How to reproduce:
1. install master
2. install kra on master
3. ipa-replica-prepare
4. install replica (without CA)
5. ipa-ca-install
6. ipa-kra-install
Result of ipa-kra-install on replica:
# ipa-kra-install /root/ipatests/replica-info.gpg -p Secret123 -U
===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/7]: configuring KRA instance
  [2/7]: restarting KRA
  [3/7]: configure certmonger for renewals
  [4/7]: configure certificate renewals
  [5/7]: configure HTTP to proxy connections
  [6/7]: add vault container
  [7/7]: apply LDAP updates
Failed to load vault.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpcuO7cy' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp74Y4AY'' returned non-zero exit status 68
Done configuring KRA server (pki-tomcatd).
Restarting the directory and KRA servers
Restarting the directory server
The ipa-kra-install command was successful
It blows up at adding KRA container:
2015-10-06T19:39:40Z DEBUG   [6/7]: add vault container
2015-10-06T19:39:40Z DEBUG Starting external process
2015-10-06T19:39:40Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpZM0et9' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpq0gJZ0'
2015-10-06T19:39:40Z DEBUG Process finished, return code=68
2015-10-06T19:39:40Z DEBUG stdout=add objectClass:
        top
        nsContainer
add cn:
        kra
adding new entry "cn=kra,dc=ipa,dc=test"

2015-10-06T19:39:40Z DEBUG stderr=ldap_initialize( ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket/??base )
ldap_add: Already exists (68)

2015-10-06T19:39:40Z CRITICAL Failed to load vault.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpZM0et9' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpq0gJZ0'' returned non-zero exit status 68
2015-10-06T19:39:40Z DEBUG   duration: 0 seconds
This is caused by ipa-kra-install trying to add the container unconditionally, even if the container already exists (it resides in the replicated part of the tree). The fix is to add the container only if it does not exist.
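As an added illustration of the fix described above (not FreeIPA's own code), the function below adds the vault container entry idempotently: it treats LDAP result code 68 (the "Already exists" that ldapmodify exited with on the replica) as success and re-raises anything else. Catching the error is preferable to a search-then-add, because on a replicated tree the entry can arrive between the search and the add. The directory connection is a constructed in-memory stand-in, not python-ldap, so the example runs without a 389-ds instance.

```python
"""Idempotent creation of an LDAP container (constructed example)."""

LDAP_ALREADY_EXISTS = 68  # LDAP result code "entryAlreadyExists"


class LDAPError(Exception):
    """Carries the numeric LDAP result code, like ldap_add's exit status."""

    def __init__(self, code, msg):
        super().__init__(f"{msg} ({code})")
        self.code = code


class FakeDirectory:
    """In-memory stand-in for a directory server connection (hypothetical).

    `entries` maps DN -> attribute dict. DNs compare case-insensitively,
    as they do in a real directory.
    """

    def __init__(self, entries=None):
        self.entries = {dn.lower(): dict(attrs)
                        for dn, attrs in (entries or {}).items()}

    def add(self, dn, attrs):
        if dn.lower() in self.entries:
            raise LDAPError(LDAP_ALREADY_EXISTS, "Already exists")
        self.entries[dn.lower()] = dict(attrs)


def ensure_container(conn, dn):
    """Add an nsContainer entry for `dn`, tolerating a pre-existing one.

    Returns "added" when the entry was created and "exists" when the
    directory already had it (e.g. replicated from the master). Any other
    LDAP error still propagates, so a genuine failure aborts the install.
    """
    rdn = dn.split(",", 1)[0]          # e.g. "cn=kra"
    attr, value = rdn.split("=", 1)
    attrs = {"objectClass": ["top", "nsContainer"], attr: [value]}
    try:
        conn.add(dn, attrs)
        return "added"
    except LDAPError as e:
        if e.code == LDAP_ALREADY_EXISTS:
            return "exists"
        raise
```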
FreeIPA 4.2.3 was released, moving to next bug fixing milestone.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283430
master:
ipa-4-2:
Metadata Update from @mbasti:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2.4