Red Hat Bugzilla – Bug 1013043
ipa-server-install should warn you to do DNS configuration before proceeding to ipa-client-install
Last modified: 2013-10-02 08:52:17 EDT
I can't swear to this _absolutely_, but I'm pretty sure when I deployed my new FreeIPA server, it ran ipa-client-install for me 'automatically' once ipa-server-install was done.
Only problem, I was using external DNS, so client-install wouldn't work.
If you select external DNS during ipa-server-install, perhaps as well as generating the sample Bind config (which is very helpful), it should explicitly warn you to put your DNS config in order with a 'Press a key when your DNS config is done' message or something before proceeding to ipa-client-install?
That's true; IPA client installation is run as part of the IPA server installation.
Normally, the client installation works correctly without waiting for you to deploy the DNS configuration to external DNS. In your case, I think the whole issue was caused by Bug 1011399.
Normally, when a hostname is not resolvable in the installation phase, ipa-server-install will refuse to install unless you specify the following flag to work around it:
--no-host-dns Do not use DNS for hostname lookup during installation
Worked for me:
# hostname ipa.is.not.resolvable.test
# host ipa.is.not.resolvable.test
Host ipa.is.not.resolvable.test not found: 3(NXDOMAIN)
# ipa-server-install -p Secret123 -a Secret123 --no-host-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the FreeIPA Server.
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]:
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
Server host name [ipa.is.not.resolvable.test]:
Warning: skipping DNS resolution of host ipa.is.not.resolvable.test
The domain name has been determined based on the host name.
Please confirm the domain name [is.not.resolvable.test]:
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.1.2.3
Adding [10.1.2.3 ipa.is.not.resolvable.test] to your /etc/hosts file
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [IS.NOT.RESOLVABLE.TEST]:
The IPA Master Server will be configured with:
IP address: 10.1.2.3
Domain name: is.not.resolvable.test
Realm name: IS.NOT.RESOLVABLE.TEST
Continue to configure the system with these values? [no]: y
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[15/15]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.R1Bkc3.db
Restarting the web server
1. You must make sure these network ports are open:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Currently, I am planning to close this one as a dup to Bug 1011399 unless we find a real bug in the installer.
I'm not sure it is a dupe, but it might be a bit tricky to re-create the exact circumstances I hit :/ I *think* at the time I ran it, I had the case where 'hostname' returned 'id', and 'hostname -f' returned 'id.happyassassin.net'. I believe both of those were listed on a line in /etc/hosts:
192.168.XX.YY id.happyassassin.net id
so that may have satisfied the 'resolve' requirement. But none of the auto-discovery stuff was present in the DNS record for happyassassin.net, so the auto-discovery stuff in the client install failed. IIRC, anyway. It's been a busy week :/
Note that I hit 1011399 on a *different* machine, the first actual separate client I tried to configure. I'm about 99.5% sure I didn't hit exactly that on the server, or else I wouldn't ever have been able to get *past* it without IRC help.
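The failure mode described in the comment above (the server name satisfied by an /etc/hosts line while the domain's DNS carries none of the IPA autodiscovery records) can be caught on a client before ipa-client-install is run. The following pre-flight check is an added example, not FreeIPA's own code; the function names, the resolver injection used for testing, and the list of SRV names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not FreeIPA's own code: a pre-flight DNS check to run on a
# client before ipa-client-install. Function names, the SRV record list and
# the resolver injection are assumptions made for this example.
#
# ipa-client-install autodiscovery locates the IPA server through DNS SRV
# records, so a host name that resolves only through /etc/hosts
# (e.g. "192.168.XX.YY id.happyassassin.net id") passes the installer's
# resolvability check while autodiscovery still fails. These checks query
# DNS directly and therefore bypass /etc/hosts.

# Default resolver: "dig +short TYPE NAME"; one answer per line, nothing on
# NXDOMAIN. A different resolver function can be passed as the third argument.
dns_query() {
    dig +short "$1" "$2" 2>/dev/null
}

# Number of answers the resolver named in $3 returns for record type $1, name $2.
answer_count() {
    "$3" "$1" "$2" | sed '/^$/d' | wc -l | tr -d ' '
}

# SRV names an IPA zone is expected to publish for autodiscovery (assumed list).
IPA_SRV_RECORDS="_ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _kpasswd._tcp _kpasswd._udp"

# ipa_dns_preflight DOMAIN SERVER_FQDN [RESOLVER]
# Prints one "MISSING: ..." line per absent record. Returns 0 only when the
# server name is fully qualified, has an A record in DNS (not just /etc/hosts)
# and every SRV record above exists under DOMAIN.
ipa_dns_preflight() {
    domain=$1
    server=$2
    resolver=${3:-dns_query}
    missing=0

    # "hostname" returning a short name like "id" is a warning sign by itself.
    case "$server" in
        *.*) ;;
        *) echo "MISSING: $server is not a fully qualified host name"; missing=1 ;;
    esac

    if [ "$(answer_count A "$server" "$resolver")" -eq 0 ]; then
        echo "MISSING: A record for $server (resolvable only via /etc/hosts?)"
        missing=1
    fi

    for srv in $IPA_SRV_RECORDS; do
        if [ "$(answer_count SRV "$srv.$domain" "$resolver")" -eq 0 ]; then
            echo "MISSING: SRV $srv.$domain"
            missing=1
        fi
    done

    return $missing
}

# Usage on a real client (needs dig on the PATH):
#   ipa_dns_preflight happyassassin.net id.happyassassin.net && ipa-client-install ...
```

Run it before ipa-client-install; a non-zero exit with the list of missing records is the "put your DNS config in order first" warning the report asks the installer for. Because the checks go through dig rather than getent, a hosts-file entry cannot mask a missing A record.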
I tried to reproduce the issues, but I was not successful so far.
It would be great to get ipaserver-install.log and ipaclient-install.log from the failing machine; they should give us more answers about what was happening and what actually failed. Without them, I am not sure what could have failed.
Sure, I can grab those, just a sec.
https://www.happyassassin.net/extras/ipaserver-install.log.xz (compressed as it's huge, for some reason)
Thanks Adam! Though this particular ipaserver-install.log won't help us, as it apparently got overwritten by a successful server (and client) installation you did after the failing one.
2013-09-23T22:23:12Z DEBUG Starting external process
2013-09-23T22:23:12Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain happyassassin.net --server id.happyassassin.net --realm HAPPYASSASSIN.NET --hostname id.happyassassin.net
2013-09-23T22:23:20Z DEBUG Process finished, return code=0
2013-09-23T22:23:20Z DEBUG stdout=
2013-09-23T22:23:20Z DEBUG stderr=Hostname: id.happyassassin.net
DNS Domain: happyassassin.net
IPA Server: id.happyassassin.net
New SSSD config will be created
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
Client configuration complete.
2013-09-23T22:23:21Z INFO The ipa-server-install command was successful
Any chance you backed up the old log or any other data that could help us recreate the issue or find the root cause of the problem?
I didn't have backups configured on the system at the time, as it was a brand new VM (I use single-purpose VMs for all my servers), so there was no point really :/ sorry. Can't really think of anything else to suggest ATM. When I get back home I may be able to spin up a new dummy VM and try to reproduce my process, but for now maybe we'll just have to close this.
Ok. Let's just close this Bugzilla then. If you find any information that could help us get to the root of the issue and fix it, please just reopen or file a new bug.
Anyway, thanks for testing and reporting!