Bug 1732620 - FreeIPA enrolment via kickstart fails since Fedora-Rawhide-20190722.n.1 (anaconda-31.20-1.fc31), 'realm join' step not run at all
Summary: FreeIPA enrolment via kickstart fails since Fedora-Rawhide-20190722.n.1 (anac...
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Vendula Poncova
QA Contact: Fedora Extras Quality Assurance
Whiteboard: openqa
Depends On:
Blocks: BetaBlocker, F31BetaBlocker
TreeView+ depends on / blocked
Reported: 2019-07-23 22:04 UTC by Adam Williamson
Modified: 2019-07-26 21:02 UTC (History)
7 users (show)

Fixed In Version: anaconda-31.21-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-07-26 21:02:34 UTC

Attachments (Terms of Use)

Description Adam Williamson 2019-07-23 22:04:47 UTC
Since anaconda-31.20 appeared in Fedora-Rawhide-20190722.n.1, the openQA test for enrolling to a FreeIPA domain via kickstart has been failing. The install completes successfully, but the system is not actually enrolled to the FreeIPA domain at all.

From program.log , it looks like anaconda just never actually attempts to run 'realm join'. Here's an extract from program.log from when this tested passed, in the previous compose:


21:30:45,876 INF program: Running... realm discover --verbose ipa001.domain.local
21:30:46,063 INF program: domain.local
21:30:46,064 INF program: type: kerberos
21:30:46,064 INF program: realm-name: DOMAIN.LOCAL
21:30:46,064 INF program: domain-name: domain.local
21:30:46,064 INF program: configured: no
21:30:46,064 INF program: server-software: ipa
21:30:46,064 INF program: client-software: sssd
21:30:46,064 INF program: required-package: freeipa-client
21:30:46,064 INF program: required-package: oddjob
21:30:46,064 INF program: required-package: oddjob-mkhomedir
21:30:46,065 INF program: required-package: sssd
21:30:46,065 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
21:30:46,065 INF program: * Resolving: ipa001.domain.local
21:30:46,065 INF program: * Performing LDAP DSE lookup on:
21:30:46,065 INF program: * Successfully discovered: domain.local
21:30:46,066 DBG program: Return code: 0
21:36:17,009 INF program: Running... realm join --install /mnt/sysroot --verbose --one-time-password=monkeys ipa001.do
21:36:36,373 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
21:36:36,374 INF program: * Resolving: ipa001.domain.local
21:36:36,374 INF program: * Performing LDAP DSE lookup on:
21:36:36,374 INF program: * Successfully discovered: domain.local
21:36:36,374 INF program: * Assuming packages are installed
21:36:36,374 INF program: * LANG=C /usr/sbin/ipa-client-install --domain domain.local --realm DOMAIN.LOCAL --mkhomedir --enable-dns-updates --unattended --force-join --server ipa001.domain.local --fixed-primary --password monkeys --force-ntpd
21:36:36,375 INF program: Option --force-ntpd has been deprecated and will be removed in a future release.
21:36:36,375 INF program: Client hostname: client001.domain.local
21:36:36,375 INF program: Realm: DOMAIN.LOCAL
21:36:36,375 INF program: DNS Domain: domain.local
21:36:36,375 INF program: IPA Server: ipa001.domain.local
21:36:36,375 INF program: BaseDN: dc=domain,dc=local
21:36:36,375 INF program: Synchronizing time
21:36:36,375 INF program: No SRV records of NTP servers found and no NTP server or pool address was provided.
21:36:36,375 INF program: Attempting to sync time with chronyc.
21:36:36,375 INF program: Time synchronization was successful.
21:36:36,375 INF program: Downloading the CA certificate via HTTP, this is INSECURE
21:36:36,376 INF program: Successfully retrieved CA cert
21:36:36,376 INF program: Subject:     CN=Certificate Authority,O=DOMAIN.LOCAL
21:36:36,376 INF program: Issuer:      CN=Certificate Authority,O=DOMAIN.LOCAL
21:36:36,376 INF program: Valid From:  2019-07-23 01:24:55
21:36:36,376 INF program: Valid Until: 2039-07-23 01:24:55
21:36:36,376 INF program: 
21:36:36,376 INF program: Enrolled in IPA realm DOMAIN.LOCAL


From the failed 20190722.n.1 test, this part of the log looks the same:


17:27:18,605 INF program: Running... realm discover --verbose ipa001.domain.local
17:27:18,692 INF program: domain.local
17:27:18,693 INF program: type: kerberos
17:27:18,693 INF program: realm-name: DOMAIN.LOCAL
17:27:18,693 INF program: domain-name: domain.local
17:27:18,693 INF program: configured: no
17:27:18,693 INF program: server-software: ipa
17:27:18,694 INF program: client-software: sssd
17:27:18,694 INF program: required-package: freeipa-client
17:27:18,694 INF program: required-package: oddjob
17:27:18,695 INF program: required-package: oddjob-mkhomedir
17:27:18,695 INF program: required-package: sssd
17:27:18,695 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
17:27:18,695 INF program: * Resolving: ipa001.domain.local
17:27:18,695 INF program: * Performing LDAP DSE lookup on:
17:27:18,697 INF program: * Successfully discovered: domain.local
17:27:18,697 DBG program: Return code: 0


i.e. the 'realm discover' step is run...but the later 'realm join' step simply does not appear in the log at all, it doesn't seem to be tried at all.

Proposing as a Beta blocker as a violation of Basic criterion "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install..." - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication

Comment 1 Vendula Poncova 2019-07-24 10:21:30 UTC
Fixed in a pull request: https://github.com/rhinstaller/anaconda/pull/2052

Comment 2 Adam Williamson 2019-07-26 21:02:34 UTC
The test passed in most recent compose, so this does indeed seem fixed. Thanks!

Note You need to log in before you can comment on or make changes to this bug.