Bug 739089 - Unable to add ipa user on IPv6 machine.
Summary: Unable to add ipa user on IPv6 machine.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: x86_64
OS: Linux
high
unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
 
Reported: 2011-09-16 14:38 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:51 UTC

Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Last Closed: 2011-12-06 18:31:47 UTC




Links
Red Hat Product Errata RHSA-2011:1533 (Priority: normal, Status: SHIPPED_LIVE): Moderate: ipa security and bug fix update, last updated 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-09-16 14:38:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.1-1.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. [root@ratchet ~]# ipa-server-install --setup-dns

2. [root@ratchet ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

3. [root@ratchet ~]# nslookup -type=AAAA ratchet.lab.eng.pnq.redhat.com
Server:		2620:52:0:41c9:5054:ff:fea6:ec8
Address:	2620:52:0:41c9:5054:ff:fea6:ec8#53

ratchet.lab.eng.pnq.redhat.com	has AAAA address 2620:52:0:41c9:5054:ff:fea6:ec8

4. [root@ratchet ~]# nslookup 2620:52:0:41c9:5054:ff:fea6:ec8
Server:		2620:52:0:41c9:5054:ff:fea6:ec8
Address:	2620:52:0:41c9:5054:ff:fea6:ec8#53

8.c.e.0.6.a.e.f.f.f.0.0.4.5.0.5.9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = ratchet.lab.eng.pnq.redhat.com.

5. [root@ratchet ~]# ipa user-add shanks
  
Actual results:
[root@ratchet ~]# ipa user-add shanks
ipa: ERROR: cannot connect to 'any of the configured servers': https://ratchet.lab.eng.pnq.redhat.com/ipa/xml, https://ratchet.lab.eng.pnq.redhat.com/ipa/xml

Expected results:
user should be added successfully.

Additional info:

[root@ratchet ~]# ipa -d user-add shanks
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/entitle.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://ratchet.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: NSSConnection init ratchet.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=ratchet.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connect_socket_family: host=ratchet.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET6
ipa: DEBUG: connecting: [2620:52:0:41c9:5054:ff:fea6:ec8]:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
        Validity:
            Not Before: Fri Sep 16 20:47:35 2011 UTC
            Not After : Mon Sep 16 20:47:35 2013 UTC
        Subject: CN=ratchet.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                    Exponent: 65537 (0x10001)
    Signed Extensions: (4)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            8e:87:7f:68:a3:86:16:5f:16:3a:b2:8d:36:6e:d4:4e:
            9b:b2:33:0a
        Serial Number: None
        General Names: [0 total]

        Name: Authority Information Access
        Critical: False

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

    Fingerprint (MD5):
        5f:ba:ca:71:a5:fb:53:d2:ef:0d:04:87:0d:94:42:0d
    Fingerprint (SHA1):
        6d:fb:e3:e9:4c:d8:22:42:bd:8f:7f:98:22:fc:65:37:
        af:60:3c:26
    Signature:
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature Data:
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ratchet.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = [2620:52:0:41c9:5054:ff:fea6:ec8]:443
ipa: INFO: trying https://ratchet.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: NSSConnection init ratchet.lab.eng.pnq.redhat.com
ipa: ERROR: cannot connect to 'any of the configured servers': https://ratchet.lab.eng.pnq.redhat.com/ipa/xml, https://ratchet.lab.eng.pnq.redhat.com/ipa/xml
[root@ratchet ~]#

Comment 2 Martin Kosek 2011-09-16 14:55:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1807

Comment 3 Martin Kosek 2011-09-19 09:31:23 UTC
I configured an IPv6-only environment and IPA server installation worked for me:


# ipa user-add -d --first=User --last=Test utest
Usage: ipa [global-options] user-add LOGIN [options]

ipa: error: no such option: -d
[root@vm-120 ~]# man ipa
[root@vm-120 ~]# ipa -d user-add --first=User --last=Test utest
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9.1

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://vm-120.idm.lab.bos.redhat.com/ipa/xml
ipa: DEBUG: NSSConnection init vm-120.idm.lab.bos.redhat.com
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET6
ipa: DEBUG: connecting: [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
    Data:
        Version: 3 (0x2)
        Serial Number: 1003 (0x3eb)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: CN=IDM.LAB.BOS.REDHAT.COM Certificate Authority
        Validity:
            Not Before: Mon Sep 19 09:11:22 2011 UTC
            Not After : Sun Sep 19 09:11:22 2021 UTC
        Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                    Exponent: 65537 (0x10001)
    Signed Extensions: (2)
        Name: Certificate Type
        Critical: False

        Name: Certificate Key Usage
        Critical: False
        Usages:
            Key Encipherment

    Fingerprint (MD5):
        75:2b:db:c9:95:fa:f2:ad:ab:88:de:59:9f:7f:bd:75
    Fingerprint (SHA1):
        16:68:e5:4c:d7:67:37:49:40:06:cf:44:bb:d9:57:64:
        ba:94:83:dc
    Signature:
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Signature Data:
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: user_add(u'utest', givenname=u'User', sn=u'Test', noprivate=False, all=False, raw=False, version=u'2.11')
ipa: DEBUG: user_add(u'utest', givenname=u'User', sn=u'Test', cn=u'User Test', displayname=u'User Test', initials=u'UT', gecos=u'User Test', krbprincipalname=u'utest@IDM.LAB.BOS.REDHAT.COM', uidnumber=999, noprivate=False, all=False, raw=False, version=u'2.11')
ipa: INFO: Forwarding 'user_add' to server u'https://vm-120.idm.lab.bos.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init vm-120.idm.lab.bos.redhat.com
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connect_socket_family: host=vm-120.idm.lab.bos.redhat.com port=443 family=PR_AF_INET6
ipa: DEBUG: connecting: [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
    Data:
        Version: 3 (0x2)
        Serial Number: 1003 (0x3eb)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: CN=IDM.LAB.BOS.REDHAT.COM Certificate Authority
        Validity:
            Not Before: Mon Sep 19 09:11:22 2011 UTC
            Not After : Sun Sep 19 09:11:22 2021 UTC
        Subject: CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                    Exponent: 65537 (0x10001)
    Signed Extensions: (2)
        Name: Certificate Type
        Critical: False

        Name: Certificate Key Usage
        Critical: False
        Usages:
            Key Encipherment

    Fingerprint (MD5):
        75:2b:db:c9:95:fa:f2:ad:ab:88:de:59:9f:7f:bd:75
    Fingerprint (SHA1):
        16:68:e5:4c:d7:67:37:49:40:06:cf:44:bb:d9:57:64:
        ba:94:83:dc
    Signature:
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Signature Data:
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=vm-120.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = [fec0:0:a10:4c00:216:3eff:fe2d:4818]:443
ipa: DEBUG: Destroyed connection context.xmlclient
------------------
Added user "utest"
------------------
  User login: utest
  First name: User
  Last name: Test
  Full name: User Test
  Display name: User Test
  Initials: UT
  Home directory: /home/utest
  GECOS field: User Test
  Login shell: /bin/sh
  Kerberos principal: utest@IDM.LAB.BOS.REDHAT.COM
  UID: 945800004
  GID: 945800001
  Keytab: False
  Password: False




Can you please provide:

1) contents of /etc/hosts file
2) All configured DNS zones: ipa dnszone-find
3) All configured forward records: ipa dnsrecord-find lab.eng.pnq.redhat.com
4) All configured reverse records: ipa dnsrecord-find $REVERSE_ZONE

Comment 4 Gowrishankar Rajaiyan 2011-09-19 10:05:05 UTC
1. # cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost6 localhost6.localdomain6
2620:52:0:41c9:5054:ff:fea6:ec8 ratchet.lab.eng.pnq.redhat.com

2. # ipa dnszone-find
  Zone name: 9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Authoritative nameserver: ratchet.lab.eng.pnq.redhat.com.
  Administrator e-mail address: root.9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  SOA serial: 2011160901
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: ratchet.lab.eng.pnq.redhat.com.
  Administrator e-mail address: root.ratchet.lab.eng.pnq.redhat.com.
  SOA serial: 2011160901
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
----------------------------
Number of entries returned 2
----------------------------

3. # ipa dnsrecord-find lab.eng.pnq.redhat.com
  Record name: @
  NS record: ratchet.lab.eng.pnq.redhat.com.

  Record name: _kerberos
  TXT record: LAB.ENG.PNQ.REDHAT.COM

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 ratchet

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 ratchet

  Record name: _kerberos._tcp
  SRV record: 0 100 88 ratchet

  Record name: _kerberos._udp
  SRV record: 0 100 88 ratchet

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 ratchet

  Record name: _kpasswd._udp
  SRV record: 0 100 464 ratchet

  Record name: _ldap._tcp
  SRV record: 0 100 389 ratchet

  Record name: _ntp._udp
  SRV record: 0 100 123 ratchet

  Record name: ratchet
  AAAA record: 2620:52:0:41c9:5054:ff:fea6:ec8
-----------------------------
Number of entries returned 11
-----------------------------

4. # ipa  dnsrecord-find 9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Record name: 8.c.e.0.6.a.e.f.f.f.0.0.4.5.0.5
  PTR record: ratchet.lab.eng.pnq.redhat.com.

  Record name: @
  NS record: ratchet.lab.eng.pnq.redhat.com.
----------------------------
Number of entries returned 2
----------------------------

Comment 5 Martin Kosek 2011-09-19 11:15:40 UTC
Everything seems to be configured OK. My best bet here would be that some service was not running.

IPv6 connection to apache was probably OK since at least SSL cert was received. We should make sure that we have a valid Kerberos ticket and that "service ipa status" reports all services to be running.

Comment 6 Martin Kosek 2011-09-19 12:35:23 UTC
After investigation on the ratchet machine, I found out that `kinit` was not run when the server was (re)installed, which caused an Authorization Error in /usr/bin/ipa.

It seems to me that the only problem here is that the error message is not helpful and states that it "cannot connect to 'any of the configured servers'" instead of an Authorization Error related error message.

Comment 7 Martin Kosek 2011-09-19 16:21:47 UTC
I have created a separate ticket to fix duplicate master IPA server in the server list:

https://fedorahosted.org/freeipa/ticket/1817

This would let /usr/bin/ipa try connecting to all IPA masters just once and not print a confusing server list like:

# ipa user-show admin
...
ipa: ERROR: cannot connect to 'any of the configured servers':
https://ratchet.lab.eng.pnq.redhat.com/ipa/xml,
https://ratchet.lab.eng.pnq.redhat.com/ipa/xml

Comment 8 Martin Kosek 2011-09-22 13:11:09 UTC
Duplicate master in the server list (ticket 1817) has been fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/ffd760c1002cfe6b27d140affa8e0608696d3668
ipa-2-1: https://fedorahosted.org/freeipa/changeset/798490ffb6b83bf9cf1a5bdbddefca441b9421f9

Comment 9 Martin Kosek 2011-09-23 08:53:48 UTC
Ticket 1807 (NSS database not shutting down between requests) has been fixed upstream as well:
master: https://fedorahosted.org/freeipa/changeset/a90e50cdf759a1b436381f0e9e91caf2d4288636
ipa-2-1: https://fedorahosted.org/freeipa/changeset/b8461e8d5661fbae86e0fb9c6dc85554704a4f0a

Now, when running /usr/bin/ipa without a valid credentials cache, the error message should explicitly mention Authorization Error.
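
An added illustration (not FreeIPA's own code) of the client-side behaviour the two fixes above describe: the configured server list is de-duplicated before the connection loop (ticket 1817), per-request connection state is torn down on every path so a retry starts clean (ticket 1807), and a server that is reachable but answers Authorization Required is reported as such instead of being folded into the generic "cannot connect to 'any of the configured servers'" message. All class and function names, and the simulated cluster, are assumptions made for the example.

```python
from collections import OrderedDict


class ConnectError(Exception):
    """Transport-level failure: DNS, TCP or TLS handshake did not complete."""


class AuthorizationRequired(Exception):
    """The server was reached but answered HTTP 401 (no Kerberos ticket presented)."""


class IPAClientError(Exception):
    """What the CLI would print as 'ipa: ERROR: ...'."""


def unique_servers(servers):
    """Drop duplicate URLs but keep the configured order (ticket 1817 behaviour)."""
    return list(OrderedDict.fromkeys(servers))


def forward_command(servers, open_connection, send):
    """Try each distinct server once and return the first successful result.

    open_connection(url) returns an object with close(); send(conn) returns the
    command result or raises ConnectError / AuthorizationRequired.
    """
    unreachable = []
    for url in unique_servers(servers):
        conn = None
        try:
            conn = open_connection(url)
            return send(conn)
        except AuthorizationRequired:
            # The server is up; the caller simply has no valid credentials.
            # Report that directly instead of blaming every configured server.
            raise IPAClientError(
                "cannot connect to {!r}: Authorization Required".format(url))
        except ConnectError:
            unreachable.append(url)
        finally:
            # Ticket 1807 analogue: per-request state is released on every
            # path, so the attempt against the next server starts clean.
            if conn is not None:
                conn.close()
    raise IPAClientError(
        "cannot connect to 'any of the configured servers': "
        + ", ".join(unreachable))


class FakeConnection(object):
    """Stand-in for the client's TLS connection; counts handles left open."""
    open_handles = 0

    def __init__(self, url):
        self.url = url
        FakeConnection.open_handles += 1

    def close(self):
        FakeConnection.open_handles -= 1


def fake_cluster(behaviour):
    """Constructed cluster: behaviour maps url -> 'ok', 'auth' (401) or 'down'."""
    def open_connection(url):
        if behaviour.get(url, "down") == "down":
            raise ConnectError(url)
        return FakeConnection(url)

    def send(conn):
        if behaviour[conn.url] == "auth":
            raise AuthorizationRequired(conn.url)
        return "Added user via {}".format(conn.url)

    return open_connection, send


def run_command(servers, behaviour):
    """Run one command against the simulated cluster.

    Returns (message the CLI would print, number of connection handles leaked).
    """
    FakeConnection.open_handles = 0
    open_connection, send = fake_cluster(behaviour)
    try:
        message = forward_command(servers, open_connection, send)
    except IPAClientError as err:
        message = "ipa: ERROR: {}".format(err)
    return message, FakeConnection.open_handles


if __name__ == "__main__":
    # The situation from this bug: one master listed twice, no ticket obtained.
    master = "https://ratchet.lab.eng.pnq.redhat.com/ipa/xml"
    print(run_command([master, master], {master: "auth"})[0])
```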

Comment 13 Martin Kosek 2011-11-01 09:49:35 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 14 Gowrishankar Rajaiyan 2011-11-01 14:04:56 UTC
[root@jetfire ~]# ipa-server-install  --setup-dns --no-forwarder --hostname=jetfire.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 -U 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host jetfire.testrelm
The IPA Master Server will be configured with
Hostname:    jetfire.testrelm
IP address:  2620:52:0:41c9:5054:ff:fea8:b669
Domain name: testrelm

Using reverse zone 9.c.1.4.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating CA agent PKCS#12 file in /root
  [6/17]: creating RA agent certificate database
  [7/17]: importing CA chain to RA certificate database
  [8/17]: fixing RA database permissions
  [9/17]: setting up signing cert profile
  [10/17]: set up CRL publishing
  [11/17]: set certificate subject base
  [12/17]: configuring certificate server to start on boot
  [13/17]: restarting certificate server
  [14/17]: requesting RA certificate from CA
  [15/17]: issuing RA agent certificate
  [16/17]: adding RA agent as a trusted user
  [17/17]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling referential integrity plugin
  [6/35]: enabling winsync plugin
  [7/35]: configuring replication version plugin
  [8/35]: enabling IPA enrollment plugin
  [9/35]: enabling ldapi
  [10/35]: configuring uniqueness plugin
  [11/35]: configuring uuid plugin
  [12/35]: configuring modrdn plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: configuring ssl for ds instance
  [17/35]: configuring certmap.conf
  [18/35]: configure autobind for root
  [19/35]: configure new location for managed entries
  [20/35]: restarting directory server
  [21/35]: adding default layout
  [22/35]: adding delegation layout
  [23/35]: adding replication acis
  [24/35]: creating container for managed entries
  [25/35]: configuring user private groups
  [26/35]: configuring netgroups from hostgroups
  [27/35]: creating default Sudo bind user
  [28/35]: creating default Auto Member layout
  [29/35]: creating default HBAC rule allow_all
  [30/35]: initializing group membership
  [31/35]: adding master entry
  [32/35]: configuring Posix uid/gid generation
  [33/35]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
  [34/35]: tuning directory server
  [35/35]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/14]: setting KDC account password
  [2/14]: adding sasl mappings to the directory
  [3/14]: adding kerberos entries to the DS
  [4/14]: adding default ACIs
  [5/14]: configuring KDC
  [6/14]: adding default keytypes
  [7/14]: adding default password policy
  [8/14]: creating a keytab for the directory
  [9/14]: creating a keytab for the machine
  [10/14]: exporting the kadmin keytab
  [11/14]: adding the password extension to the directory
  [12/14]: adding the kerberos master key to the directory
  [13/14]: starting the KDC
  [14/14]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd 
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: setting up browser autoconfig
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@jetfire ~]# 

[root@jetfire ~]# ipa user-show admin
ipa: ERROR: cannot connect to u'https://jetfire.testrelm/ipa/xml': Authorization Required
[root@jetfire ~]# 


[root@jetfire ~]# ipa user-add shanks --first=s --last=r
ipa: ERROR: cannot connect to u'https://jetfire.testrelm/ipa/xml': Authorization Required
[root@jetfire ~]# 


[root@jetfire ~]# kinit admin
Password for admin@TESTRELM: 
[root@jetfire ~]#

[root@jetfire ~]# ipa user-add shanks --first=s --last=r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: s
  Last name: r
  Full name: s r
  Display name: s r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: s r
  Login shell: /bin/sh
  Kerberos principal: shanks@TESTRELM
  UID: 831600003
  GID: 831600003
  Keytab: False
  Password: False


Verified in version: ipa-server-2.1.3-7.el6.x86_64

Comment 15 errata-xmlrpc 2011-12-06 18:31:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

