Bug 1298103 - ipa-server-upgrade fails if certmonger is not running
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Martin Babinsky
QA Contact: Namita Soman
Keywords: Regression, ZStream
Depends On: 1296216
Reported: 2016-01-13 04:03 EST by Jan Kurik
Modified: 2016-02-16 05:59 EST (History)
Fixed In Version: ipa-4.2.0-15.el7_2.6
Doc Type: Bug Fix
Doc Text:
The ipa-server-upgrade utility checks for a running certmonger service at the start of the upgrade process and raises an error if the service is not running. Previously, when the Certificate System CA service was not configured, certmonger was not started because it was not required, so the check always failed on such a master. Consequently, this effectively prevented the upgrade of a CA-less IdM master to later versions. With this update, the certmonger service is also started when the CA service is not configured, and the upgrade of a CA-less IdM master works as expected.
Clone Of: 1296216
Last Closed: 2016-02-16 05:59:07 EST
Description Jan Kurik 2016-01-13 04:03:57 EST
This bug has been copied from bug #1296216 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 7 Xiyang Dong 2016-01-29 13:27:49 EST
Verified on ipa-server-4.2.0-15.el7_2.5:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_upgrade_bz1298103_setup: Prepare to test BZ1298103
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.
.
.
:: [ 12:06:50 ] :: Install ca-less master
:: [  BEGIN   ] :: Running 'mkdir ~/test_ca'
:: [   PASS   ] :: Command 'mkdir ~/test_ca' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo 'Secret123' > ~/test_ca/pwdfile.txt'
:: [   PASS   ] :: Command 'echo 'Secret123' > ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [   PASS   ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo -e 'y
10
y
' | certutil -d ~/test_ca -S             -n 'CA'             -s 'CN=Certificate Authority'             -x -t CT,,C             -2             --keyUsage digitalSignature,nonRepudiation,certSigning             --nsCertType sslCA,smimeCA,objectSigningCA             -m 12664 -v 120             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt'


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
:: [   PASS   ] :: Command 'echo -e 'y\n10\ny\n' | certutil -d ~/test_ca -S             -n 'CA'             -s 'CN=Certificate Authority'             -x -t CT,,C             -2             --keyUsage digitalSignature,nonRepudiation,certSigning             --nsCertType sslCA,smimeCA,objectSigningCA             -m 12664 -v 120             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [   PASS   ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -R             -s CN=cloud-qe-14.testrelm.test,O=IPA             -o /tmp/servercert.req             -k rsa             -g 2048             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt             -a'


Generating key.  This may take a few moments...

:: [   PASS   ] :: Command 'certutil -d ~/test_ca -R             -s CN=cloud-qe-14.testrelm.test,O=IPA             -o /tmp/servercert.req             -k rsa             -g 2048             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt             -a' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -C             -c 'CA'             -i /tmp/servercert.req             -o /tmp/servercert.pem             --keyUsage keyEncipherment             --nsCertType sslServer             -m 12665             -v 120             -f ~/test_ca/pwdfile.txt             -a'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -C             -c 'CA'             -i /tmp/servercert.req             -o /tmp/servercert.pem             --keyUsage keyEncipherment             --nsCertType sslServer             -m 12665             -v 120             -f ~/test_ca/pwdfile.txt             -a' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -A             -n Server-Cert             -i /tmp/servercert.pem             -t ,,             -a'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -A             -n Server-Cert             -i /tmp/servercert.pem             -t ,,             -a' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'pk12util -d ~/test_ca             -n Server-Cert             -o ~/test_ca/servercert.p12             -k ~/test_ca/pwdfile.txt             -w ~/test_ca/pwdfile.txt'
pk12util: PKCS12 EXPORT SUCCESSFUL
:: [   PASS   ] :: Command 'pk12util -d ~/test_ca             -n Server-Cert             -o ~/test_ca/servercert.p12             -k ~/test_ca/pwdfile.txt             -w ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa-server-install -U             --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST             -a Secret123 -p Secret123             --http-cert-file ~/test_ca/servercert.p12             --dirsrv-cert-file ~/test_ca/servercert.p12             --http-pin Secret123             --dirsrv-pin Secret123             --ca-cert-file ~/test_ca/cacert.pem'

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host cloud-qe-14.testrelm.test
The domain name has been determined based on the host name.

Checking DNS forwarders, please wait ...
Using reverse zone(s) 96.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       cloud-qe-14.testrelm.test
IP address(es): 10.16.96.101
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.11.5.19
Reverse zone(s):  96.16.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: enabling ldapi
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin
  [11/42]: configuring modrdn plugin
  [12/42]: configuring DNS plugin
  [13/42]: enabling entryUSN plugin
  [14/42]: configuring lockout plugin
  [15/42]: creating indices
  [16/42]: enabling referential integrity plugin
  [17/42]: configuring certmap.conf
  [18/42]: configure autobind for root
  [19/42]: configure new location for managed entries
  [20/42]: configure dirsrv ccache
  [21/42]: enable SASL mapping fallback
  [22/42]: restarting directory server
  [23/42]: adding default layout
  [24/42]: adding delegation layout
  [25/42]: creating container for managed entries
  [26/42]: configuring user private groups
  [27/42]: configuring netgroups from hostgroups
  [28/42]: creating default Sudo bind user
  [29/42]: creating default Auto Member layout
  [30/42]: adding range check plugin
  [31/42]: creating default HBAC rule allow_all
  [32/42]: adding entries for topology management
  [33/42]: initializing group membership
  [34/42]: adding master entry
  [35/42]: initializing domain level
  [36/42]: configuring Posix uid/gid generation
  [37/42]: adding replication acis
  [38/42]: enabling compatibility plugin
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/18]: setting mod_nss port to 443
  [2/18]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/18]: setting mod_nss password file
  [4/18]: enabling mod_nss renegotiate
  [5/18]: adding URL rewriting rules
  [6/18]: configuring httpd
  [7/18]: setting up ssl
  [8/18]: importing CA certificates from LDAP
  [9/18]: setting up browser autoconfig
  [10/18]: publish CA cert
  [11/18]: creating a keytab for httpd
  [12/18]: clean up any existing httpd ccache
  [13/18]: configuring SELinux for httpd
  [14/18]: create KDC proxy user
  [15/18]: create KDC proxy config
  [16/18]: enable KDC proxy
  [17/18]: restarting httpd
  [18/18]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
:: [   PASS   ] :: Command 'ipa-server-install -U             --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST             -a Secret123 -p Secret123             --http-cert-file ~/test_ca/servercert.p12             --dirsrv-cert-file ~/test_ca/servercert.p12             --http-pin Secret123             --dirsrv-pin Secret123             --ca-cert-file ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit admin'
Password for admin@TESTRELM.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa user-find'
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 527200000
  GID: 527200000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Command 'ipa user-find' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -ef|grep 't[o]m''
:: [   PASS   ] :: Command 'ps -ef|grep 't[o]m'' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'ps -ef|grep 'p[k]i''
:: [   PASS   ] :: Command 'ps -ef|grep 'p[k]i'' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-14.idmqe.lab.eng.bos.redhat.com'
:: [   PASS   ] :: Command 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-14.idmqe.lab.eng.bos.redhat.com' (Expected 0, got 0)
'85f18092-87ee-44f1-9cab-069a87e4a5dd'
ipa-upgrade-bz1298103-setup-Prepare-to-test-BZ1298103 result: PASS
   metric: 0
   Log: /var/tmp/beakerlib-37743252/journal.txt
   DMesg: /mnt/testarea/dmesg.log
    Info: Searching AVC errors produced since 1454087003.51 (Fri Jan 29 12:03:23 2016)
     Searching logs...
     Fail: AVC messages found.
     Checking for errors...
     Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
     Info: No AVC messages found.
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.ZocTsm
:
   AvcLog: /mnt/testarea/tmp.ZocTsm

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_upgrade_bz1298103_check:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 12:09:25 ] :: Machine in recipe is MASTER
:: [  BEGIN   ] :: Running ipa-server-upgrade when certmonger is not running :: actually running 'ipa-server-upgrade > /tmp/bz1298103.check.out 2>&1'
:: [   PASS   ] :: Running ipa-server-upgrade when certmonger is not running (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1298103.check.out' should not contain 'Certmonger is not running. Start certmonger and run upgrade again'
Comment 8 Martin Bašti 2016-02-01 06:54:14 EST
This patch causes an upgrade regression: https://fedorahosted.org/freeipa/ticket/5655
Comment 9 Martin Bašti 2016-02-02 07:54:40 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5655
Comment 10 Petr Vobornik 2016-02-02 08:00:36 EST
Ticket 5655 is fixed.
Comment 11 Martin Bašti 2016-02-02 08:02:39 EST
master:

612f4aa9003658f9a494ec327d50ec5a0592f7b4 always start certmonger during IPA server configuration upgrade
ipa-4-3:

d99552a8a9f855a7c5e00c4b0736061e05d6ed31 always start certmonger during IPA server configuration upgrade
ipa-4-2:

3664efa31edf0dff6dd3410e2eccd12c9cd25782 always start certmonger during IPA server configuration upgrade
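The failure mode in the Doc Text and the shape of the fix in the commits above ("always start certmonger during IPA server configuration upgrade"), modelled as an added example. This is illustration code written for this page, not FreeIPA's own upgrade code; the FakeServiceManager stand-in for systemd and the function names are assumptions.

```python
"""Model of the ipa-server-upgrade certmonger check before and after the fix.

Written for this page as an illustration; it is not FreeIPA code. The
service-manager interface below is a constructed stand-in for systemd.
"""

# Error string quoted from the verification log in this bug.
CERTMONGER_ERROR = ("Certmonger is not running. Start certmonger and run "
                    "upgrade again")


class UpgradeError(Exception):
    """Raised when a pre-upgrade requirement is not met."""


class FakeServiceManager:
    """Stand-in for systemd (assumption): tracks active units and records
    every start() call. Units listed in `broken` refuse to start, which
    models a masked or failing certmonger unit."""

    def __init__(self, active=(), broken=()):
        self.active = set(active)
        self.broken = set(broken)
        self.started = []

    def is_running(self, unit):
        return unit in self.active

    def start(self, unit):
        self.started.append(unit)
        if unit in self.broken:
            return False
        self.active.add(unit)
        return True


def _finish_upgrade(services, ca_configured):
    """Steps that run once the certmonger requirement is satisfied.
    Only the CA-specific step depends on a configured CA."""
    steps = ["Update certmonger certificate renewal configuration"]
    if ca_configured:
        steps.append("Upgrading CA schema")
    return steps


def upgrade_before_fix(services, ca_configured):
    """Pre-fix behaviour: certmonger is started only when a CA is
    configured, but the running check is unconditional. On a CA-less
    master with certmonger stopped the check therefore always fails."""
    if ca_configured:
        services.start("certmonger")
    if not services.is_running("certmonger"):
        raise UpgradeError(CERTMONGER_ERROR)
    return _finish_upgrade(services, ca_configured)


def upgrade_after_fix(services, ca_configured):
    """Fixed behaviour: start certmonger regardless of CA configuration,
    then verify it is actually running. start() can still fail (masked
    unit, broken install), so the verification is kept: a silent skip
    would leave renewal tracking unconfigured."""
    services.start("certmonger")
    if not services.is_running("certmonger"):
        raise UpgradeError(CERTMONGER_ERROR)
    return _finish_upgrade(services, ca_configured)


def try_upgrade(upgrade, services, ca_configured):
    """Run one upgrade variant; return (succeeded, steps_or_error_text)."""
    try:
        return True, upgrade(services, ca_configured)
    except UpgradeError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Reproduce the bug: CA-less master, certmonger stopped before upgrade.
    for label, variant in (("before fix", upgrade_before_fix),
                           ("after fix", upgrade_after_fix)):
        svc = FakeServiceManager()          # nothing running, no CA
        ok, detail = try_upgrade(variant, svc, ca_configured=False)
        print(f"{label:>10}: ok={ok} started={svc.started} detail={detail}")
```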
Comment 13 Xiyang Dong 2016-02-02 10:03:38 EST
Verified on ipa-server-4.2.0-15.el7_2.6.x86_64:

[root@intel-lizardhead-02 yum.repos.d]# systemctl stop ipa
[root@intel-lizardhead-02 yum.repos.d]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@intel-lizardhead-02 yum.repos.d]# ipa-server-upgrade
session memcached servers not running
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 4]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Ensuring CA is using LDAPProfileSubsystem]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
The IPA services were upgraded
The ipa-server-upgrade command was successful

[root@intel-lizardhead-02 yum.repos.d]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@intel-lizardhead-02 yum.repos.d]# systemctl restart ipa
[root@intel-lizardhead-02 yum.repos.d]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Comment 14 Xiyang Dong 2016-02-02 10:33:28 EST
Reverified on ipa-server-4.2.0-15.el7_2.6.x86_64:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_upgrade_bz1298103_setup: Prepare to test BZ1298103
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.
.
.
:: [ 10:23:06 ] :: Install ca-less master
:: [  BEGIN   ] :: Running 'mkdir ~/test_ca'
:: [   PASS   ] :: Command 'mkdir ~/test_ca' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo 'Secret123' > ~/test_ca/pwdfile.txt'
:: [   PASS   ] :: Command 'echo 'Secret123' > ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [   PASS   ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo -e 'y
10
y
' | certutil -d ~/test_ca -S             -n 'CA'             -s 'CN=Certificate Authority'             -x -t CT,,C             -2             --keyUsage digitalSignature,nonRepudiation,certSigning             --nsCertType sslCA,smimeCA,objectSigningCA             -m 26909 -v 120             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt'


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
:: [   PASS   ] :: Command 'echo -e 'y\n10\ny\n' | certutil -d ~/test_ca -S             -n 'CA'             -s 'CN=Certificate Authority'             -x -t CT,,C             -2             --keyUsage digitalSignature,nonRepudiation,certSigning             --nsCertType sslCA,smimeCA,objectSigningCA             -m 26909 -v 120             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'head -c20 /dev/random > ~/test_ca/noise.txt'
:: [   PASS   ] :: Command 'head -c20 /dev/random > ~/test_ca/noise.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -R             -s CN=cloud-qe-22.testrelm.test,O=IPA             -o /tmp/servercert.req             -k rsa             -g 2048             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt             -a'


Generating key.  This may take a few moments...

:: [   PASS   ] :: Command 'certutil -d ~/test_ca -R             -s CN=cloud-qe-22.testrelm.test,O=IPA             -o /tmp/servercert.req             -k rsa             -g 2048             -z ~/test_ca/noise.txt             -f ~/test_ca/pwdfile.txt             -a' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -C             -c 'CA'             -i /tmp/servercert.req             -o /tmp/servercert.pem             --keyUsage keyEncipherment             --nsCertType sslServer             -m 26910             -v 120             -f ~/test_ca/pwdfile.txt             -a'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -C             -c 'CA'             -i /tmp/servercert.req             -o /tmp/servercert.pem             --keyUsage keyEncipherment             --nsCertType sslServer             -m 26910             -v 120             -f ~/test_ca/pwdfile.txt             -a' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -A             -n Server-Cert             -i /tmp/servercert.pem             -t ,,             -a'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -A             -n Server-Cert             -i /tmp/servercert.pem             -t ,,             -a' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'pk12util -d ~/test_ca             -n Server-Cert             -o ~/test_ca/servercert.p12             -k ~/test_ca/pwdfile.txt             -w ~/test_ca/pwdfile.txt'
pk12util: PKCS12 EXPORT SUCCESSFUL
:: [   PASS   ] :: Command 'pk12util -d ~/test_ca             -n Server-Cert             -o ~/test_ca/servercert.p12             -k ~/test_ca/pwdfile.txt             -w ~/test_ca/pwdfile.txt' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem'
:: [   PASS   ] :: Command 'certutil -d ~/test_ca -L -n 'CA' -a > ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa-server-install -U             --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST             -a Secret123 -p Secret123             --http-cert-file ~/test_ca/servercert.p12             --dirsrv-cert-file ~/test_ca/servercert.p12             --http-pin Secret123             --dirsrv-pin Secret123             --ca-cert-file ~/test_ca/cacert.pem'

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host cloud-qe-22.testrelm.test
The domain name has been determined based on the host name.

Checking DNS forwarders, please wait ...
Using reverse zone(s) 96.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       cloud-qe-22.testrelm.test
IP address(es): 10.16.96.142
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.11.5.19
Reverse zone(s):  96.16.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: enabling ldapi
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin
  [11/42]: configuring modrdn plugin
  [12/42]: configuring DNS plugin
  [13/42]: enabling entryUSN plugin
  [14/42]: configuring lockout plugin
  [15/42]: creating indices
  [16/42]: enabling referential integrity plugin
  [17/42]: configuring certmap.conf
  [18/42]: configure autobind for root
  [19/42]: configure new location for managed entries
  [20/42]: configure dirsrv ccache
  [21/42]: enable SASL mapping fallback
  [22/42]: restarting directory server
  [23/42]: adding default layout
  [24/42]: adding delegation layout
  [25/42]: creating container for managed entries
  [26/42]: configuring user private groups
  [27/42]: configuring netgroups from hostgroups
  [28/42]: creating default Sudo bind user
  [29/42]: creating default Auto Member layout
  [30/42]: adding range check plugin
  [31/42]: creating default HBAC rule allow_all
  [32/42]: adding entries for topology management
  [33/42]: initializing group membership
  [34/42]: adding master entry
  [35/42]: initializing domain level
  [36/42]: configuring Posix uid/gid generation
  [37/42]: adding replication acis
  [38/42]: enabling compatibility plugin
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/18]: setting mod_nss port to 443
  [2/18]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/18]: setting mod_nss password file
  [4/18]: enabling mod_nss renegotiate
  [5/18]: adding URL rewriting rules
  [6/18]: configuring httpd
  [7/18]: setting up ssl
  [8/18]: importing CA certificates from LDAP
  [9/18]: setting up browser autoconfig
  [10/18]: publish CA cert
  [11/18]: creating a keytab for httpd
  [12/18]: clean up any existing httpd ccache
  [13/18]: configuring SELinux for httpd
  [14/18]: create KDC proxy user
  [15/18]: create KDC proxy config
  [16/18]: enable KDC proxy
  [17/18]: restarting httpd
  [18/18]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
:: [   PASS   ] :: Command 'ipa-server-install -U             --setup-dns --forwarder=10.11.5.19 -r TESTRELM.TEST             -a Secret123 -p Secret123             --http-cert-file ~/test_ca/servercert.p12             --dirsrv-cert-file ~/test_ca/servercert.p12             --http-pin Secret123             --dirsrv-pin Secret123             --ca-cert-file ~/test_ca/cacert.pem' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit admin'
Password for admin@TESTRELM.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa user-find'
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1307200000
  GID: 1307200000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Command 'ipa user-find' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -ef|grep 't[o]m''
:: [   PASS   ] :: Command 'ps -ef|grep 't[o]m'' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'ps -ef|grep 'p[k]i''
:: [   PASS   ] :: Command 'ps -ef|grep 'p[k]i'' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-22.idmqe.lab.eng.bos.redhat.com'
:: [   PASS   ] :: Command 'rhts-sync-set -s 'ipa_upgrade_bz1298103_setup.1' -m cloud-qe-22.idmqe.lab.eng.bos.redhat.com' (Expected 0, got 0)
'a2ff65ca-a9e2-4e64-885a-73fc3015ec0f'
ipa-upgrade-bz1298103-setup-Prepare-to-test-BZ1298103 result: PASS
   metric: 0
   Log: /var/tmp/beakerlib-37834343/journal.txt
   DMesg: /mnt/testarea/dmesg.log
    Info: Searching AVC errors produced since 1454426375.19 (Tue Feb  2 10:19:35 2016)
     Searching logs...
     Fail: AVC messages found.
     Checking for errors...
     Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
     Info: No AVC messages found.
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.VbKa1d
:
   AvcLog: /mnt/testarea/tmp.VbKa1d

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_upgrade_bz1298103_check:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 10:25:40 ] :: Machine in recipe is MASTER
:: [  BEGIN   ] :: Running ipa-server-upgrade when certmonger is not running :: actually running 'ipa-server-upgrade > /tmp/bz1298103.check.out 2>&1'
:: [   PASS   ] :: Running ipa-server-upgrade when certmonger is not running (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1298103.check.out' should not contain 'Certmonger is not running. Start certmonger and run upgrade again'
Comment 17 errata-xmlrpc 2016-02-16 05:59:07 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0211.html