Bug 1247247
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | ipa-server-install with custom hostname fails on named-pkcs11 restart | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | ksiddiqu, mbasti, mkosek, pvoborni, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-05 14:25:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Scott Poore
2015-07-27 15:55:25 UTC
Ok, more details on setup to help reproduce: I'm seeing the issue on a VM but I would expect to see it anywhere you're trying to change hostname on the ipa-server-install command line.

My KVM host is running dnsmasq to serve my guests. This is the entry there:

```
$ grep 192.168.122.71 /etc/hosts
192.168.122.71 rhel7-1.example.com rhel7-1
$ ps -ef|grep dnsmasq
nobody    3045     1  0 06:02 ?        00:00:00 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
root      3046  3045  0 06:02 ?        00:00:00 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
spoore   15909 15869  0 08:49 pts/3    00:00:00 grep --color=auto dnsmasq
```

My guest does resolve itself as rhel7-1.example.com:

```
[root@rhel7-1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@rhel7-1 ~]# cat /etc/hostname
rhel7-1.example.com
[root@rhel7-1 ~]# hostname
rhel7-1.example.com
[root@rhel7-1 ~]# hostname -i
192.168.122.71
[root@rhel7-1 ~]# host rhel7-1.example.com
rhel7-1.example.com has address 192.168.122.71
[root@rhel7-1 ~]# host 192.168.122.71
71.122.168.192.in-addr.arpa domain name pointer rhel7-1.example.com.
```

When I did the rpm installs, I just ran:

```
yum -y install ipa-server
yum install ipa-server-dns
```

Then after failure on ipa-server-install:

```
[root@rhel7-1 ~]# journalctl -xe|tail -20
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit dirsrv has finished shutting down.
Jul 28 09:09:01 rhel7-1.example.com ipactl[5946]: Aborting ipactl
Jul 28 09:09:01 rhel7-1.example.com ipactl[5946]: Starting Directory Service
Jul 28 09:09:01 rhel7-1.example.com ipactl[5946]: Starting krb5kdc Service
Jul 28 09:09:01 rhel7-1.example.com ipactl[5946]: Starting kadmin Service
Jul 28 09:09:01 rhel7-1.example.com ipactl[5946]: Starting named Service
Jul 28 09:09:01 rhel7-1.example.com systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
Jul 28 09:09:01 rhel7-1.example.com systemd[1]: Failed to start Identity, Policy, Audit.
-- Subject: Unit ipa.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ipa.service has failed.
--
-- The result is failed.
Jul 28 09:09:01 rhel7-1.example.com systemd[1]: Unit ipa.service entered failed state.
Jul 28 09:09:01 rhel7-1.example.com systemd[1]: ipa.service failed.
Jul 28 09:09:01 rhel7-1.example.com polkitd[727]: Unregistered Authentication Agent for unix-process:5941:132668 (system bus name :1.86, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
[root@rhel7-1 ~]# systemctl status named-pkcs11 -l
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2015-07-28 09:08:59 CDT; 2min 50s ago
  Process: 5964 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 5962 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Jul 28 09:08:59 rhel7-1.example.com named-pkcs11[5967]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/EXAMPLE.COM not found in Kerberos database): bind to LDAP server failed
Jul 28 09:08:59 rhel7-1.example.com named-pkcs11[5967]: couldn't establish connection in LDAP connection pool: failure
Jul 28 09:08:59 rhel7-1.example.com named-pkcs11[5967]: dynamic database 'ipa' configuration failed: failure
Jul 28 09:08:59 rhel7-1.example.com named-pkcs11[5967]: loading configuration: failure
Jul 28 09:08:59 rhel7-1.example.com named-pkcs11[5967]: exiting (due to fatal error)
Jul 28 09:08:59 rhel7-1.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jul 28 09:08:59 rhel7-1.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jul 28 09:08:59 rhel7-1.example.com systemd[1]: Unit named-pkcs11.service entered failed state.
Jul 28 09:08:59 rhel7-1.example.com systemd[1]: named-pkcs11.service failed.
Jul 28 09:08:59 rhel7-1.example.com systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
```

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4741

Is this a duplicate of bug 1249784?

No, this is a different issue.

I'm marking this one closed currentrelease. It appears that I can no longer reproduce the issue with the latest RHEL7.2 install. I ran this on 10 systems and did not see the issue. I was seeing the issue pretty consistently but I do not see it anymore.
For reference here's my verification:
Version:
ipa-server-4.2.0-15.el7.x86_64
Results:
[root@cloud-qe-14 ~]# NS=$(grep ^nameserver /etc/resolv.conf|head -1|awk '{print $2}')
[root@cloud-qe-14 ~]# IP=$(hostname -i)
[root@cloud-qe-14 ~]# ipa-server-install --setup-dns --forwarder=$NS --hostname master.testrelm.test --ip-address=$IP -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Warning: skipping DNS resolution of host master.testrelm.test
Warning: hostname master.testrelm.test does not match system hostname cloud-qe-14.idmqe.lab.eng.bos.redhat.com.
System hostname will be updated during the installation process
to prevent service failures.
Checking DNS forwarders, please wait ...
Using reverse zone(s) 96.16.10.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: master.testrelm.test
IP address(es): 10.16.96.101
Domain name: testrelm.test
Realm name: TESTRELM.TEST
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 10.16.101.41
Reverse zone(s): 96.16.10.in-addr.arpa.
Adding [10.16.96.101 master.testrelm.test] to your /etc/hosts file
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/43]: creating directory server user
[2/43]: creating directory server instance
[3/43]: adding default schema
[4/43]: enabling memberof plugin
[5/43]: enabling winsync plugin
[6/43]: configuring replication version plugin
[7/43]: enabling IPA enrollment plugin
[8/43]: enabling ldapi
[9/43]: configuring uniqueness plugin
[10/43]: configuring uuid plugin
[11/43]: configuring modrdn plugin
[12/43]: configuring DNS plugin
[13/43]: enabling entryUSN plugin
[14/43]: configuring lockout plugin
[15/43]: creating indices
[16/43]: enabling referential integrity plugin
[17/43]: configuring certmap.conf
[18/43]: configure autobind for root
[19/43]: configure new location for managed entries
[20/43]: configure dirsrv ccache
[21/43]: enable SASL mapping fallback
[22/43]: restarting directory server
[23/43]: adding default layout
[24/43]: adding delegation layout
[25/43]: creating container for managed entries
[26/43]: configuring user private groups
[27/43]: configuring netgroups from hostgroups
[28/43]: creating default Sudo bind user
[29/43]: creating default Auto Member layout
[30/43]: adding range check plugin
[31/43]: creating default HBAC rule allow_all
[32/43]: creating default CA ACL rule
[33/43]: adding entries for topology management
[34/43]: initializing group membership
[35/43]: adding master entry
[36/43]: initializing domain level
[37/43]: configuring Posix uid/gid generation
[38/43]: adding replication acis
[39/43]: enabling compatibility plugin
[40/43]: activating sidgen plugin
[41/43]: activating extdom plugin
[42/43]: tuning directory server
[43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/25]: creating certificate server user
[2/25]: configuring certificate server instance
[3/25]: stopping certificate server instance to update CS.cfg
[4/25]: backing up CS.cfg
[5/25]: disabling nonces
[6/25]: set up CRL publishing
[7/25]: enable PKIX certificate path discovery and validation
[8/25]: starting certificate server instance
[9/25]: creating RA agent certificate database
[10/25]: importing CA chain to RA certificate database
[11/25]: fixing RA database permissions
[12/25]: setting up signing cert profile
[13/25]: setting audit signing renewal to 2 years
[14/25]: restarting certificate server
[15/25]: requesting RA certificate from CA
[16/25]: issuing RA agent certificate
[17/25]: adding RA agent as a trusted user
[18/25]: authorizing RA to modify profiles
[19/25]: configure certmonger for renewals
[20/25]: configure certificate renewals
[21/25]: configure RA certificate renewal
[22/25]: configure Server-Cert certificate renewal
[23/25]: Configure HTTP to proxy connections
[24/25]: restarting certificate server
[25/25]: Importing IPA certificate profiles
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
[1/3]: configuring ssl for ds instance
[2/3]: restarting directory server
[3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/10]: adding sasl mappings to the directory
[2/10]: adding kerberos container to the directory
[3/10]: configuring KDC
[4/10]: initialize kerberos container
[5/10]: adding default ACIs
[6/10]: creating a keytab for the directory
[7/10]: creating a keytab for the machine
[8/10]: adding the password extension to the directory
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd). Estimated time: 1 minute
[1/19]: setting mod_nss port to 443
[2/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[3/19]: setting mod_nss password file
[4/19]: enabling mod_nss renegotiate
[5/19]: adding URL rewriting rules
[6/19]: configuring httpd
[7/19]: configure certmonger for renewals
[8/19]: setting up ssl
[9/19]: importing CA certificates from LDAP
[10/19]: setting up browser autoconfig
[11/19]: publish CA cert
[12/19]: creating a keytab for httpd
[13/19]: clean up any existing httpd ccache
[14/19]: configuring SELinux for httpd
[15/19]: create KDC proxy user
[16/19]: create KDC proxy config
[17/19]: enable KDC proxy
[18/19]: restarting httpd
[19/19]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up CA record
[9/12]: setting up kerberos principal
[10/12]: setting up named.conf
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
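As an added example (not code from the IPA project or from this report), the following Python pre-flight check automates the comparisons the reporter did by hand (system hostname, forward and reverse lookup) for the `--hostname` and `--ip-address` you intend to pass, and extracts the realm named-pkcs11 asked for from the journal line quoted above. Treating that `krbtgt/EXAMPLE.COM` request as a realm derived from the old hostname's domain is my reading of the log, not something the report states; the sample inputs are constructed from the values quoted in the report, combining the verification run's hostname and realm with the VM's original name.

```python
"""Pre-flight check for an ipa-server-install --hostname run (added example, not
IPA project code). Reports the mismatches this report exposed: system hostname
still holding the old name, forward/reverse DNS disagreeing with the requested
name. Deriving a stale Kerberos realm from the old hostname's domain is my
assumption, offered to explain 'Server krbtgt/EXAMPLE.COM not found'."""
import re
from typing import Dict, List, Optional

KRBTGT_RE = re.compile(r"Server krbtgt/([A-Za-z0-9.\-]+) not found in Kerberos database")

def default_realm_for(fqdn: str) -> str:
    """Kerberos convention: realm name is the host's DNS domain, upper-cased."""
    return fqdn.split(".", 1)[1].upper() if "." in fqdn else fqdn.upper()

def realm_from_named_log(lines: List[str]) -> Optional[str]:
    """Realm that named-pkcs11 asked the KDC for, taken from journal lines."""
    for line in lines:
        m = KRBTGT_RE.search(line)
        if m:
            return m.group(1)
    return None

def preflight(requested_fqdn: str, requested_realm: str, ip: str, system_fqdn: str,
              forward: Dict[str, str], reverse: Dict[str, str]) -> List[str]:
    """Return findings for the install parameters; an empty list means consistent."""
    findings = []
    if requested_fqdn != system_fqdn:
        findings.append(f"hostname: --hostname {requested_fqdn} differs from system "
                        f"hostname {system_fqdn}; it must be updated before services start")
        stale = default_realm_for(system_fqdn)
        if stale != requested_realm:
            findings.append(f"realm: a service still using {system_fqdn} would request "
                            f"krbtgt/{stale}, which the {requested_realm} KDC does not hold")
    if forward.get(requested_fqdn) != ip:
        findings.append(f"forward DNS: {requested_fqdn} -> {forward.get(requested_fqdn)}, "
                        f"expected {ip}")
    if reverse.get(ip) != requested_fqdn:
        findings.append(f"reverse DNS: {ip} -> {reverse.get(ip)}, expected {requested_fqdn}")
    return findings

# Constructed sample inputs, taken from the values quoted in the report.
REPORT_LOG = ["Jul 28 09:08:59 rhel7-1.example.com named-pkcs11[5967]: LDAP error: Local "
              "error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. "
              "Minor code may provide more information (Server krbtgt/EXAMPLE.COM not "
              "found in Kerberos database): bind to LDAP server failed"]
REPORT_FORWARD = {"rhel7-1.example.com": "192.168.122.71"}
REPORT_REVERSE = {"192.168.122.71": "rhel7-1.example.com"}
```

Running `preflight("master.testrelm.test", "TESTRELM.TEST", "192.168.122.71", "rhel7-1.example.com", REPORT_FORWARD, REPORT_REVERSE)` yields four findings (hostname, realm, forward DNS, reverse DNS), while `realm_from_named_log(REPORT_LOG)` returns `EXAMPLE.COM`, the realm in the failing bind.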