Red Hat Bugzilla – Bug 1437953
Server CA-less impossible option check
Last modified: 2017-08-01 05:47:49 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6807

When CA-less server-install is run only with `--dirsrv-cert-file` and `--http-cert-file`, obviously the below message is shown:

```
ipa-server-install: error: --dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file or --no-pkinit are required if any key file options are used.
```

Alright, seems like we need to add `--pkinit-cert-file`. Now, we get:

```
ERROR Cannot create KDC PKINIT certificate and use provided external PKINIT certificate at the same time. Please choose one of them.
```

By looking in `ipaserver/install/server/install.py` around line 515, we are doing this check:

```
if options.pkinit_cert_files:
    if not options.no_pkinit:
```

which by itself is nonsensical as `no_pkinit` cannot be specified along with `pkinit_cert_files`. But let's give it a chance and add `--no-pkinit`. We get:

```
ipa-server-install: error: --no-pkinit and --pkinit-cert-file cannot be specified together
```
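To make the contradiction concrete, here is a small model of the three option checks the report walks through, with the quoted check beside an assumed correction, and an exhaustive walk over all 16 flag combinations. This is an added illustration, not FreeIPA's code: the flag names mirror the CLI options above, but `Options`, `check_broken`, `check_fixed` and `accepted_combinations` are constructed here.

```python
"""Model of the ipa-server-install CA-less option checks quoted in this bug.
Constructed illustration, not FreeIPA's code; the corrected condition in
check_fixed is an assumption about what the original check was meant to guard."""
from dataclasses import dataclass
from itertools import product


class OptionError(ValueError):
    """Stands in for the parser/installer error exits seen in the report."""


@dataclass(frozen=True)
class Options:
    dirsrv_cert_files: bool   # --dirsrv-cert-file given
    http_cert_files: bool     # --http-cert-file given
    pkinit_cert_files: bool   # --pkinit-cert-file given
    no_pkinit: bool           # --no-pkinit given


def required_checks(o: Options) -> None:
    """The two checks that bracket the faulty one, in the order the report hits them."""
    any_key_file = o.dirsrv_cert_files or o.http_cert_files or o.pkinit_cert_files
    complete = o.dirsrv_cert_files and o.http_cert_files and (o.pkinit_cert_files or o.no_pkinit)
    if any_key_file and not complete:
        raise OptionError("--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
                          "or --no-pkinit are required if any key file options are used.")
    if o.no_pkinit and o.pkinit_cert_files:
        raise OptionError("--no-pkinit and --pkinit-cert-file cannot be specified together")


def check_broken(o: Options) -> None:
    """Check as quoted from install.py: no_pkinit unset is the only state the
    other checks allow with a PKINIT cert, so every such invocation is rejected."""
    required_checks(o)
    if o.pkinit_cert_files:
        if not o.no_pkinit:
            raise OptionError("Cannot create KDC PKINIT certificate and use provided "
                              "external PKINIT certificate at the same time.")


def check_fixed(o: Options) -> None:
    """Assumed correction: conflict only when the installer would itself issue a
    KDC certificate, which a CA-less install (service certs supplied) never does."""
    required_checks(o)
    installer_issues_kdc_cert = not (o.dirsrv_cert_files and o.http_cert_files) and not o.no_pkinit
    if o.pkinit_cert_files and installer_issues_kdc_cert:
        raise OptionError("Cannot create KDC PKINIT certificate and use provided "
                          "external PKINIT certificate at the same time.")


def accepted_combinations(check) -> set:
    """Exhaust all 16 flag combinations and return those the check lets through."""
    accepted = set()
    for flags in product((False, True), repeat=4):
        o = Options(*flags)
        try:
            check(o)
        except OptionError:
            continue
        accepted.add(o)
    return accepted
```

Enumerating the option space like this is a cheap regression check for any CLI whose validation rules reference each other: an accepted set that contains no combination with a given flag means that flag is unusable.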
Upstream ticket: https://pagure.io/freeipa/issue/6807
Fixed upstream master: https://pagure.io/freeipa/c/1160dc5d8bacea42a7ada45a10bf1019a3af5aca
ipa-4-5: https://pagure.io/freeipa/c/1eb681ec7d4f6f42e733463f29374f0fecee4e68
1. Try to install CA-less ipa-server without both "--pkinit-cert-file" and "no_pkinit"

```
[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX
Checking DNS domain testrelm.test, please wait ...
Usage: ipa-server-install [options]

ipa-server-install: error: --dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file or --no-pkinit are required if any key file options are used.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@master ~]#
```

2. Install CA-less server with pkinit

```
[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --pkinit-cert-file=./pkinit-server.p12 --pkinit-pin XXX
Checking DNS domain testrelm.test, please wait ...

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host master.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       master.testrelm.test
IP address(es): 192.168.222.10
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.222.1
Forward policy:   only
Reverse zone(s):  No reverse zone

Adding [192.168.222.10 master.testrelm.test] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
  [3/45]: configure autobind for root
  [4/45]: stopping directory server
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [7/45]: adding default schema
  [8/45]: enabling memberof plugin
  [9/45]: enabling winsync plugin
  [10/45]: configuring replication version plugin
  [11/45]: enabling IPA enrollment plugin
  [12/45]: configuring uniqueness plugin
  [13/45]: configuring uuid plugin
  [14/45]: configuring modrdn plugin
  [15/45]: configuring DNS plugin
  [16/45]: enabling entryUSN plugin
  [17/45]: configuring lockout plugin
  [18/45]: configuring topology plugin
  [19/45]: creating indices
  [20/45]: enabling referential integrity plugin
  [21/45]: configuring certmap.conf
  [22/45]: configure new location for managed entries
  [23/45]: configure dirsrv ccache
  [24/45]: enabling SASL mapping fallback
  [25/45]: restarting directory server
  [26/45]: adding sasl mappings to the directory
  [27/45]: adding default layout
  [28/45]: adding delegation layout
  [29/45]: creating container for managed entries
  [30/45]: configuring user private groups
  [31/45]: configuring netgroups from hostgroups
  [32/45]: creating default Sudo bind user
  [33/45]: creating default Auto Member layout
  [34/45]: adding range check plugin
  [35/45]: creating default HBAC rule allow_all
  [36/45]: adding entries for topology management
  [37/45]: initializing group membership
  [38/45]: adding master entry
  [39/45]: initializing domain level
  [40/45]: configuring Posix uid/gid generation
  [41/45]: adding replication acis
  [42/45]: activating sidgen plugin
  [43/45]: activating extdom plugin
  [44/45]: tuning directory server
  [45/45]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/20]: stopping httpd
  [2/20]: setting mod_nss port to 443
  [3/20]: setting mod_nss cipher suite
  [4/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/20]: setting mod_nss password file
  [6/20]: enabling mod_nss renegotiate
  [7/20]: adding URL rewriting rules
  [8/20]: configuring httpd
  [9/20]: setting up httpd keytab
  [10/20]: configuring Gssproxy
  [11/20]: setting up ssl
  [12/20]: importing CA certificates from LDAP
  [13/20]: publish CA cert
  [14/20]: clean up any existing httpd ccaches
  [15/20]: configuring SELinux for httpd
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: starting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/11]: generating rndc key file
  [2/11]: adding DNS container
  [3/11]: setting up our zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: adding NS record to the zones
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: setting up server configuration
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
[root@master ~]#
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304