#5705 When user selects to configure integrated DNS, installer asks a bunch of unrelated questions before complaining about missing freeipa-server-dns
Opened 3 years ago by adelton. Modified 3 months ago

Running ipa-server-install, the very first question is

Do you want to configure integrated DNS (BIND)? [no]: yes

The installer then continues to ask various questions including Directory Manager and admin password, to only then say

ipa.ipapython.install.cli.install_tool(Server): ERROR    Integrated DNS requires 'freeipa-server-dns' package

It seems fairly user-unfriendly to ask about something and only fail based on the answer much later.

The whole interaction was:

# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.example.com]:

Warning: skipping DNS resolution of host ipa.example.com
The domain name has been determined based on the host name.

Please confirm the domain name [example.com]: example.test

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.TEST]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm):

ipa.ipapython.install.cli.install_tool(Server): ERROR    Integrated DNS requires 'freeipa-server-dns' package

When compared to freeipa-server-4.1.4-4.fc22.x86_64, this is a regression since there, the error was shown immediately:

# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

BIND was not found on this system
Please install the 'bind-pkcs11' package and start the installation again
The BIND LDAP plug-in was not found on this system
Please install the 'bind-dyndb-ldap' package and start the installation again
Aborting installation

This change of behavior is bad. Unfortunately the fix is not straightforward. Given that this is not a day-to-day operation for most admins, and there are more important issues to fix, the fix will be postponed.

This is still broken in FreeIPA 4.4.0 - exactly as above.

I'm not sure why it is thought that this is not a major bug since DNS is required for everything else to work.

Is there a workaround?

Metadata Update from @adelton:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

2 years ago

Additionally, it might be nice to have IPA prompt to install the missing package - since it already knows what it's called...

It's a trivial fix. Just copy the check from ipaserver.install.dns.install_check to ipaserver.install.server.install right next to the comment # check bind packages are installed.

Metadata Update from @cheimes:
- Issue close_status updated to: None
- Issue tagged with: easyfix

3 months ago
