Bug 888124
| Summary: | ipa install does not enable sssd start on boot | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.4 | CC: | dpal, jgalipea, jhrozek, mkosek, tlavigne, tmraz |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-3.0.0-16.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 09:31:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 895654 | ||
|
Description
Scott Poore
2012-12-18 02:56:58 UTC
Does this also affect client installs? (In reply to comment #2) > Does this also affect client installs? I just verified that this also affects client installs: # ipa-client-install --server vm-037.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com ... SSSD enabled <<<<<<< Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. The problem here is that authconfig-6.1.12-13.el6.x86_64 does not enable sssd in RHEL-6.4: # /usr/sbin/authconfig --enablesssdauth --update --enablesssd # echo $? 0 # chkconfig sssd; echo $? 1 When I try this on RHEL-6.3 (authconfig-6.1.12-10.el6.x86_64), the behavior used to be different: # chkconfig sssd; echo $? 1 # /usr/sbin/authconfig --enablesssdauth --update --enablesssd; echo $? Starting sssd: [ OK ] 0 # chkconfig sssd; echo $? 0 I found that this is actually an authconfig feature (see Bug 874527) as authconfig no longer starts or enables sssd service. It seems, we will need to start (we already do that) and enable sssd ourselves. Adding Tomas Mraz and Jakub Hrozek to confirm that this is correct. Yes, the assessment above is correct. As authconfig does not set up the sssd domain in this case it should not enable and start the sssd service. Upstream ticket: https://fedorahosted.org/freeipa/ticket/3307 Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/b3ea7d2d626da9ffb86777bed9bbdf8d96849bc5 ipa-3-1: https://fedorahosted.org/freeipa/changeset/03c15741e38a972803a3532514fabb1981203e27 ipa-3-0: https://fedorahosted.org/freeipa/changeset/63c68683ef665d4309b9dfa4537e59be5f1d0afa Verified. Version :: ipa-server-3.0.0-17.el6.x86_64 Manual Test Results :: [root@rhel6-1 ~]# chkconfig --list sssd sssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off [root@rhel6-1 ~]# echo $? 0 [root@rhel6-1 ~]# chkconfig sssd [root@rhel6-1 ~]# echo $? 1 [root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Warning: skipping DNS resolution of host rhel6-1.testrelm.com Using reverse zone 122.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: rhel6-1.testrelm.com IP address: 192.168.122.61 Domain name: testrelm.com Realm name: TESTRELM.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.122.1 Reverse zone: 122.168.192.in-addr.arpa. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: creating pki-ca instance [3/21]: configuring certificate server instance [4/21]: disabling nonces [5/21]: creating CA agent PKCS#12 file in /root [6/21]: creating RA agent certificate database [7/21]: importing CA chain to RA certificate database [8/21]: fixing RA database permissions [9/21]: setting up signing cert profile [10/21]: set up CRL publishing [11/21]: set certificate subject base [12/21]: enabling Subject Key Identifier [13/21]: setting audit signing renewal to 2 years [14/21]: configuring certificate server to start on boot [15/21]: restarting certificate server [16/21]: requesting RA certificate from CA [17/21]: issuing RA agent certificate [18/21]: adding RA agent as a trusted user [19/21]: configure certificate renewals [20/21]: configure Server-Cert certificate renewal [21/21]: Configure HTTP to proxy connections Done configuring certificate server (pki-cad). Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: disabling betxn plugins [10/38]: configuring uniqueness plugin [11/38]: configuring uuid plugin [12/38]: configuring modrdn plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring ssl for ds instance [18/38]: configuring certmap.conf [19/38]: configure autobind for root [20/38]: configure new location for managed entries [21/38]: restarting directory server [22/38]: adding default layout [23/38]: adding delegation layout [24/38]: adding replication acis [25/38]: creating container for managed entries [26/38]: configuring user private groups [27/38]: configuring netgroups from hostgroups [28/38]: creating default Sudo bind user [29/38]: creating default Auto Member layout [30/38]: adding range check plugin [31/38]: creating default HBAC rule allow_all [32/38]: Upload CA cert to the directory [33/38]: initializing group membership [34/38]: adding master entry [35/38]: configuring Posix uid/gid generation [36/38]: enabling compatibility plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 1 minute [1/13]: setting mod_nss port to 443 [2/13]: setting mod_nss password file [3/13]: enabling mod_nss renegotiate [4/13]: adding URL rewriting rules [5/13]: configuring httpd [6/13]: setting up ssl [7/13]: setting up browser autoconfig [8/13]: publish CA cert [9/13]: creating a keytab for httpd [10/13]: clean up any existing httpd ccache [11/13]: configuring SELinux for httpd [12/13]: restarting httpd [13/13]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting the directory server Restarting the KDC Configuring DNS (named) [1/9]: adding DNS container [2/9]: setting up our zone [3/9]: setting up reverse zone [4/9]: setting up our own record [5/9]: setting up kerberos principal [6/9]: setting up named.conf [7/9]: restarting named [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password [root@rhel6-1 ~]# chkconfig sssd [root@rhel6-1 ~]# echo $? 0 [root@rhel6-1 ~]# chkconfig --list sssd sssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html |