+++ This bug was initially created as a clone of Bug #1589558 +++

Description of problem:
Trying to setup a FreeIPA replica with the --setup-adtrust command line option setup, makes the setup fail due to the missing freeipa-server-trust-ad package (not pulled automatically for any package)

Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre2

How reproducible:

Steps to Reproduce:
1. dnf install freeipa-server
2. ipa-replica-install --setup-adtrust

Actual results:
It fails in the end when it tries to restart smb, and the logs show "No builtin nor plugin backend for ipasam found"

Expected results:
Replica should be installed successfully

--- Additional comment from Alexander Bokovoy on 2018-06-10 19:00:48 UTC ---

We do the check at https://pagure.io/freeipa/blob/master/f/ipaserver/install/adtrustinstance.py#_67-77 but it doesn't include checking for 'freeipa-server-trust-ad' package being installed -- like we are supposed to do with 'freeipa-server-dns' in https://pagure.io/freeipa/blob/master/f/ipaserver/install/dns.py#_118-120

A freeipa-server-trust-ad package has the following content:
---
$ rpm -ql freeipa-server-trust-ad
/etc/dbus-1/system.d/oddjob-ipa-trust.conf
/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
/usr/lib/.build-id
/usr/lib/.build-id/10
/usr/lib/.build-id/10/d4038f6015541ee8685be9238d46328c7d869e
/usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so
/usr/lib64/samba/pdb/ipasam.so
/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains
/usr/sbin/ipa-adtrust-install
/usr/share/doc/freeipa-server-trust-ad
/usr/share/doc/freeipa-server-trust-ad/Contributors.txt
/usr/share/doc/freeipa-server-trust-ad/README.md
/usr/share/ipa/smb.conf.empty
/usr/share/licenses/freeipa-server-trust-ad
/usr/share/licenses/freeipa-server-trust-ad/COPYING
/usr/share/man/man1/ipa-adtrust-install.1.gz
---
In a way similar to DNS check, we can depend on /usr/share/ipa/smb.conf.empty which is only packaged in freeipa-server-trust-ad.

--- Additional comment from Florence Blanc-Renaud on 2018-06-25 15:21:13 UTC ---

Upstream ticket:
https://pagure.io/freeipa/issue/7602

--- Additional comment from Florence Blanc-Renaud on 2018-10-24 12:22:04 UTC ---

Fixed upstream
master:
https://pagure.io/freeipa/c/4600e62b6b4547c16eee085e216a56478dd8dd50

--- Additional comment from Christian Heimes on 2018-10-24 14:23:23 UTC ---

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/be968ea01adf1721b0afd7393872a8d311d89d0c
ipa-4-6:
https://pagure.io/freeipa/c/0c2bdcb1184cf034f62e523c88045f9efcb8c302

Thomas Woerner,
How can this be verified?

(In reply to anuja from comment #2)
> Thomas Woerner,
> How can this be verified?

Description of problem:
Trying to setup a FreeIPA replica with the --setup-adtrust command line option setup, makes the setup fail due to the missing freeipa-server-trust-ad package (not pulled automatically for any package)

Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre2

How reproducible:

Steps to Reproduce:
1. dnf install freeipa-server
2. ipa-replica-install --setup-adtrust

Actual results:
It fails in the end when it tries to restart smb, and the logs show "No builtin nor plugin backend for ipasam found"

Expected results:
Replica should be installed successfully

---

Additionally from https://pagure.io/freeipa/c/be968ea01adf1721b0afd7393872a8d311d89d0c

ipaserver/install/adtrustinstance.py:
+ # Check that ipa-server-trust-ad package is installed, + # by looking for the file /usr/share/ipa/smb.conf.empty + if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR, + "smb.conf.empty")): + print("AD Trust requires the '%s' package" % + constants.IPA_ADTRUST_PACKAGE_NAME) + print("Please install the package and start the installation again") + return False

That means that the fixed version will fail early and print a message.
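
Review bot: the marker file name "smb.conf.empty" in the os.path.exists() call is a bare string literal joined onto paths.USR_SHARE_IPA_DIR; a named constant in paths would keep the package marker in one place, the same way the package name is already taken from constants.IPA_ADTRUST_PACKAGE_NAME. The code comment also hard-codes 'ipa-server-trust-ad' while the printed message uses the constant, so the comment should refer to the AD trust package generically (this report itself concerns freeipa-server-trust-ad). Both print() calls send the failure only to standard output before "return False"; it is worth writing the same message to the installer log as well, so that a run without a console still records why AD trust setup stopped.
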
Verified using:
ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64
ipa-server-trust-ad-4.7.1-10.module+el8+2699+aa606a46.x86_64

Verification Steps:
1: dnf module install idm:DL1/dns
2: yum install ipa-server-trust-ad
3: ipa-replica-install --setup-adtrust

Console Output:
# ipa-replica-install --ip-address= -P admin -w --server --domain --setup-adtrust -U
Configuring client side components
This program will set up IPA client.
Version 4.7.1
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: map BUILTIN\Guests to nobody group
  [16/23]: configuring smbd to start on boot
  [17/23]: adding special DNS service records
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
  [20/23]: adding Default Trust View
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.
WARNING: The CA service is only installed on one server (vm-idm-040.replica.test).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

Based on comment #4 marking bz as verified.