freeipa replica crashes near end of basic install

Bug #1853863 reported by Harry Coin
This bug affects 2 people
Affects: freeipa (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Just trying to see if freeipa works on Ubuntu, I installed freeipa-server on one system, then tried to install the freeipa-replica on another. The two system setup works just fine on Fedora, but I need to standardize on one distro so I'm evaluating Ubuntu hoping that Canonical doesn't push out patches without at least testing whether basic installs will or won't work. After installing the server, I found that the GUI was unusable because the font necessary to show such things as 'next' and 'back' and so on was misconfigured. Pretty big 'bug' to miss. So I put in the time to figure out a workaround and report a bug. OK. Now I go to do the basic installation of a replica. It gets near to the end of the install, then crashes with something as basic as https auth access. My hunch is some difference to do with mod_nss and mod_ssl in apache2, but that's just a guess. The debug log follows. But two 'crashes on install attempt' bugs on a major package meant to operate at the core of a large-user-count installation? How can this be trusted going forward? Is my understanding of 'release' about Ubuntu wrong, are my expectations what's wrong here?

Here's the debug log. I trimmed most of the lead which was entirely normal, no bug reports. I pick it up near the end, the whole traceback is at the very end.

2019-11-25T05:06:29Z DEBUG [4/4]: configuring ipa-custodia to start on boot
2019-11-25T05:06:29Z DEBUG Starting external process
2019-11-25T05:06:29Z DEBUG args=['/bin/systemctl', 'is-enabled', 'ipa-custodia.service']
2019-11-25T05:06:29Z DEBUG Process finished, return code=1
2019-11-25T05:06:29Z DEBUG stdout=disabled
2019-11-25T05:06:29Z DEBUG stderr=
2019-11-25T05:06:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2019-11-25T05:06:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2019-11-25T05:06:29Z DEBUG Starting external process
2019-11-25T05:06:29Z DEBUG args=['/bin/systemctl', 'disable', 'ipa-custodia.service']
2019-11-25T05:06:32Z DEBUG Process finished, return code=0
2019-11-25T05:06:33Z DEBUG stdout=
2019-11-25T05:06:33Z DEBUG stderr=
2019-11-25T05:06:33Z DEBUG step duration: ipa-custodia __enable 3.54 sec
2019-11-25T05:06:33Z DEBUG Done configuring ipa-custodia.
2019-11-25T05:06:33Z DEBUG service duration: ipa-custodia 9.01 sec
2019-11-25T05:06:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-11-25T05:06:33Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-11-25T05:06:33Z DEBUG Waiting up to 300 seconds to see our keys appear on host ldap://registry1.1.quietfountain.com
2019-11-25T05:06:34Z DEBUG Starting external process
2019-11-25T05:06:34Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmpjou8ki45', '-N', '-f', '/tmp/tmpjou8ki45/pwdfile.txt', '-@', '/tmp/tmpjou8ki45/pwdfile.txt']
2019-11-25T05:06:36Z DEBUG Process finished, return code=0
2019-11-25T05:06:36Z DEBUG stdout=
2019-11-25T05:06:36Z DEBUG stderr=
2019-11-25T05:06:36Z DEBUG Starting external process
2019-11-25T05:06:36Z DEBUG args=['/usr/sbin/selinuxenabled']
2019-11-25T05:06:36Z DEBUG Process finished, return code=1
2019-11-25T05:06:36Z DEBUG stdout=
2019-11-25T05:06:36Z DEBUG stderr=
2019-11-25T05:06:36Z DEBUG Starting external process
2019-11-25T05:06:36Z DEBUG args=['/usr/sbin/selinuxenabled']
2019-11-25T05:06:36Z DEBUG Process finished, return code=1
2019-11-25T05:06:36Z DEBUG stdout=
2019-11-25T05:06:36Z DEBUG stderr=
2019-11-25T05:06:36Z DEBUG Starting external process
2019-11-25T05:06:36Z DEBUG args=['/usr/sbin/selinuxenabled']
2019-11-25T05:06:36Z DEBUG Process finished, return code=1
2019-11-25T05:06:36Z DEBUG stdout=
2019-11-25T05:06:36Z DEBUG stderr=
2019-11-25T05:06:36Z DEBUG Starting external process
2019-11-25T05:06:36Z DEBUG args=['/usr/sbin/selinuxenabled']
2019-11-25T05:06:36Z DEBUG Process finished, return code=1
2019-11-25T05:06:36Z DEBUG stdout=
2019-11-25T05:06:36Z DEBUG stderr=
2019-11-25T05:06:36Z DEBUG Starting external process
2019-11-25T05:06:36Z DEBUG args=['/usr/sbin/selinuxenabled']
2019-11-25T05:06:36Z DEBUG Process finished, return code=1
2019-11-25T05:06:36Z DEBUG stdout=
2019-11-25T05:06:36Z DEBUG stderr=
2019-11-25T05:06:37Z DEBUG Starting new HTTPS connection (1): registry1.1.quietfountain.com:443
2019-11-25T05:06:38Z DEBUG https://registry1.1.quietfountain.com:443 "GET /ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.vVfnmgMupDM_t2QzYxhIoRZa-ElXWmt3-5OXMc99vYqwk20cIRKkQeZsUWRfdcNlF5hg0P45Q_4JnPlP5Yn7DIezA0Z-KblB9Pjgy8kGd-clCKIjeP7orXQ8sb4G9OycL76oy2k8pYMpMNwxUnyvhMYIlIR4CtVnhs7qFtXja0ndM8XSYMmZT1eKubIfjCh8lgJjDcI7Kqd-KcWyr7UqCvsFaRa5Otn545B3_lf1LN--ifL21Dqwr2uWUO9q7Tzv3Qc520xRQ68ZIDbiaAtpNN5Qdd8VeEhTiFfMn5qLKxqTnsf2BXRbTTvgSbOX4ycMxY-u_8aaxxjAQDb3WjeLZw.pb1fXA_HXjbL2R6xLlZV8A.n_iumseHFHeuUDFMz95U6uZ9YGHalYfWjsB0sfWCG_0blak4wuL88Cfr-CDf0Dtd_JyMhm-DkiLG3O541MZmnvznRdyTLiTwlneFrK1sNO_f-jlK6hiSgUTWVoBSkJiLCdnfxg6GOboOw5kGnWyxIctN1K__RDHd2UL9hjXJSA-D1DDf0QPg4z0PASWc-gP3uutBGL3vzP6UVMQBWlEvcMZGZ9mexO9PowWpfEVPkoXR5jM13Toyw5p0bp7DhejiIsWp8b6FuMJHytoknv6QqjFCkd8l7rDnaOz-Wjefr55DTyTb9UoSd40QekvavcGZsL9iq47zf7xjN07KRdkcIAkQIriHsMk8K7GhxKu6IWvbIzvTEXcFrzez2t1p2ua2XesRwWaTxKdH73zXLPgnmrHmUntcRCgLh4X_IcwXkrC2f7Rc3HV-kadDC46TrIyT4cT3mR1DtFOTGaT4MUBB39A8JxkMhJ2YsJL424pfZLYTJ5kfqGBLzaNtMeumNDuzGqhv9FBXf6_vLKvOwFu_1fijnsTgqoiJla6V1noVlv6uY-wOb1uwJ23UE9KIjHK_WXUfNv6P1PPTYeBVPijSzk6hLyWd_DVptm8DaxLVvVnrkvas4FzMAg8RB8xhq1WPOO3-DHlHTgfqTWE34Zy8uFHBPrSzoc9V5sbc3_lQwyiJaAEFCHvq5rwCQZUKq4Y4.DJQjkneZsFbJFWScoh11KW_15bvk8Ph_MNDFsujqoBE HTTP/1.1" 404 447
2019-11-25T05:06:38Z DEBUG File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 340, in run
return cfgr.run()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3/dist-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3/dist-packages/ipaserver/install/server/__init__.py", line 590, in main
replica_install(self)
File "/usr/lib/python3/dist-packages/ipaserver/install/server/replicainstall.py", line 402, in decorated
func(installer)
File "/usr/lib/python3/dist-packages/ipaserver/install/server/replicainstall.py", line 1281, in install
ca.install(False, config, options, custodia=custodia)
File "/usr/lib/python3/dist-packages/ipaserver/install/ca.py", line 270, in install
install_step_0(standalone, replica_config, options, custodia=custodia)
File "/usr/lib/python3/dist-packages/ipaserver/install/ca.py", line 308, in install_step_0
replica_config.dirman_password)
File "/usr/lib/python3/dist-packages/ipaserver/install/custodiainstance.py", line 305, in get_ca_keys
self._get_keys(cacerts_file, cacerts_pwd, data)
File "/usr/lib/python3/dist-packages/ipaserver/install/custodiainstance.py", line 271, in _get_keys
value = cli.fetch_key(os.path.join(prefix, nickname), False)
File "/usr/lib/python3/dist-packages/ipaserver/secrets/client.py", line 120, in fetch_key
r.raise_for_status()
File "/usr/lib/python3/dist-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
2019-11-25T05:06:38Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not Found for url: https://registry1.1.quietfountain.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.vVfnmgMupDM_t2QzYxhIoRZa-ElXWmt3-5OXMc99vYqwk20cIRKkQeZsUWRfdcNlF5hg0P45Q_4JnPlP5Yn7DIezA0Z-KblB9Pjgy8kGd-clCKIjeP7orXQ8sb4G9OycL76oy2k8pYMpMNwxUnyvhMYIlIR4CtVnhs7qFtXja0ndM8XSYMmZT1eKubIfjCh8lgJjDcI7Kqd-KcWyr7UqCvsFaRa5Otn545B3_lf1LN--ifL21Dqwr2uWUO9q7Tzv3Qc520xRQ68ZIDbiaAtpNN5Qdd8VeEhTiFfMn5qLKxqTnsf2BXRbTTvgSbOX4ycMxY-u_8aaxxjAQDb3WjeLZw.pb1fXA_HXjbL2R6xLlZV8A.n_iumseHFHeuUDFMz95U6uZ9YGHalYfWjsB0sfWCG_0blak4wuL88Cfr-CDf0Dtd_JyMhm-DkiLG3O541MZmnvznRdyTLiTwlneFrK1sNO_f-jlK6hiSgUTWVoBSkJiLCdnfxg6GOboOw5kGnWyxIctN1K__RDHd2UL9hjXJSA-D1DDf0QPg4z0PASWc-gP3uutBGL3vzP6UVMQBWlEvcMZGZ9mexO9PowWpfEVPkoXR5jM13Toyw5p0bp7DhejiIsWp8b6FuMJHytoknv6QqjFCkd8l7rDnaOz-Wjefr55DTyTb9UoSd40QekvavcGZsL9iq47zf7xjN07KRdkcIAkQIriHsMk8K7GhxKu6IWvbIzvTEXcFrzez2t1p2ua2XesRwWaTxKdH73zXLPgnmrHmUntcRCgLh4X_IcwXkrC2f7Rc3HV-kadDC46TrIyT4cT3mR1DtFOTGaT4MUBB39A8JxkMhJ2YsJL424pfZLYTJ5kfqGBLzaNtMeumNDuzGqhv9FBXf6_vLKvOwFu_1fijnsTgqoiJla6V1noVlv6uY-wOb1uwJ23UE9KIjHK_WXUfNv6P1PPTYeBVPijSzk6hLyWd_DVptm8DaxLVvVnrkvas4FzMAg8RB8xhq1WPOO3-DHlHTgfqTWE34Zy8uFHBPrSzoc9V5sbc3_lQwyiJaAEFCHvq5rwCQZUKq4Y4.DJQjkneZsFbJFWScoh11KW_15bvk8Ph_MNDFsujqoBE
2019-11-25T05:06:38Z ERROR 404 Client Error: Not Found for url: https://registry1.1.quietfountain.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.vVfnmgMupDM_t2QzYxhIoRZa-ElXWmt3-5OXMc99vYqwk20cIRKkQeZsUWRfdcNlF5hg0P45Q_4JnPlP5Yn7DIezA0Z-KblB9Pjgy8kGd-clCKIjeP7orXQ8sb4G9OycL76oy2k8pYMpMNwxUnyvhMYIlIR4CtVnhs7qFtXja0ndM8XSYMmZT1eKubIfjCh8lgJjDcI7Kqd-KcWyr7UqCvsFaRa5Otn545B3_lf1LN--ifL21Dqwr2uWUO9q7Tzv3Qc520xRQ68ZIDbiaAtpNN5Qdd8VeEhTiFfMn5qLKxqTnsf2BXRbTTvgSbOX4ycMxY-u_8aaxxjAQDb3WjeLZw.pb1fXA_HXjbL2R6xLlZV8A.n_iumseHFHeuUDFMz95U6uZ9YGHalYfWjsB0sfWCG_0blak4wuL88Cfr-CDf0Dtd_JyMhm-DkiLG3O541MZmnvznRdyTLiTwlneFrK1sNO_f-jlK6hiSgUTWVoBSkJiLCdnfxg6GOboOw5kGnWyxIctN1K__RDHd2UL9hjXJSA-D1DDf0QPg4z0PASWc-gP3uutBGL3vzP6UVMQBWlEvcMZGZ9mexO9PowWpfEVPkoXR5jM13Toyw5p0bp7DhejiIsWp8b6FuMJHytoknv6QqjFCkd8l7rDnaOz-Wjefr55DTyTb9UoSd40QekvavcGZsL9iq47zf7xjN07KRdkcIAkQIriHsMk8K7GhxKu6IWvbIzvTEXcFrzez2t1p2ua2XesRwWaTxKdH73zXLPgnmrHmUntcRCgLh4X_IcwXkrC2f7Rc3HV-kadDC46TrIyT4cT3mR1DtFOTGaT4MUBB39A8JxkMhJ2YsJL424pfZLYTJ5kfqGBLzaNtMeumNDuzGqhv9FBXf6_vLKvOwFu_1fijnsTgqoiJla6V1noVlv6uY-wOb1uwJ23UE9KIjHK_WXUfNv6P1PPTYeBVPijSzk6hLyWd_DVptm8DaxLVvVnrkvas4FzMAg8RB8xhq1WPOO3-DHlHTgfqTWE34Zy8uFHBPrSzoc9V5sbc3_lQwyiJaAEFCHvq5rwCQZUKq4Y4.DJQjkneZsFbJFWScoh11KW_15bvk8Ph_MNDFsujqoBE
2019-11-25T05:06:38Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: freeipa-server 4.8.1-2ubuntu1 [modified: usr/share/ipa/html/ca.crt usr/share/ipa/html/krb.con usr/share/ipa/html/krb5.ini usr/share/ipa/html/krbrealm.con]
ProcVersionSignature: Ubuntu 5.3.0-23.25-generic 5.3.7
Uname: Linux 5.3.0-23-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
Date: Mon Nov 25 09:03:43 2019
InstallationDate: Installed on 2019-11-01 (23 days ago)
InstallationMedia: Ubuntu-MATE 19.10 "Eoan Ermine" - Release amd64 (20191017)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

Harry Coin (hcoin) wrote :

Both registry1 and registry2 are 'vanilla' eoan mate vms.
Host registry1... has a working freeipa-server based on eoan installed. No other packages. It does include the dns support. registry2 is the attempt to install a replica. No other packages.

Harry Coin (hcoin) wrote :

Here's the shell script log

root@registry2:~# kinit admin
Password for admin@1.QUIETFOUNTAIN.COM:
root@registry2:~# ipa-replica-install --setup-dns --no-forwarders
WARNING: conflicting time&date synchronization service 'ntp' will
be disabled in favor of chronyd
Lookup failed: Preferred host registry2.1.quietfountain.com does not provide DNS.
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@1-QUIETFOUNTAIN-COM.service → /lib/systemd/system/dirsrv@.service.
Allocate local instance <class 'lib389.DirSrv'> with ldapi://%2fvar%2frun%2fslapd-1-QUIETFOUNTAIN-COM.socket
[2/41]: configure autobind for root
[3/41]: stopping directory server
[4/41]: updating configuration in dse.ldif
[5/41]: starting directory server
[6/41]: adding default schema
[7/41]: enabling memberof plugin
[8/41]: enabling winsync plugin
[9/41]: configure password logging
[10/41]: configuring replication version plugin
[11/41]: enabling IPA enrollment plugin
[12/41]: configuring uniqueness plugin
[13/41]: configuring uuid plugin
[14/41]: configuring modrdn plugin
[15/41]: configuring DNS plugin
[16/41]: enabling entryUSN plugin
[17/41]: configuring lockout plugin
[18/41]: configuring topology plugin
[19/41]: creating indices
[20/41]: enabling referential integrity plugin
[21/41]: configuring certmap.conf
[22/41]: configure new location for managed entries
[23/41]: configure dirsrv ccache and keytab
[24/41]: enabling SASL mapping fallback
[25/41]: restarting directory server
[26/41]: creating DS keytab
[27/41]: ignore time skew for initial replication
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 62 seconds elapsed
Update succeeded
[29/41]: prevent time skew after initial replication
[30/41]: adding sasl mappings to the directory
[31/41]: updating schema
[32/41]: setting Auto Member configuration
[33/41]: enabling S4U2Proxy delegation
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl prot...


Harry Coin (hcoin) wrote :

Of some interest, a curl of exactly the same link works (kinit admin in effect, just after failure above).
root@registry2:/tmp# curl https://registry1.1.quietfountain.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.FjcSSiXUpFmdUiDGjqSx6RqQviY_rVOkMuskX-QRUx6boPUox9KvoadV9s9odZc8slpnLF974ew-L_UQ-udd5aO2CD2m0meTVwqLymJOpnjSmD-wFIOxvWYH4lPZiZPPnN6DmGmbDc0kFI5O43eL9z3HocN3nYsTNjg-obhZuCVwNsS7xhUqthosBC8XzFadu0N4c800u13SPLAgmFBuXH3_ICMGsf3E9bGppqEo3BZWSiyBYacMSP40etk9YQaxzknWM4hCxIzH_UALuhubTvnrHswUlqpuQFfCxYAGt-RswwYCkjG1B_UJ1-YKmcSPdw7dePgvxd8aHs-CeztU-g.tXofwhux7QSRKzYBB6ek9w.UNrq-g-MfjRsJ8ZGSdPGvQjIKEw9vk4wp04bG0ZZ7AzvsRT1Tf1bwKHqcWWtC5c0FuQ6YB3j1jvObjJOjoD176S710XpGg_DucL1rvDBSCPTQTHH06QDaE_LwcUIpLZH3bjyyAh9L3yh07-6WCCYDvuHQgfkASeWb916Q7-yTyGuKxk6Tg6wf27gFQS2_q91vllv4g148DX2cREaDb60HOhdkAn3BdWuyomoT3tdwLXX2kUavc-UmUth2WWqPICBaCFXbE1pNVxOMB0cMHD43WPxBzQqQgHV7Xz7QlpyAYJmjJZj0KSu4K4AzXZzX7DPCmBkjReuJvcIOL_zOmn-E38G-ApKLdzXFpr_GFJamzKx5A2AiTzQkivnN_1mwZK65si7NM1wi-10BRQcUL3cz5u2uDxBQZHA0eN26uOHS_OFXke37zuKjqw319GQnXfw_Mlys6Cxilnc0vcjmk6vpx4gJFoQbobbtfaFgzfmYtI3sACLXJLhS8yNQgv03d3zbAaFrZHc7LLv6iKQ_w-jBFxBQf_PepLIaoeebtA1Fld0r3OqZokXAE1vaFfN0nVBAhh4sx-BD3gHpVopCZQHsoeZvKZF23xCbXQCKMAe_8rgNEtuhig2dgXY_3vL2V0xbD_7c2eNcsvutBm-9DGkGiotCOJhrUR2riXCvSIPb-Vt-G2WDg_U8z44JfyvkVHo.3nNEjhuACxacf-BrFl5aN5F0XNUbsF-plMhJ6Sbzt5c
[1] 4501
root@registry2:/tmp# <!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>IPA: Identity Policy Audit</title>
<script type="text/javascript" src="../ui/js/libs/loader.js"></script>
<script type="text/javascript">
var dojoConfig = {
baseUrl: "../ui/js",
has: {
'dojo-firebug': false,
'dojo-debug-messages': true
},
parseOnLoad: false,
async: true,
packages: [
{
name:'dojo',
location:'dojo'
},
{
name: 'freeipa',
location: 'freeipa'
}
]
};
(function() {
var icons = [
'../ui/favicon.ico'
];
var styles = [
'../ui/css/patternfly.css',
'../ui/css/ipa.css'
];
var scripts = [
'../ui/js/libs/jquery.js',
'../ui/js/libs/jquery.ordered-map.js',
'../ui/js/dojo/dojo.js'
];
ipa_loader.scripts(scripts, function() {
require([
'dojo/dom',
'freeipa/core',
'dojo/domReady!'
],
function(dom) {
var text = require('freeipa/text');
var msg = text.get('@i18n:unauthorized-page');
if (msg) {
dom.byId('unauthorized-msg').innerHTML=msg;
}
});
});
ipa_loader.styles(styles);
ipa_loader.icons(icons);
})();
</script>
</head>
<body class="info-page">
<nav class="navbar navbar-default navbar-pf" role="navigation">
<div class="navbar-header">
<a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="FreeIPA"></a>
</div>
</nav>
<div class="container-fluid">
<div class="row">
<div class="col-sm-12">
<div id="unauthorized-msg">
<noscript>
<h1>Unable to verify your Kerberos credentials</h1>
<p>
Please make sure that you have valid Kerberos tickets (obtainable via <strong>kinit</strong>), and that you have configured your browser correctly.
</p>
<h2>Browser configuration</h2>
<div id="first-time">
<p>
If this is your first time, please <a href="ssbrowser.html">configure your browser</a>.
</p>
</div>
</noscript>
</div>
</div>
</div>
</div>
</body>
</html>
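
The transcript above shows `[1] 4501` right after the curl command, which is bash reporting a background job: the URL was not quoted, so the `&` before `value=` ended the command. The following added example (not part of the bug report or of FreeIPA) splits a command line the way a POSIX shell would and reports which query parameters reach the server, decoding the JWE protected header when `value` is present; the host name is hypothetical and the token segments after the header are constructed placeholders.

```python
import base64
import json
import shlex
from urllib.parse import parse_qs, urlsplit

# Protected-header segment as it appears in the request URL in the log above.
JWE_HEADER = "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9"
# Constructed sample: the four segments after the header are placeholders.
SAMPLE_TOKEN = JWE_HEADER + ".ENCKEY.IV.CIPHERTEXT.TAG"
# Hypothetical host name standing in for the master server.
SAMPLE_URL = (
    "https://master.example.test/ipa/keys/ca/caSigningCert%20cert-pki-ca"
    "?type=kem&value=" + SAMPLE_TOKEN
)

# Simplified set of shell control operators that end a simple command.
# A quoted argument made up only of these characters is not distinguished.
CONTROL_OPERATORS = {"&", "&&", "|", "||", ";"}


def first_command(command_line):
    """Return (argv, operator) for the first simple command a shell would run."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True   # split on whitespace and on operators only
    lex.commenters = ""           # '#' can legitimately appear inside a URL
    argv = []
    for token in lex:
        if token in CONTROL_OPERATORS:
            return argv, token
        argv.append(token)
    return argv, None


def decode_jwe_header(token):
    """Decode the protected header (first segment) of a compact JWE."""
    segments = token.split(".")
    if len(segments) != 5:
        raise ValueError("a compact JWE has five dot-separated segments")
    head = segments[0]
    padded = head + "=" * (-len(head) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def request_seen_by_server(command_line):
    """Summarise the HTTP request that the first command would actually send."""
    argv, operator = first_command(command_line)
    urls = [a for a in argv[1:] if a.startswith(("http://", "https://"))]
    if not urls:
        raise ValueError("no URL argument found")
    parts = urlsplit(urls[0])
    query = parse_qs(parts.query)
    token = query.get("value", [None])[0]
    return {
        "path": parts.path,
        "backgrounded": operator == "&",
        "query_keys": sorted(query),
        "jwe_header": decode_jwe_header(token) if token else None,
    }


if __name__ == "__main__":
    for label, line in (
        ("unquoted", "curl " + SAMPLE_URL),
        ("quoted", "curl '" + SAMPLE_URL + "'"),
    ):
        print(label, request_seen_by_server(line))
```
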

Timo Aaltonen (tjaalton) wrote :

replica install is untested, not surprising to see it being broken

and freeipa is in universe and not officially supported

Harry Coin (hcoin) wrote : Re: [Bug 1853863] Re: freeipa replica crashes near end of basic install

Timo,

Thank you.  I didn't understand freeipa wasn't supported on Ubuntu.  You
can consider this matter closed, I have to move to a different distro.

On 11/25/19 2:20 PM, Timo Aaltonen wrote:
> replica install is untested, not surprising to see it being broken
>
> and freeipa is in universe and not officially supported
>

Timo Aaltonen (tjaalton) wrote :

'community' supported, by me essentially as time permits, and the next LTS isn't here yet

But yes, for critical systems probably use a distro that has official support. Or buy UA and demand it ;)

Timo Aaltonen (tjaalton) wrote :

The error here could be due to a race, where the first server isn't serving yet when the replica install tries to connect. Also, no mod_nss should be used anywhere anymore, just mod_ssl.

Harry Coin (hcoin) wrote :

I appreciate your efforts. The thing is folks who use freeipa put it in the same 'has-got-to-work' 'no-regressions' category as the kernel. While it might lack a feature or need work in this or that area, it just can't 'not install' or have some major user-facing thing like the 'here's how you change your password' UI just not work after an 'upgrade'. There are so many moving parts and subsystems in freeipa I can't imagine how one person could possibly take on keeping up with it.

FYI, I put a 30 second sleep just before the query that failed, and it failed the same way so I don't think it was a race issue.

Timo Aaltonen (tjaalton) wrote :

for the record, ipa-replica-install works fine on the debian vm's that I have set up for this (and finally had a go at replicating 4.8)

my goal is to eventually have it all tested with a CI system somewhere, and not rely just on the autopkgtests which can't run ipa-replica-install

Harry Coin (hcoin) wrote :

Good to know.  I was using ubuntu eoan.

On 11/27/19 11:18 AM, Timo Aaltonen wrote:
> for the record, ipa-replica-install works fine on the debian vm's that I
> have set up for this (and finally had a go at replicating 4.8)
>
> my goal is to eventually have it all tested with a CI system somewhere,
> and not rely just on the autopkgtests which can't run ipa-replica-
> install
>

Timo Aaltonen (tjaalton) wrote :

this is fixed in 4.8.2, I was able to reproduce it on eoan, and then installed 4.8.3 from a ppa (ppa:freeipa/staging) and ipa-replica-install succeeded

focal now has 4.8.3 so marking the bug as fixed

Changed in freeipa (Ubuntu): status: New → Fix Released

Harry Coin (hcoin) wrote :

Using the ppa, the upgrade to the primary server was successful. Then the replica install was successful, other than, at the end:
...
Restarting named
Updating DNS system records
DNS query for registry1.1.quietfountain.com. 1 failed: All nameservers failed to answer the query registry1.1.quietfountain.com. IN A: Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL; Server ::1 UDP port 53 answered SERVFAIL
DNS query for registry1.1.quietfountain.com. 1 failed: All nameservers failed to answer the query registry1.1.quietfountain.com. IN A: Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered SERVFAIL; Server 127.0.0.1 UDP port 53 answered SERVFAIL
unable to resolve host name registry1.1.quietfountain.com. to IP address, ipa-ca DNS record will be incomplete
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
DNS query for registry1.1.quietfountain.com. 1 failed: All nameservers failed to answer the query registry1.1.quietfountain.com. IN A: Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered SERVFAIL; Server 127.0.0.1 UDP port 53 answered SERVFAIL
DNS query for registry1.1.quietfountain.com. 1 failed: All nameservers failed to answer the query registry1.1.quietfountain.com. IN A: Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server ::1 UDP port 53 answered SERVFAIL; Server 127.0.0.1 UDP port 53 answered SERVFAIL
unable to resolve host name registry1.1.quietfountain.com. to IP address, ipa-ca DNS record will be incomplete
WARNING: The CA service is only installed on one server (registry1.1.quietfountain.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
The ipa-replica-install command was successful
...

The following ipa-ca-install proceeded without error.
I suggest that as ubuntu has embraced ceph, it should consider, and for the same reasons, supporting freeipa.

Timo Aaltonen (tjaalton) wrote :

I didn't have a DNS setup, so that part remains untested. Also, Fedora/Redhat is still on opendnssec 1.4.x while Debian (and Ubuntu) moved to 2.x some years ago, things like that will still have bugs.

Someone with a support contract (and probably more than one customer) should require freeipa support, doubt it will happen otherwise.
