k
Installing for dependencies:
 ipa-python            x86_64            2.1.3-8.el6             RHEL6-nightly-x86_64            630 k

Transaction Summary
=======================================================================================================
Install       2 Package(s)

Total download size: 727 k
Installed size: 3.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): ipa-client-2.1.3-8.el6.x86_64.rpm                                        |  97 kB     00:00     
(2/2): ipa-python-2.1.3-8.el6.x86_64.rpm                                        | 630 kB     00:00     
-------------------------------------------------------------------------------------------------------
Total                                                                  8.8 MB/s | 727 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ipa-python-2.1.3-8.el6.x86_64                                                       1/2 
  Installing : ipa-client-2.1.3-8.el6.x86_64                                                       2/2 
Installed products updated.

Installed:
  ipa-client.x86_64 0:2.1.3-8.el6                                                                      

Dependency Installed:
  ipa-python.x86_64 0:2.1.3-8.el6                                                                      

Complete!

# ls /etc/ipa/; echo $?
0

Comment 4 Martin Kosek 2011-11-08 12:00:10 UTC
Shanks, please attach the steps you took and the output of how you installed/updated the ipa server package. IIRC, there were some errors during yum update.

I think we should try this again when relevant yum Bug 746190 is resolved. It may have caused this problem.

Comment 5 Jenny Severance 2011-12-05 17:40:31 UTC
Martin, can you explain why you think this is related to the referenced yum bug?  I can't see the connection :-) thanks!

Comment 6 Gowrishankar Rajaiyan 2011-12-06 07:49:55 UTC
OK, I tried to reproduce this on multiple setups and I couldn't reproduce it, nor Bug 751711.
We may go ahead and mark it as NOTABUG.

Comment 7 Gowrishankar Rajaiyan 2011-12-06 13:13:11 UTC
Closing as NOTABUG.