Bug 751597 - ipa-server-install --hostname fails at step configuring certificate server instance
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 756082
Reported: 2011-11-06 03:51 UTC by Namita Soman
Modified: 2012-06-20 13:16 UTC (History)

Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When the IPA server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user and a host record is added to /etc/hosts so that the custom hostname is resolvable and the installation can continue. However, the record is not added when the IP address is passed as an option (--ip-address). Consequence: Installation fails because subsequent steps cannot resolve the machine IP address. Fix: The host record in /etc/hosts is now added even when the IP address is passed via the CLI option --ip-address. Result: Installation with a nonresolvable hostname now succeeds regardless of how the IP address is passed to the installer (interactively or via CLI option).
Clone Of:
Environment:
Last Closed: 2012-06-20 13:16:42 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Namita Soman 2011-11-06 03:51:42 UTC
Description of problem:
I start with a machine whose hostname is ipa-replica.testrelm, with IP 10.16.19.135
# ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.19.135

This fails with:
  [3/17]: configuring certificate server instance
CRITICAL:root:failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipaserver.testrelm' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Ychuf6' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'AIYjmiNBjk4DZ4G18R6C' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=TESTRELM' '-ldap_host' 'ipaserver.testrelm' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=TESTRELM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=TESTRELM' '-ca_server_cert_subject_name' 'CN=ipaserver.testrelm,O=TESTRELM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=TESTRELM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=TESTRELM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipaserver.testrelm' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Ychuf6' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'AIYjmiNBjk4DZ4G18R6C' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=TESTRELM' '-ldap_host' 'ipaserver.testrelm' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=TESTRELM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=TESTRELM' '-ca_server_cert_subject_name' 'CN=ipaserver.testrelm,O=TESTRELM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=TESTRELM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=TESTRELM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed


Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use ipa-server-install with a different hostname than the current hostname, as indicated above

Actual results:
error as indicated above

Expected results:
install to be successful

Additional info:

Env before install:
# hostname
ipa-replica.testrelm

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.19.135  ipa-replica.testrelm ipa-replica

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ipa-replica.testrelm

# cat /etc/resolv.conf 
# Generated by NetworkManager
domain bos.redhat.com
search bos.redhat.com redhat.com testrelm
nameserver 10.16.255.2
nameserver 10.16.255.3
nameserver 10.11.255.155


Env after install:
# hostname
ipaserver.testrelm

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ipaserver.testrelm

Comment 2 Martin Kosek 2011-11-07 16:39:43 UTC
There are 2 ways to work around this:

1) Pass IP address interactively (omit --ip-address option in CLI call)

2) Add host record to /etc/hosts in a proper format before you install:
$IP_ADDRESS $HOSTNAME $SHORT_NAME

where $IP_ADDRESS is the value you pass to --ip-address, $HOSTNAME is the value you pass to --hostname and $SHORT_NAME is the first part of the $HOSTNAME.

For example, if you install IPA this way:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.19.135

and add this record to /etc/hosts:
10.16.19.135 ipaserver.testrelm ipaserver

before you run ipa-server-install, the installation should be OK.
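The pre-install check below is an added example (Python 3), not FreeIPA installer code: it applies the `$IP_ADDRESS $HOSTNAME $SHORT_NAME` record format from this comment to a constructed copy of the "Env before install" /etc/hosts from the report, ignoring the commented-out record the way the resolver does, and refuses to add a record that would conflict with an existing mapping of the same name.

```python
import ipaddress

# Constructed sample mirroring the "Env before install" /etc/hosts in the
# report: the only record for the box itself is commented out.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.19.135  ipa-replica.testrelm ipa-replica
"""


def hosts_record(ip, hostname):
    """Build the record in the '$IP_ADDRESS $HOSTNAME $SHORT_NAME' form."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if "." not in hostname.strip("."):
        raise ValueError("hostname must be fully qualified: %r" % hostname)
    short_name = hostname.split(".")[0]
    return "%s %s %s" % (ip, hostname, short_name)


def resolves_in_hosts(hosts_text, hostname):
    """Return the address a name maps to in /etc/hosts text, or None.

    Anything after '#' is a comment, so the commented-out record in the
    report does not count as a mapping; the first matching line wins,
    as it does for the system resolver.
    """
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[0]
    return None


def ensure_hosts_record(hosts_text, ip, hostname):
    """Return hosts_text with the record present exactly once.

    A conflicting mapping of the same name to another address is reported
    instead of silently appended, since an appended line would never be
    consulted and the installer would still see the wrong address.
    """
    existing = resolves_in_hosts(hosts_text, hostname)
    if existing == ip:
        return hosts_text
    if existing is not None:
        raise ValueError("%s already maps to %s, not %s" % (hostname, existing, ip))
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + hosts_record(ip, hostname) + "\n"
```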

Comment 5 Martin Kosek 2011-11-07 16:42:39 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2074

Comment 6 Rob Crittenden 2011-11-11 19:05:57 UTC
Fixed upstream.

master: 0165a03694db76462b62ca06cdc2b3f88312a154

Comment 8 Namita Soman 2012-04-02 14:48:51 UTC
Using:
ipa-server-2.2.0-7.el6.x86_64

# hostname
margo.testrelm.com
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=margo.testrelm.com
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.16.96.50 margo.testrelm.com margo
# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search idm.lab.bos.redhat.com
nameserver 10.16.78.150

Installed using command:
# ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com -r TESTRELM.COM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.96.50

Failed with:
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com' returned non-zero exit status 1

/var/log/ipaserver-install.log has:
2012-04-02T14:39:16Z DEBUG Changing admin password
2012-04-02T14:39:16Z DEBUG args=/usr/bin/ldappasswd -h ipaserver.testrelm.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpjjJRzL -T /var/lib/ipa/tmp_K_Zxx uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
2012-04-02T14:39:16Z DEBUG stdout=
2012-04-02T14:39:16Z DEBUG stderr=
2012-04-02T14:39:16Z DEBUG ldappasswd done
2012-04-02T14:39:18Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com
2012-04-02T14:39:18Z DEBUG stdout=^[[?1034hDiscovery was successful!
Hostname: ipaserver.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm
IPA Server: ipaserver.testrelm.com
BaseDN: dc=testrelm,dc=com


Configured /etc/sssd/sssd.conf

2012-04-02T14:39:18Z DEBUG stderr=DNS domain 'testrelm.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: Service u'HTTP@ipaserver.testrelm' not found in Kerberos database/



After install:
# hostname
ipaserver.testrelm.com

Comment 9 Martin Kosek 2012-04-02 15:27:11 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2602

Comment 10 Rob Crittenden 2012-04-02 15:39:08 UTC
I'm glad Martin opened a new ticket, this seems to be a different issue.

In this case you set the DNS for testrelm and set server name to testrelm.com. No wonder it isn't resolvable.

Comment 11 Namita Soman 2012-04-02 17:01:52 UTC
Yes - my mistake. I missed passing testrelm.com for the domain name. I retried the install with the correct parameters, as in:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com --ip-address 10.16.96.50

And was able to install on a machine where hostname before install was margo.testrelm.com

Comment 12 Namita Soman 2012-04-02 17:35:55 UTC
Verified this bug using ipa-server-2.2.0-7.el6.x86_64
Opened new bug 809190 for the error installer ran into when domain name is not resolvable.

Comment 13 Martin Kosek 2012-04-03 07:45:32 UTC
Ok, thanks. I will link the upstream ticket to the new Bugzilla.

Comment 14 Martin Kosek 2012-04-19 11:53:50 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When the IPA server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user and a host record is added to /etc/hosts so that the custom hostname is resolvable and the installation can continue. However, the record is not added when the IP address is passed as an option (--ip-address).
Consequence: Installation fails because subsequent steps cannot resolve the machine IP address.
Fix: The host record in /etc/hosts is now added even when the IP address is passed via the CLI option --ip-address.
Result: Installation with a nonresolvable hostname now succeeds regardless of how the IP address is passed to the installer (interactively or via CLI option).

Comment 16 errata-xmlrpc 2012-06-20 13:16:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

