Bug 1623486 - PKINIT configuration did not succeed message is received during Replica-install
Summary: PKINIT configuration did not succeed message is received during Replica-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1626379 1633061
Reported: 2018-08-29 13:26 UTC by Nikhil Dehadrai
Modified: 2018-10-30 11:01 UTC

Fixed In Version: ipa-4.6.4-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1626379 1633061
Environment:
Last Closed: 2018-10-30 11:00:22 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3187 0 None None None 2018-10-30 11:01:37 UTC

Description Nikhil Dehadrai 2018-08-29 13:26:44 UTC
Description of problem:
PKINIT configuration did not succeed message is received during Replica-install.

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-6.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Setup IPA-Master 
2. Setup IPA-Replica against this MASTER
3. Notice the console log during replica install

Actual results:
1. IPA-replica install is successful.
2. While Configuring Kerberos KDC (krb5kdc) Step, following message is received:
  [1/1]: installing X509 Certificate for PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server

Expected results:
No message should be observed during replica installation.

Additional info:
The issue is not observed in RHEL 7.5.update4 replica installation

Comment 4 Florence Blanc-Renaud 2018-09-04 07:20:37 UTC
Issue reproducible with ipa-server-4.6.4-6.el7.x86_64 or ipa-server-4.6.4-7.el7.x86_64

When the replica installer is performing the step 'installing X509 Certificate for PKINIT', it is contacting certmonger in order to get a certificate for PKINIT. certmonger in turn connects to the Apache server and performs a cert_request operation. This operation starts by validation steps, including checking if the hostname corresponds to a server where the KDC service is enabled (by reading the attribute ipaConfigString of the entry cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN).

With recent changes (commit 7284097 Delay enabling services until end of installer), ipaconfigstring contains configuredService instead of enabledService and the check fails.
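
Added example, not part of the bug report or of FreeIPA's code: a shell triage helper that pairs the installer's fallback message with the ipaConfigString value on the KDC entry that Comment 4 says the cert_request check reads. The function names, the host replica.example.test, the suffix dc=example,dc=test and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for the failure explained in Comment 4.
#
# Live query for the entry the cert_request check reads (not run here;
# FQDN and BASEDN are placeholders for the replica name and IPA suffix):
#   ldapsearch -LLL -Y GSSAPI -s base \
#     -b "cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$BASEDN" ipaConfigString

# kdc_state: LDIF on stdin -> prints enabled | configured | absent
kdc_state() {
    awk '{
        line = tolower($0)        # attribute names are case-insensitive
        sub(/\r$/, "", line)      # tolerate CRLF line endings
        if (line ~ /^ipaconfigstring:[ \t]*enabledservice[ \t]*$/) e = 1
        if (line ~ /^ipaconfigstring:[ \t]*configuredservice[ \t]*$/) c = 1
    }
    END { print (e ? "enabled" : (c ? "configured" : "absent")) }'
}

# pkinit_fallback_seen: installer console text on stdin; exit status 0 when
# the fallback message quoted in the report is present
pkinit_fallback_seen() {
    grep -q 'Full PKINIT configuration did not succeed'
}

# diagnose CONSOLE_TEXT LDIF_TEXT: combine both signals into one line
diagnose() {
    state=$(printf '%s\n' "$2" | kdc_state)
    if printf '%s\n' "$1" | pkinit_fallback_seen; then
        echo "pkinit=skipped kdc=$state"
    else
        echo "pkinit=ok kdc=$state"
    fi
}

# Constructed sample data: console lines as quoted in the report, LDIF for a
# hypothetical replica.
CONSOLE_BAD='  [1/1]: installing X509 Certificate for PKINIT
Full PKINIT configuration did not succeed
Done configuring Kerberos KDC (krb5kdc).'
CONSOLE_GOOD='  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).'
LDIF_CONFIGURED='dn: cn=KDC,cn=replica.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: configuredService'
LDIF_ENABLED='dn: cn=KDC,cn=replica.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService'

diagnose "$CONSOLE_BAD" "$LDIF_CONFIGURED"   # pattern of the regression
diagnose "$CONSOLE_GOOD" "$LDIF_ENABLED"
```

Because the commit named above delays enabling services until the end of the installer, the configuredService value is only visible while the PKINIT step is running or on an installation that stopped there.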

Comment 5 Florence Blanc-Renaud 2018-09-04 08:19:33 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7655

Comment 6 Nikhil Dehadrai 2018-09-04 09:09:40 UTC
The issue is now reproducible with latest RHEL 7.5update4 version: ipa-server-4.5.4-10.el7_5.4.3.x86_64, but the issue is not observed in RHEL 7.5up4 older version: ipa-server-4.5.4-10.el7_5.4.2.x86_64

Comment 7 Thomas Woerner 2018-09-05 10:17:30 UTC
@Nikhil: Are you sure that ipa 4.5.4-10.el7.4.2 is not affected?

Comment 11 Florence Blanc-Renaud 2018-09-06 12:54:44 UTC
As this is a regression also present in 4.5.4, proposing for 7.5.z stream.

Comment 12 Florence Blanc-Renaud 2018-09-06 12:57:04 UTC
Automation available in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_one_command_installation

Comment 17 Nikhil Dehadrai 2018-09-20 08:49:41 UTC
Version: ipa-server-4.6.4-10.el7.x86_64

Verified the bug on the basis of following observations:
1. Verified that the message mentioned 'PKINIT configuration did not succeed message is received during Replica-install' is no longer observed during installation of replica.
2. The replica installation is successful

Console:
----------
# /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns --forwarder=10.x.x.x --ip-address=10.x.x.x -P admin -w Secret123


Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring DNS (named)

[root@auto-hv-01-guest01 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7.x86_64
[root@auto-hv-01-guest01 ~]# grep "PKINIT configuration did not succeed message is received during Replica-install" /var/log/ipareplica-install.log 
[root@auto-hv-01-guest01 ~]# tail -1 /var/log/ipareplica-install.log 
2018-09-20T08:40:17Z INFO The ipa-replica-install command was successful
[root@auto-hv-01-guest01 ~]# grep -rn "FAIL" /var/log/ipareplica-install.log 
[root@auto-hv-01-guest01 ~]#

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.

Comment 19 errata-xmlrpc 2018-10-30 11:00:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

