Bug 1170695 - krb5kdc crash in ldap_pvt_search
Summary: krb5kdc crash in ldap_pvt_search
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-12-04 15:51 UTC by Scott Poore
Modified: 2015-03-12 15:44 UTC (History)
CC List: 10 users

Fixed In Version: ipa-4.1.0-13.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:18:48 UTC
Target Upstream Version:
Embargoed:


Attachments:
  abrt output email for the crash (86.16 KB, text/plain), 2014-12-04 15:54 UTC, Scott Poore
  backtrace (11.99 KB, text/plain), 2014-12-11 18:55 UTC, Scott Poore
  Fix a crash bug in the ipa kdb driver (1.87 KB, patch), 2014-12-12 19:06 UTC, Simo Sorce


Links:
  Red Hat Product Errata RHSA-2015:0442 (priority normal, status SHIPPED_LIVE): "Moderate: ipa security, bug fix, and enhancement update", last updated 2015-03-05 14:50:39 UTC

Description Scott Poore 2014-12-04 15:51:55 UTC
Description of problem:

time:           Thu 04 Dec 2014 05:05:49 AM EST
cmdline:        /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 8
uid:            0 (root)
abrt_version:   2.1.11
backtrace_rating: 4
crash_function: ldap_pvt_search
event_log:      
executable:     /usr/sbin/krb5kdc
hostname:       qe-blade-12.testrelm.test
kernel:         3.10.0-206.el7.x86_64
last_occurrence: 1417687549
pid:            24830
pkg_arch:       x86_64
pkg_epoch:      0
pkg_name:       krb5-server
pkg_release:    8.el7
pkg_version:    1.12.2
pwd:            /
runlevel:       N 3
username:       root

Version-Release number of selected component (if applicable):
krb5-server-1.12.2-8.el7.x86_64


How reproducible:
unknown

Steps to Reproduce:
1.  setup ipa server
2.  exact reproduction currently unknown
3.

Actual results:
abrt crash report generated.  will attach.

Expected results:


Additional info:

Comment 1 Scott Poore 2014-12-04 15:54:06 UTC
Created attachment 964731
abrt output email for the crash

Comment 5 Roland Mainz 2014-12-09 14:18:03 UTC
(In reply to Scott Poore from comment #1)
> Created attachment 964731
> abrt output email for the crash

The "crash" is actually a failed |assert()| in libldap_r (libldap_r-2.4.so.2) code... but I can't reproduce it on my side... ;-(
errno=ENEEDMOREDATA...

Scott:
Is there anything special in your ipa setup?

Comment 6 Sumit Bose 2014-12-09 14:42:25 UTC
The component is wrong, it is a crash in FreeIPA's KDB driver, re-assigning to ipa component.

Comment 7 Scott Poore 2014-12-09 14:42:59 UTC
Roland,

No, nothing special.  I think it may have occurred during debugging of bug #1167964, but I don't know if that "caused" it.  I don't think we've seen this in our automated tests.

Thanks,
Scott

Comment 8 Simo Sorce 2014-12-09 15:24:46 UTC
Can we get a backtrace with the exact versions of the ipa-debuginfo and openldap-debuginfo packages installed?
I can see where this is happening, but without the debuginfo packages we get no stack contents in the printed backtrace.

Comment 9 Petr Vobornik 2014-12-11 09:18:46 UTC
Scott, could you provide traceback which Simo requested in comment 8? Thanks

Comment 10 Scott Poore 2014-12-11 17:23:53 UTC
Petr, Simo,

Sorry for the delay.  I thought I'd replied to this one a couple days ago.

Unfortunately, we no longer have the servers available where this crash occurred.  And, due to the yum repo configs used for the build, it's difficult to recreate.

The debuginfo rpms for ipa and openldap should match versions with the normal rpms, right?

If that's right, can we extrapolate and get that from the abrt files I attached and if we get the right debuginfo rpms?

I do still have the logs from the test job run showing rpm versions:

openldap-2.4.39-5.el7.x86_64
ipa-server-4.1.0-10.el7.x86_64

Would that help at all?

Would I just have to get a RHEL7 host with those versions installed, and their debuginfo to get the backtrace you're looking for?

Comment 11 Scott Poore 2014-12-11 18:55:33 UTC
Created attachment 967364
backtrace

I generated this from another server built with what I think is the same versions of rpms as where we saw the crash.  

Let me know if this helps.

Comment 12 Simo Sorce 2014-12-12 18:37:03 UTC
Thank you Scott, now I know what happened, trying to find out why, and come up with a patch.

We'll probably need an upstream ticket too.

Comment 13 Simo Sorce 2014-12-12 19:06:19 UTC
Created attachment 967807
Fix a crash bug in the ipa kdb driver

This patch should fix the problem, would you be able to test it ?

I think it should be easy to reproduce the problem.

Install ipa, run some test that keeps performing kerberos operations, for example run kinit as a user every 30 seconds.
Stop DS.
Let the test run for at least 2 minutes; after 2 minutes you should see a crash.

There is some caching involved that may prevent the problem from showing; if the test has not crashed the KDC after a few minutes, then we'll need to get a little more creative.

Comment 14 Scott Poore 2014-12-12 21:33:53 UTC
yeah let me take a look.  I'll try that and the patch.

Thanks

Comment 15 Scott Poore 2014-12-13 01:25:05 UTC
Well, I guess we might need to get more creative.  I let it run for a while with DS off and I didn't see a crash.

[root@vm9 shared]# while true; do
> kdestroy -A 
> echo Secret123 | kinit user1
> sleep 30
> done
Password for user1: 
kinit: Generic error (see e-text) while getting initial credentials
kinit: Generic error (see e-text) while getting initial credentials
kinit: Generic error (see e-text) while getting initial credentials
...

And in /var/log/krb5kdc.log:

Dec 12 19:22:47 vm9.example.test krb5kdc[4130](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.209: LOOKING_UP_CLIENT: user1 for krbtgt/EXAMPLE.TEST, Server error
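
Added example (not code from this bug report, from FreeIPA or from MIT krb5): a small triage script that takes an abrt summary in the key/value form quoted in the description and krb5kdc.log lines like the one above, and reports whether the KDC was failing client lookups with "Server error" (the IPA KDB driver getting nothing back from Directory Server, the condition Simo's reproduction in comment 13 tries to provoke) in the minutes before the recorded crash time. The sample report and log lines below are constructed; the five minute window, the assumption that the abrt "time:" field and krb5kdc.log share the same local clock and year, and the inclusion of LOOKING_UP_SERVER lookups alongside LOOKING_UP_CLIENT are my assumptions, not something the page states.

```python
"""Triage helper: was the KDC failing backend lookups before it crashed?

Added example, not code from the bug report, FreeIPA or MIT krb5.
Assumptions (not from the page): the abrt "time:" field and krb5kdc.log
use the same local clock, the log year equals the crash year, and a
5 minute window before the crash is the interesting one.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the abrt summary in the bug description.
ABRT_REPORT = """\
time:           Thu 04 Dec 2014 05:05:49 AM EST
cmdline:        /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 8
uid:            0 (root)
crash_function: ldap_pvt_search
executable:     /usr/sbin/krb5kdc
last_occurrence: 1417687549
pkg_name:       krb5-server
pkg_version:    1.12.2
pkg_release:    8.el7
"""

# Constructed sample log, modelled on the krb5kdc.log line in comment 15.
# Timestamps are invented so that they fall just before the crash time above.
KDC_LOG = """\
Dec 04 05:02:11 vm9.example.test krb5kdc[4130](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.209: ISSUE: authtime 1417687331, etypes {rep=18 tkt=18 ses=18}, user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Dec 04 05:03:41 vm9.example.test krb5kdc[4130](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.209: LOOKING_UP_CLIENT: user1 for krbtgt/EXAMPLE.TEST, Server error
Dec 04 05:04:11 vm9.example.test krb5kdc[4130](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.209: LOOKING_UP_CLIENT: user1 for krbtgt/EXAMPLE.TEST, Server error
Dec 04 05:04:41 vm9.example.test krb5kdc[4130](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.209: LOOKING_UP_CLIENT: user1 for krbtgt/EXAMPLE.TEST, Server error
"""

ABRT_FIELD = re.compile(r"^(\w+):\s*(.*)$")
KDC_LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# "Server error" on a client lookup is what comment 15 shows while DS is down;
# treating the server-principal lookup the same way is an assumption.
BACKEND_FAILURE = re.compile(r"LOOKING_UP_(CLIENT|SERVER): .*, Server error$")


def parse_abrt_report(text):
    """Return the abrt key/value summary as a dict (later duplicates win)."""
    fields = {}
    for line in text.splitlines():
        m = ABRT_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def abrt_crash_time(fields):
    """Parse 'time: Thu 04 Dec 2014 05:05:49 AM EST' as a naive local time.
    The trailing zone name is dropped, not converted, so the result is only
    comparable with a log written by the same host clock."""
    tokens = fields["time"].split()
    if tokens[-1].isalpha():
        tokens = tokens[:-1]
    return datetime.strptime(" ".join(tokens), "%a %d %b %Y %I:%M:%S %p")


def package_nvr(fields):
    """Name-version-release of the crashing package, e.g. for an rpm -q check."""
    return "{pkg_name}-{pkg_version}-{pkg_release}".format(**fields)


def parse_kdc_log(text, year):
    """Return (timestamp, pid, message) per krb5kdc.log line; the log carries
    no year, so the caller supplies one."""
    entries = []
    for line in text.splitlines():
        m = KDC_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                               "%Y %b %d %H:%M:%S")
        entries.append((ts, int(m["pid"]), m["msg"]))
    return entries


def backend_failures_before(entries, crash_time, window_seconds=300):
    """Entries showing a failed KDB lookup within window_seconds before the crash."""
    start = crash_time - timedelta(seconds=window_seconds)
    return [e for e in entries
            if start <= e[0] <= crash_time and BACKEND_FAILURE.search(e[2])]


def triage(abrt_text, log_text, window_seconds=300):
    """Summarise the crash and whether DS lookups were already failing."""
    fields = parse_abrt_report(abrt_text)
    crash_time = abrt_crash_time(fields)
    entries = parse_kdc_log(log_text, crash_time.year)
    failures = backend_failures_before(entries, crash_time, window_seconds)
    return {
        "package": package_nvr(fields),
        "crash_function": fields.get("crash_function"),
        "crash_time": crash_time,
        "backend_failures": len(failures),
        "first_failure": failures[0][0] if failures else None,
        "backend_unreachable_before_crash": bool(failures),
    }


if __name__ == "__main__":
    for key, value in triage(ABRT_REPORT, KDC_LOG).items():
        print(f"{key:<34} {value}")
```

On a real system the two inputs would be the abrt report (or the mail it sends) and /var/log/krb5kdc.log from the same host; a positive verdict means the KDC was already unable to answer from the backend when it died, which is the situation comment 13 describes, and a negative one means the crash needs a different explanation.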

Comment 16 Simo Sorce 2014-12-13 18:26:53 UTC
Let's try one more test, restart krb5kdc while DS is down. And then do the kinit stuff for a few minutes.

Comment 17 Martin Kosek 2014-12-15 12:00:01 UTC
Given it is already confirmed this is a bug in FreeIPA (and we have a patch candidate), I will clone an upstream ticket.

Comment 18 Martin Kosek 2014-12-15 12:00:58 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4810

Comment 20 Scott Poore 2014-12-18 22:01:16 UTC
Simo,

I can't restart krb5kdc when dirsrv is down.  Or did I misunderstand?

[root@vm9 x86_64]# systemctl restart krb5kdc
Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service' and 'journalctl -xn' for details.

[root@vm9 x86_64]# systemctl status krb5kdc.service -l
krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
   Active: failed (Result: exit-code) since Thu 2014-12-18 15:50:51 CST; 30s ago
  Process: 4521 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
 Main PID: 2089 (code=exited, status=0/SUCCESS)

Dec 18 15:50:51 vm9.example.test systemd[1]: Starting Kerberos 5 KDC...
Dec 18 15:50:51 vm9.example.test krb5kdc[4521]: krb5kdc: cannot initialize realm EXAMPLE.TEST - see log file for details
Dec 18 15:50:51 vm9.example.test systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Dec 18 15:50:51 vm9.example.test systemd[1]: Failed to start Kerberos 5 KDC.
Dec 18 15:50:51 vm9.example.test systemd[1]: Unit krb5kdc.service entered failed state.

Thanks,
Scott

Comment 21 Simo Sorce 2014-12-19 18:51:05 UTC
(In reply to Scott Poore from comment #20)
> Simo,
> 
> I can't restart krb5kdc when dirsrv is down.  Or did I misunderstand?

Uhmm, I forgot that we cannot start without DS being up ...
it is possible this can be triggered only during a small race condition window when setting up IPA.
Not helpful, I know, but at least the patch definitely should deal with this specific crash. Not sure if there may be any other lurking, but seems unlikely.

Unless we can reproduce easily on an ipa setup, I guess we'll need to do sanity-only validation.

Comment 22 Scott Poore 2014-12-22 14:49:00 UTC
I think this occurred on a server after IPA was setup.

Yes, I think at this point it's going to be sanity only.

Comment 23 Scott Poore 2014-12-22 14:59:42 UTC
Verified.

Version ::

ipa-server-4.1.0-13.el7.x86_64

Results ::

Marking this one sanity only since we are unable to reproduce the crash.

I tested just now with two scenarios.  One was a RHEL 7.1 replica with a RHEL 6.6 master, which is where this was originally seen, as mentioned in comment #7.  The second scenario was a standard master install test.

Scenario 1: RHEL6.6 master and RHEL7.1 replica:

[root@rhel7-1 ~]# scp /usr/share/ipa/copy-schema-to-ca.py root@rhel6-1:/root
The authenticity of host 'rhel6-1 (192.168.122.61)' can't be established.
RSA key fingerprint is eb:ba:02:b8:ca:50:f6:36:41:43:d9:ee:4a:69:6f:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel6-1,192.168.122.61' (RSA) to the list of known hosts.
root@rhel6-1's password: 
copy-schema-to-ca.py                                                 100% 2612     2.6KB/s   00:00    

[root@rhel7-1 ~]# ssh root@rhel6-1 "python /root/copy-schema-to-ca.py"
root@rhel6-1's password: 
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60samba.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipaconfig.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev2.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev3.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipadns.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/61kerberos-ipav3.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/65ipasudo.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/05rfc2247.ldif
ipa         : INFO     Restarting CA DS
ipa         : INFO     Schema updated successfully

[root@rhel7-1 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -p Secret123 -w Secret123 /root/replica-info-rhel7-1.example.com.gpg
Checking forwarders, please wait ...
WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Run connection check to master
Check connection from replica to remote master 'rhel6-1.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'rhel7-1.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Using reverse zone(s) 122.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling winsync plugin
  [6/35]: configuring replication version plugin
  [7/35]: enabling IPA enrollment plugin
  [8/35]: enabling ldapi
  [9/35]: configuring uniqueness plugin
  [10/35]: configuring uuid plugin
  [11/35]: configuring modrdn plugin
  [12/35]: configuring DNS plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: enabling referential integrity plugin
  [17/35]: configuring ssl for ds instance
  [18/35]: configuring certmap.conf
  [19/35]: configure autobind for root
  [20/35]: configure new location for managed entries
  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [25/35]: updating schema
  [26/35]: setting Auto Member configuration
  [27/35]: enabling S4U2Proxy delegation
  [28/35]: importing CA certificates from LDAP
  [29/35]: initializing group membership
  [30/35]: adding master entry
  [31/35]: configuring Posix uid/gid generation
  [32/35]: adding replication acis
  [33/35]: enabling compatibility plugin
  [34/35]: tuning directory server
  [35/35]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
  [3/22]: stopping certificate server instance to update CS.cfg
  [4/22]: backing up CS.cfg
  [5/22]: disabling nonces
  [6/22]: set up CRL publishing
  [7/22]: enable PKIX certificate path discovery and validation
  [8/22]: starting certificate server instance
  [9/22]: creating RA agent certificate database
  [10/22]: importing CA chain to RA certificate database
  [11/22]: fixing RA database permissions
  [12/22]: setting up signing cert profile
  [13/22]: set certificate subject base
  [14/22]: enabling Subject Key Identifier
  [15/22]: enabling Subject Alternative Name
  [16/22]: enabling CRL and OCSP extensions for certificates
  [17/22]: setting audit signing renewal to 2 years
  [18/22]: configuring certificate server to start on boot
  [19/22]: configure certmonger for renewals
  [20/22]: configure certificate renewals
  [21/22]: configure Server-Cert certificate renewal
  [22/22]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: importing CA certificates from LDAP
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Applying LDAP updates
Restarting Directory server to apply updates
  [1/2]: stopping directory server
  [2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/9]: generating rndc key file
  [2/9]: setting up reverse zone
  [3/9]: setting up our own record
  [4/9]: adding NS record to the zones
  [5/9]: setting up CA record
  [6/9]: setting up kerberos principal
  [7/9]: setting up named.conf
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Restarting named

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1289600000
  GID: 1289600000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-1 ~]# ssh root@rhel6-1 "echo ^C

[root@rhel7-1 ~]# ADMINPW=Secret123

[root@rhel7-1 ~]# ssh root@rhel6-1 "echo $ADMINPW|kinit admin; ipa user-find"
root@rhel6-1's password: 
Password for admin: 
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1289600000
  GID: 1289600000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------


Scenario 2:  RHEL7.1 master

[root@rhel7-2 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.COM -a Secret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host rhel7-2.example.com
The domain name has been determined based on the host name.

Checking forwarders, please wait ...
WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       rhel7-2.example.com
IP address(es): 192.168.122.72
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone(s):  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [11/27]: fixing RA database permissions
  [12/27]: setting up signing cert profile
  [13/27]: set certificate subject base
  [14/27]: enabling Subject Key Identifier
  [15/27]: enabling Subject Alternative Name
  [16/27]: enabling CRL and OCSP extensions for certificates
  [17/27]: setting audit signing renewal to 2 years
  [18/27]: configuring certificate server to start on boot
  [19/27]: restarting certificate server
  [20/27]: requesting RA certificate from CA
  [21/27]: issuing RA agent certificate
  [22/27]: adding RA agent as a trusted user
  [23/27]: configure certmonger for renewals
  [24/27]: configure certificate renewals
  [25/27]: configure RA certificate renewal
  [26/27]: configure Server-Cert certificate renewal
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/15]: setting mod_nss port to 443
  [2/15]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/15]: setting mod_nss password file
  [4/15]: enabling mod_nss renegotiate
  [5/15]: adding URL rewriting rules
  [6/15]: configuring httpd
  [7/15]: setting up ssl
  [8/15]: importing CA certificates from LDAP
  [9/15]: setting up browser autoconfig
  [10/15]: publish CA cert
  [11/15]: creating a keytab for httpd
  [12/15]: clean up any existing httpd ccache
  [13/15]: configuring SELinux for httpd
  [14/15]: restarting httpd
  [15/15]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting Directory server to apply updates
  [1/2]: stopping directory server
  [2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@rhel7-2 ~]# kinit admin
Password for admin: 

[root@rhel7-2 ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1375600000
  GID: 1375600000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-2 ~]# ipa-replica-manage list
rhel7-2.example.com: master

Comment 26 errata-xmlrpc 2015-03-05 10:18:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

