Created attachment 737236 [details] ipaserver-install.log Description of problem: ipa-server-install --setup-dns failed with [root@server ~]# ipa-server-install --setup-dns The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the FreeIPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Existing BIND configuration detected, overwrite? [no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [server.ipa.example.org]: Warning: skipping DNS resolution of host server.ipa.example.org The domain name has been determined based on the host name. Please confirm the domain name [ipa.example.org]: The server hostname resolves to more than one address: fe80::5054:ff:fef3:a8bf%eth0 2000:dead:beef:a:5054:ff:fef3:a8bf%2 192.168.100.30 Please provide the IP address to be used for this host name: 192.168.100.30 The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [IPA.EXAMPLE.ORG]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password must be at least 8 characters long Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): Do you want to configure DNS forwarders? [yes]: yes Enter the IP address of DNS forwarder to use, or press Enter to finish. Enter IP address for a DNS forwarder: 192.168.100.1 DNS forwarder 192.168.100.1 added Enter IP address for a DNS forwarder: Do you want to configure the reverse zone? [yes]: no The IPA Master Server will be configured with: Hostname: server.ipa.example.org IP address: 192.168.100.30 Domain name: ipa.example.org Realm name: IPA.EXAMPLE.ORG BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.100.1 Reverse zone: No reverse zone Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv): Estimated time 1 minute [1/36]: creating directory server user [2/36]: creating directory server instance [3/36]: adding default schema [4/36]: enabling memberof plugin [5/36]: enabling winsync plugin [6/36]: configuring replication version plugin [7/36]: enabling IPA enrollment plugin [8/36]: enabling ldapi [9/36]: configuring uniqueness plugin [10/36]: configuring uuid plugin [11/36]: configuring modrdn plugin [12/36]: configuring DNS plugin [13/36]: enabling entryUSN plugin [14/36]: configuring lockout plugin [15/36]: creating indices [16/36]: enabling referential integrity plugin [17/36]: configuring certmap.conf [18/36]: configure autobind for root [19/36]: configure new location for managed entries [20/36]: restarting directory server [21/36]: adding default layout [22/36]: adding delegation layout [23/36]: creating container for managed entries [24/36]: configuring user private groups [25/36]: configuring netgroups from hostgroups [26/36]: creating default Sudo bind user [27/36]: creating default Auto Member layout [28/36]: adding range check plugin [29/36]: creating default HBAC rule allow_all [30/36]: initializing group membership [31/36]: adding master entry [32/36]: configuring Posix uid/gid generation [33/36]: adding replication acis [34/36]: enabling compatibility plugin [35/36]: tuning directory server [36/36]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance [3/20]: disabling nonces [4/20]: creating RA agent certificate database [5/20]: importing CA chain to RA certificate database [6/20]: fixing RA database permissions [7/20]: setting up signing cert profile [8/20]: set up CRL publishing [9/20]: set certificate subject base [10/20]: enabling Subject Key Identifier [11/20]: enabling CRL and OCSP extensions for certificates [12/20]: setting audit signing renewal to 2 years [13/20]: configuring certificate server to start on boot [14/20]: restarting certificate server [15/20]: requesting RA certificate from CA [16/20]: issuing RA agent certificate Unexpected error - see /var/log/ipaserver-install.log for details: CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-FZ8Q_8 -r /ca/agent/ca/profileReview?requestId=7 server.ipa.example.org:8443' returned non-zero exit status 6 [root@server ~]# Version-Release number of selected component (if applicable): [root@server ~]# rpm -qa|grep -e ipa -e tomcat | sort freeipa-admintools-3.2.0-0.2.beta1.fc19.x86_64 freeipa-client-3.2.0-0.2.beta1.fc19.x86_64 freeipa-python-3.2.0-0.2.beta1.fc19.x86_64 freeipa-server-3.2.0-0.2.beta1.fc19.x86_64 freeipa-server-selinux-3.2.0-0.2.beta1.fc19.x86_64 libipa_hbac-1.10.0-2.fc19.alpha1.x86_64 libipa_hbac-python-1.10.0-2.fc19.alpha1.x86_64 python-iniparse-0.4-7.fc19.noarch tomcat-7.0.37-2.fc19.noarch tomcat-el-2.2-api-7.0.37-2.fc19.noarch tomcat-jsp-2.2-api-7.0.37-2.fc19.noarch tomcatjss-7.1.0-2.fc19.noarch tomcat-lib-7.0.37-2.fc19.noarch tomcat-servlet-3.0-api-7.0.37-2.fc19.noarch
Created attachment 737238 [details] catalina.out
There AVC vwere logged too during the install, but re-install in permissive mode did not help, so they probably are not related. type=USER_AVC msg=audit(1366273781.489:566): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1366274196.519:578): avc: denied { read } for pid=2546 comm="ns-slapd" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=AVC msg=audit(1366274203.995:582): avc: denied { read } for pid=2640 comm="ns-slapd" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=AVC msg=audit(1366274240.783:586): avc: denied { read } for pid=2722 comm="ns-slapd" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=AVC msg=audit(1366274246.363:589): avc: denied { read } for pid=2959 comm="java" name="hsperfdata_root" dev="tmpfs" ino=20455 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir type=AVC msg=audit(1366274246.365:590): avc: denied { write } for pid=2959 comm="java" name="hsperfdata_root" dev="tmpfs" ino=20455 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir type=AVC msg=audit(1366274328.032:592): avc: denied { read } for pid=3201 comm="java" name="hsperfdata_root" dev="tmpfs" ino=20455 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir type=AVC msg=audit(1366274328.034:593): avc: denied { write } for pid=3201 comm="java" name="hsperfdata_root" dev="tmpfs" ino=20455 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir type=AVC msg=audit(1366274329.678:595): avc: denied { read } for pid=3390 comm="java" name="hsperfdata_root" dev="tmpfs" ino=20455 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir type=AVC msg=audit(1366274329.679:596): avc: denied { write } for pid=3390 comm="java" name="hsperfdata_root" dev="tmpfs" ino=20455 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
I found that this issue is caused by dogtag Bug 859043. Keeping the FreeIPA bug as reference, I will not clone to upstream Trac yet.
The following links may be beneficial: * https://developer.mozilla.org/en-US/docs/NSPR_API_Reference (NSPR docs) * https://bugzilla.mozilla.org/query.cgi (NSPR bugs) * http://mxr.mozilla.org/nspr/ (online NSPR src viewer) * http://0pointer.de/lennart/projects/nss-myhostname/ (nsswitch.conf myhostname) In looking at the Description of Bugzilla Bug #859043, the error code returned by 'sslget' is 6 which corresponds to this call: prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); In looking at the feedback of Bugzilla Bug #859043 in Comment #3, we noticed the following: The '/etc/hosts' was re-configured to look like this: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.100.30: fi fi.lan In the documented failure case, it was noticed that family=10 (which appears to be PR_AF_INET6 which is associated with IPv6 addresses), even though the IP address (192.168.100.30) as placed into the /etc/hosts file is an IPv4 address. The error returned appears to be this one documented in '/usr/include/nspr4/prerr.h': /* Invalid function argument */ #define PR_INVALID_ARGUMENT_ERROR (-5987L) The only parameter in PR_Connect() that appears to be questionable is the 'addr' passed-in as the second argument, especially as it appears to have a mis-match between the IPv4 address and the IPv6 family. It would be helpful to know the output of 'ifconfig' and the contents of the following files: * /etc/nsswitch.conf (if different from 'hosts: files dns myhostname') * /etc/hosts (if different from above) * /etc/resolv.conf * /etc/networks * /etc/sysconfig/network * /etc/sysconfig/network-scripts/ifcfg-<interfaces output by 'ifconfig'> In the meantime, we will try to replicate this condition on one of our local machines.
(In reply to comment #4) > The following links may be beneficial: > > * https://developer.mozilla.org/en-US/docs/NSPR_API_Reference (NSPR docs) > * https://bugzilla.mozilla.org/query.cgi (NSPR bugs) > * http://mxr.mozilla.org/nspr/ (online NSPR src viewer) > * http://0pointer.de/lennart/projects/nss-myhostname/ (nsswitch.conf > myhostname) > > In looking at the Description of Bugzilla Bug #859043, the error code > returned by 'sslget' is 6 which corresponds to this call: > > prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); > > In looking at the feedback of Bugzilla Bug #859043 in Comment #3, we noticed > the following: > > The '/etc/hosts' was re-configured to look like this: > > 127.0.0.1 localhost localhost.localdomain localhost4 > localhost4.localdomain4 > ::1 localhost localhost.localdomain localhost6 > localhost6.localdomain6 > 192.168.100.30: fi fi.lan > In the documented failure case, it was noticed that family=10 (which > appears > to be PR_AF_INET6 which is associated with IPv6 addresses), even though > the IP address (192.168.100.30) as placed into the /etc/hosts file is an > IPv4 > address. > > The error returned appears to be this one documented in > '/usr/include/nspr4/prerr.h': > > /* Invalid function argument */ > #define PR_INVALID_ARGUMENT_ERROR (-5987L) > > The only parameter in PR_Connect() that appears to be questionable is the > 'addr' > passed-in as the second argument, especially as it appears to have a > mis-match > between the IPv4 address and the IPv6 family. > > It would be helpful to know the output of 'ifconfig' and the contents of > the > following files: > > * /etc/nsswitch.conf (if different from 'hosts: files dns myhostname') > * /etc/hosts (if different from above) * /etc/hostname > * /etc/resolv.conf > * /etc/networks > * /etc/sysconfig/network > * /etc/sysconfig/network-scripts/ifcfg-<interfaces output by > 'ifconfig'> > > In the meantime, we will try to replicate this condition on one of our > local machines.
Created attachment 740186 [details] Fix sslget to skip link local addresses
(In reply to comment #6) > Created attachment 740186 [details] > Fix sslget to skip link local addresses ACKed patch was committed to pki master: * commit 7ca438db07efb122bc93efd0471be7a2be34b663
(In reply to comment #7) > (In reply to comment #6) > > Created attachment 740186 [details] > > Fix sslget to skip link local addresses > > ACKed patch was committed to pki master: > * commit 7ca438db07efb122bc93efd0471be7a2be34b663 I've patched pki-core-10.0.1-2.1.fc19.src with this patch and it helped; thanks.
freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19
Appears to be fixed. I didn't see an error there: Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password
Package freeipa-3.2.0-1.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19 then log in and leave karma (feedback).
freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.