Bug 1015242 - ipa-client-install fails with ldapi (during ipa-server-install)
Summary: ipa-client-install fails with ldapi (during ipa-server-install)
Keywords:
Status: CLOSED DUPLICATE of bug 1015206
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 20
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-10-03 17:44 UTC by Artur Szymczak
Modified: 2014-01-17 18:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-04 06:53:34 UTC
Type: Bug
Embargoed:



Description Artur Szymczak 2013-10-03 17:44:13 UTC
Description of problem:
I am installing ipa-server (ipa-server-install -r AJS7 -n ajs7 --hostname=serwer.ajs7 --idstart=7000000 --no_hbac_allow --ssh-trust-dns --setup-dns --forwarder=62.179.1.62 --forwarder=62.179.1.63 --zonemgr=artur@....), and at one point this command configures my server station to act as a client, but this fails:
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain ajs7 --server serwer.ajs7 --realm AJS7 --hostname serwer.ajs7 --ssh-trust-dns' returned non-zero exit status 1

So I started this command by hand:
# /usr/sbin/ipa-client-install --on-master --unattended --domain ajs7 --server serwer.ajs7 --realm AJS7 --hostname serwer.ajs7 --ssh-trust-dns
Hostname: serwer.ajs7
Realm: AJS7
DNS Domain: ajs7
IPA Server: serwer.ajs7
BaseDN: dc=ajs7

Domain ajs7 is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2565, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2551, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2349, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1103, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 712, in forward
    raise error(message=e.faultString)
ipalib.errors.NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-AJS7.socket': 

In /var/log/ipaclient-install.log:
2013-10-03T17:37:24Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2013-10-03T17:37:24Z DEBUG cert valid True for "CN=serwer.ajs7,O=AJS7"
2013-10-03T17:37:24Z DEBUG handshake complete, peer = 10.0.0.254:443
2013-10-03T17:37:24Z DEBUG Caught fault 907 from server https://serwer.ajs7/ipa/xml: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-AJS7.socket':


Version-Release number of selected component (if applicable):
freeipa-client-3.3.1-1.fc20.i686

How reproducible:
Always

Steps to Reproduce:
1. configure ipa-server as mentioned above

Actual results:
as above

Expected results:
should work

Additional info:

Comment 1 Rob Crittenden 2013-10-03 17:51:08 UTC
Are you in SELinux enforcing mode? Can you see if there are any AVCs? ausearch -m AVC.

Comment 2 Artur Szymczak 2013-10-03 18:09:16 UTC
Yes, I am in enforcing mode, and there are AVCs:
# ausearch -m avc
----
time->Thu Oct  3 18:28:34 2013
type=SYSCALL msg=audit(1380817714.902:273): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b483d870 a2=b60ce000 a3=0 items=0 ppid=7884 pid=7907 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380817714.902:273): avc:  denied  { name_connect } for  pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
----
time->Thu Oct  3 19:37:24 2013
type=SYSCALL msg=audit(1380821844.920:281): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b483d870 a2=b60ce000 a3=0 items=0 ppid=7884 pid=7907 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380821844.920:281): avc:  denied  { name_connect } for  pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket


Btw, I reported a bug related to these AVCs: #1015206

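The two AVC records in comment 2 are what turn the opaque "cannot connect to ldapi" error into a diagnosable policy denial. As an added example (not code from this report or from FreeIPA), here is a small Python parser that pulls the source domain, target type, object class and permission out of audit lines like these and flags httpd_t being denied name_connect to ldap_port_t; the embedded sample records are the ones quoted in comment 2.

```python
import re
# Audit records taken from the ausearch output in comment 2 of this bug;
# the SYSCALL line is kept to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1380817714.902:273): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b483d870 a2=b60ce000 a3=0 items=0 ppid=7884 pid=7907 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380817714.902:273): avc:  denied  { name_connect } for  pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1380821844.920:281): avc:  denied  { name_connect } for  pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

# Header of an AVC record: timestamp:serial, denied/granted, the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="httpd").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': f.get('comm'),
        'pid': int(f['pid']) if 'pid' in f else None,
        'dest': int(f['dest']) if 'dest' in f else None,
        # a context is user:role:type:level; the type is what policy rules key on
        'sdomain': f['scontext'].split(':')[2],
        'ttype': f['tcontext'].split(':')[2],
        'tclass': f.get('tclass'),
    }

def find_denials(audit_text, sdomain, ttype, perm):
    """Return denied AVC records where sdomain lacks perm on ttype."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec['result'] == 'denied' and rec['sdomain'] == sdomain
                and rec['ttype'] == ttype and perm in rec['perms']):
            hits.append(rec)
    return hits

def describe(rec):
    """One-line summary of a record, e.g. for an alert or a bug report."""
    return (f"{rec['sdomain']} ({rec['comm']} pid {rec['pid']}) {rec['result']} "
            f"{' '.join(rec['perms'])} on {rec['ttype']} {rec['tclass']} port {rec['dest']}")
```

Running find_denials over a live `ausearch -m AVC` dump in the same way isolates the httpd_t to ldap_port_t denials from any other noise in the audit log.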
Comment 3 Martin Kosek 2013-10-04 06:53:34 UTC
These AVCs are the reason for this failure. Note that there was a very similar case in Bug 1007606, in another distribution, but leading to exactly the same issue.

Fixing Bug 1015206 in selinux-policy will fix this bug as well. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1015206 ***

