Description of problem:
I start with a machine whose hostname is ipa-replica.testrelm, with IP 10.16.19.135

# ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.19.135

This fails with:

  [3/17]: configuring certificate server instance
CRITICAL:root:failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipaserver.testrelm' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Ychuf6' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'AIYjmiNBjk4DZ4G18R6C' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=TESTRELM' '-ldap_host' 'ipaserver.testrelm' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=TESTRELM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=TESTRELM' '-ca_server_cert_subject_name' 'CN=ipaserver.testrelm,O=TESTRELM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=TESTRELM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=TESTRELM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipaserver.testrelm' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Ychuf6' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'AIYjmiNBjk4DZ4G18R6C' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=TESTRELM' '-ldap_host' 'ipaserver.testrelm' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=TESTRELM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=TESTRELM' '-ca_server_cert_subject_name' 'CN=ipaserver.testrelm,O=TESTRELM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=TESTRELM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=TESTRELM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. use ipa-server-install with a different hostname than the current hostname as indicated above

Actual results:
error as indicated above

Expected results:
install to be successful

Additional info:
Env before install:

# hostname
ipa-replica.testrelm
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.19.135 ipa-replica.testrelm ipa-replica
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ipa-replica.testrelm
# cat /etc/resolv.conf
# Generated by NetworkManager
domain bos.redhat.com
search bos.redhat.com redhat.com testrelm
nameserver 10.16.255.2
nameserver 10.16.255.3
nameserver 10.11.255.155

Env after install:

# hostname
ipaserver.testrelm
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ipaserver.testrelm
There are two ways to work around this:

1) Pass the IP address interactively (omit the --ip-address option in the CLI call)

2) Add a host record to /etc/hosts in the proper format before you install:

$IP_ADDRESS $HOSTNAME $SHORT_NAME

where $IP_ADDRESS is the value you pass to --ip-address, $HOSTNAME is the value you pass to --hostname and $SHORT_NAME is the first part of $HOSTNAME.

For example, if you install IPA this way:

ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.19.135

and add this record to /etc/hosts:

10.16.19.135 ipaserver.testrelm ipaserver

before you run ipa-server-install, the installation should be OK.
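An added pre-flight check for the workaround in the comment above (example code, not FreeIPA's and not the commenter's): it builds the hosts record in the $IP_ADDRESS $HOSTNAME $SHORT_NAME format described and inspects a hosts-format file for an active record, skipping commented-out lines such as the one in the reporter's /etc/hosts. The sample hosts file is constructed from the reporter's paste.

```shell
#!/usr/bin/env bash
# Pre-flight check for the /etc/hosts workaround above (added example, not
# FreeIPA code): verify that a hosts-format file carries an active record
# "IP FQDN SHORT" for the --hostname/--ip-address pair, ignoring comments.

# Build the record in the workaround's format: $IP_ADDRESS $HOSTNAME $SHORT_NAME.
hosts_record() {
    printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# Print the IP that the first active (uncommented) line maps NAME to, or
# nothing. A line such as "#10.16.19.135 ipa-replica.testrelm ipa-replica"
# is a comment and must not count as a record.
hosts_lookup() {
    local file="$1" name="$2" line ip n
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"          # drop whole-line and trailing comments
        set -- $line                # split the remaining fields on whitespace
        [ $# -ge 2 ] || continue    # need an address plus at least one name
        ip="$1"; shift
        for n in "$@"; do
            if [ "$n" = "$name" ]; then printf '%s\n' "$ip"; return; fi
        done
    done < "$file"
}

# Classify FILE for the IP/FQDN pair: ok | missing | mismatch:<ip-found>
check_hosts() {
    local file="$1" ip="$2" fqdn="$3" found
    found=$(hosts_lookup "$file" "$fqdn")
    if [ -z "$found" ]; then echo missing
    elif [ "$found" = "$ip" ]; then echo ok
    else echo "mismatch:$found"
    fi
}

# Constructed sample mirroring the reporter's /etc/hosts: the only record
# for the machine is commented out, so the installer cannot resolve it.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.19.135 ipa-replica.testrelm ipa-replica
EOF

state=$(check_hosts "$SAMPLE_HOSTS" 10.16.19.135 ipaserver.testrelm)
echo "state for ipaserver.testrelm: $state"   # missing
if [ "$state" = missing ]; then hosts_record 10.16.19.135 ipaserver.testrelm; fi
```

Run it against the real /etc/hosts with the values you intend to pass to --hostname and --ip-address; a "mismatch" result means a stale record points the name at another address and needs correcting rather than appending.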
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2074
Fixed upstream. master: 0165a03694db76462b62ca06cdc2b3f88312a154
Using:
ipa-server-2.2.0-7.el6.x86_64

# hostname
margo.testrelm.com
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=margo.testrelm.com
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.16.96.50 margo.testrelm.com margo
# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search idm.lab.bos.redhat.com
nameserver 10.16.78.150

Installed using command:

# ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com -r TESTRELM.COM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.96.50

Failed with:

Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com' returned non-zero exit status 1

/var/log/ipaserver-install.log has:

2012-04-02T14:39:16Z DEBUG Changing admin password
2012-04-02T14:39:16Z DEBUG args=/usr/bin/ldappasswd -h ipaserver.testrelm.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpjjJRzL -T /var/lib/ipa/tmp_K_Zxx uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
2012-04-02T14:39:16Z DEBUG stdout=
2012-04-02T14:39:16Z DEBUG stderr=
2012-04-02T14:39:16Z DEBUG ldappasswd done
2012-04-02T14:39:18Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com
2012-04-02T14:39:18Z DEBUG stdout=Discovery was successful!
Hostname: ipaserver.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm
IPA Server: ipaserver.testrelm.com
BaseDN: dc=testrelm,dc=com
Configured /etc/sssd/sssd.conf

2012-04-02T14:39:18Z DEBUG stderr=DNS domain 'testrelm.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: Service u'HTTP' not found in Kerberos database/

After install:

# hostname
ipaserver.testrelm.com
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2602
I'm glad Martin opened a new ticket, this seems to be a different issue. In this case you set the DNS for testrelm and set server name to testrelm.com. No wonder it isn't resolvable.
Yes - my mistake. I missed passing testrelm.com for the domain name. I retried the install with correct parameters, as in:

ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com --ip-address 10.16.96.50

and was able to install on a machine where the hostname before install was margo.testrelm.com.
Verified this bug using ipa-server-2.2.0-7.el6.x86_64.

Opened new bug 809190 for the error the installer ran into when the domain name is not resolvable.
Ok, thanks. I will link the upstream ticket to the new Bugzilla.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When the IPA server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user and a host record is added to /etc/hosts so that the custom hostname is resolvable and the installation can continue. However, the record is not added when the IP address is passed as an option (--ip-address).
Consequence: Installation fails because subsequent steps cannot resolve the machine IP address.
Fix: The host record in /etc/hosts is now added even when the IP address is passed via the CLI option --ip-address.
Result: Installation with a nonresolvable hostname now succeeds regardless of how the IP address is passed to the installer (interactively or via CLI option).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html