Bug 889583
| Summary: | ipa server install failing when realm differs from domain | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.4 | CC: | mkosek, tlavigne |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-3.0.0-19.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 09:31:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 895654 | ||
Marking this one as a regression since I did confirm that the testing during 6.3 covered the same and we did not see this error.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/3316

We should include this one in RHEL-6.4 GA. I already have a working (small) patch which I would like to get accepted upstream today.

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/cbb12c7cc56ba8d9ee48d261fc86ddef5e323c34
ipa-3-1: https://fedorahosted.org/freeipa/changeset/b6c81f21f566303bbc37033c2a7f06e11a5bcf42
ipa-3-0: https://fedorahosted.org/freeipa/changeset/5e831f1abddb5a6961fb2c534c7ea43a855ed832

Verified.

Version :: ipa-server-3.0.0-19.el6.x86_64

Manual Test Results ::

```
# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r RALEIGHREALM -p Secret123 -P Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel6-1.testrelm.com
The domain name has been determined based on the host name.

Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel6-1.testrelm.com
IP address:    192.168.122.61
Domain name:   testrelm.com
Realm name:    RALEIGHREALM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
```

Automated check Test Result (manually run) ::

```
# verify_bz889583
:: [11:38:02] :: IPA Realm and Domain differ...checking BZ 889583
::   [ PASS ] :: File '/var/log/ipaserver-install.log' should not contain 'Configuration of client side components failed'
::   [ PASS ] :: BZ 889583 not found
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
Description of problem:

I'm trying to setup IPA with testrelm.com for domain and RALEIGHREALM for the realm. The ipa-client-install portion of the ipa-server-install is failing.

```
[root@rhel6-1 install-server-cli]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r RALEIGHREALM -p Secret123 -P Secret123 -a Secret123 -U

...normal output skipped here...

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel6-1.testrelm.com --realm RALEIGHREALM --hostname rhel6-1.testrelm.com' returned non-zero exit status 1
```

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-17.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. run ipa-server-install as above
2.
3.

Actual results:
failure on ipa client install portion.

Expected results:
works?

Additional info:

From ipaserver-install.log:

```
2012-12-21T18:59:30Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel6-1.testrelm.com --realm RALEIGHREALM --hostname rhel6-1.testrelm.com
2012-12-21T18:59:30Z DEBUG stdout=ESC[?1034h

2012-12-21T18:59:30Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2325, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2311, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1676, in install
    ret = ds.search(domain=options.domain, server=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 212, in search
    krb_realm, kdc = self.ipadnssearchkrb(self.domain)
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 434, in ipadnssearchkrb
    kdc = ','.join(kdc)
TypeError

2012-12-21T18:59:30Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1103, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2012-12-21T18:59:30Z INFO The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel6-1.testrelm.com --realm RALEIGHREALM --hostname rhel6-1.testrelm.com' returned non-zero exit status 1
```

From ipaclient-install.log:

```
2012-12-21T18:59:29Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'testrelm.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': True, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': 'rhel6-1.testrelm.com', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': 'RALEIGHREALM', 'conf_ssh': True, 'server': ['rhel6-1.testrelm.com'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2012-12-21T18:59:29Z DEBUG missing options might be asked for interactively later
2012-12-21T18:59:29Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-12-21T18:59:29Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2012-12-21T18:59:29Z DEBUG [IPA Discovery]
2012-12-21T18:59:29Z DEBUG Starting IPA discovery with domain=testrelm.com, server=['rhel6-1.testrelm.com'], hostname=rhel6-1.testrelm.com
2012-12-21T18:59:29Z DEBUG Server and domain forced
2012-12-21T18:59:29Z DEBUG [Kerberos realm search]
2012-12-21T18:59:29Z DEBUG Search DNS for TXT record of _kerberos.testrelm.com.
2012-12-21T18:59:29Z DEBUG DNS record found: DNSResult::name:_kerberos.testrelm.com.,type:16,class:1,rdata={data:RALEIGHREALM}
2012-12-21T18:59:29Z DEBUG Search DNS for SRV record of _kerberos._udp.raleighrealm.
2012-12-21T18:59:30Z DEBUG No DNS record found
2012-12-21T18:59:30Z DEBUG SRV record for KDC not found! Realm: RALEIGHREALM, SRV record: _kerberos.testrelm.com.
```
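The client log above shows the failure path: the TXT record under the DNS domain names the realm, the KDC SRV query is then built from the lowercased realm (`_kerberos._udp.raleighrealm.`), which does not exist as a zone, the lookup comes back as `None`, and `','.join(None)` raises the `TypeError`. The following is an added example modelling that discovery flow against a constructed in-memory zone; it is not IPA's code nor the upstream patch, and the `ZONE` records, `dns_lookup` resolver and the guarded variant (including its fallback to the DNS domain) are assumptions made for illustration.

```python
# Added example (not IPA's code): a model of the client-side KDC discovery
# seen in the traceback, run against a constructed in-memory DNS zone.

# Constructed records standing in for what ipa-server-install publishes:
# the TXT record names the realm, the KDC SRV record sits under the DNS domain.
ZONE = {
    ("_kerberos.testrelm.com.", "TXT"): ["RALEIGHREALM"],            # realm != domain
    ("_kerberos._udp.testrelm.com.", "SRV"): ["rhel6-1.testrelm.com:88"],
    ("_kerberos.example.test.", "TXT"): ["EXAMPLE.TEST"],            # realm == domain
    ("_kerberos._udp.example.test.", "SRV"): ["ipa.example.test:88"],
}

def dns_lookup(name, rtype):
    """Stand-in resolver: rdata list for (name, rtype), None when nothing is found."""
    return ZONE.get((name, rtype))

def kdc_search_buggy(domain):
    """Shape of the lookup in the traceback: TXT gives the realm, the SRV query
    is built from the lowercased realm, and the result is joined unconditionally."""
    txt = dns_lookup("_kerberos.%s." % domain, "TXT")
    realm = txt[0] if txt else None
    kdc = dns_lookup("_kerberos._udp.%s." % realm.lower(), "SRV")
    return realm, ",".join(kdc)  # TypeError: a miss comes back as None, not a list

def kdc_search_guarded(domain):
    """Assumed hardened variant (not the upstream patch): treat a miss as data,
    also try the SRV record under the DNS domain, and never join a None."""
    txt = dns_lookup("_kerberos.%s." % domain, "TXT")
    realm = txt[0] if txt else None
    if realm is None:
        return None, None
    kdc = None
    for zone in (realm.lower(), domain):  # realm-named zone first, then the DNS domain
        kdc = dns_lookup("_kerberos._udp.%s." % zone, "SRV")
        if kdc:
            break
    return realm, (",".join(kdc) if kdc else None)

def buggy_crashes(domain):
    """True when the unguarded search raises the TypeError from the report."""
    try:
        kdc_search_buggy(domain)
    except TypeError:
        return True
    return False

if __name__ == "__main__":
    print("realm == domain crashes:", buggy_crashes("example.test"))
    print("realm != domain crashes:", buggy_crashes("testrelm.com"))
    print("guarded:", kdc_search_guarded("testrelm.com"))
```

With the realm equal to the domain the unguarded search succeeds, which is why the 6.3 testing did not hit this; only the realm/domain mismatch drives the SRV query into a non-existent zone.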