Description of problem:

Running ipa-server-install in fedora:rawhide container fails in/after the [5/9]: creating a keytab for the directory step.

Version-Release number of selected component (if applicable):

freeipa-server-4.4.2-2.fc26.x86_64
krb5-server-1.15-3.fc26.beta2.0.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:

1. Have Dockerfile

FROM fedora:rawhide
RUN mkdir -p /run/lock && dnf upgrade -y && dnf install -y freeipa-server freeipa-server-dns freeipa-server-trust-ad initscripts && dnf clean all
# This is to workaround https://fedorahosted.org/freeipa/ticket/6518
RUN sed -i 's/getaddrinfo(fqdn/getaddrinfo(fqdn.rstrip(".")/' /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py && python -m compileall /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py

2. Build image: docker build -t ipa-rh .
3. Run container: docker run --rm -ti --name ipa -h ipa.example.test -e container=docker ipa-rh /usr/sbin/init
4. In another terminal, run ipa-server-install in the container: docker exec -ti ipa ipa-server-install -U -r EXAMPLE.TEST -a Secret123 -p Secret123

Actual results:

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

The domain name has been determined based on the host name.

The IPA Master Server will be configured with:
Hostname: ipa.example.test
IP address(es): 172.17.0.2
Domain name: example.test
Realm name: EXAMPLE.TEST

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
  [3/31]: stopping certificate server instance to update CS.cfg
  [4/31]: backing up CS.cfg
  [5/31]: disabling nonces
  [6/31]: set up CRL publishing
  [7/31]: enable PKIX certificate path discovery and validation
  [8/31]: starting certificate server instance
  [9/31]: creating RA agent certificate database
  [10/31]: importing CA chain to RA certificate database
  [11/31]: fixing RA database permissions
  [12/31]: setting up signing cert profile
  [13/31]: setting audit signing renewal to 2 years
  [14/31]: restarting certificate server
  [15/31]: requesting RA certificate from CA
  [16/31]: issuing RA agent certificate
  [17/31]: adding RA agent as a trusted user
  [18/31]: authorizing RA to modify profiles
  [19/31]: authorizing RA to manage lightweight CAs
  [20/31]: Ensure lightweight CAs container exists
  [21/31]: configure certmonger for renewals
  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [3/9]: initialize kerberos container
Failed to initialize the realm container
  [4/9]: adding default ACIs
  [5/9]: creating a keytab for the directory
  [error] CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
ipa.ipapython.install.cli.install_tool(Server): ERROR Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The log file ends with

2016-11-29T08:55:01Z DEBUG [5/9]: creating a keytab for the directory
2016-11-29T08:55:01Z DEBUG Starting external process
2016-11-29T08:55:01Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions
2016-11-29T08:55:02Z DEBUG Process finished, return code=-11
2016-11-29T08:55:02Z DEBUG stdout=
2016-11-29T08:55:02Z DEBUG stderr=
2016-11-29T08:55:02Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 327, in __create_ds_keytab
    installutils.kadmin_addprinc(ldap_principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 454, in kadmin_addprinc
    kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 451, in kadmin
    "-x", "ipa-setup-override-restrictions"])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 515, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11

2016-11-29T08:55:02Z DEBUG [error] CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
2016-11-29T08:55:02Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 334, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 376, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 405, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 395, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 363, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 597, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 376, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 405, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 395, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 457, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 395, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 363, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1372, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 270, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 807, in install
    subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 167, in create_instance
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 327, in __create_ds_keytab
    installutils.kadmin_addprinc(ldap_principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 454, in kadmin_addprinc
    kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 451, in kadmin
    "-x", "ipa-setup-override-restrictions"])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 515, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))

2016-11-29T08:55:02Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
2016-11-29T08:55:02Z ERROR Command 'kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions' returned non-zero exit status -11
2016-11-29T08:55:02Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

No error, FreeIPA server properly configured.

Additional info:
I wonder if the new build freeipa-4.4.2-3.fc26 http://koji.fedoraproject.org/koji/buildinfo?buildID=821068 fixes it. It was originally a fix for bug 1389866.
I'll recheck it once samba gets rebuilt so that freeipa-server actually installs in rawhide.
I confirm that latest rawhide containers get past this error.
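
Added example, not part of the original report or of FreeIPA's own code: a triage helper for the ipaserver-install.log excerpt above. It pairs each "args=" entry with its "Process finished, return code=" entry and decodes negative codes using the Python subprocess convention that -N means the child was terminated by signal N; the function names and the last three sample lines are constructed for illustration.

```python
import re
import signal

# First three lines are taken from the log excerpt in the report; the last
# three are constructed to show a successful command for contrast.
SAMPLE_LOG = """\
2016-11-29T08:55:01Z DEBUG Starting external process
2016-11-29T08:55:01Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa.example.test -x ipa-setup-override-restrictions
2016-11-29T08:55:02Z DEBUG Process finished, return code=-11
2016-11-29T08:55:03Z DEBUG Starting external process
2016-11-29T08:55:03Z DEBUG args=/bin/true
2016-11-29T08:55:03Z DEBUG Process finished, return code=0
"""

ENTRY = re.compile(r"^(\S+) (DEBUG|INFO|WARNING|ERROR) (.*)$")
RC_PREFIX = "Process finished, return code="


def describe_returncode(rc):
    """Map a subprocess return code to a cause; -N means killed by signal N."""
    if rc == 0:
        return "ok"
    if rc > 0:
        return "exit status %d" % rc
    try:
        return "killed by " + signal.Signals(-rc).name
    except ValueError:  # signal number with no name on this platform
        return "killed by signal %d" % -rc


def failed_commands(log_text):
    """Pair each 'args=' entry with its return code; keep the non-zero ones."""
    failures, args = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # traceback continuation lines carry no timestamp
        stamp, _level, msg = m.groups()
        if msg.startswith("args="):
            args = msg[len("args="):]
        elif msg.startswith(RC_PREFIX):
            rc = int(msg[len(RC_PREFIX):])
            if rc != 0:
                failures.append((stamp, args, rc, describe_returncode(rc)))
            args = None
    return failures


if __name__ == "__main__":
    for stamp, args, rc, cause in failed_commands(SAMPLE_LOG):
        print("%s rc=%d (%s): %s" % (stamp, rc, cause, args))
```

On Linux, signal 11 is SIGSEGV, so the -11 in the report indicates that kadmin.local crashed rather than exiting with an error of its own.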