Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 983463
Description of problem:
When you try to install an ipa replica server, it tries to contact its ipa server master with openssh-clients tools (like ssh).

Version-Release number of selected component (if applicable):

    [root@itpvsldaps002 ~]# rpm -qa | grep ipa
    ipa-admintools-3.0.0-26.el6_4.4.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
    ipa-python-3.0.0-26.el6_4.4.x86_64
    ipa-client-3.0.0-26.el6_4.4.x86_64
    ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    libipa_hbac-1.9.2-82.7.el6_4.x86_64
    python-iniparse-0.3.1-2.1.el6.noarch
    ipa-server-3.0.0-26.el6_4.4.x86_64
    [root@itpvsldaps002 ~]#

How reproducible:
1. Install ipa server master
2. Install rhel host that will become ipa replica with only @core packages (without openssh-clients installed!)
3. Install ipa-server packages on ipa replica host (but without launching ipa-server-install)
4. Launch ipa-replica-prepare on ipa master
5. Transfer gpg with sftp client and not with scp client (because scp will fail, as the ipa replica server doesn't have the scp program!)
6. Launch ipa-replica-install on ipa replica server and you get:

    # ipa-replica-install --setup-ca -p foopw -w foopw /var/lib/ipa/replica-info-XXXXX.gpg
    Run connection check to master
    Check connection from replica to remote master 'YYYYYYY':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be checked manually:
       Kerberos KDC: UDP (88): SKIPPED
       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.
    Start listening on required ports for remote master check
    Get credentials to log in to remote master
    Execute check on remote master
    Traceback (most recent call last):
      File "/usr/sbin/ipa-replica-conncheck", line 392, in <module>
        sys.exit(main())
      File "/usr/sbin/ipa-replica-conncheck", line 371, in main
        raiseonerr=False)
      File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
        close_fds=True, env=env, cwd=cwd)
      File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
        errread, errwrite)
      File "/usr/lib64/python2.6/subprocess.py", line 1228, in _execute_child
        raise child_exception
    OSError: [Errno 2] No such file or directory

    Connection check failed!
    Please fix your network settings according to error messages above.
    If the check results are not valid it can be skipped with --skip-conncheck parameter.

7. Install openssh-clients on ipa replica host
8. Re-launch ipa-replica-install and all works fine!

Steps to Reproduce:
Same as above

Actual results:
No openssh-clients dependencies when installing ipa-server packages

Expected results:
openssh-clients dependencies when installing ipa-server packages

Additional info:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=784f484cad5f823d0a56dbcaa8f71d1fef4286b9
Nathaniel, as I said at this week's meeting, I do not think that this fixes the issue. ipa-replica-conncheck runs ssh to run the other part of the connection check, see ipareplica-conncheck.log:
2013-05-23T20:55:55Z DEBUG args=ssh -v -o StrictHostKeychecking=no -o UserKnownHostsFile=/tmp/tmpP71IcA admin@vm-037.idm.lab.bos.redhat.com echo OK
As ssh is not present, ssh of course cannot be called, thus this exception. I think we need to rather update ipa-replica-conncheck to check at the beginning to see if ssh is installed, if not, report "WARNING: cannot proceed with connection check due to missing ssh command" (or similar) and return.
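An added example, not FreeIPA's code or the patch submitted for this ticket: one way to do the pre-flight check suggested above, written for Python 3. The names `remote_check`, `SSH_MISSING`, the status strings, the `search_path` parameter and the use of `BatchMode=yes` are assumptions made for illustration.

```python
# Added illustration (Python 3); all names are hypothetical, not FreeIPA's.
import errno
import shutil
import subprocess

SSH_MISSING = ("WARNING: cannot proceed with connection check "
               "due to missing ssh command")


def remote_check(host, user="admin", search_path=None):
    """Run `echo OK` on the master over ssh.

    Returns (status, message) where status is 'ok', 'skipped' or 'failed'.
    search_path overrides PATH for the lookup (None means use PATH).
    """
    # Resolve the client up front so a missing binary becomes a clear
    # warning instead of an OSError traceback out of subprocess.
    ssh = shutil.which("ssh", path=search_path)
    if ssh is None:
        return "skipped", SSH_MISSING

    # BatchMode=yes makes ssh fail instead of prompting when run unattended.
    args = [ssh, "-o", "BatchMode=yes", "%s@%s" % (user, host), "echo", "OK"]
    try:
        proc = subprocess.run(args, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)
    except OSError as e:
        # The binary can disappear or lose its exec bit between the
        # lookup and the exec; treat that the same as "not installed".
        if e.errno in (errno.ENOENT, errno.EACCES):
            return "skipped", SSH_MISSING
        raise

    if proc.returncode != 0:
        return "failed", proc.stderr.decode(errors="replace").strip()
    return "ok", proc.stdout.decode(errors="replace").strip()


if __name__ == "__main__":
    # Constructed input: a lookup path with no ssh in it, standing in for
    # a replica host installed from @core without openssh-clients.
    print(remote_check("master.example.test", search_path="/nonexistent-dir"))
```

A caller can treat `skipped` as a warning and continue, while `failed` keeps the existing "Connection check failed!" behaviour.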
Any update on this one?
Nathaniel, what is current status with this ticket?
Untested patch submitted to the list. Either someone can test it, or I will test it when I get back from Flock.
Moving all non-critical bugs to 3.3.x bug fixing bucket (FreeIPA 3.3 final was released).
master: fb95f37
ipa-3-3: 44d6c85
Metadata Update from @rcritten: - Issue assigned to npmccallum - Issue set to the milestone: FreeIPA 3.3.x - 2013/08 (bug fixing)