Description of problem:

Version-Release number of selected component (if applicable):
fedora-ds-1.1.1-3.fc9.i386
openldap-clients-2.4.8-3.fc9.i386
ipa-server-1.0.0-6.fc9.i386

How reproducible:
100%

Steps to Reproduce:
1. Run ipa-server-install
2. Follow prompts.

Actual results:
[root@twister log]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure TurboGears

To accept the default shown in brackets, press the Enter key.

An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [twister.dragon]:

The domain name has been calculated based on the host name.

Please confirm the domain name [dragon]:

The IPA Master Server will be configured with
Hostname:    twister.dragon
IP address:  10.17.1.1
Domain name: dragon

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).
The setup procedure will give this user/group some permissions
in specific paths/files to perform server-specific operations.

A user account named 'dirsrv' already exists. This is the user id
that the Directory Server will run as.

Do you want to use the existing 'dirsrv' account? [yes]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [DRAGON]:

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server:
  [1/16]: creating directory server user
  [2/16]: creating directory server instance
  [3/16]: adding default schema
  [4/16]: enabling memberof plugin
  [5/16]: enabling referential integrity plugin
  [6/16]: enabling distributed numeric assignment plugin
  [7/16]: configuring uniqueness plugin
  [8/16]: creating indices
  [9/16]: configuring ssl for ds instance
  [10/16]: configuring certmap.conf
  [11/16]: restarting directory server
  [12/16]: adding default layout
root        : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmpe1aE3t' returned non-zero exit status 32
  [13/16]: configuring Posix uid/gid generation as first master
  [14/16]: adding master entry as first master
root        : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmp4v3SSm' returned non-zero exit status 32
  [15/16]: initializing group membership
  [16/16]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC
  [1/13]: setting KDC account password
  [2/13]: adding sasl mappings to the directory
  [3/13]: adding kerberos entries to the DS
root        : CRITICAL Failed to load kerberos.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmpH5fnLJ' returned non-zero exit status 32
  [4/13]: adding default ACIs
root        : CRITICAL Failed to load default-aci.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmp9nrwWW' returned non-zero exit status 32
  [5/13]: configuring KDC
Failed to populate the realm structure in kerberos Command '/usr/kerberos/sbin/kdb5_ldap_util -D uid=kdc,cn=sysaccounts,cn=etc,dc=dragon -w NBKMHPEQKYRE create -s -P WFXVGYJUQDSK -r DRAGON -subtrees dc=dragon -sscope sub' returned non-zero exit status 1
  [6/13]: adding default keytypes
root        : CRITICAL Failed to load default-keytypes.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmp4YBU8I' returned non-zero exit status 32
  [7/13]: creating a keytab for the directory
Unexpected error - see ipaserver-install.log for details:
Command '/usr/kerberos/sbin/kadmin.local -q addprinc -randkey ldap/twister.dragon@DRAGON' returned non-zero exit status 1
[root@twister log]#

Expected results:
Successful setup of FreeIPA (no error messages)

Additional info:
Created attachment 306616: /var/log/ipaserver-install.log
There is a bug in the setup code (that I believe is fixed in the tip) where a single-valued domain name won't work. Try dragon.SOMETHING (dragon.net, dragon.com, etc.) as the domain name.
Is there any estimate of when this bug fix will be released? Does it help the FreeIPA project by my trying a domain name with two values (dragon.SOMETHING), or is that just a work-around for my benefit? If it has value for the FreeIPA project, I'll do it, if not, I might wait.
There are some more fixes that need to be made upstream before we pull in a new tarball for a new Fedora release. Hopefully in the next couple of weeks. The domain name with two values is a workaround. All testing has value. Using a 2-domain name for now will let you get some practical experience with IPA. You can always re-install once an update is released. I'm going to go ahead and close this.
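The workaround in the comments (use a two-label domain) and the repeated "exit status 32" in the transcript suggest two small checks worth automating before and after a run of ipa-server-install. The script below is an added example for this bug thread; it is not code from FreeIPA or from anyone who commented here. It assumes that OpenLDAP's ldapmodify exits with the LDAP result code the server returned (so 32 is noSuchObject, RFC 4511 section 4.1.9), derives domain, realm and directory suffix from the host name the way the prompts above do (domain is everything after the first label, realm is the domain upper-cased, suffix is one dc= component per label), and flags the single-label domain that comment 1 says this release cannot handle. The log excerpt it parses is constructed from the transcript in the report.

```python
import os
import re

# Subset of LDAP result codes from RFC 4511 section 4.1.9. OpenLDAP's ldapmodify
# exits with the server's result code (assumption stated in the lead-in), so the
# "exit status 32" seen above means noSuchObject: the entry the LDIF targets, or
# its parent, does not exist in the directory.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}


def domain_to_suffix(domain):
    """dragon.net -> dc=dragon,dc=net (one dc= component per DNS label)."""
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % l for l in labels)


def preflight(hostname):
    """Derive what the installer will use from the host name and flag the
    single-label domain that comment 1 says ipa-server 1.0.0 cannot set up."""
    labels = [l for l in hostname.lower().strip(".").split(".") if l]
    if len(labels) < 2:
        raise ValueError("host name must be fully qualified: %r" % hostname)
    domain = ".".join(labels[1:])
    problems = []
    if len(labels) - 1 < 2:
        problems.append(
            "single-label domain %r (suffix %s) is known not to work with this "
            "release; use a two-label domain such as %s.example instead"
            % (domain, domain_to_suffix(domain), domain))
    return {
        "hostname": ".".join(labels),
        "domain": domain,
        "realm": domain.upper(),
        "suffix": domain_to_suffix(domain),
        "problems": problems,
    }


# The installer logs each failed command verbatim, including the Directory
# Manager bind password (-w) and the kdb5_ldap_util master password (-P).
FAILED_CMD = re.compile(
    r"Command '(?P<cmd>.+?)' returned non-zero exit status (?P<status>\d+)")
SECRET_ARG = re.compile(r"(?<=\s)(-w|-P)\s+\S+")


def redact_secrets(cmd):
    """Blank password arguments so the triage output can be pasted into a bug."""
    return SECRET_ARG.sub(r"\1 ********", cmd)


def triage(log_text):
    """Return (tool, exit status, meaning, redacted command) per failed command.
    Only ldapmodify's status is an LDAP result code; other tools' statuses are
    reported as-is."""
    findings = []
    for m in FAILED_CMD.finditer(log_text):
        cmd, status = m.group("cmd"), int(m.group("status"))
        tool = os.path.basename(cmd.split()[0])
        if tool == "ldapmodify":
            meaning = "LDAP %s" % LDAP_RESULT_CODES.get(
                status, "result code %d" % status)
        else:
            meaning = "exit status %d (tool-specific, not an LDAP result code)" % status
        findings.append((tool, status, meaning, redact_secrets(cmd)))
    return findings


# Constructed excerpt of /var/log/ipaserver-install.log, taken from the
# transcript in this report (two of the failed commands).
SAMPLE_LOG = """\
  [12/16]: adding default layout
root        : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmpe1aE3t' returned non-zero exit status 32
  [5/13]: configuring KDC
Failed to populate the realm structure in kerberos Command '/usr/kerberos/sbin/kdb5_ldap_util -D uid=kdc,cn=sysaccounts,cn=etc,dc=dragon -w NBKMHPEQKYRE create -s -P WFXVGYJUQDSK -r DRAGON -subtrees dc=dragon -sscope sub' returned non-zero exit status 1
"""

if __name__ == "__main__":
    for host in ("twister.dragon", "twister.dragon.net"):
        info = preflight(host)
        print(host, "->", info["realm"], info["suffix"], info["problems"] or "ok")
    for tool, status, meaning, cmd in triage(SAMPLE_LOG):
        print("%s: %s\n    %s" % (tool, meaning, cmd))
```

Two practical notes follow from the transcript rather than from the code: the first failure (bootstrap-template.ldif, exit 32) is the one that matters, since every later ldapmodify and the kdb5_ldap_util step fail because the layout under dc=dragon was never created; and the install log records the Directory Manager password and the KDC master password on the command line, so treat /var/log/ipaserver-install.log as sensitive and redact it (as redact_secrets does) before attaching it to a public bug.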