Bug 809190 - ipa-server-install fails when domain name is not resolvable
Summary: ipa-server-install fails when domain name is not resolvable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-04-02 17:34 UTC by Namita Soman
Modified: 2012-06-20 13:26 UTC (History)

Fixed In Version: ipa-2.2.0-9.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:26:26 UTC
Target Upstream Version:
Embargoed:


Attachments:
outputs from dnszone-find dnsrecord-find (4.96 KB, text/plain), 2012-05-07 14:06 UTC, Namita Soman


Links:
Red Hat Product Errata RHBA-2012:0819 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2012-06-19 20:34:17 UTC

Description Namita Soman 2012-04-02 17:34:22 UTC
Description of problem:
When verifying bug 751597, saw the issue below - 
When installing using a new hostname, specify a domain name that is not resolvable, and the install starts. It fails later at the step when configuring named. But the installer should have caught this, and not started the install.

If the domain name of the host isn't resolvable, OR the zone being created for IPA isn't, then we can fail.
https://fedorahosted.org/freeipa/ticket/2602 was opened when working on bug 751597.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-7.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipaserver as:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com -r TESTRELM.COM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.96.50
where
# hostname
margo.testrelm.com
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=margo.testrelm.com
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.96.50 margo.testrelm.com margo
# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search idm.lab.bos.redhat.com
nameserver 10.16.78.150

Actual results:
Install fails with:
Configuration of client side components failed!

Expected results:
If the domain name is not resolvable, the installer should have caught it, and not started the install.

Additional info:
Failed with:
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master
--unattended --domain testrelm --server ipaserver.testrelm.com --realm
TESTRELM.COM --hostname ipaserver.testrelm.com' returned non-zero exit status 1

/var/log/ipaserver-install.log has:
2012-04-02T14:39:16Z DEBUG Changing admin password
2012-04-02T14:39:16Z DEBUG args=/usr/bin/ldappasswd -h ipaserver.testrelm.com
-ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpjjJRzL -T
/var/lib/ipa/tmp_K_Zxx uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
2012-04-02T14:39:16Z DEBUG stdout=
2012-04-02T14:39:16Z DEBUG stderr=
2012-04-02T14:39:16Z DEBUG ldappasswd done
2012-04-02T14:39:18Z DEBUG args=/usr/sbin/ipa-client-install --on-master
--unattended --domain testrelm --server ipaserver.testrelm.com --realm
TESTRELM.COM --hostname ipaserver.testrelm.com
2012-04-02T14:39:18Z DEBUG stdout=^[[?1034hDiscovery was successful!
Hostname: ipaserver.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm
IPA Server: ipaserver.testrelm.com
BaseDN: dc=testrelm,dc=com


Configured /etc/sssd/sssd.conf

2012-04-02T14:39:18Z DEBUG stderr=DNS domain 'testrelm.com' is not configured
for automatic KDC address lookup.
KDC address will be set to fixed value.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: Service u'HTTP'
not found in Kerberos database/
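The check the report asks for, as an added example (not FreeIPA's own installer code): refuse to start the install when the server hostname or the requested DNS domain cannot be resolved, and flag the hostname/domain mismatch seen in the reproducer. The DNS lookup is injected through `resolve` so the check can run offline; the default uses the standard-library resolver and is an approximation (it sees only address records).

```python
import socket


def default_resolve(name):
    """True if `name` has at least one address record (stdlib approximation:
    a delegated domain with only NS/SOA data would be reported unresolvable)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def preflight_check(hostname, domain, resolve=default_resolve):
    """Return (errors, warnings); any error means the install must not start."""
    errors, warnings = [], []
    hostname = hostname.rstrip(".").lower()
    domain = domain.rstrip(".").lower()

    # The server needs a fully qualified, resolvable hostname, not a bare label.
    if "." not in hostname:
        errors.append("hostname '%s' is not fully qualified" % hostname)
    elif not resolve(hostname):
        errors.append("hostname '%s' is not resolvable" % hostname)

    # The reproducer passed '-n testrelm': a single-label domain the resolver
    # could never find. Reject that shape outright, and otherwise require the
    # domain itself to resolve before any install step runs.
    if "." not in domain:
        errors.append("domain '%s' is a single label; expected e.g. testrelm.com" % domain)
    elif not resolve(domain):
        errors.append("domain '%s' is not resolvable" % domain)

    # A host outside the domain is permitted (comment 8 verifies that case),
    # but the mismatch is worth surfacing before anything is configured.
    if hostname != domain and not hostname.endswith("." + domain):
        warnings.append("hostname '%s' is not inside domain '%s'" % (hostname, domain))
    return errors, warnings


if __name__ == "__main__":
    import sys
    # The reporter's values: --hostname ipaserver.testrelm.com, -n testrelm.
    errors, warnings = preflight_check("ipaserver.testrelm.com", "testrelm")
    for line in warnings:
        print("warning: " + line)
    for line in errors:
        print("error: " + line)
    sys.exit(1 if errors else 0)
```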

Comment 2 Martin Kosek 2012-04-03 07:46:52 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2602

Comment 3 Rob Crittenden 2012-04-09 17:44:30 UTC
master: 184a066f4abc0ef83434f8cebbec87028258db65

ipa-2-2: 173f4ae073502f9f1b1adb1e1cc8f063693c5c31

Comment 7 Martin Kosek 2012-04-25 11:21:25 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Comment 8 Namita Soman 2012-05-03 14:48:35 UTC
Verified using ipa-server-2.2.0-12.el6.x86_64

Was able to successfully install when server hostname was not in a default domain

Verified CLI works: added user, modified permission, etc.
Verified UI: logged in, added host, where the dropdown listed both testrelm and testrelm.com; added one in each.


Also verified DNS records: the record for the domain the host is not in included the FQDN for the host.
# ipa dnsrecord-find  testrelm
  Record name: @
  NS record: ipaserver.testrelm.com.

  Record name: _kerberos
  TXT record: TESTRELM.COM

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos._tcp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos._udp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 ipaserver.testrelm.com.

  Record name: _kpasswd._udp
  SRV record: 0 100 464 ipaserver.testrelm.com.

  Record name: _ldap._tcp
  SRV record: 0 100 389 ipaserver.testrelm.com.

  Record name: _ntp._udp
  SRV record: 0 100 123 ipaserver.testrelm.com.
-----------------------------
Number of entries returned 10
-----------------------------


# ipa dnsrecord-find  testrelm.com
  Record name: @
  NS record: ipaserver.testrelm.com.

  Record name: ipaserver
  A record: 10.16.187.114
  SSHFP record: 1 1 C67DE264098040A0C6F8005DBCCDCB3C5DB8186C, 2 1
                A20F9E13B7741CD82E2CBBDC44A4EED29B22AAEA
----------------------------
Number of entries returned 2
----------------------------

Verified krb5.conf has entries for both domains:
# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTRELM.COM = {
  kdc = ipaserver.testrelm.com:88
  admin_server = ipaserver.testrelm.com:749
  default_domain = testrelm
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .testrelm = TESTRELM.COM
 testrelm = TESTRELM.COM
 .testrelm.com = TESTRELM.COM
 testrelm.com = TESTRELM.COM

[dbmodules]
  TESTRELM.COM = {
    db_library = ipadb.so
  }

Comment 9 Namita Soman 2012-05-07 13:59:36 UTC
Also verified setup where:

Installed master on ipamaster.us.testrelm.com 
#ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipamaster.us.testrelm.com -r TESTRELM.COM -n testrelm.com -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.96.83

Then one replica on - ipareplica1.eu.testrelm.com
And a second replica on - ipareplica3.aus.example.com 

Was able to kinit and add users from any system, and find them on the others.

# ipa-replica-manage list
ipamaster.us.testrelm.com: master
ipareplica1.eu.testrelm.com: master
ipareplica3.aus.example.com: master

Comment 10 Namita Soman 2012-05-07 14:06:21 UTC
Created attachment 582678 [details]
outputs from dnszone-find dnsrecord-find

Comment 12 errata-xmlrpc 2012-06-20 13:26:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

