Description of problem:
When verifying bug 751597, saw the issue below - When installing using a new hostname, specify a domain name that is not resolvable, and the install starts. It fails later at the step when configuring named. But the installer should have caught this, and not started the install.

If the domain name of the host isn't resolvable OR the zone being created for IPA then we can fail

https://fedorahosted.org/freeipa/ticket/2602 was opened when working on bug 751597.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-7.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipaserver as:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com -r TESTRELM.COM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.96.50

where

# hostname
margo.testrelm.com

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=margo.testrelm.com

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.96.50 margo.testrelm.com margo

# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search idm.lab.bos.redhat.com
nameserver 10.16.78.150

Actual results:
Install fails with:
Configuration of client side components failed!

Expected results:
If domain name is not resolvable, installer should have caught it, and not started the install.

Additional info:
Failed with:

Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com' returned non-zero exit status 1

/var/log/ipaserver-install.log has:

2012-04-02T14:39:16Z DEBUG Changing admin password
2012-04-02T14:39:16Z DEBUG args=/usr/bin/ldappasswd -h ipaserver.testrelm.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpjjJRzL -T /var/lib/ipa/tmp_K_Zxx uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
2012-04-02T14:39:16Z DEBUG stdout=
2012-04-02T14:39:16Z DEBUG stderr=
2012-04-02T14:39:16Z DEBUG ldappasswd done
2012-04-02T14:39:18Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com
2012-04-02T14:39:18Z DEBUG stdout=^[[?1034hDiscovery was successful!
  Hostname: ipaserver.testrelm.com
  Realm: TESTRELM.COM
  DNS Domain: testrelm
  IPA Server: ipaserver.testrelm.com
  BaseDN: dc=testrelm,dc=com
Configured /etc/sssd/sssd.conf

2012-04-02T14:39:18Z DEBUG stderr=DNS domain 'testrelm.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: Service u'HTTP' not found in Kerberos database/
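Added illustration of the pre-flight check this report asks ipa-server-install to perform; it is not FreeIPA's own code. The resolver is injected (a constructed table stands in for DNS so it runs offline), and the set of zones the installer will create is passed in, so both the reporter's setup and the later verified behaviour (host zone created alongside the IPA zone) can be exercised.

```python
"""Pre-flight DNS check of the kind this bug asks ipa-server-install to do.

Illustration only, not FreeIPA's own code. The resolver is injected so the
check runs offline; a real implementation would query the system resolver
(getaddrinfo for the FQDN, an SOA/NS lookup for each domain).
"""


def parent_domain(fqdn):
    """'margo.testrelm.com' -> 'testrelm.com'; '' for a bare short name."""
    return fqdn.partition(".")[2]


def covered_by(name, zones):
    """True when the installer itself will make `name` resolvable: it is one
    of the zones --setup-dns creates, or a name beneath one of them."""
    return any(name == z or name.endswith("." + z) for z in zones)


def check_dns_preconditions(hostname, ipa_domain, resolve, zones_to_create=()):
    """Return (ok, reason); the install must not start when ok is False.

    Each name the install depends on (host FQDN, its parent domain, the IPA
    domain) must resolve now or lie inside a zone about to be created.
    resolve(name) returns a non-empty list of records or raises OSError.
    """
    host_dom = parent_domain(hostname)
    if not host_dom:
        return False, "hostname %r is not fully qualified" % hostname
    for what, name in (("host", hostname), ("host domain", host_dom),
                       ("IPA domain", ipa_domain)):
        if covered_by(name, zones_to_create):
            continue
        try:
            if resolve(name):
                continue
        except OSError:
            pass
        return False, "%s %r is not resolvable and will not be created" % (what, name)
    return True, "all names resolve or will be created"


def table_resolver(table):
    """Constructed stand-in for DNS: answers from a dict, fails otherwise."""
    def resolve(name):
        if name not in table:
            raise OSError("NXDOMAIN: %s" % name)
        return table[name]
    return resolve
```

With an empty table (the reporter's resolver knows nothing about testrelm.com and the /etc/hosts line is commented out) and only the 'testrelm' zone to be created, the check refuses on the host FQDN; adding 'testrelm.com' to the zones to create lets it proceed.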
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2602
master: 184a066f4abc0ef83434f8cebbec87028258db65
ipa-2-2: 173f4ae073502f9f1b1adb1e1cc8f063693c5c31
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
verified using ipa-server-2.2.0-12.el6.x86_64

Was able to successfully install when server hostname was not in a default domain

Verified cli works...added user, modified permission etc

Verified UI, logged in, added host, where dropdown listed both testrelm, and testrelm.com..added one in each

Also verified DNS records...the record for the domain, the host is not in, included fqdn for the host

# ipa dnsrecord-find testrelm
  Record name: @
  NS record: ipaserver.testrelm.com.

  Record name: _kerberos
  TXT record: TESTRELM.COM

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos._tcp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos._udp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 ipaserver.testrelm.com.

  Record name: _kpasswd._udp
  SRV record: 0 100 464 ipaserver.testrelm.com.

  Record name: _ldap._tcp
  SRV record: 0 100 389 ipaserver.testrelm.com.

  Record name: _ntp._udp
  SRV record: 0 100 123 ipaserver.testrelm.com.
-----------------------------
Number of entries returned 10
-----------------------------

# ipa dnsrecord-find testrelm.com
  Record name: @
  NS record: ipaserver.testrelm.com.

  Record name: ipaserver
  A record: 10.16.187.114
  SSHFP record: 1 1 C67DE264098040A0C6F8005DBCCDCB3C5DB8186C, 2 1 A20F9E13B7741CD82E2CBBDC44A4EED29B22AAEA
----------------------------
Number of entries returned 2
----------------------------

Verified krb5.conf has entries for both domains:

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTRELM.COM = {
  kdc = ipaserver.testrelm.com:88
  admin_server = ipaserver.testrelm.com:749
  default_domain = testrelm
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .testrelm = TESTRELM.COM
 testrelm = TESTRELM.COM
 .testrelm.com = TESTRELM.COM
 testrelm.com = TESTRELM.COM

[dbmodules]
 TESTRELM.COM = {
  db_library = ipadb.so
 }

Also verified setup where:

Installed master on ipamaster.us.testrelm.com
#ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipamaster.us.testrelm.com -r TESTRELM.COM -n testrelm.com -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.96.83

Then one replica on - ipareplica1.eu.testrelm.com
And a second replica on - ipareplica3.aus.example.com

was able to kinit, and add users from any system, and find it on the other.

# ipa-replica-manage list
ipamaster.us.testrelm.com: master
ipareplica1.eu.testrelm.com: master
ipareplica3.aus.example.com: master
Created attachment 582678: outputs from dnszone-find dnsrecord-find
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html