| Summary: | Replication Failure: Allocation of a new value for range cn=posix ids | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3 | CC: | grajaiya, jgalipea, mkosek, spoore, syeghiay |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-3.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:30:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Dmitri Pal
2012-01-19 00:36:20 UTC
There were several problems. The allocation of new ranges was fixed in 389-ds upstream in version 1.2.10.a7. There was also a schema replication issue that was fixed in version 389-ds-base-1.2.10-0.10.rc1. Both of these fixes are in 389-ds-base-1.2.10.0-1.el6. The minimum n-v-r for 389-ds-base was set to this in ipa-2.2.0-3.el6 with the rebase to upstream freeipa-2.1.90.rc1.
Verified.

Version :: ipa-server-2.2.0-13.el6.x86_64

Automated Test Results ::

#################################################
#### From MASTER
#################################################

:: [23:27:13] :: EXECUTING: ipa-server-install --idstart=3000 --idmax=50000 --setup-dns --forwarder=<FORWARDIP> --hostname=kvm-guest-05.testrelm.com -r TESTRELM.COM -n testrelm.com -p <PASSWORD> -P <PASSWORD> -a <PASSWORD> -U
:: [ PASS ] :: Making sure selinux is enforced
:: [ PASS ] :: Making ipa install script executable

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host kvm-guest-05.testrelm.com
Using reverse zone <MASTERREVERSEZONE>.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname: kvm-guest-05.testrelm.com
IP address: <MASTERIP>
Domain name: testrelm.com
Realm name: TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders: <FORWARDERIP>
Reverse zone: <MASTERREVERSEZONE>.in-addr.arpa.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/18]: creating certificate server user
  [2/18]: creating pki-ca instance
  [3/18]: configuring certificate server instance
  [4/18]: disabling nonces
  [5/18]: creating CA agent PKCS#12 file in /root
  [6/18]: creating RA agent certificate database
  [7/18]: importing CA chain to RA certificate database
  [8/18]: fixing RA database permissions
  [9/18]: setting up signing cert profile
  [10/18]: set up CRL publishing
  [11/18]: set certificate subject base
  [12/18]: enabling Subject Key Identifier
  [13/18]: configuring certificate server to start on boot
  [14/18]: restarting certificate server
  [15/18]: requesting RA certificate from CA
  [16/18]: issuing RA agent certificate
  [17/18]: adding RA agent as a trusted user
  [18/18]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling referential integrity plugin
  [6/35]: enabling winsync plugin
  [7/35]: configuring replication version plugin
  [8/35]: enabling IPA enrollment plugin
  [9/35]: enabling ldapi
  [10/35]: configuring uniqueness plugin
  [11/35]: configuring uuid plugin
  [12/35]: configuring modrdn plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: configuring ssl for ds instance
  [17/35]: configuring certmap.conf
  [18/35]: configure autobind for root
  [19/35]: configure new location for managed entries
  [20/35]: restarting directory server
  [21/35]: adding default layout
  [22/35]: adding delegation layout
  [23/35]: adding replication acis
  [24/35]: creating container for managed entries
  [25/35]: configuring user private groups
  [26/35]: configuring netgroups from hostgroups
  [27/35]: creating default Sudo bind user
  [28/35]: creating default Auto Member layout
  [29/35]: creating default HBAC rule allow_all
  [30/35]: initializing group membership
  [31/35]: adding master entry
  [32/35]: configuring Posix uid/gid generation
  [33/35]: enabling compatibility plugin
  [34/35]: tuning directory server
  [35/35]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
MARK-LWD-LOOP -- 2012-05-15 23:30:43 --
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
  1. You must make sure these network ports are open:
     TCP Ports:
       * 80, 443: HTTP/HTTPS
       * 389, 636: LDAP/LDAPS
       * 88, 464: kerberos
       * 53: bind
     UDP Ports:
       * 88, 464: kerberos
       * 53: bind
       * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

#################################################
#### From REPLICA after setup:
#################################################

No errors seen during automated tests on REPLICA:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Installing replica with --setup-ca option
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/dev/shm/replica-info-qe-blade-11.testrelm.com.gpg
:: [ PASS ] :: Running 'cat /etc/resolv.conf'
:: [18:11:07] :: EXECUTING: ipa-replica-install -U --setup-dns --forwarder=<forwarderIP> --setup-ca -w <PASSWORD> -p <PASSWORD> /dev/shm/replica-info-qe-blade-11.testrelm.com.gpg
Warning: Hostname (qe-blade-11.testrelm.com) not found in DNS
Run connection check to master
Check connection from replica to remote master 'kvm-guest-05.testrelm.com':
  Directory Service: Unsecure port (389): OK
  Directory Service: Secure port (636): OK
  Kerberos KDC: TCP (88): OK
  Kerberos Kpasswd: TCP (464): OK
  HTTP Server: Unsecure port (80): OK
  HTTP Server: Secure port (443): OK
  PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
  Kerberos KDC: UDP (88): SKIPPED
  Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica 'qe-blade-11.testrelm.com':
  Directory Service: Unsecure port (389): OK
  Directory Service: Secure port (636): OK
  Kerberos KDC: TCP (88): OK
  Kerberos KDC: UDP (88): OK
  Kerberos Kpasswd: TCP (464): OK
  Kerberos Kpasswd: UDP (464): OK
  HTTP Server: Unsecure port (80): OK
  HTTP Server: Secure port (443): OK
  PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
  [25/30]: initializing group membership
  [26/30]: adding master entry
  [27/30]: configuring Posix uid/gid generation
  [28/30]: enabling compatibility plugin
  [29/30]: tuning directory server
  [30/30]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone <REPLICAREVERSEZONE>.in-addr.arpa.
Configuring named:
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
done configuring named.
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
:: [ PASS ] :: Replica installation
:: [18:15:10] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=782979
:: [18:15:10] :: create ipa user: [user1], firstname: [user1], lastname: [user1] password: [<PASSWORD>]
--------------------
Deleted user "user1"
--------------------
:: [ PASS ] :: delete account [user1]
:: [18:15:19] :: create ipa user: [user1], password: [<PASSWORD>]
------------------
Added user "user1"
------------------
  User login: user1
  First name: user1
  Last name: user1
  Full name: user1 user1
  Display name: user1 user1
  Initials: uu
  Home directory: /home/user1
  GECOS field: user1 user1
  Login shell: /bin/sh
  Kerberos principal: user1
  UID: 15001
  GID: 15001
  Password: True
  Kerberos keys available: True
:: [ PASS ] :: add test user account
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1:
Password expired. You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
Default principal: user1
:: [18:15:30] :: kinit as user1 with new password <PASSWORD> was successful.
user1
:: [ PASS ] :: Running 'create_ipauser user1 user1 user1 <PASSWORD>'
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [18:15:37] :: kinit as admin with password <PASSWORD> was successful.
:: [ PASS ] :: Kinit as admin user
:: [18:15:37] :: create ipa user: [user2], firstname: [user2], lastname: [user2] password: [<PASSWORD>]
--------------------
Deleted user "user2"
--------------------
:: [ PASS ] :: delete account [user2]
:: [18:15:45] :: create ipa user: [user2], password: [<PASSWORD>]
------------------
Added user "user2"
------------------
  User login: user2
  First name: user2
  Last name: user2
  Full name: user2 user2
  Display name: user2 user2
  Initials: uu
  Home directory: /home/user2
  GECOS field: user2 user2
  Login shell: /bin/sh
  Kerberos principal: user2
  UID: 15002
  GID: 15002
  Password: True
  Kerberos keys available: True
:: [ PASS ] :: add test user account
spawn /usr/bin/kinit -V user2
Using default cache: /tmp/krb5cc_0
Using principal: user2
Password for user2:
Password expired. You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
Default principal: user2
:: [18:15:56] :: kinit as user2 with new password <PASSWORD> was successful.
user2
:: [ PASS ] :: Running 'create_ipauser user2 user2 user2 <PASSWORD>'
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [18:16:02] :: kinit as admin with password <PASSWORD> was successful.
:: [ PASS ] :: Kinit as admin user
:: [18:16:03] :: create ipa user: [user3], firstname: [user3], lastname: [user3] password: [<PASSWORD>]
--------------------
Deleted user "user3"
--------------------
:: [ PASS ] :: delete account [user3]
:: [18:16:11] :: create ipa user: [user3], password: [<PASSWORD>]
------------------
Added user "user3"
------------------
  User login: user3
  First name: user3
  Last name: user3
  Full name: user3 user3
  Display name: user3 user3
  Initials: uu
  Home directory: /home/user3
  GECOS field: user3 user3
  Login shell: /bin/sh
  Kerberos principal: user3
  UID: 15003
  GID: 15003
  Password: True
  Kerberos keys available: True
:: [ PASS ] :: add test user account
spawn /usr/bin/kinit -V user3
Using default cache: /tmp/krb5cc_0
Using principal: user3
Password for user3:
Password expired. You must change it now.
Enter new password:
Enter it again:
Authenticated to Kerberos v5
Default principal: user3
:: [18:16:20] :: kinit as user3 with new password <PASSWORD> was successful.
user3
:: [ PASS ] :: Running 'create_ipauser user3 user3 user3 <PASSWORD>'
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [18:16:22] :: kinit as admin with password <PASSWORD> was successful.
:: [ PASS ] :: Testing kinit as admin
  User login: user1
  First name: user1
  Last name: user1
  Home directory: /home/user1
  Login shell: /bin/sh
  UID: 15001
  GID: 15001
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [ PASS ] :: Running 'ipa user-show user1'
  User login: user2
  First name: user2
  Last name: user2
  Home directory: /home/user2
  Login shell: /bin/sh
  UID: 15002
  GID: 15002
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [ PASS ] :: Running 'ipa user-show user2'

Additional confirmation of ipa-server Requires for min 389-ds-base version:

On MASTER:
...
--> Processing Dependency: 389-ds-base >= 1.2.10.2-4 for package: ipa-server-2.2.0-13.el6.x86_64
...
---> Package 389-ds-base.x86_64 0:1.2.10.2-11.el6 will be installed
--> Processing Dependency: 389-ds-base-libs = 1.2.10.2-11.el6 for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: policycoreutils-python for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: perl-Mozilla-LDAP for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::Utils) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::LDIF) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::Conn) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: perl(Mozilla::LDAP::API) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libsvrcore.so.0()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libslapd.so.0()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libnetsnmpmibs.so.20()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libnetsnmphelpers.so.20()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libnetsnmpagent.so.20()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libnetsnmp.so.20()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libicuuc.so.42()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libicui18n.so.42()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
--> Processing Dependency: libicudata.so.42()(64bit) for package: 389-ds-base-1.2.10.2-11.el6.x86_64
...
Installing : 389-ds-base-1.2.10.2-11.el6.x86_64 91/94
...
:: [ PASS ] :: Running 'yum install -y ipa-server bind-dyndb-ldap bind'

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html