Bug 1694623
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ipa-kra-install failing with invalid 'role_servrole': must be Unicode text error | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Sumedh Sidhaye <ssidhaye> |
| Component | ipa | Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe> |
| Severity | urgent | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.7 | CC | cheimes, frenaud, ndehadra, pvoborni, rcritten, tscherf |
| Target Milestone | rc | Keywords | Regression, TestBlocker |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-4.6.5-3.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-08-06 13:09:37 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Upstream ticket: https://pagure.io/freeipa/issue/7897
Fixed upstream master: https://pagure.io/freeipa/c/23ae171d97198de0c959201871eb81ad8b83405b
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/cf3e617dc5b8dd9a83d0b8e5cabf6ccaaaeb4374

Build used for verification:

```
[root@master ~]# rpm -qa ipa-server
ipa-server-4.6.5-3.el7.x86_64

[root@master ~]# ipa-server-install --setup-dns --forwarder 10.68.5.26 --domain testrelm.test --realm TESTRELM.TEST --admin-password Secret123 --ds-password Secret123 -U --reverse-zone 9.1.10.in-addr.arpa. --allow-zone-overlap --domain-level=1

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host master.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 9.1.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       master.testrelm.test
IP address(es): 10.19.34.24
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.68.5.26
Forward policy:   only
Reverse zone(s):  9.1.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: reindex attributes
  [3/29]: exporting Dogtag certificate store pin
  [4/29]: stopping certificate server instance to update CS.cfg
  [5/29]: backing up CS.cfg
  [6/29]: disabling nonces
  [7/29]: set up CRL publishing
  [8/29]: enable PKIX certificate path discovery and validation
  [9/29]: starting certificate server instance
  [10/29]: configure certmonger for renewals
  [11/29]: requesting RA certificate from CA
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://master.testrelm.test/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

[root@master ~]# ipa-kra-install -U -p Secret123
Starting new HTTPS connection (1): master.testrelm.test

===================================================================
This program will setup Dogtag KRA for the IPA Server.

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/10]: configuring KRA instance
  [2/10]: create KRA agent
  [3/10]: enabling ephemeral requests
  [4/10]: restarting KRA
  [5/10]: configure certmonger for renewals
  [6/10]: configure certificate renewals
  [7/10]: configure HTTP to proxy connections
  [8/10]: add vault container
  [9/10]: apply LDAP updates
  [10/10]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server

The ipa-kra-install command was successful
```

Since ipa-kra-install is successful now, marking this BZ verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
Created attachment 1550411 [details]
ipa-kra-install log

Description of problem:
ipa-kra-install -U -p <password> fails with the error invalid 'role_servrole': must be Unicode text

Version-Release number of selected component (if applicable):

```
[root@ipaqavme ~]# rpm -qa ipa-server
ipa-server-4.6.5-2.el7.x86_64
```

How reproducible:
Always

Steps to Reproduce:
1. Install IPA master

```
ipa-server-install --setup-dns --forwarder 10.68.5.26 --domain testrelm.test --realm TESTRELM.TEST --admin-password Secret123 --ds-password Secret123 -U --reverse-zone 9.1.10.in-addr.arpa. --allow-zone-overlap --domain-level=1
```

2. Install KRA

```
ipa-kra-install -U -p Secret123
```

Actual results:
ipa-kra-install fails with the following error:

```
[root@ipaqavme ~]# ipa-kra-install -U -p Secret123
Starting new HTTPS connection (1): master.testrelm.test

===================================================================
This program will setup Dogtag KRA for the IPA Server.

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/10]: configuring KRA instance
  [2/10]: create KRA agent
  [3/10]: enabling ephemeral requests
  [4/10]: restarting KRA
  [5/10]: configure certmonger for renewals
  [6/10]: configure certificate renewals
  [7/10]: configure HTTP to proxy connections
  [8/10]: add vault container
  [9/10]: apply LDAP updates
  [10/10]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
invalid 'role_servrole': must be Unicode text
```

Expected results:
ipa-kra-install should succeed

Additional info:
Attaching install log for additional details