Red Hat Bugzilla – Bug 1437951
Remove pkinit-related options from server/replica-install on DL0
Last modified: 2017-08-01 05:47:49 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6801 pkinit is not allowed on DL0 so new master/replica installations should not allow any PKINIT options to be set and should force `--no-pkinit`.
Upstream ticket: https://pagure.io/freeipa/issue/6801
master: 6cda1509a68d7a21578280d381a6b9e994fd4f49 Fix the order of cert-files check 9e3ae785ac9b62b8e0809a4aa56363c458316135 Don't allow setting pkinit-related options on DL0 8af884d0489d5d57895959d27ca6eb8815c6c922 replica-prepare man: remove pkinit option refs fe7cf1e854b7dc28861455011091df3cbe45abe9 Remove redundant option check for cert files ipa-4-5: 497e766427b3ced865ff88a51cd0c2c96e8b24f9 Fix the order of cert-files check a1ad1ffa3540da4b5d5c1963b3818d9c9260e1a2 Don't allow setting pkinit-related options on DL0 85720b6bdc764b98dd471799ccc1045e1379709e replica-prepare man: remove pkinit option refs 8f7b6c349f4e81e88ef36f014e26de6b1f3f3e41 Remove redundant option check for cert files
How can I attempt to install a master with DL0 with pkinit options? I thought those weren't introduced until 4.5. So can I attempt a DL0 Master install somehow with those or is this really just for replica installs? Thanks, Scott
Testing on a replica. Just checking that this is the intended behavior? I setup a RHEL6.9 IPA Master and ran [root@rhel6-1 ~]# ipa-replica-prepare --ip-address=192.168.122.73 --reverse-zone=122.168.192.in-addr.arpa. rhel7-3.example.com Directory Manager (existing master) password: Preparing replica for rhel7-3.example.com from rhel6-1.example.com Creating SSL certificate for the Directory Server Creating SSL certificate for the dogtag Directory Server Creating SSL certificate for the Web Server Exporting RA certificate Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-rhel7-3.example.com.gpg Adding DNS records for rhel7-3.example.com Using reverse zone 122.168.192.in-addr.arpa. ... Checking that pkinit options don't work for [root@rhel7-3 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -n example.com -r EXAMPLE.COM -P Secret123 --pkinit-cert-file=/dev/null --pkinit-pin=123456 --pkinit-cert-name=KDC /var/lib/ipa/replica-info-rhel7-3.example.com.gpg Usage: ipa-replica-install [options] [REPLICA_FILE] ipa-replica-install: error: pkinit on domain level 0 is not supported. Please don't use any pkinit-related options. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Domain level 0 master can also be a IPA 4.5 upgraded from IPA 4.2 or IPA 4.4 (which was still on domain level 0). Alternative, quick, but not supported option is to use undocumented '--domain-level 0' option to test this without upgrading.
Verified. Version :: ipa-server-4.5.0-13.el7.x86_64 Results :: Since we can't run ipa-server-install on IPA 4.5 after it was already run on 4.2 and then upgraded, we are focused here on the replica-install on domain level 0. See comment #6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304