+++ This bug was initially created as a clone of Bug #1197290 +++

Recent packaging enhancements to SSSD resulted in the 'sssd' metapackage only pulling in the python 3 version of python-sssdconfig, which cannot be used by authconfig/realmd in Fedora 22. Recommendation is to require python-sssdconfig instead of python3-sssdconfig in Fedora 22. In Fedora 23, it is fine to make the switch.

Description of problem:

Version-Release number of selected component:
anaconda-22.20.1-1

The following was filed automatically by anaconda:
anaconda 22.20.1-1 exception report
Traceback (most recent call first):
  File "/usr/lib64/python2.7/site-packages/pyanaconda/kickstart.py", line 569, in execute
    rc = iutil.execWithRedirect("realm", argv)[0]
  File "/usr/lib64/python2.7/site-packages/pyanaconda/install.py", line 112, in doConfiguration
    ksdata.realm.execute(storage, ksdata, instClass)
  File "/usr/lib64/python2.7/threading.py", line 766, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib64/python2.7/site-packages/pyanaconda/threads.py", line 238, in run
    threading.Thread.run(self, *args, **kwargs)
TypeError: 'int' object has no attribute '__getitem__'

Additional info:
addons:         com_redhat_kdump
cmdline:        /usr/bin/python2 /sbin/anaconda
cmdline_file:   method=http://dl.fedoraproject.org/pub/alt/stage/22_Alpha_TC7/Server/x86_64/os/ ks=file:/fedora0.ks console=tty0 console=ttyS0,115200
executable:     /sbin/anaconda
hashmarkername: anaconda
kernel:         4.0.0-0.rc1.git0.1.fc22.x86_64
product:        Fedora"
release:        Cannot get release name.
type:           anaconda
version:        Fedora

--- Additional comment from Scott Poore on 2015-02-27 22:24:20 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:21 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:22 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:23 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:24 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:25 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:26 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:27 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:28 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:29 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:31 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:32 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:33 EST ---
--- Additional comment from Scott Poore on 2015-02-27 22:24:34 EST ---

--- Additional comment from Scott Poore on 2015-02-27 23:08:29 EST ---

Failure occurred testing kickstart with realm join. I am able to join successfully after a kickstart but, not when realm is included in ks.cfg.

Something to note (not sure if it's related though) is that when I do successfully join an IPA domain using realmd after kickstart, I do have to install python-sssdconfig.

[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
 * Resolving: _ldap._tcp.example.test
 * Performing LDAP DSE lookup on: 192.168.122.201
 * Successfully discovered: example.test
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
There was a problem importing one of the required Python modules.
The error was:

    No module named SSSDConfig

 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed

[root@fedora0 ~]# dnf -y install python-sssdconfig
Using metadata from Sat Feb 28 03:46:08 2015
Dependencies resolved.
=======================================================================================================
 Package                  Arch        Version              Repository            Size
=======================================================================================================
Installing:
 python-sssdconfig        noarch      1.12.4-2.fc22        updates-testing       96 k

Transaction Summary
=======================================================================================================
Install  1 Package

Total download size: 96 k
Installed size: 219 k
Downloading Packages:
python-sssdconfig-1.12.4-2.fc22.noarch.rpm     13 kB/s |  96 kB     00:07
-------------------------------------------------------------------------------------------------------
Total                                         1.5 kB/s |  96 kB     01:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : python-sssdconfig-1.12.4-2.fc22.noarch    1/1
  Verifying   : python-sssdconfig-1.12.4-2.fc22.noarch    1/1

Installed:
  python-sssdconfig.noarch 1.12.4-2.fc22

Complete!

[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
 * Resolving: _ldap._tcp.example.test
 * Performing LDAP DSE lookup on: 192.168.122.201
 * Successfully discovered: example.test
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
Discovery was successful!
Hostname: fedora0.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: vm1.example.test
BaseDN: dc=example,dc=test
Synchronizing time with KDC...
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.TEST
    Issuer:      CN=Certificate Authority,O=EXAMPLE.TEST
    Valid From:  Wed Feb 11 23:46:12 2015 UTC
    Valid Until: Sun Feb 11 23:46:12 2035 UTC
Enrolled in IPA realm EXAMPLE.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.TEST
trying https://vm1.example.test/ipa/json
Forwarding 'ping' to json server 'https://vm1.example.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://vm1.example.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
DNS server record set to: fedora0.example.test -> 192.168.122.30
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://vm1.example.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.test as NIS domain.
Client configuration complete.
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm
[root@fedora0 ~]# id admin
uid=252400000(admin) gid=252400000(admins) groups=252400000(admins)
[root@fedora0 ~]#

--- Additional comment from Scott Poore on 2015-03-02 11:19:56 EST ---

I forgot to mention that this was seen running the kickstart via virt-install. I don't think that affects things but, it's more information.
qemu-img create -f qcow2 -o preallocation=metadata $DISKIMAGE 8G

virt-install --connect=qemu:///system \
    --network=bridge:virbr0 \
    --initrd-inject=/tmp/${VMNAME}.ks \
    --extra-args="ks=file:/${VMNAME}.ks $EXTRAARGS" \
    --name=$VMNAME \
    --disk path=$DISKIMAGE,format=qcow2,size=8 \
    --ram 1024 \
    --vcpus=1 \
    --check-cpu \
    --hvm \
    --location=$OSIMG \
    --nographics

with ${VMNAME}.ks being the ks.cfg included from comment #6.
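
The realm join session above shows the "Required files" check passing while ipa-client-install still fails with "No module named SSSDConfig". As an added example (not code from realmd, FreeIPA or this report), the shell check below reads the interpreter from the installer's "#!" line and tests the import with that same interpreter. It assumes the installer is a script with a "#!" line; the function names and the PREFLIGHT_RUN variable are hypothetical.

```shell
#!/bin/sh
# Added example: not part of realmd, FreeIPA or the original report.
# Assumption: the installer is a script whose "#!" line names its interpreter.

# Print the interpreter command from FILE's first line.
# "#!/usr/bin/env NAME" yields "/usr/bin/env NAME".
shebang_interpreter() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        '#!'*) first=${first#'#!'} ;;
        *) return 1 ;;
    esac
    set -f                       # split on whitespace without globbing
    set -- $first
    set +f
    [ $# -ge 1 ] || return 1
    case $1 in
        */env) [ $# -ge 2 ] || return 1; printf '%s %s\n' "$1" "$2" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Return 0 if INTERPRETER can import MODULE; 2 if MODULE is not a plain name.
can_import() {
    case $2 in
        ''|*[!A-Za-z0-9_.]*) return 2 ;;   # keep arbitrary code out of -c
    esac
    # $1 is left unquoted so that "/usr/bin/env NAME" splits into two words.
    $1 -c "import $2" >/dev/null 2>&1
}

# preflight INSTALLER MODULE
# Returns 0 ok, 2 installer missing, 3 no "#!" line, 4 import failed.
preflight() {
    installer=$1
    module=$2
    [ -x "$installer" ] || { echo "not executable: $installer" >&2; return 2; }
    interp=$(shebang_interpreter "$installer") ||
        { echo "no interpreter line in $installer" >&2; return 3; }
    can_import "$interp" "$module" ||
        { echo "$interp cannot import $module" >&2; return 4; }
    echo "ok: $interp can import $module"
}

# Check the real installer only on request: PREFLIGHT_RUN=1 sh preflight.sh
if [ "${PREFLIGHT_RUN:-}" = 1 ]; then
    preflight /usr/sbin/ipa-client-install SSSDConfig
fi
```

A return code of 4 before the join corresponds to the failure seen in the first realm join attempt above, where every required file was present but the interpreter could not load SSSDConfig.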
(In reply to Stephen Gallagher from comment #0)

FreeIPA will not be ported to python2 very soon therefore package freeipa-client should explicitly require python-sssdconfig.
*** This bug has been marked as a duplicate of bug 1197218 ***
This is the Fedora Release Alpha Criteria that I think applies to this bug: https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#Remote_authentication
This is just for keeping things in order and in case this bug is reopened and unduped.

Discussed at today's blocker review meeting [1].

This bug was accepted as Alpha Blocker - This bug is a clear violation of the Alpha criterion: "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain."

[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-02/