Bug 728614
| Summary: | el61 - ipa-replica-install does not check for dbus, fails on certmonger | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Marc Sauton <msauton> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.1 | CC: | benl, dpal, grajaiya, jgalipea, mkosek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.1.1-1.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: ipa-replica-install does not ensure that the dbus service is running so tracking certificates with certmonger returns an error.
Consequence: Replica installation fails.
Fix: Make sure messagebus is running prior to starting certmonger.
Result: Replica installation succeeds.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 18:29:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
master: 1ec531469ee0cf91ed9e150307d93e5ab12aa2a6 ipa-2-1: 704732630cbb466c00b0d49a88a016ed7f861c63
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: ipa-replica-install does not ensure that the dbus service is running so tracking certificates with certmonger returns an error.
Consequence: Replica installation fails.
Fix: Make sure messagebus is running prior to starting certmonger.
Result: Replica installation succeeds.
IPA SERVER1: [root@ipaqavma ~]# ipa-server-install --realm=IDM.LAB.BOS.REDHAT.COM --domain=idm.lab.bos.redhat.com --ds-password=Secret123 --master-password=Secret123 --admin-password=Secret123 --hostname=ipaqavma.idm.lab.bos.redhat.com --ip-address=10.16.98.178 --setup-dns --forwarder=10.14.7.221 --zonemgr=gsr --idstart=100 --unattended [root@ipaqavma ~]# ipa-replica-prepare ipaqavmc.idm.lab.bos.redhat.com --ip-address=10.16.98.180 Directory Manager (existing master) password: Preparing replica for ipaqavmc.idm.lab.bos.redhat.com from ipaqavma.idm.lab.bos.redhat.com Creating SSL certificate for the Directory Server Creating SSL certificate for the dogtag Directory Server Creating SSL certificate for the Web Server Exporting RA certificate Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-ipaqavmc.idm.lab.bos.redhat.com.gpg Adding DNS records for ipaqavmc.idm.lab.bos.redhat.com Using reverse zone 98.16.10.in-addr.arpa. [root@ipaqavma ~]# IPA SERVER2: [root@ipaqavmc ~]# ipa-replica-install /var/lib/ipa/replica-info-ipaqavmc.idm.lab.bos.redhat.com.gpg Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'ipaqavma.idm.lab.bos.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: port 80 (80): OK HTTP Server: port 443(https) (443): OK Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin.BOS.REDHAT.COM password: Execute check on remote master Check connection from master to remote replica 'ipaqavmc.idm.lab.bos.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: port 80 (80): OK HTTP Server: port 443(https) (443): OK Connection from master to replica is OK. Connection check OK Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server: Estimated time 1 minute [1/29]: creating directory server user [2/29]: creating directory server instance [3/29]: adding default schema [4/29]: enabling memberof plugin [5/29]: enabling referential integrity plugin [6/29]: enabling winsync plugin [7/29]: configuring replication version plugin [8/29]: enabling IPA enrollment plugin [9/29]: enabling ldapi [10/29]: configuring uniqueness plugin [11/29]: configuring uuid plugin [12/29]: configuring modrdn plugin [13/29]: enabling entryUSN plugin [14/29]: configuring lockout plugin [15/29]: creating indices [16/29]: configuring ssl for ds instance [17/29]: configuring certmap.conf [18/29]: configure autobind for root [19/29]: configure new location for managed entries [20/29]: restarting directory server [21/29]: setting up initial replication Starting replication, please wait until this has completed. Update in progress Update in progress Update in progress Update in progress Update in progress Update in progress Update succeeded [22/29]: adding replication acis [23/29]: setting Auto Member configuration [24/29]: initializing group membership [25/29]: adding master entry [26/29]: configuring Posix uid/gid generation [27/29]: enabling compatibility plugin Restarting IPA to initialize updates before performing deletes: [1/2]: stopping directory server [2/2]: starting directory server done configuring dirsrv. [28/29]: tuning directory server [29/29]: configuring directory to start on boot done configuring dirsrv. Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication [8/9]: starting the KDC [9/9]: configuring KDC to start on boot done configuring krb5kdc. Configuring ipa_kpasswd [1/2]: starting ipa_kpasswd [2/2]: configuring ipa_kpasswd to start on boot done configuring ipa_kpasswd. Configuring the web interface: Estimated time 1 minute [1/12]: disabling mod_ssl in httpd [2/12]: setting mod_nss port to 443 [3/12]: setting mod_nss password file [4/12]: enabling mod_nss renegotiate [5/12]: adding URL rewriting rules [6/12]: configuring httpd [7/12]: setting up ssl [8/12]: publish CA cert [9/12]: creating a keytab for httpd [10/12]: configuring SELinux for httpd [11/12]: restarting httpd [12/12]: configuring httpd to start on boot done configuring httpd. Applying LDAP updates Restarting IPA to initialize updates before performing deletes: [1/2]: stopping directory server [2/2]: starting directory server done configuring dirsrv. [root@ipaqavmc ~]# ipactl status Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING HTTP Service: RUNNING [root@ipaqavmc ~]# [root@ipaqavmc ~]# grep messagebus /var/log/* /var/log/ipareplica-install.log:2011-11-08 01:54:34,987 DEBUG args=/sbin/service messagebus start /var/log/ipareplica-install.log:2011-11-08 01:55:29,506 DEBUG args=/sbin/service messagebus start [root@ipaqavmc ~]# /etc/init.d/messagebus status messagebus (pid 1355) is running... [root@ipaqavmc ~]# [root@ipaqavmc ~]# ipa user-add shanks --first=shanks --last=r --password Password: Enter Password again to verify: ------------------- Added user "shanks" ------------------- User login: shanks First name: shanks Last name: r Full name: shanks r Display name: shanks r Initials: sr Home directory: /home/shanks GECOS field: shanks r Login shell: /bin/sh Kerberos principal: shanks.BOS.REDHAT.COM UID: 100100 GID: 100100 Keytab: True Password: True [root@ipaqavmc ~]# IPA SERVER1: [root@ipaqavma ~]# ipa user-find shanks -------------- 1 user matched -------------- User login: shanks First name: shanks Last name: r Home directory: /home/shanks Login shell: /bin/sh UID: 100100 GID: 100100 Account disabled: False Keytab: True Password: True ---------------------------- Number of entries returned 1 ---------------------------- [root@ipaqavma ~]# Verified. [root@ipaqavma ~]# rpm -qi ipa-server | head Name : ipa-server Relocations: (not relocatable) Version : 2.1.3 Vendor: Red Hat, Inc. Release : 9.el6 Build Date: Mon 07 Nov 2011 03:00:54 PM EST Install Date: Tue 08 Nov 2011 01:32:36 AM EST Build Host: x86-001.build.bos.redhat.com Group : System Environment/Base Source RPM: ipa-2.1.3-9.el6.src.rpm Size : 3382131 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://www.freeipa.org/ Summary : The IPA authentication server [root@ipaqavma ~]# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html |
Description of problem: Just an annoyance to be able to get a clean replica installation when one forget to check this: /usr/sbin/ipa-replica-install does not check for dbus, fails on certmonger but /usr/sbin/ipa-server-install do check and starts dbus. could we add the same sanity check for requirements in /usr/sbin/ipa-replica-install? Version-Release number of selected component (if applicable): Red Hat Enterprise Linux Server release 6.1 (Santiago) Linux ipaserver2.example.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux ipa-pki-common-theme-9.0.3-6.el6.noarch ipa-server-2.0.0-23.el6_1.1.x86_64 ipa-pki-ca-theme-9.0.3-6.el6.noarch python-iniparse-0.3.1-2.1.el6.noarch ipa-python-2.0.0-23.el6_1.1.x86_64 ipa-client-2.0.0-23.el6_1.1.x86_64 ipa-server-selinux-2.0.0-23.el6_1.1.x86_64 ipa-admintools-2.0.0-23.el6_1.1.x86_64 How reproducible: always Steps to Reproduce: 1. have a first system installed with RHEL 6.1, ipaserver1.example.com 2. have RHN repo access 3. have this first system with a ipa server installed, on ipaserver1.example.com: ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver1.example.com --ip-address=10.14.5.16 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton --idstart=100 --unattended 4. prepare an ipa replica, with adding dns entries in ipaserver1: ipa-replica-prepare ipaserver2.example.com --ip-address 10.14.5.15 3. have a second system installed with RHEL 6.1, ipaserver2.example.com 4. make ipaserver2.example.com an ipa replica with ipaserver1.example.com: ipa-replica-install /var/lib/ipa/replica-info-ipaserver2.example.com.gpg Actual results: Directory Manager (existing master) password: Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. creation of replica failed: Command '/sbin/service certmonger start ' returned non-zero exit status 1 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Expected results: Additional info: Have no problems installing and running ipaserver1, messagebus has been up and running, was started after creating some certs and before configuring DS: [root@ipaserver1 ~]# grep messagebus /var/log/* /var/log/ipaserver-install.log:2011-08-04 19:08:41,298 DEBUG args=/sbin/service messagebus start less /usr/sbin/ipa-server-install ... # Now put the CA cert where other instances exepct it ca.publish_ca_cert("/etc/ipa/ca.crt") service.start('messagebus') # Create a directory server instance ... But not on replica after running ipa-replica-install: [root@ipaserver2 ~]# /etc/init.d/messagebus status messagebus is stopped [root@ipaserver2 ~]# grep messagebus /var/log/* [root@ipaserver2 ~]#