Bug 889583 - ipa server install failing when realm differs from domain
ipa server install failing when realm differs from domain
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Rob Crittenden
Namita Soman
: Regression
Depends On:
Blocks: 895654
  Show dependency treegraph
Reported: 2012-12-21 14:29 EST by Scott Poore
Modified: 2015-05-12 06:48 EDT (History)
2 users (show)

See Also:
Fixed In Version: ipa-3.0.0-19.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 04:31:37 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Scott Poore 2012-12-21 14:29:57 EST
Description of problem:

I'm trying to setup IPA with testrelm.com for domain and RALEIGHREALM for the realm.  

The ipa-client-install portion of the ipa-server-install is failing.  

[root@rhel6-1 install-server-cli]# ipa-server-install --setup-dns --forwarder=  -r RALEIGHREALM -p Secret123 -P Secret123 -a Secret123 -U

...normal output skipped here...

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel6-1.testrelm.com --realm RALEIGHREALM --hostname rhel6-1.testrelm.com' returned non-zero exit status 1

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1.  run ipa-server-install as above
Actual results:
failure on ipa client install portion.

Expected results:

Additional info:

From ipaserver-install.log:

2012-12-21T18:59:30Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel6-1.testrelm.com --realm RALEIGHREALM --hostname rhel6-1.testrelm.com
2012-12-21T18:59:30Z DEBUG stdout=ESC[?1034h
2012-12-21T18:59:30Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2325, in <module>
  File "/usr/sbin/ipa-client-install", line 2311, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1676, in install
    ret = ds.search(domain=options.domain, server=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 212, in search
    krb_realm, kdc = self.ipadnssearchkrb(self.domain)
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 434, in ipadnssearchkrb
    kdc = ','.join(kdc)

2012-12-21T18:59:30Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1103, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2012-12-21T18:59:30Z INFO The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel6-1.testrelm.com --realm RALEIGHREALM --hostname rhel6-1.testrelm.com' returned non-zero exit status 1

From ipaclient-install.log:
2012-12-21T18:59:29Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'testrelm.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': True, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': 'rhel6-1.testrelm.com', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': 'RALEIGHREALM', 'conf_ssh': True, 'server': ['rhel6-1.testrelm.com'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2012-12-21T18:59:29Z DEBUG missing options might be asked for interactively later
2012-12-21T18:59:29Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-12-21T18:59:29Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2012-12-21T18:59:29Z DEBUG [IPA Discovery]
2012-12-21T18:59:29Z DEBUG Starting IPA discovery with domain=testrelm.com, server=['rhel6-1.testrelm.com'], hostname=rhel6-1.testrelm.com
2012-12-21T18:59:29Z DEBUG Server and domain forced
2012-12-21T18:59:29Z DEBUG [Kerberos realm search]
2012-12-21T18:59:29Z DEBUG Search DNS for TXT record of _kerberos.testrelm.com.
2012-12-21T18:59:29Z DEBUG DNS record found: DNSResult::name:_kerberos.testrelm.com.,type:16,class:1,rdata={data:RALEIGHREALM}
2012-12-21T18:59:29Z DEBUG Search DNS for SRV record of _kerberos._udp.raleighrealm.
2012-12-21T18:59:30Z DEBUG No DNS record found
2012-12-21T18:59:30Z DEBUG SRV record for KDC not found! Realm: RALEIGHREALM, SRV record: _kerberos.testrelm.com.
Comment 2 Scott Poore 2012-12-21 14:35:51 EST
Marking this one as a regression since I did confirm that the testing during 6.3 covered the same and we did not see this error.
Comment 4 Dmitri Pal 2012-12-21 18:42:39 EST
Upstream ticket:
Comment 5 Martin Kosek 2013-01-02 04:13:22 EST
We should include this one in RHEL-6.4 GA. I already have a working (small) patch which I would like to get accepted upstream today.
Comment 9 Scott Poore 2013-01-11 12:39:48 EST

Version ::


Manual Test Results ::

# ipa-server-install --setup-dns --forwarder=  -r RALEIGHREALM -p Secret123 -P Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel6-1.testrelm.com
The domain name has been determined based on the host name.

Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel6-1.testrelm.com
IP address:
Domain name:   testrelm.com
Realm name:    RALEIGHREALM

BIND DNS server will be configured to serve IPA domain with:
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Automated check Test Result (manually run) ::

# verify_bz889583 
:: [11:38:02] ::  IPA Realm and Domain differ...checking BZ 889583
:: [   PASS   ] :: File '/var/log/ipaserver-install.log' should not contain 'Configuration of client side components failed'
:: [   PASS   ] :: BZ 889583 not found
Comment 11 errata-xmlrpc 2013-02-21 04:31:37 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.