#3783 ipa-server-install fails if --subject parameter is other than default realm.
Closed: Fixed None Opened 7 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 983075

Created attachment 771587
log files

Description of problem:
IPA Server installation with a --subject parameter other than the default realm fails
on RHEL 7.0. Earlier, on RHEL 6.4, it was successful.

Version-Release number of selected component (if applicable):

[root@rhel70-ipa-master ~]# rpm -q ipa-server pki-base
[root@rhel70-ipa-master ~]#

How reproducible:

Steps to Reproduce:
1. Install IPA with a --subject other than the default realm

Actual results:
Installation failed.

[root@rhel70-ipa-master ~]# ipa-server-install --setup-dns
--forwarder=  -r TESTRELM.COM -p xxxxxxx -P xxxxxxx -a xxxxxxx
--subject=O=CUPCAKE -U

The log file for this installation can be found in
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host rhel70-ipa-master.testrelm.com
The domain name has been determined based on the host name.

Using reverse zone 207.65.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel70-ipa-master.testrelm.com
IP address:
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Reverse zone:  207.65.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: configuring uniqueness plugin
  [10/37]: configuring uuid plugin
  [11/37]: configuring modrdn plugin
  [12/37]: configuring DNS plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: creating indices
  [16/37]: enabling referential integrity plugin
  [17/37]: configuring certmap.conf
  [18/37]: configure autobind for root
  [19/37]: configure new location for managed entries
  [20/37]: configure dirsrv ccache
  [21/37]: restarting directory server
  [22/37]: adding default layout
  [23/37]: adding delegation layout
  [24/37]: creating container for managed entries
  [25/37]: configuring user private groups
  [26/37]: configuring netgroups from hostgroups
  [27/37]: creating default Sudo bind user
  [28/37]: creating default Auto Member layout
  [29/37]: adding range check plugin
  [30/37]: creating default HBAC rule allow_all
  [31/37]: initializing group membership
  [32/37]: adding master entry
  [33/37]: configuring Posix uid/gid generation
  [34/37]: adding replication acis
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating RA agent certificate database
  [5/20]: importing CA chain to RA certificate database
  [6/20]: fixing RA database permissions
  [7/20]: setting up signing cert profile
  [8/20]: set up CRL publishing
  [9/20]: set certificate subject base
  [10/20]: enabling Subject Key Identifier
  [11/20]: enabling CRL and OCSP extensions for certificates
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
  [17/20]: adding RA agent as a trusted user
  [18/20]: configure certificate renewals
  [19/20]: configure Server-Cert certificate renewal
  [20/20]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/15]: disabling mod_ssl in httpd
  [2/15]: setting mod_nss port to 443
  [3/15]: setting mod_nss password file
  [4/15]: enabling mod_nss renegotiate
  [5/15]: adding URL rewriting rules
  [6/15]: configuring httpd
  [7/15]: setting up ssl
Unexpected error - see /var/log/ipaserver-install.log for details:
CertificateOperationError: Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)
[root@rhel70-ipa-master ~]#

Expected results:
Installation should be successful.

Additional info:
1. Please find the attached tar, which contains the following log files:
   ipaserver-install.log, the CA's debug log and dirsrv's errors log.

Moving all non-critical bugs to 3.3.x bug fixing bucket (FreeIPA 3.3 final was released).

Metadata Update from @rcritten:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 3.3.x - 2013/08 (bug fixing)

4 years ago
