Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 983075
Created attachment 771587
log files

Description of problem:
IPA Server installation with --subject parameter other than default realm fails on RHEL 7.0. Earlier on RHEL 6.4, it was successful.

Version-Release number of selected component (if applicable):
[root@rhel70-ipa-master ~]# rpm -q ipa-server pki-base
ipa-server-3.2.1-1.el7.x86_64
pki-base-10.0.3-2.el7.noarch
[root@rhel70-ipa-master ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA with --subject other than default realm

Actual results:
Installation failed.

[root@rhel70-ipa-master ~]# ipa-server-install --setup-dns --forwarder=10.65.201.89 -r TESTRELM.COM -p xxxxxxx -P xxxxxxx -a xxxxxxx --subject=O=CUPCAKE -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host rhel70-ipa-master.testrelm.com
The domain name has been determined based on the host name.

Using reverse zone 207.65.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel70-ipa-master.testrelm.com
IP address:    10.65.207.14
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.65.201.89
Reverse zone:  207.65.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).

Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: configuring uniqueness plugin
  [10/37]: configuring uuid plugin
  [11/37]: configuring modrdn plugin
  [12/37]: configuring DNS plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: creating indices
  [16/37]: enabling referential integrity plugin
  [17/37]: configuring certmap.conf
  [18/37]: configure autobind for root
  [19/37]: configure new location for managed entries
  [20/37]: configure dirsrv ccache
  [21/37]: restarting directory server
  [22/37]: adding default layout
  [23/37]: adding delegation layout
  [24/37]: creating container for managed entries
  [25/37]: configuring user private groups
  [26/37]: configuring netgroups from hostgroups
  [27/37]: creating default Sudo bind user
  [28/37]: creating default Auto Member layout
  [29/37]: adding range check plugin
  [30/37]: creating default HBAC rule allow_all
  [31/37]: initializing group membership
  [32/37]: adding master entry
  [33/37]: configuring Posix uid/gid generation
  [34/37]: adding replication acis
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).

Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating RA agent certificate database
  [5/20]: importing CA chain to RA certificate database
  [6/20]: fixing RA database permissions
  [7/20]: setting up signing cert profile
  [8/20]: set up CRL publishing
  [9/20]: set certificate subject base
  [10/20]: enabling Subject Key Identifier
  [11/20]: enabling CRL and OCSP extensions for certificates
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
  [17/20]: adding RA agent as a trusted user
  [18/20]: configure certificate renewals
  [19/20]: configure Server-Cert certificate renewal
  [20/20]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).

Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).

Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.

Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.

Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.

Configuring the web interface (httpd): Estimated time 31 minutes
  [1/15]: disabling mod_ssl in httpd
  [2/15]: setting mod_nss port to 443
  [3/15]: setting mod_nss password file
  [4/15]: enabling mod_nss renegotiate
  [5/15]: adding URL rewriting rules
  [6/15]: configuring httpd
  [7/15]: setting up ssl

Unexpected error - see /var/log/ipaserver-install.log for details:
CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
[root@rhel70-ipa-master ~]#

Expected results:
Installation should be successful.

Additional info:
1. Please find the attached tar, which contains the following log files: ipaserver-install.log, ca's debug log and dirsrv's errors log
2.
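Added here as a triage aid, not part of this ticket or of FreeIPA: a small parser for the ipa-server-install console format quoted above that reports which component and step were running when the run stopped, plus the exception printed after the "Unexpected error" line. The sample input is a constructed excerpt of the output in this report.

```python
import re

# Constructed sample input: an excerpt of the ipa-server-install console
# output quoted in this ticket, trimmed to the lines that matter for triage.
SAMPLE_OUTPUT = """\
Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds
  [1/20]: creating certificate server user
  [20/20]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/15]: disabling mod_ssl in httpd
  [6/15]: configuring httpd
  [7/15]: setting up ssl
Unexpected error - see /var/log/ipaserver-install.log for details:
CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
"""

COMPONENT_RE = re.compile(r"^Configuring (.+?)(?::.*)?$")  # "Configuring X[: Estimated time ...]"
STEP_RE = re.compile(r"^\s*\[(\d+)/(\d+)\]:\s*(.+?)\s*$")   # "  [7/15]: setting up ssl"
ERROR_RE = re.compile(r"^Unexpected error\b")


def locate_failure(output):
    """Return where ipa-server-install stopped, or None if no error line is present.

    The result names the component being configured, the (step, total, name)
    that was running when the error appeared, and the exception text that
    the installer prints on the line after "Unexpected error".
    """
    component = None
    step = None
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = COMPONENT_RE.match(line)
        if m:
            component, step = m.group(1), None
            continue
        if line.startswith("Done configuring"):
            component, step = None, None   # component finished cleanly
            continue
        m = STEP_RE.match(line)
        if m:
            step = (int(m.group(1)), int(m.group(2)), m.group(3))
            continue
        if ERROR_RE.match(line):
            detail = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
            return {"component": component, "step": step, "error": detail}
    return None


if __name__ == "__main__":
    print(locate_failure(SAMPLE_OUTPUT))
```

For the output in this report the result points at step 7/15 ("setting up ssl") of the httpd component with a CMS error, i.e. the failing call went to the Dogtag CA, which is why the CA debug log attached to the ticket is the next place to look.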
Moving all non-critical bugs to 3.3.x bug fixing bucket (FreeIPA 3.3 final was released).
master: da2605c
ipa-3-3: bc1ac9f

Metadata Update from @rcritten:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 3.3.x - 2013/08 (bug fixing)