Bug 1241941 - kdc component installation of IPA failed
Summary: kdc component installation of IPA failed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1260097
Reported: 2015-07-10 13:10 UTC by Kaleem
Modified: 2015-11-19 12:04 UTC
CC List: 11 users

Fixed In Version: ipa-4.2.0-2.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1260097
Environment:
Last Closed: 2015-11-19 12:04:08 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2015:2362 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2015-11-19 10:40:46 UTC

Description Kaleem 2015-07-10 13:10:21 UTC
Description of problem:
While installing IPA, I saw the following:

Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
Failed to initialize the realm container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [error] CalledProcessError: Command ''kadmin.local' '-q' 'addprinc -randkey ldap/nocp6.idm.lab.eng.rdu2.redhat.com.ENG.RDU2.REDHAT.COM' '-x' 'ipa-setup-override-restrictions'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Server): ERROR    Command ''kadmin.local' '-q' 'addprinc -randkey ldap/nocp6.idm.lab.eng.rdu2.redhat.com.ENG.RDU2.REDHAT.COM' '-x' 'ipa-setup-override-restrictions'' returned non-zero exit status 1

Version-Release number of selected component (if applicable):
[root@nocp6 ~]# rpm -q ipa-server krb5-server python-krbV
ipa-server-4.2.0-1.el7.x86_64
krb5-server-1.13.2-3.el7.x86_64
python-krbV-1.0.90-8.el7.x86_64
[root@nocp6 ~]#

How reproducible:
Always

Additional info:
(1) No avc denial
(2) Nothing in /var/log/kadmind.log

Comment 2 Kaleem 2015-07-10 13:29:46 UTC
Locally, that beaker machine shows no avc denial:

[root@nocp6 ~]# ausearch -m AVC -ts today
<no matches>
[root@nocp6 ~]# cat /var/log/audit/audit.log |audit2allow
Nothing to do
[root@nocp6 ~]#

But strangely, the beaker logs show the following avc denial:

time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.841:91): item=0 name="/var/lib/kdcproxy" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1436526927.841:91):  cwd="/"
type=SYSCALL msg=audit(1436526927.841:91): arch=c000003e syscall=92 success=no exit=-13 a0=7ffc32b96189 a1=3e0 a2=3dd a3=65726373662f7274 items=1 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.841:91): avc:  denied  { setattr } for  pid=15697 comm="useradd" name="kdcproxy" dev="dm-0" ino=203270270 scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.841:92): item=0 name="/var/lib/kdcproxy" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1436526927.841:92):  cwd="/"
type=SYSCALL msg=audit(1436526927.841:92): arch=c000003e syscall=90 success=no exit=-13 a0=7ffc32b96189 a1=1c0 a2=0 a3=3f items=1 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.841:92): avc:  denied  { setattr } for  pid=15697 comm="useradd" name="kdcproxy" dev="dm-0" ino=203270270 scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.843:94): item=1 name="/var/lib/kdcproxy/.bash_logout" objtype=CREATE
type=PATH msg=audit(1436526927.843:94): item=0 name="/var/lib/kdcproxy/" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1436526927.843:94):  cwd="/"
type=SYSCALL msg=audit(1436526927.843:94): arch=c000003e syscall=2 success=no exit=-13 a0=7f876dd12210 a1=241 a2=1a4 a3=65726373662f7274 items=2 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.843:94): avc:  denied  { create } for  pid=15697 comm="useradd" name=".bash_logout" scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
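The denials quoted above are only readable once the AVC, SYSCALL and PATH records sharing one audit serial are put back together: the AVC gives the source/target types and the permission, the SYSCALL says whether the call actually failed (exit=-13 is -EACCES) and which binary made it, and the PATH item with the highest index names the object. The script below is an added example, not part of the bug report or of any Red Hat tooling; it parses the ausearch output in this comment (embedded as a constructed sample) and groups denials the way audit2allow does, by (source type, target type, class, permission), so a tester comparing a local ausearch against beaker logs can see at a glance what was denied.

```python
"""Correlate SELinux AVC denials in ausearch/audit.log output with their SYSCALL and PATH records."""
import re
from collections import Counter, defaultdict

# Constructed sample: the three events quoted from the beaker log in this comment, ausearch format.
SAMPLE_AUDIT_LOG = """\
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.841:91): item=0 name="/var/lib/kdcproxy" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1436526927.841:91):  cwd="/"
type=SYSCALL msg=audit(1436526927.841:91): arch=c000003e syscall=92 success=no exit=-13 a0=7ffc32b96189 a1=3e0 a2=3dd a3=65726373662f7274 items=1 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.841:91): avc:  denied  { setattr } for  pid=15697 comm="useradd" name="kdcproxy" dev="dm-0" ino=203270270 scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.841:92): item=0 name="/var/lib/kdcproxy" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1436526927.841:92):  cwd="/"
type=SYSCALL msg=audit(1436526927.841:92): arch=c000003e syscall=90 success=no exit=-13 a0=7ffc32b96189 a1=1c0 a2=0 a3=3f items=1 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.841:92): avc:  denied  { setattr } for  pid=15697 comm="useradd" name="kdcproxy" dev="dm-0" ino=203270270 scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.843:94): item=1 name="/var/lib/kdcproxy/.bash_logout" objtype=CREATE
type=PATH msg=audit(1436526927.843:94): item=0 name="/var/lib/kdcproxy/" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1436526927.843:94):  cwd="/"
type=SYSCALL msg=audit(1436526927.843:94): arch=c000003e syscall=2 success=no exit=-13 a0=7f876dd12210 a1=241 a2=1a4 a3=65726373662f7274 items=2 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.843:94): avc:  denied  { create } for  pid=15697 comm="useradd" name=".bash_logout" scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')   # key=value, value quoted, parenthesised or bare
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def parse_kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_audit_log(text):
    """Group raw audit records by event serial: {serial: [(record type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue                      # ausearch separators ('time->...', '----')
        rtype, body = m.group('type'), m.group('body')
        if rtype == 'AVC':
            a = AVC_RE.search(body)
            if not a:
                continue
            fields = parse_kv(a.group('rest'))
            fields['verdict'] = a.group('verdict')
            fields['perms'] = a.group('perms').split()
        else:
            fields = parse_kv(body)
        events[m.group('serial')].append((rtype, fields))
    return events

def denials(text):
    """One summary dict per AVC denial, enriched from the SYSCALL/PATH records of the same event."""
    out = []
    for serial, records in sorted(parse_audit_log(text).items(), key=lambda kv: int(kv[0])):
        by_type = defaultdict(list)
        for rtype, fields in records:
            by_type[rtype].append(fields)
        syscall = by_type['SYSCALL'][0] if by_type['SYSCALL'] else {}
        # Highest PATH item is the object acted on; item=0 is the parent dir for a create.
        paths = sorted(by_type['PATH'], key=lambda p: int(p.get('item', 0)))
        path = paths[-1].get('name') if paths else None
        for avc in by_type['AVC']:
            if avc['verdict'] != 'denied':
                continue
            out.append({
                'serial': int(serial),
                'comm': avc.get('comm'),
                'exe': syscall.get('exe'),
                'source_type': avc['scontext'].split(':')[2],
                'target_type': avc['tcontext'].split(':')[2],
                'tclass': avc['tclass'],
                'perms': tuple(avc['perms']),
                'path': path,
                # success=no with exit=-13 (-EACCES): the denial really failed the call
                'enforced': syscall.get('success') == 'no',
            })
    return out

def aggregate(text):
    """Count denials per (source type, target type, class, permission), the tuples audit2allow rules from."""
    counts = Counter()
    for d in denials(text):
        for perm in d['perms']:
            counts[(d['source_type'], d['target_type'], d['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for d in denials(SAMPLE_AUDIT_LOG):
        print(f"event {d['serial']}: {d['exe']} denied {' '.join(d['perms'])} on {d['tclass']} "
              f"{d['path']} ({d['source_type']} -> {d['target_type']}, enforced={d['enforced']})")
    for key, n in aggregate(SAMPLE_AUDIT_LOG).items():
        print(n, key)
```

Feeding it a whole /var/log/audit/audit.log works the same way, since the parser only keys on the `type=... msg=audit(ts:serial):` header; the aggregate view is the one to compare between the local box and the beaker-collected log, because it is unaffected by differing pids and timestamps.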

Comment 4 Petr Vobornik 2015-07-10 15:15:15 UTC
Moving to IPA; it was not built against the correct version of krb5.

more info:
>>>> kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for
>>>> db2 while initializing kadmin.local interface
>>>>
>>>> And also when trying to start kadmin.service, there is:
>>>> kadmind: kadmind: Database module does not match KDC version while
>>>> initializing, aborting
>>>
>>> What MIT krb packages version has IPA been built against?
>>> Has it changed since the build?
>>>
>>> The KDB Driver interface is private and changes from release to release,
>>> so there are safeguards to prevent loading the module if the MIT version
>>> changes.
>>>
>>> Simo.
>>>
>>
>> In build root.log from yesterday
>> there is:
>> DEBUG util.py:257:  Installed:
>>    ...
>>    krb5-devel.x86_64 0:1.12.2-14.el7
>>
>> Latest RHEL7.2 package is: krb5-1.13.2-3.el7(2015-06-01).
>>
>> krb5-1.12.2-14.el7 is a RHEL 7.1 package.
>>
>> Version installed on the test machine is krb5-server-1.13.2-3.el7.x86_64.
>
> At the very least the RHEL packages will need a strict version
> dependency on the krb5 package both at build time and install time.
>
> I suggest in RHEL you add
> BuildRequires >= 1.13.0 < 1.14.0
> Requires >= 1.13.0 < 1.14.0
>
> Simo.
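The root cause in this thread is a build/runtime skew: the build root installed krb5-devel 1.12.2 while the test machine runs krb5-server 1.13.2, and the private KDB driver interface refuses to load across releases. Simo's remedy is a strict version window (>= 1.13.0 < 1.14.0) at build and install time. The script below is an added example, not IPA's code or packaging: an admin-side pre-flight check that applies that window to the packages a host reports, using an rpm-style version comparison (assumption: a simplified rpmvercmp that ignores the '~' and '^' ordering markers) and parsers for both formats seen in this comment, `rpm -q` NEVRA output and the `name.arch epoch:version-release` lines of a mock root.log. The sample package lists are constructed from this report.

```python
"""Pre-flight check of installed krb5 packages against the version window an IPA build requires."""
import re
import subprocess

KNOWN_ARCHES = {"x86_64", "i686", "noarch", "aarch64", "ppc64le", "s390x"}

def rpmvercmp(a, b):
    """Compare two RPM version/release strings the way rpm does: split into runs of digits
    and letters, compare numbers numerically and letters lexically, and rank a numeric
    segment above an alphabetic one. Returns -1, 0 or 1.
    Assumption/simplification: the '~' and '^' ordering markers are not handled."""
    segs_a = re.findall(r"\d+|[A-Za-z]+", a)
    segs_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(segs_a, segs_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(segs_a) > len(segs_b)) - (len(segs_a) < len(segs_b))

def parse_nevra(s):
    """'krb5-server-1.13.2-3.el7.x86_64' (rpm -q output) -> (name, version, release, arch)."""
    name, version, release = s.rsplit("-", 2)
    arch = None
    head, _, tail = release.rpartition(".")
    if tail in KNOWN_ARCHES:
        release, arch = head, tail
    return name, version, release, arch

def parse_yum_line(s):
    """'krb5-devel.x86_64 0:1.12.2-14.el7' (yum / mock root.log) -> (name, version, release, arch)."""
    name_arch, evr = s.split()
    name, arch = name_arch.rsplit(".", 1)
    vr = evr.split(":", 1)[-1]          # drop the epoch
    version, release = vr.rsplit("-", 1)
    return name, version, release, arch

def in_range(version, low, high):
    """low <= version < high under rpm ordering, i.e. 'Requires >= 1.13.0 < 1.14.0'."""
    return rpmvercmp(version, low) >= 0 and rpmvercmp(version, high) < 0

def check_packages(nevras, low="1.13.0", high="1.14.0"):
    """Map each krb5* package name to True if its version lies inside [low, high)."""
    result = {}
    for nevra in nevras:
        name, version, _, _ = parse_nevra(nevra)
        if name.startswith("krb5"):
            result[name] = in_range(version, low, high)
    return result

# Constructed from the report: runtime packages on the test machine, and the build root's krb5-devel.
RUNTIME_SAMPLE = ["ipa-server-4.2.0-1.el7.x86_64", "krb5-server-1.13.2-3.el7.x86_64",
                  "python-krbV-1.0.90-8.el7.x86_64"]
BUILDROOT_SAMPLE = "krb5-devel.x86_64 0:1.12.2-14.el7"

def installed_krb5():
    """Ask rpm for the krb5 packages on this host; fall back to the sample where rpm is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "krb5-server", "krb5-libs"], capture_output=True, text=True)
        return [line for line in out.stdout.splitlines() if not line.startswith("package ")]
    except FileNotFoundError:
        return RUNTIME_SAMPLE

if __name__ == "__main__":
    for name, ok in check_packages(installed_krb5()).items():
        print(f"{name}: {'OK' if ok else 'OUTSIDE the 1.13.x window'}")
    bname, bver, _, _ = parse_yum_line(BUILDROOT_SAMPLE)
    state = "matches" if in_range(bver, "1.13.0", "1.14.0") else "does NOT match"
    print(f"build root {bname} {bver} {state} the runtime window")
```

Run on the versions in this bug, the runtime krb5-server passes and the build root's krb5-devel 1.12.2 fails, which is the mismatch kadmind reports as "Database module does not match KDC version".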

Comment 12 Jan Cholasta 2015-07-15 10:23:55 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5132

Comment 16 Jamie Lennox 2015-07-20 00:45:09 UTC
rich: I've noticed python-cryptography missing from other nightlies as well. It appears to be there in the latest.

Comment 17 Kaleem 2015-07-20 18:12:39 UTC
Verified.

IPA version:
============
[root@vm-idm-001 ~]# rpm -q ipa-server
ipa-server-4.2.0-2.el7.x86_64
[root@vm-idm-001 ~]# 


[root@vm-idm-001 ~]# /usr/sbin/ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=vm-idm-001.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -a xxxxxxxx --ip-address=10.65.206.135 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

..
...
....
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@vm-idm-001 ~]#

Comment 18 errata-xmlrpc 2015-11-19 12:04:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

