Bug 1008534 - ipa server install failure on latest RHEL-65 build
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss-softokn
Version: 6.5
Hardware/OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: beta
Assigned To: Elio Maldonado Batiz
QA Contact: Namita Soman
Keywords: Regression, TestBlocker
Duplicates: 1008464
Blocks: 993793
Reported: 2013-09-16 10:39 EDT by Kaleem
Modified: 2014-11-06 08:18 EST
Fixed In Version: nss-softokn-3.14.3-8.el6 nss-3.15.1-9.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 01:19:59 EST
Type: Bug

Attachments
ipa server installation log file (258.29 KB, text/plain) - 2013-09-16 10:39 EDT, Kaleem
audit log file (7.68 KB, text/plain) - 2013-09-17 03:22 EDT, Kaleem
update pkgs (26.33 KB, text/plain) - 2013-09-17 13:21 EDT, Namita Soman
prelink-undo-o-.patch (2.12 KB, patch) - 2013-09-20 15:07 EDT, Jakub Jelinek

Description Kaleem 2013-09-16 10:39:26 EDT
Created attachment 798304
ipa server installation log file

Description of problem:
IPA Server installation is failing with the latest RHEL-65 build (RHEL6.5-20130913.0)

Version-Release number of selected component (if applicable):
[root@rhel65-master1 ~]# rpm -q ipa-server pki-ca
ipa-server-3.0.0-35.el6.x86_64
pki-ca-9.0.3-32.el6.noarch
[root@rhel65-master1 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server with RHEL-65 build RHEL6.5-20130913.0

Actual results:
Installation fails

Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'https://rhel65-master1.testrelm.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8015] error (-8015) unknown
[root@rhel65-master1 ~]#

Expected results:
Installation should be successful.

Additional info:
(1) Find the attached ipa server installation log file.
Comment 3 Nathan Kinder 2013-09-17 00:38:21 EDT
Error -8015 looks like a NSS error.  This maps to SEC_ERROR_LEGACY_DATABASE, which is an error I have never seen before.  What is the NSS package version on the system?

Also, are there any AVC messages from the time when the failure occurs?
Comment 4 Kaleem 2013-09-17 03:22:45 EDT
Created attachment 798647
audit log file

nss version is

[root@rhel65-master1 ~]# rpm -q nss
nss-3.15.1-5.el6.x86_64
[root@rhel65-master1 ~]
Comment 5 Martin Kosek 2013-09-17 04:30:20 EDT
I was able to reproduce even with older versions of the affected packages. I still do not know which updated package causes the problem:

# rpm -qa openldap-clients nss nss-util
nss-3.14.3-37.el6.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
nss-util-3.14.3-4.el6.x86_64

But I was able to get closer to the root cause. The python-ldap/openldap library currently cannot cope with an empty TLS_CACERTDIR directory (/etc/openldap/cacerts/), which was being configured in previous RHEL versions and which can still reside in /etc/openldap/ldap.conf.

/etc/openldap/ldap.conf:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

TLS_CACERTDIR	/etc/openldap/cacerts

# ls /etc/openldap/cacerts
ls: cannot access /etc/openldap/cacerts: No such file or directory

Even when doing a simple ldapsearch using a valid certificate, ldapsearch ends with an error:

# ldapsearch -h ipa.example.com -x -b "" -s base -ZZZ
ldap_start_tls: Connect error (-11)
	additional info: Start TLS request accepted.Server willing to negotiate SSL.

After I comment out TLS_CACERTDIR or point it to the right location (/etc/openldap/certs) it works:

# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

#TLS_CACERTDIR	/etc/openldap/cacerts
TLS_CACERT	/etc/ipa/ca.crt

# ldapsearch -h ipa.example.com -x -b "" -s base -ZZZ
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
...

Jan, can you please advise what we should do? Is this a bug in openldap? Or NSS?
Comment 6 Jan Synacek 2013-09-17 04:56:55 EDT
(In reply to Martin Kosek from comment #5)
> I was able to reproduce even with an older versions of affected packages. I
> still to not know which updated package cause the problem:
> 
> # rpm -qa openldap-clients nss nss-util
> nss-3.14.3-37.el6.x86_64
> openldap-clients-2.4.23-32.el6_4.1.x86_64
> nss-util-3.14.3-4.el6.x86_64
> 
> But I was able to get closer to the root cause. python-ldap/openldap library
> currently cannot cope with empty TLS_CACERTDIR directory
> (/etc/openldap/cacerts/) which was being configured in previous RHEL
> versions and which can still reside in /etc/openldap/ldap.conf.
> 
> /etc/openldap/ldap.conf:
> #
> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> #BASE	dc=example,dc=com
> #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
> 
> #SIZELIMIT	12
> #TIMELIMIT	15
> #DEREF		never
> 
> TLS_CACERTDIR	/etc/openldap/cacerts
> 
> # ls /etc/openldap/cacerts
> ls: cannot access /etc/openldap/cacerts: No such file or directory
> 
> Even when doing a simple ldapsearch using a valid certificate, ldapsearch
> ends with error:

Well, that makes sense, doesn't it? It's not an empty directory, it's a non-existent directory. Normally, the certificate database resides in /etc/openldap/certs. TLS_CACERTDIR is also set to /etc/openldap/certs by default.
Comment 7 Jan Cholasta 2013-09-17 05:49:04 EDT
NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the database directory (for whatever reason, including non-existent directory). I have seen it many times with certutil:

    $ certutil -L -d non-existent
    certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

So, this particular error:

  [17/38]: configuring ssl for ds instance
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'https://rhel65-master1.testrelm.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8015] error (-8015) unknown

seems to be caused by /etc/httpd/alias not being readable by ipa-server-install.

As far as ldap.conf and TLS_CACERTDIR are concerned, I would suggest unsetting it when setting TLS_CACERT, everywhere in IPA. Not only does pointing TLS_CACERTDIR to a non-existent directory cause trouble (as Martin demonstrated), it is also not portable, as the format of the directory depends on the SSL library which libldap is linked with.
Comment 8 Martin Kosek 2013-09-17 06:51:52 EDT
(In reply to Jan Synacek from comment #6)
> Well, that makes sense, doesn't it? It's not an empty directory, is a
> non-existent directory. Normally, the certificate database resides in
> /etc/openldap/certs. TLS_CACERTDIR is also set to /etc/openldap/certs by
> default.

It is set by default _now_, but previously it was being set to /etc/openldap/cacerts, which no longer exists and thus causes this issue. For example, with Fedora 19, I am able to do ldapsearch even though there is a pointer to a non-existent directory in TLS_CACERTDIR:

# rpm -q openldap nss
openldap-2.4.35-5.fc19.x86_64
nss-3.15.1-3.fc19.x86_64

/etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/ipa/ca.crt

# ls /etc/openldap/cacerts
ls: cannot access /etc/openldap/cacerts: No such file or directory


# ldapsearch -h localhost -x -b "" -s base -ZZZ
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
...

So I see a very important difference in behavior which is now causing problems in RHEL-6.5.

(In reply to Jan Cholasta from comment #7)
> NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the database
> directory (for whatever reason, including non-existent directory). I have
> seen it many times with certutil:
> 
>     $ certutil -L -d non-existent
>     certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
> 
> So, this particular error:
> 
>   [17/38]: configuring ssl for ds instance
> Unexpected error - see /var/log/ipaserver-install.log for details:
> NetworkError: cannot connect to
> 'https://rhel65-master1.testrelm.com:9444/ca/ee/ca/profileSubmitSSLClient':
> [Errno -8015] error (-8015) unknown
> 
> seems to be caused by /etc/httpd/alias not being readable by
> ipa-server-install.

This may be another error, even unrelated to the openldap one. But it is interesting that the directory seems readable:

# su - apache
-bash-4.1$ certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
ipaCert                                                      u,u,u

> 
> As far as ldap.conf and TLS_CACERTDIR is concerned, I would suggest
> unsetting it when setting TLS_CACERT, everywhere in IPA. Not only pointing
> TLS_CACERTDIR to non-existent directory causes trouble (as Martin
> demonstrated), it is also not portable, as the format of the directory
> depends on the SSL library which libldap is linked with.

Yes, this is a workaround I was also thinking about.
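A check for the ldap.conf misconfiguration discussed in comments 5 and 7, as an added example (not code from this bug, IPA or openldap; the function names and the sample file are this example's own): it parses the ldap.conf directive format, reports a TLS_CACERTDIR that points at a missing directory, and writes the corrected form that uses TLS_CACERT alone.

```python
"""Check an openldap ldap.conf for the TLS_CACERTDIR problem and rewrite it.

Added example; not code from this bug, IPA or openldap. ldap.conf lines are a
keyword, whitespace and a value; '#' starts a comment.
"""
import os
import re
from typing import Callable, Dict, List

# Constructed sample: the old default that the thread shows breaking once
# /etc/openldap/cacerts no longer exists on the system.
SAMPLE_LDAP_CONF = """\
#
# LDAP Defaults
#
#BASE\tdc=example,dc=com
TLS_CACERTDIR\t/etc/openldap/cacerts
"""

# keyword, whitespace, value (trailing whitespace dropped)
_DIRECTIVE_RE = re.compile(r"^([A-Za-z_]+)\s+(.*?)\s*$")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return the active (uncommented) directives; keywords are case-insensitive."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).upper()] = m.group(2)
    return directives


def check_tls_trust(
    directives: Dict[str, str],
    dir_exists: Callable[[str], bool] = os.path.isdir,
    file_exists: Callable[[str], bool] = os.path.isfile,
) -> List[str]:
    """Return findings about the CA trust settings.

    The existence checks are injectable so the sample runs without the real
    /etc paths being present.
    """
    findings: List[str] = []
    cacertdir = directives.get("TLS_CACERTDIR")
    cacert = directives.get("TLS_CACERT")
    if cacertdir is not None and not dir_exists(cacertdir):
        findings.append(
            f"TLS_CACERTDIR {cacertdir} does not exist: the thread shows StartTLS "
            "failing (ldap_start_tls: Connect error (-11)) with this setting"
        )
    if cacert is not None and not file_exists(cacert):
        findings.append(f"TLS_CACERT {cacert} does not exist")
    if cacertdir is not None and cacert is not None:
        findings.append(
            "both TLS_CACERTDIR and TLS_CACERT are set; the directory format depends "
            "on the SSL library libldap is linked with, so prefer TLS_CACERT alone"
        )
    if cacertdir is None and cacert is None:
        findings.append("no CA trust source configured; StartTLS cannot verify the server")
    return findings


def rewrite_ldap_conf(text: str, ca_file: str) -> str:
    """Comment out TLS_CACERTDIR and make sure TLS_CACERT points at ca_file.

    Every other line, comments included, is kept verbatim; this is the manual
    edit from comment 5 done mechanically.
    """
    out: List[str] = []
    has_cacert = False
    for raw in text.splitlines():
        stripped = raw.strip()
        m = None if stripped.startswith("#") else _DIRECTIVE_RE.match(stripped)
        if m and m.group(1).upper() == "TLS_CACERTDIR":
            out.append("#" + raw)  # disabled, but left visible for the admin
            continue
        if m and m.group(1).upper() == "TLS_CACERT":
            out.append(f"TLS_CACERT\t{ca_file}")
            has_cacert = True
            continue
        out.append(raw)
    if not has_cacert:
        out.append(f"TLS_CACERT\t{ca_file}")
    return "\n".join(out) + "\n"
```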
Comment 9 Suzanne Forsberg 2013-09-17 10:31:21 EDT
Marking as a potential beta blocker
Comment 10 Suzanne Forsberg 2013-09-17 10:35:11 EDT
Maybe I should be giving more information :-)
We think this BZ is related to 998974 which is in policycoreutils. If the assignee agrees, let's change the component to policycoreutils.
Comment 11 Eric Paris 2013-09-17 10:57:57 EDT
I see no reason at this time to think this and 998974 are related.
Comment 12 Jan Cholasta 2013-09-17 10:59:16 EDT
(In reply to Martin Kosek from comment #8)
> This may another error, even unrelated to the openldap one. But it is
> interesting that the directory seems readable:

I did some investigation and found out that the error happens only sometimes, so I can confirm this is not the cause. I used the following code snippet, which repeats the failing step in ipa-server-install, and it succeeded after a few tries:

    from ipaserver.install import certs
    from ipalib import api
    # bootstrap the IPA API in server mode so the CertDB helpers see the server configuration
    api.bootstrap(in_server=True)
    api.finalize()
    # the CA-side NSS database (default nssdir) and the directory server instance's database
    cadb = certs.CertDB('EXAMPLE.COM', host_name='ipa.example.com', subject_base='O=EXAMPLE.COM')
    dsdb = certs.CertDB('EXAMPLE.COM', nssdir='/etc/dirsrv/slapd-EXAMPLE-COM', subject_base='O=EXAMPLE.COM')
    # the step that fails at [17/38] in ipa-server-install: request the DS server cert from the CA
    dsdb.create_server_cert('Server-Cert', 'ipa.example.com', cadb)

I would guess that there is some race condition inside NSS causing this.
Comment 13 Martin Kosek 2013-09-17 10:59:56 EDT
(In reply to Suzanne Forsberg from comment #10)
> Maybe I should be giving more information :-)
> We think this BZ is related to 998974 which is in policycoreutils. If the
> assignee agrees, let's change the component to policycoreutils.

I do not think these issues are related at all. This particular bug is rather related to NSS and problems after it recently upgraded to 3.15.1. It reproduces in SELinux enforcing mode which rules out Bug 998974.
Comment 14 Jan Cholasta 2013-09-17 11:15:08 EDT
I agree that this is not related to #998974.
Comment 15 Namita Soman 2013-09-17 13:21:45 EDT
Created attachment 798913
update pkgs

ipa server install was working with the rhel6.5 build for 0912, and fails for 0913. Attaching the list of pkgs that will be updated going from 0912 to 0913.
Comment 16 Suzanne Forsberg 2013-09-17 13:28:00 EDT
I am changing component to NSS. I already asked the NSS team to take a look, but it seems like we should have this bug marked against the suspected culprit.
Comment 17 Martin Kosek 2013-09-18 03:16:29 EDT
Thanks Suzanne! I investigated this bug further with an older VM snapshot and found out that IPA broke after I upgraded nss-softokn packages:

BEFORE UPGRADE:

# ipa-client-install 
Discovery was successful!
...

ipa-server-install finishes as well


AFTER UPGRADE:
# yum update nss-softokn
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package nss-softokn.x86_64 0:3.14.3-5.el6 will be updated
--> Processing Dependency: nss-softokn(x86-64) = 3.14.3-5.el6 for package: nss-softokn-devel-3.14.3-5.el6.x86_64
---> Package nss-softokn.x86_64 0:3.14.3-6.el6 will be an update
--> Running transaction check
---> Package nss-softokn-devel.x86_64 0:3.14.3-5.el6 will be updated
---> Package nss-softokn-devel.x86_64 0:3.14.3-6.el6 will be an update
--> Processing Dependency: nss-softokn-freebl-devel(x86-64) = 3.14.3-6.el6 for package: nss-softokn-devel-3.14.3-6.el6.x86_64
--> Running transaction check
---> Package nss-softokn-freebl-devel.x86_64 0:3.14.3-5.el6 will be updated
---> Package nss-softokn-freebl-devel.x86_64 0:3.14.3-6.el6 will be an update
--> Processing Dependency: nss-softokn-freebl(x86-64) = 3.14.3-6.el6 for package: nss-softokn-freebl-devel-3.14.3-6.el6.x86_64
--> Running transaction check
---> Package nss-softokn-freebl.x86_64 0:3.14.3-5.el6 will be updated
---> Package nss-softokn-freebl.x86_64 0:3.14.3-6.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved
...
Complete!

# ipa-client-install 
LDAP Error: Connect error: Start TLS request accepted.Server willing to negotiate SSL.
Provide your IPA server name (ex: ipa.example.com):

# ipa-server-install 

  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'https://vm-089.idm.lab.bos.redhat.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8015] error (-8015) unknown

Changing the component and marking as Regression.
Comment 18 Martin Kosek 2013-09-18 03:24:54 EDT
For QE - WORKAROUND:

On my RHEL-6.5 up to date VM, I just needed to download all nss and nss-softokn packages of the 3.14.3 version and downgrade. The downgrade was just a bit complicated due to the fact that I had to downgrade & remove packages in the same transaction:

BEFORE DOWNGRADE:
# ldapsearch -h localhost -x -b "" -s base -ZZZ
ldap_start_tls: Connect error (-11)
	additional info: Start TLS request accepted.Server willing to negotiate SSL.

DOWNGRADE PROCESS:

# ll
total 8344
-rw-r--r--. 1 root root     543 Sep 18 03:09 downgrade-nss.yum
-rw-r--r--. 1 root root  842500 Aug 13 19:02 nss-3.14.3-37.el6.x86_64.rpm
-rw-r--r--. 1 root root 4811360 Aug 13 19:02 nss-debuginfo-3.14.3-37.el6.x86_64.rpm
-rw-r--r--. 1 root root  187568 Aug 13 19:02 nss-devel-3.14.3-37.el6.x86_64.rpm
-rw-r--r--. 1 root root   84472 Aug 13 19:02 nss-pkcs11-devel-3.14.3-37.el6.x86_64.rpm
-rw-r--r--. 1 root root  269008 Jul 30 13:41 nss-softokn-3.14.3-5.el6.x86_64.rpm
-rw-r--r--. 1 root root 1777424 Jul 30 13:41 nss-softokn-debuginfo-3.14.3-5.el6.x86_64.rpm
-rw-r--r--. 1 root root   10616 Jul 30 13:41 nss-softokn-devel-3.14.3-5.el6.x86_64.rpm
-rw-r--r--. 1 root root  158944 Jul 30 13:41 nss-softokn-freebl-3.14.3-5.el6.x86_64.rpm
-rw-r--r--. 1 root root   35636 Aug 13 19:02 nss-sysinit-3.14.3-37.el6.x86_64.rpm
-rw-r--r--. 1 root root  349944 Aug 13 19:02 nss-tools-3.14.3-37.el6.x86_64.rpm


# cat downgrade-nss.yum 
remove nss-softokn-freebl-fips
remove nss-softokn-fips
downgrade nss-3.14.3-37.el6.x86_64.rpm
downgrade nss-debuginfo-3.14.3-37.el6.x86_64.rpm
downgrade nss-devel-3.14.3-37.el6.x86_64.rpm
downgrade nss-pkcs11-devel-3.14.3-37.el6.x86_64.rpm
downgrade nss-softokn-3.14.3-5.el6.x86_64.rpm
downgrade nss-softokn-debuginfo-3.14.3-5.el6.x86_64.rpm
downgrade nss-softokn-devel-3.14.3-5.el6.x86_64.rpm
downgrade nss-softokn-freebl-3.14.3-5.el6.x86_64.rpm
downgrade nss-sysinit-3.14.3-37.el6.x86_64.rpm
downgrade nss-tools-3.14.3-37.el6.x86_64.rpm
run


# yum shell downgrade-nss.yum 
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Yum Shell
Setting up Remove Process
Setting up Downgrade Process
Examining nss-3.14.3-37.el6.x86_64.rpm: nss-3.14.3-37.el6.x86_64
Examining nss-debuginfo-3.14.3-37.el6.x86_64.rpm: nss-debuginfo-3.14.3-37.el6.x86_64
No Match for available package: nss-debuginfo-3.14.3-37.el6.x86_64
Examining nss-devel-3.14.3-37.el6.x86_64.rpm: nss-devel-3.14.3-37.el6.x86_64
No Match for available package: nss-devel-3.14.3-37.el6.x86_64
Examining nss-pkcs11-devel-3.14.3-37.el6.x86_64.rpm: nss-pkcs11-devel-3.14.3-37.el6.x86_64
No Match for available package: nss-pkcs11-devel-3.14.3-37.el6.x86_64
Examining nss-softokn-3.14.3-5.el6.x86_64.rpm: nss-softokn-3.14.3-5.el6.x86_64
Examining nss-softokn-debuginfo-3.14.3-5.el6.x86_64.rpm: nss-softokn-debuginfo-3.14.3-5.el6.x86_64
No Match for available package: nss-softokn-debuginfo-3.14.3-5.el6.x86_64
Examining nss-softokn-devel-3.14.3-5.el6.x86_64.rpm: nss-softokn-devel-3.14.3-5.el6.x86_64
No Match for available package: nss-softokn-devel-3.14.3-5.el6.x86_64
Examining nss-softokn-freebl-3.14.3-5.el6.x86_64.rpm: nss-softokn-freebl-3.14.3-5.el6.x86_64
Examining nss-sysinit-3.14.3-37.el6.x86_64.rpm: nss-sysinit-3.14.3-37.el6.x86_64
Examining nss-tools-3.14.3-37.el6.x86_64.rpm: nss-tools-3.14.3-37.el6.x86_64
--> Running transaction check
---> Package nss.x86_64 0:3.14.3-37.el6 will be a downgrade
---> Package nss.x86_64 0:3.15.1-5.el6 will be erased
---> Package nss-softokn.x86_64 0:3.14.3-5.el6 will be a downgrade
---> Package nss-softokn.x86_64 0:3.14.3-6.el6 will be erased
---> Package nss-softokn-fips.x86_64 0:3.14.3-6.el6 will be erased
---> Package nss-softokn-freebl.x86_64 0:3.14.3-5.el6 will be a downgrade
---> Package nss-softokn-freebl.x86_64 0:3.14.3-6.el6 will be erased
---> Package nss-softokn-freebl-fips.x86_64 0:3.14.3-6.el6 will be erased
---> Package nss-sysinit.x86_64 0:3.14.3-37.el6 will be a downgrade
---> Package nss-sysinit.x86_64 0:3.15.1-5.el6 will be erased
---> Package nss-tools.x86_64 0:3.14.3-37.el6 will be a downgrade
---> Package nss-tools.x86_64 0:3.15.1-5.el6 will be erased
--> Finished Dependency Resolution
...
Removed:
  nss.x86_64 0:3.15.1-5.el6                        nss-softokn.x86_64 0:3.14.3-6.el6    nss-softokn-fips.x86_64 0:3.14.3-6.el6    nss-softokn-freebl.x86_64 0:3.14.3-6.el6   
  nss-softokn-freebl-fips.x86_64 0:3.14.3-6.el6    nss-sysinit.x86_64 0:3.15.1-5.el6    nss-tools.x86_64 0:3.15.1-5.el6          

Installed:
  nss.x86_64 0:3.14.3-37.el6  nss-softokn.x86_64 0:3.14.3-5.el6  nss-softokn-freebl.x86_64 0:3.14.3-5.el6  nss-sysinit.x86_64 0:3.14.3-37.el6  nss-tools.x86_64 0:3.14.3-37.el6 

Finished Transaction
Leaving Shell

NSS&IPA WORKING AGAIN:
# ldapsearch -h localhost -x -b "" -s base -ZZZ
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
...
Comment 19 Bob Relyea 2013-09-18 18:39:43 EDT
Sigh,

This appears to be an SELinux policy issue created by the new FIPS requirement. Short answer: We need to change the policy to allow the following access that is currently denied:

type=AVC msg=audit(1379402317.832:17369): avc:  denied  { relabelto } for  pid=6676 comm="prelink" name="undo.#prelink#.pz4E3J" dev=dm-0 ino=388935 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1379402317.832:17369): arch=c000003e syscall=188 success=no exit=-13 a0=7fff44872480 a1=4fb1eb a2=1ded140 a3=1b items=0 ppid=6675 pid=6676 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=147 comm="prelink" exe="/usr/sbin/prelink" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

Long answer: FIPS requires a software integrity check against the FIPS library. For the libraries in the FIPS boundary (libsoftkn.so, libfreebl.so and libdbm.so), NSS supplies check files (.chk) which have a 'signature' which functions as a checksum over the file. Because prelink can legitimately modify these files, we call prelink to return the state of the shared library before it was modified. In the old FIPS requirement, this was only done in FIPS mode. Unfortunately NIST has changed these requirements and we have to do this check at library load time, whether or not we are in FIPS mode!

The upshot is we need to update the policies :(.

bob
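A way to spot which confined domains are hitting the denial Bob quotes above, as an added example (not code from the bug, NSS or selinux-policy; the function names are this example's own): it parses audit records, pairs each AVC with its SYSCALL record by serial, and picks out the "prelink denied relabelto on its undo.#prelink#.* file" pattern. The two audit lines from comment 19 are embedded as sample input.

```python
"""Parse AVC/SYSCALL audit records and pick out the prelink undo-file denial.

Added example, not from the bug or from any audit tool. The sample records
are the two lines quoted in comment 19, embedded so the code runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379402317.832:17369): avc:  denied  { relabelto } for  pid=6676 comm="prelink" name="undo.#prelink#.pz4E3J" dev=dm-0 ino=388935 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1379402317.832:17369): arch=c000003e syscall=188 success=no exit=-13 a0=7fff44872480 a1=4fb1eb a2=1ded140 a3=1b items=0 ppid=6675 pid=6676 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=147 comm="prelink" exe="/usr/sbin/prelink" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
"""

# msg=audit(<timestamp>:<serial>) ties the AVC record to its SYSCALL record.
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    serial: str
    result: str                # "denied" or "granted"
    perms: List[str]           # permissions listed inside { ... }
    avc: Dict[str, str] = field(default_factory=dict)      # fields of the AVC record
    syscall: Dict[str, str] = field(default_factory=dict)  # fields of the paired SYSCALL record

    @property
    def source_type(self) -> str:
        """SELinux type of the acting domain, e.g. dirsrv_t from unconfined_u:system_r:dirsrv_t:s0."""
        return self.avc["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        """SELinux type of the object, e.g. lib_t from system_u:object_r:lib_t:s0."""
        return self.avc["tcontext"].split(":")[2]


def _fields(text: str) -> Dict[str, str]:
    """key=value pairs of a record; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(text)}


def parse_audit_log(text: str) -> List[AvcEvent]:
    """Group AVC records by serial and attach the SYSCALL record with the same serial."""
    events: Dict[str, AvcEvent] = {}
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = _MSG_RE.search(line)
        if not m:
            continue
        serial = m.group(2)
        if line.startswith("type=AVC"):
            a = _AVC_RE.search(line)
            if not a:
                continue
            ev = events.setdefault(serial, AvcEvent(serial, a.group(1), a.group(2).split()))
            ev.avc.update(_fields(line[a.end():]))
        elif line.startswith("type=SYSCALL"):
            syscalls[serial] = _fields(line)
    for serial, sc in syscalls.items():
        if serial in events:
            events[serial].syscall = sc
    return list(events.values())


def prelink_undo_denials(events: List[AvcEvent]) -> Dict[str, str]:
    """Map each confined domain that hit the integrity-check denial to the file type it was denied on.

    The pattern is the one in comment 19: prelink, invoked from the NSS library
    constructor, is denied relabelto on its temporary undo.#prelink#.* file.
    """
    hits: Dict[str, str] = {}
    for ev in events:
        if (
            ev.result == "denied"
            and "relabelto" in ev.perms
            and ev.avc.get("comm") == "prelink"
            and ev.avc.get("tclass") == "file"
            and ev.avc.get("name", "").startswith("undo.#prelink#")
        ):
            hits[ev.source_type] = ev.target_type
    return hits
```

Running it over a full /var/log/audit/audit.log lists every confined domain (dirsrv_t here) that loads NSS and trips the check, which is the list a policy or prelink fix has to cover.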
Comment 20 Nathan Kinder 2013-09-19 00:52:07 EDT
Does this mean that any confined process that uses NSS needs a policy update?  At a minimum, that would include updates to 389/RHDS (dirsrv_t and dirsrv_admin_t), httpd_t, some of the Dogtag types (pki_*), and a number of other things most likely (certmonger, IPA, etc.).  I don't know everything that uses NSS that is confined, but this is a decent sized list and something might get missed.

I've added Miroslav to the cc list to see if he knows of any easy way to deal with this from a policy standpoint.  If there is no other way to get around this problem without policy updates, it's going to need to be fixed in multiple packages since not everyone uses the selinux-policy package in RHEL6 (I know we have our own package for Dogtag, and I believe IPA has its own package as well).  This seems very risky considering that we're only 2 weeks away from the planned public beta release date.  Is there any alternative aside from updating the policies?
Comment 21 Miroslav Grepl 2013-09-19 03:33:23 EDT
So now we have an answer for the

https://bugzilla.redhat.com/show_bug.cgi?id=1008464

bug.
Comment 29 Steve Grubb 2013-09-19 11:55:07 EDT
The FIPS-140 requirements are that we have to define a FIPS product. We define that as nss-softokn + the -fips package. Whenever the .hmac file is found, we must do the checksum whether we are in fips mode or not. The rationale being that since the library is a fips product, it must perform the test always and without program control. They even specify on linux that it must reside in the library constructor. If the .hmac file is not found, then it is not a fips product and does not have to honor any other fips mode request. Something like this:

        |   hmac  | no hmac
--------+---------+------
fips    | enforce | no test/no fips
--------+---------+------
no fips |   test  | no test
Comment 30 Steve Grubb 2013-09-19 11:56:43 EDT
Also, we want nss to follow the packaging worked out for the other libraries as much as possible including the blacklist. We need consistency so that admins understand the rules.
Comment 31 Bob Relyea 2013-09-19 12:37:51 EDT
The challenge in NSS is that NSS can be put into FIPS mode under application control, which means nss needs to have the -fips packages by default.

 If we don't include the -fips package, any customer that has put his product (including ipa) into fips mode will fail.
Comment 32 Jakub Jelinek 2013-09-19 12:41:21 EDT
That is a reasonable limitation, something that just needs documenting: you need to install the -fips package to make it work.
Forcing -fips onto everybody just because 0.01% of users might turn it on through application checkbox is a mistake.
Comment 34 Miloslav Trmač 2013-09-19 16:05:23 EDT
(In reply to Bob Relyea from comment #19)
> Sigh,
> 
> This is appears to be SELinux policy issue created by new FIPS requirement.
> Sort answer: We need to change the policy to allow the following access that
> is currently denied:
> 
> type=AVC msg=audit(1379402317.832:17369): avc:  denied  { relabelto } for 
> pid=6676 comm="prelink" name="undo.#prelink#.pz4E3J" dev=dm-0 ino=388935
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1379402317.832:17369): arch=c000003e syscall=188
> success=no exit=-13 a0=7fff44872480 a1=4fb1eb a2=1ded140 a3=1b items=0
> ppid=6675 pid=6676 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=147 comm="prelink" exe="/usr/sbin/prelink"
> subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> 
> Long answer: FIPS requires a software integrity check against the FIPS
> library. For the libraries in the FIPS boundary (libsoftkn.so libfreebl.so
> and libdbm.so), NSS supplies check file (.chk) which have a 'signature'
> which functions as a checksum over the file. Because prelink can
> legitimately modify this these files, we call prelink to return the state of
> the shared library before it was modified.

I assume this means (prelink -y); where prelink presumably only creates a temporary file and later deletes it, without intending any program to execute/load the temporary file.  Does prelink actually need to do the relabels to preserve the original context?  Couldn't it work with any label for the temporary file?
Comment 35 Bob Relyea 2013-09-20 12:14:34 EDT
There are two forks on this problem:

1) we are making nss-softokn-freebl-fips an optional package, so it can be removed without downgrading NSS. Those builds should have gone into last nights compose. If they are not, you can simulate this by hand deleting the following files:

/usr/{lib,lib64}/libsoftokn.chk
/usr/{lib,lib64}/libnssdbm.chk
/usr/{lib,lib64}/libfreebl.chk
/{lib,lib64}/libfreebl.chk

The better solution, though, is to update to the latest compose and yum remove nss-softokn-freebl-fips if necessary (if it's a new install it shouldn't have it).


2) we still need to work with nss-softokn-freebl-fips installed (users will need to install this independently of going into system FIPS mode), so we still need to have the selinux discussion. The best way to do this is really the domain of Miloslav and Dan Walsh.

Miloslav, if there is an invocation of prelink that makes the security policy easier, we can change it. The current explicit flags we pass are:

/usr/sbin/prelink -u -o -


bob
Comment 36 Jakub Jelinek 2013-09-20 12:30:16 EDT
For prelink -u -o - in theory there shouldn't be a need to copy SELinux context, so perhaps I could look into changing prelink not to perform it (on the temporary file that is deleted soon afterwards anyway, after writing it to stdout) for that combination of options.

That said, I'd really appreciate if by default the checking wasn't performed, unless in FIPS mode or users in some other way requested FIPS compliance.  Because, as has been discussed in the past, the check is completely useless from security POV, when the kernel, dynamic linker and all other shared libraries aren't verified together with the NSS libraries.
Comment 37 Eric Paris 2013-09-20 14:29:14 EDT
I'm with Jakub on both accounts.  It looks like we are not going to ship the -fips sub-package by default and thus we will not hit the checks by default.  So you get that on Jakub.

If the relabeling is on a tmp file we shouldn't 'fix' policy, we should 'fix' prelink.  That means revert the policy change and get Jakub to address it in prelink.  That prelink change is likely to get called a rhel 6.5 blocker.  Just so you know a firedrill is likely to be about to land in your lap...
Comment 38 Jakub Jelinek 2013-09-20 15:07:12 EDT
Created attachment 800625
prelink-undo-o-.patch

Untested prelink patch.
Comment 39 Martin Kosek 2013-09-20 17:31:02 EDT
I just tested the new updated NSS packages and they did not fix the issue for me (although it is true that nss-softokn-freebl-fips was not pulled now). Maybe this particular issue is a rebase issue of the new NSS version.

# rpm -qa "nss*"
nss-softokn-3.14.3-7.el6.x86_64
nss-softokn-freebl-3.14.3-7.el6.x86_64
nss-3.15.1-8.el6.x86_64
nss-tools-3.15.1-8.el6.x86_64
nss-util-3.15.1-2.el6.x86_64
nss-sysinit-3.15.1-8.el6.x86_64

# ldapsearch -h vm-052.example.com -x -b "" -s base -ZZZ | head
ldap_start_tls: Connect error (-11)
	additional info: Start TLS request accepted.Server willing to negotiate SSL.

# ipa-server-install
...
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'https://vm-086.example.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8015] error (-8015) unknown
Comment 40 Eric Paris 2013-09-20 17:32:21 EDT
Do you have AVC denials in /var/log/audit/audit.log? Does it work in permissive?
Comment 41 Namita Soman 2013-09-21 07:20:02 EDT
When using:
# rpm -qa |grep -i nss |sort
mod_nss-1.0.8-18.el6.x86_64
nss-3.15.1-8.el6.x86_64
nss-softokn-3.14.3-8.el6.x86_64
nss-softokn-freebl-3.14.3-8.el6.x86_64
nss-sysinit-3.15.1-8.el6.x86_64
nss-tools-3.15.1-8.el6.x86_64
nss-util-3.15.1-2.el6.x86_64
openssh-5.3p1-92.el6.x86_64
openssh-clients-5.3p1-92.el6.x86_64
openssh-server-5.3p1-92.el6.x86_64
openssl-1.0.1e-11.el6.x86_64
pyOpenSSL-0.10-2.el6.x86_64
python-nss-0.13-1.el6.x86_64

Scott was able to get further with the install, but is now hitting bz1010224: NSS 3.15 breaks SSL in OpenLDAP clients
Comment 43 Kaleem 2013-09-23 05:41:07 EDT
I tried with the latest RHEL-65 build (RHEL6.5-20130923.n.0) and found that the reported error is no longer there, but I encountered another failure.

snip from console for ipa server install
========================================

  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Unable to set admin password Command '/usr/bin/ldappasswd -h rhel65-master.testrelm.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmp0tXjrL -T /var/lib/ipa/tmpr7TBhd uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com' returned non-zero exit status 1
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel65-master.testrelm.com --realm TESTRELM.COM --hostname rhel65-master.testrelm.com' returned non-zero exit status 1

ipa-server-install debug log
============================
2013-09-23T12:05:13Z DEBUG   [9/9]: changing resolv.conf to point to ourselves
2013-09-23T12:05:13Z DEBUG Backing up system configuration file '/etc/resolv.conf'
2013-09-23T12:05:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2013-09-23T12:05:13Z DEBUG   duration: 0 seconds
2013-09-23T12:05:13Z DEBUG Done configuring DNS (named).
2013-09-23T12:05:13Z DEBUG raw: dnsconfig_show()
2013-09-23T12:05:13Z DEBUG dnsconfig_show(rights=False, all=False, raw=False)
2013-09-23T12:05:13Z DEBUG Restarting the web server
2013-09-23T12:05:14Z DEBUG args=/sbin/service httpd restart 
2013-09-23T12:05:14Z DEBUG stdout=Stopping httpd:          [  OK  ]
Starting httpd:                                            [  OK  ]

2013-09-23T12:05:14Z DEBUG stderr=
2013-09-23T12:05:14Z DEBUG args=/sbin/service httpd status 
2013-09-23T12:05:14Z DEBUG stdout=httpd dead but subsys locked

2013-09-23T12:05:14Z DEBUG stderr=
2013-09-23T12:05:14Z DEBUG Changing admin password
2013-09-23T12:05:15Z DEBUG args=/usr/bin/ldappasswd -h rhel65-master.testrelm.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmp0tXjrL -T /var/lib/ipa/tmpr7TBhd uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
2013-09-23T12:05:15Z DEBUG stdout=
2013-09-23T12:05:15Z DEBUG stderr=ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

2013-09-23T12:05:15Z DEBUG Unable to set admin password Command '/usr/bin/ldappasswd -h rhel65-master.testrelm.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmp0tXjrL -T /var/lib/ipa/tmpr7TBhd uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com' returned non-zero exit status 1
2013-09-23T12:05:16Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel65-master.testrelm.com --realm TESTRELM.COM --hostname rhel65-master.testrelm.com
2013-09-23T12:05:16Z DEBUG stdout=
2013-09-23T12:05:16Z DEBUG stderr=LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Failed to verify that rhel65-master.testrelm.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

2013-09-23T12:05:16Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1103, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2013-09-23T12:05:16Z INFO The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel65-master.testrelm.com --realm TESTRELM.COM --hostname rhel65-master.testrelm.com' returned non-zero exit status 1
[root@dhcp207-16 ~]#

NSS version:
============
[root@rhel65-master ~]# rpm -qa|grep ^nss-*|sort
nss-3.15.1-8.el6.x86_64
nss-softokn-3.14.3-8.el6.x86_64
nss-softokn-freebl-3.14.3-8.el6.x86_64
nss-sysinit-3.15.1-8.el6.x86_64
nss-tools-3.15.1-8.el6.x86_64
nss-util-3.15.1-2.el6.x86_64
[root@rhel65-master ~]#

[root@rhel65-master ~]# rpm -q ipa-server
ipa-server-3.0.0-36.el6.x86_64
[root@rhel65-master ~]#
Comment 45 Martin Kosek 2013-09-23 11:31:05 EDT
The updated packages clearly did not resolve the issues they caused in IPA, as seen in several comments above. Moving back to ASSIGNED state.
Comment 46 Martin Kosek 2013-09-23 12:45:57 EDT
I tested the NSS again; I would just like to help and clarify the root cause.

IPA server installation calls the ldappasswd utility and sets LDAPTLS_CACERT and LDAPTLS_CACERTDIR for it:

# LDAPTLS_CACERT=/etc/ipa/ca.crt LDAPTLS_CACERTDIR=/etc/ipa /usr/bin/ldappasswd -h `hostname` -ZZ -x -D "cn=Directory Manager" -w Secret123 -s Secret123 uid=admin,cn=users,cn=accounts,dc=example,dc=com
ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

This is, however, not accepted by NSS and fails, thus a regression.

It is strange, though, that ldapsearch works with -ZZZ:
# LDAPTLS_CACERT=/etc/ipa/ca.crt LDAPTLS_CACERTDIR=/etc/ipa ldapsearch -h localhost -x -b "" -s base -ZZZ | head
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:

I tested the commands in RHEL-7.0 and they worked:

# LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -h `hostname` -ZZ -x -D "cn=Directory Manager" -w Secret123 -s Secret123 uid=admin,cn=users,cn=accounts,dc=example,dc=com
# echo $?
0
Comment 47 Martin Kosek 2013-09-23 13:40:19 EDT
I cannot reproduce the working ldapsearch part now when connecting from my home laptop.

But still, I investigated with openssl and it seemed to work (compared to NSS):

# /usr/bin/ldappasswd -H ldaps://`hostname`:636 -ZZ -x -D "cn=Directory Manager" -w Secret123 -s Secret123
ldap_start_tls: Can't contact LDAP server (-1)
	additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.


# openssl s_client -connect `hostname`:636 -CAfile /etc/ipa/ca.crt 
CONNECTED(00000003)
depth=1 O = EXAMPLE.COM, CN = Certificate Authority
verify return:1
depth=0 O = EXAMPLE.COM, CN = vm-086.example.com
verify return:1
---
Certificate chain
 0 s:/O=EXAMPLE.COM/CN=vm-086.example.com
   i:/O=EXAMPLE.COM/CN=Certificate Authority
 1 s:/O=EXAMPLE.COM/CN=Certificate Authority
   i:/O=EXAMPLE.COM/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIBCDANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZJRE0u
...
mxPLzVlYhO8E6NW1QNDPpwoafyRSjeWy+b5DlRJezBYQ00QaEpnXHTAvugsLhwUB
VTF1IGcr7rJP
-----END CERTIFICATE-----
subject=/O=EXAMPLE.COM/CN=vm-086.example.com
issuer=/O=EXAMPLE.COM/CN=Certificate Authority
---
Acceptable client certificate CA names
/O=EXAMPLE.COM/CN=Certificate Authority
---
SSL handshake has read 2157 bytes and written 647 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1024D40901D48508EE0423A6BFBD0EFA4048424E5E48CAD8AB375AC21AD1F1BE
    Session-ID-ctx: 
    Master-Key: 0044F8D48EEAA32514E362726B814F36A9C13544E1B6C1202112552780309420FEDDF02EF0CBB3DA0DA564EE1DB64800
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1379957910
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
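The comparison in the comment above (openssl s_client reports "Verify return code: 0 (ok)" while ldappasswd fails with NSS error -8172) reduces to one question: is the server certificate actually signed by the CA in the file handed to LDAPTLS_CACERT? The script below is an added example and is not part of this bug report, of IPA or of NSS. It builds a throwaway CA and a server certificate with openssl (constructed test data; the names ipa-ca, other-ca and ldap.example.com are assumptions) and runs the issuer check with openssl verify, once against the issuing CA and once against an unrelated CA, so a tester can confirm that the CA file really is the issuer before suspecting the TLS library.

```sh
#!/bin/sh
# Added example (not from the bug report): answer "is this server cert issued
# by the CA I trust?" with openssl, the same question behind LDAPTLS_CACERT
# and NSS error -8172. All key material is generated here and discarded.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed CA key + certificate (constructed test data)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/O=EXAMPLE.COM/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server_cert CANAME HOST : leaf certificate for HOST signed by CANAME
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=EXAMPLE.COM/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 2 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# check_issuer CANAME HOST : prints "ok" when the CA file verifies the
# server certificate (openssl "Verify return code: 0"), "untrusted" when it
# does not (the situation NSS reports as -8172, issuer not trusted)
check_issuer() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# Demo: one CA that issued the cert, one that did not.
make_ca ipa-ca
make_ca other-ca
make_server_cert ipa-ca ldap.example.com
echo "issuing CA (ipa-ca):     $(check_issuer ipa-ca ldap.example.com)"
echo "unrelated CA (other-ca): $(check_issuer other-ca ldap.example.com)"
```

On a real server the same check is run against the certificate the LDAP service presents (for example the chain printed by openssl s_client -showcerts) with -CAfile pointing at the same file given to LDAPTLS_CACERT. If openssl verify passes and NSS still rejects the issuer, the certificate is not at fault and the trust handling in the NSS build is, which is the conclusion the comparison above reached.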
Comment 49 Martin Kosek 2013-09-24 03:19:13 EDT
Thanks guys! At least judging from the quick server/client installation tests I just did, it seems that the new nss-3.15.1-9.el6 fixed the issues we had.

Namita, can you please run the IPA test suite to do the verification?
Comment 50 Kaleem 2013-09-24 04:01:36 EDT
Verified. Now ipa server/client installation is successful.

nss and ipa version:
====================
[root@rhel65-master ~]# rpm -qa|grep ^nss-*|sort
nss-3.15.1-9.el6.x86_64
nss-softokn-3.14.3-8.el6.x86_64
nss-softokn-freebl-3.14.3-8.el6.x86_64
nss-sysinit-3.15.1-9.el6.x86_64
nss-tools-3.15.1-9.el6.x86_64
nss-util-3.15.1-2.el6.x86_64
[root@rhel65-master ~]#

[root@rhel65-master ~]# rpm -q ipa-server
ipa-server-3.0.0-36.el6.x86_64
[root@rhel65-master ~]#


Installation log from console
=============================

:: [ 13:15:57 ] ::    ipa-server-3.0.0-36.el6.x86_64

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel65-master.testrelm.com
Using reverse zone 207.65.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel65-master.testrelm.com
IP address:    10.65.207.74
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.65.201.89
Reverse zone:  207.65.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Comment 51 Miroslav Grepl 2013-09-27 13:41:06 EDT
*** Bug 1008464 has been marked as a duplicate of this bug. ***
Comment 52 errata-xmlrpc 2013-11-21 01:19:59 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1558.html
