Bug 1013043 - ipa-server-install should warn you to do DNS configuration before proceeding to ipa-client-install
ipa-server-install should warn you to do DNS configuration before proceeding ...
Product: Fedora
Classification: Fedora
Component: freeipa (Show other bugs)
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Rob Crittenden
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-09-27 12:41 EDT by Adam Williamson
Modified: 2013-10-02 08:52 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-10-02 08:52:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Williamson 2013-09-27 12:41:54 EDT
I can't swear to this _absolutely_, but I'm pretty sure when I deployed my new FreeIPA server, it ran ipa-client-install for me 'automatically' once ipa-server-install was done.

Only problem, I was using external DNS, so client-install wouldn't work.

If you select external DNS during ipa-server-install, perhaps as well as generating the sample Bind config (which is very helpful), it should explicitly warn you to put your DNS config in order with a 'Press a key when your DNS config is done' message or something before proceeding to ipa-client-install?
Comment 1 Martin Kosek 2013-10-01 06:07:10 EDT
That's true, IPA client installation is run as a part of IPA server installation.

Normally, the client installation works correctly without waiting for you to deploy the DNS configuration to external DNS. In your case, I think the whole issue was caused by Bug 1011399.

Normally, when a hostname is not resolvable in installation phase, ipa-server-install will refuse to install unless you specify the following flag to workaround it:

    --no-host-dns       Do not use DNS for hostname lookup during installation

Worked for me:

# hostname ipa.is.not.resolvable.test
# host ipa.is.not.resolvable.test
Host ipa.is.not.resolvable.test not found: 3(NXDOMAIN)

# ipa-server-install -p Secret123 -a Secret123 --no-host-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: 

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
Example: master.example.com.

Server host name [ipa.is.not.resolvable.test]: 

Warning: skipping DNS resolution of host ipa.is.not.resolvable.test
The domain name has been determined based on the host name.

Please confirm the domain name [is.not.resolvable.test]: 

Unable to resolve IP address for host name
Please provide the IP address to be used for this host name:
Adding [ ipa.is.not.resolvable.test] to your /etc/hosts file
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [IS.NOT.RESOLVABLE.TEST]: 

The IPA Master Server will be configured with:
Hostname:      ipa.is.not.resolvable.test
IP address:
Domain name:   is.not.resolvable.test

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [15/15]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.R1Bkc3.db
Restarting the web server
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Currently, I am planning to close this one as a dup to Bug 1011399 unless we find a real bug in the installer.
Comment 2 Adam Williamson 2013-10-01 08:56:41 EDT
I'm not sure it is a dupe, but it might be a bit tricky to re-create the exact circumstances I hit :/ I *think* at the time I ran it, I had the case where 'hostname' returned 'id', and 'hostname -f' returned 'id.happyassassin.net'. I believe both of those were listed on a line in /etc/hosts:

192.168.XX.YY id.happyassassin.net id

so that may have satisfied the 'resolve' requirement. But none of the auto-discovery stuff was present in the DNS record for happyassassin.net, so the auto-discovery stuff in the client install failed. IIRC, anyway. It's been a busy week :/
Comment 3 Adam Williamson 2013-10-01 08:57:44 EDT
Note that I hit 1011399 on a *different* machine, the first actual separate client I tried to configure. I'm about 99.5% sure I didn't hit exactly that on the server, or else I wouldn't ever have been able to get *past* it without IRC help.
Comment 4 Martin Kosek 2013-10-01 09:54:52 EDT
I tried to reproduce the issues, but I was not successful so far.

It would be great to get ipaserver-install.log and ipaclient-install.log from the failing machine, it should give us more answers what was happening and what actually failed. Without that in place, I am not sure what could have failed.
Comment 5 Adam Williamson 2013-10-01 11:49:04 EDT
Sure, I can grab those, just a sec.
Comment 6 Adam Williamson 2013-10-01 11:59:24 EDT
https://www.happyassassin.net/extras/ipaserver-install.log.xz (compressed as it's huge, for some reason)
Comment 7 Martin Kosek 2013-10-02 03:20:41 EDT
Thanks Adam! Though this particular ipaserver-install.log won't help us as it got apparently overridden by a successful server (and client) installation you did after the failing one.

2013-09-23T22:23:12Z DEBUG Starting external process
2013-09-23T22:23:12Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain           happyassassin.net --server id.happyassassin.net --realm HAPPYASSASSIN.NET --hostname id.happyassassin.net
2013-09-23T22:23:20Z DEBUG Process finished, return code=0
2013-09-23T22:23:20Z DEBUG stdout=

2013-09-23T22:23:20Z DEBUG stderr=Hostname: id.happyassassin.net
DNS Domain: happyassassin.net
IPA Server: id.happyassassin.net
BaseDN: dc=happyassassin,dc=net
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
2013-09-23T22:23:21Z INFO The ipa-server-install command was successful

Any chance you backed up the old log or any other data that could help us recreate the issue or find the root cause of the problem?
Comment 8 Adam Williamson 2013-10-02 08:22:01 EDT
didn't have backups configured on the system at the time as it was a brand new VM (I use single-purpose VMs for all my servers), so there was no point really :/ sorry. Can't really think of anything else to suggest ATM. When I get back home I may be able to spin up a new dummy VM and try to reproduce my process, but for now maybe we'll just have to close this.
Comment 9 Martin Kosek 2013-10-02 08:52:17 EDT
Ok. Let's just close hits Bugzilla then. If you find any information that could help us get to the root of the issue and fix it, please just reopen or file a new  bug.

Anyway, thanks for testing and reporting!

Note You need to log in before you can comment on or make changes to this bug.