Bug 448287 - ipa-server-install fails on ldapmodify
Product: Fedora
Classification: Fedora
Component: ipa
Platform: i386 Linux
Priority: low
Severity: low
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-25 09:45 EDT by Fred Wittekind IV
Modified: 2008-05-29 09:57 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-29 09:57:08 EDT

Attachments
/var/log/ipaserver-install.log (20.22 KB, text/plain)
2008-05-25 09:45 EDT, Fred Wittekind IV

Description Fred Wittekind IV 2008-05-25 09:45:16 EDT
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible: 100%

Steps to Reproduce:
1. Run ipa-server-install
2. Follow prompts.
Actual results:

[root@twister log]# ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure TurboGears

To accept the default shown in brackets, press the Enter key.

An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
Example: master.example.com.

Server host name [twister.dragon]: 

The domain name has been calculated based on the host name.

Please confirm the domain name [dragon]: 

The IPA Master Server will be configured with
Hostname:    twister.dragon
IP address:
Domain name: dragon

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

A user account named 'dirsrv' already exists. This is the user id
that the Directory Server will run as.

Do you want to use the existing 'dirsrv' account? [yes]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [DRAGON]: 

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server:
  [1/16]: creating directory server user
  [2/16]: creating directory server instance
  [3/16]: adding default schema
  [4/16]: enabling memberof plugin
  [5/16]: enabling referential integrity plugin
  [6/16]: enabling distributed numeric assignment plugin
  [7/16]: configuring uniqueness plugin
  [8/16]: creating indices
  [9/16]: configuring ssl for ds instance
  [10/16]: configuring certmap.conf
  [11/16]: restarting directory server
  [12/16]: adding default layout
root        : CRITICAL Failed to load bootstrap-template.ldif: Command
'/usr/bin/ldapmodify -h -xv -D cn=Directory Manager -w password -f
/tmp/tmpe1aE3t' returned non-zero exit status 32
  [13/16]: configuring Posix uid/gid generation as first master
  [14/16]: adding master entry as first master
root        : CRITICAL Failed to load master-entry.ldif: Command
'/usr/bin/ldapmodify -h -xv -D cn=Directory Manager -w password -f
/tmp/tmp4v3SSm' returned non-zero exit status 32
  [15/16]: initializing group membership
  [16/16]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC
  [1/13]: setting KDC account password
  [2/13]: adding sasl mappings to the directory
  [3/13]: adding kerberos entries to the DS
root        : CRITICAL Failed to load kerberos.ldif: Command
'/usr/bin/ldapmodify -h -xv -D cn=Directory Manager -w password -f
/tmp/tmpH5fnLJ' returned non-zero exit status 32
  [4/13]: adding default ACIs
root        : CRITICAL Failed to load default-aci.ldif: Command
'/usr/bin/ldapmodify -h -xv -D cn=Directory Manager -w password -f
/tmp/tmp9nrwWW' returned non-zero exit status 32
  [5/13]: configuring KDC
Failed to populate the realm structure in kerberos Command
'/usr/kerberos/sbin/kdb5_ldap_util -D uid=kdc,cn=sysaccounts,cn=etc,dc=dragon -w
NBKMHPEQKYRE create -s -P WFXVGYJUQDSK -r DRAGON -subtrees dc=dragon -sscope
sub' returned non-zero exit status 1
  [6/13]: adding default keytypes
root        : CRITICAL Failed to load default-keytypes.ldif: Command
'/usr/bin/ldapmodify -h -xv -D cn=Directory Manager -w password -f
/tmp/tmp4YBU8I' returned non-zero exit status 32
  [7/13]: creating a keytab for the directory
Unexpected error - see ipaserver-install.log for details:
 Command '/usr/kerberos/sbin/kadmin.local -q addprinc -randkey
ldap/twister.dragon@DRAGON' returned non-zero exit status 1
[root@twister log]#

Expected results:
Successful setup of FreeIPA (no error messages)

Additional info:
Comment 1 Fred Wittekind IV 2008-05-25 09:45:16 EDT
Created attachment 306616
Comment 2 Rob Crittenden 2008-05-27 09:24:24 EDT
There is a bug in the set up code (that I believe is fixed in the tip) where a
single-valued domain name won't work. Try dragon.SOMETHING (dragon.net,
dragon.com, etc) as the domain name.
Comment 3 Fred Wittekind IV 2008-05-28 20:21:39 EDT
Is there any estimate of when this bug fix will be released?

Does it help the FreeIPA project by my trying a domain name with two values
(dragon.SOMETHING), or is that just a work-around for my benefit?  If it has
value for the FreeIPA project, I'll do it, if not, I might wait.
Comment 4 Rob Crittenden 2008-05-29 09:57:08 EDT
There are some more fixes that need to be made upstream before we pull in a new
tarball for a new Fedora release. Hopefully in the next couple of weeks.

The domain name with two values is a workaround. All testing has value. Using a
2-domain name for now will let you get some practical experience with IPA. You
can always re-install once an update is released.

I'm going to go ahead and close this.
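Added example, not FreeIPA code and not posted by anyone in this report: a small preflight script that reproduces the derivation the installer output above shows (domain calculated from the host name, realm as the upper-cased domain, directory suffix in the dc= form visible in the kdb5_ldap_util line) and flags a single-label domain such as "dragon" before any ldapmodify runs, which is the workaround comment 2 describes. It also decodes the "returned non-zero exit status N" lines: OpenLDAP's ldapmodify exits with the LDAP result code of the failed operation, and 32 is noSuchObject (RFC 4511), i.e. the entry or parent the LDIF addressed did not exist. The label regex, the result-code table and the function names are this example's own assumptions. One caveat worth noting from the output above: the kdb5_ldap_util invocation is logged with the KDC bind password (-w) and the master password (-P) in clear text on the command line, so treat ipaserver-install.log and any paste of it as sensitive.

```python
# Added example (not FreeIPA's own code): preflight checks for the values
# ipa-server-install derives from the host name, plus a decoder for the
# "returned non-zero exit status N" lines quoted in this bug report.
import re

# Standard LDAP result codes (RFC 4511). OpenLDAP's ldapmodify exits with the
# result code of the operation that failed, so "exit status 32" in the log
# above is noSuchObject: the target entry or its parent did not exist.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    68: "entryAlreadyExists",
}

# Assumed host-label rule (RFC 1035 style): alphanumerics and hyphens,
# no leading or trailing hyphen, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def domain_from_hostname(fqdn):
    """Mirror the installer's 'calculated' domain: drop the first label.
    twister.dragon -> dragon ; master.example.com -> example.com"""
    labels = fqdn.strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("host name %r is not fully qualified" % fqdn)
    return ".".join(labels[1:])


def realm_from_domain(domain):
    """Kerberos realm is the domain in upper case (dragon -> DRAGON)."""
    return domain.upper()


def suffix_from_domain(domain):
    """LDAP base DN from the domain (dragon.net -> dc=dragon,dc=net)."""
    return ",".join("dc=%s" % label for label in domain.split("."))


def validate_domain(domain):
    """Return a list of problems; an empty list means the domain passes.
    A single-label domain is flagged because, per comment 2 above, the
    installer in this report cannot set up the directory for one."""
    problems = []
    labels = domain.strip(".").split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append("invalid DNS label %r" % label)
    if len(labels) < 2:
        problems.append(
            "single-label domain %r: use at least two labels (e.g. %s.net)"
            % (domain, domain))
    return problems


def preflight(fqdn):
    """Derive domain, realm and suffix from the host name and report problems."""
    domain = domain_from_hostname(fqdn)
    return {
        "domain": domain,
        "realm": realm_from_domain(domain),
        "suffix": suffix_from_domain(domain),
        "problems": validate_domain(domain),
    }


EXIT_RE = re.compile(r"returned non-zero exit status (\d+)")


def decode_ldapmodify_failure(log_line):
    """Map the exit status in a 'Failed to load ...ldif' line to an LDAP
    result name. Returns (code, name), or None if no exit status is present."""
    m = EXIT_RE.search(log_line)
    if not m:
        return None
    code = int(m.group(1))
    return code, LDAP_RESULT_CODES.get(code, "unknown")


if __name__ == "__main__":
    # Host name from the report, then the two-label form suggested in comment 2.
    for host in ("twister.dragon", "twister.dragon.net"):
        print(host, preflight(host))
    # Log line quoted from the report above (constructed as a single string).
    sample = ("root        : CRITICAL Failed to load bootstrap-template.ldif: Command "
              "'/usr/bin/ldapmodify -h -xv -D cn=Directory Manager -w password -f "
              "/tmp/tmpe1aE3t' returned non-zero exit status 32")
    print(decode_ldapmodify_failure(sample))
```

Run against "twister.dragon" the preflight reports the single-label problem before anything touches the directory; against "twister.dragon.net" it passes and yields suffix dc=dragon,dc=net and realm DRAGON.NET, which is the shape comment 4 recommends as the interim workaround.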
