Bug 809190 - ipa-server-install fails when domain name is not resolvable
ipa-server-install fails when domain name is not resolvable
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Rob Crittenden
Depends On:
  Show dependency treegraph
Reported: 2012-04-02 13:34 EDT by Namita Soman
Modified: 2012-06-20 09:26 EDT (History)
2 users (show)

See Also:
Fixed In Version: ipa-2.2.0-9.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Story Points: ---
Clone Of:
Last Closed: 2012-06-20 09:26:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
outputs from dnszone-find dnsrecord-find (4.96 KB, text/plain)
2012-05-07 10:06 EDT, Namita Soman
no flags Details

  None (edit)
Description Namita Soman 2012-04-02 13:34:22 EDT
Description of problem:
When verifying bug 751597, saw the issue below - 
When installing using a new hostname, specify a domain name that is not resolvable, and the install starts. It fails later at the step when configuring named. But installer should have caught this, and not started the install.

If the domain name of the host isn't resolvable OR the zone being created for IPA then we can fail
https://fedorahosted.org/freeipa/ticket/2602 was opened when working on bug 751597.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install ipaserver as:
ipa-server-install --setup-dns --forwarder= --hostname
ipaserver.testrelm.com -r TESTRELM.COM -n testrelm -p Secret123 -P Secret123 -a
Secret123 --ip-address
# hostname
# cat /etc/sysconfig/network
# cat /etc/hosts   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# margo.testrelm.com margo
# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search idm.lab.bos.redhat.com

Actual results:
Install fails with:
Configuration of client side components failed!

Expected results:
If domain name is not resolvable, installer should have caught it, and not started the install.

Additional info:
Failed with:
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master
--unattended --domain testrelm --server ipaserver.testrelm.com --realm
TESTRELM.COM --hostname ipaserver.testrelm.com' returned non-zero exit status 1

/var/log/ipaserver-install.log has:
2012-04-02T14:39:16Z DEBUG Changing admin password
2012-04-02T14:39:16Z DEBUG args=/usr/bin/ldappasswd -h ipaserver.testrelm.com
-ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpjjJRzL -T
/var/lib/ipa/tmp_K_Zxx uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
2012-04-02T14:39:16Z DEBUG stdout=
2012-04-02T14:39:16Z DEBUG stderr=
2012-04-02T14:39:16Z DEBUG ldappasswd done
2012-04-02T14:39:18Z DEBUG args=/usr/sbin/ipa-client-install --on-master
--unattended --domain testrelm --server ipaserver.testrelm.com --realm
TESTRELM.COM --hostname ipaserver.testrelm.com
2012-04-02T14:39:18Z DEBUG stdout=^[[?1034hDiscovery was successful!
Hostname: ipaserver.testrelm.com
DNS Domain: testrelm
IPA Server: ipaserver.testrelm.com
BaseDN: dc=testrelm,dc=com

Configured /etc/sssd/sssd.conf

2012-04-02T14:39:18Z DEBUG stderr=DNS domain 'testrelm.com' is not configured
for automatic KDC address lookup.
KDC address will be set to fixed value.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: Service u'HTTP@ipaserver.testrelm'
not found in Kerberos database/
Comment 2 Martin Kosek 2012-04-03 03:46:52 EDT
Upstream ticket:
Comment 3 Rob Crittenden 2012-04-09 13:44:30 EDT
master: 184a066f4abc0ef83434f8cebbec87028258db65

ipa-2-2: 173f4ae073502f9f1b1adb1e1cc8f063693c5c31
Comment 7 Martin Kosek 2012-04-25 07:21:25 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    New Contents:
No documentation needed.
Comment 8 Namita Soman 2012-05-03 10:48:35 EDT
verified using ipa-server-2.2.0-12.el6.x86_64

Was able to successfully install when server hostname was not in a default domain

Verified cli works...added user, modified permission etc
Verified UI, logged in, added host, where dropdown listed both testrelm, and testrelm.com..added one in each

Also verified DNS records...the record for the domain, the host is not in, included fqdn for the host
# ipa dnsrecord-find  testrelm
  Record name: @
  NS record: ipaserver.testrelm.com.

  Record name: _kerberos

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos._tcp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kerberos._udp
  SRV record: 0 100 88 ipaserver.testrelm.com.

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 ipaserver.testrelm.com.

  Record name: _kpasswd._udp
  SRV record: 0 100 464 ipaserver.testrelm.com.

  Record name: _ldap._tcp
  SRV record: 0 100 389 ipaserver.testrelm.com.

  Record name: _ntp._udp
  SRV record: 0 100 123 ipaserver.testrelm.com.
Number of entries returned 10

# ipa dnsrecord-find  testrelm.com
  Record name: @
  NS record: ipaserver.testrelm.com.

  Record name: ipaserver
  A record:
  SSHFP record: 1 1 C67DE264098040A0C6F8005DBCCDCB3C5DB8186C, 2 1
Number of entries returned 2

Verified krb5.con has entries for both domains:
# cat /etc/krb5.conf 
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = TESTRELM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

  kdc = ipaserver.testrelm.com:88
  admin_server = ipaserver.testrelm.com:749
  default_domain = testrelm
  pkinit_anchors = FILE:/etc/ipa/ca.crt

 .testrelm = TESTRELM.COM
 testrelm = TESTRELM.COM
 .testrelm.com = TESTRELM.COM
 testrelm.com = TESTRELM.COM

    db_library = ipadb.so
Comment 9 Namita Soman 2012-05-07 09:59:36 EDT
Also verified setup where:

Installed master on ipamaster.us.testrelm.com 
#ipa-server-install --setup-dns --forwarder= --hostname ipamaster.us.testrelm.com -r TESTRELM.COM -n testrelm.com -p Secret123 -P Secret123 -a Secret123 --ip-address

Then one replica on - ipareplica1.eu.testrelm.com
And a second replica on - ipareplica3.aus.example.com 

was able to kinit, and add users from any system, and find it on the other.

# ipa-replica-manage list
ipamaster.us.testrelm.com: master
ipareplica1.eu.testrelm.com: master
ipareplica3.aus.example.com: master
Comment 10 Namita Soman 2012-05-07 10:06:21 EDT
Created attachment 582678 [details]
outputs from dnszone-find dnsrecord-find
Comment 12 errata-xmlrpc 2012-06-20 09:26:26 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.