Replica installation on domain level 0 fails on adding dogtag principal.
389-ds-base x86_64 1.3.5.6-1.fc24
krb5-pkinit x86_64 1.14.1-6.fc24
krb5-server x86_64 1.14.1-6.fc24
krb5-workstation x86_64 1.14.1-6.fc24
pki-base noarch 10.3.2-4.fc24
2016-06-16T08:17:16Z INFO [Set up lightweight CA key retrieval]
2016-06-16T08:17:16Z INFO Creating principal
2016-06-16T08:17:16Z DEBUG Starting external process
2016-06-16T08:17:16Z DEBUG args=kadmin.local -q addprinc -randkey dogtag/vm-058-211.testdomain.com@DOM-191.TESTDOMAIN.COM -x ipa-setup-override-restrictions
2016-06-16T08:17:16Z DEBUG Process finished, return code=1
2016-06-16T08:17:16Z DEBUG stdout=
2016-06-16T08:17:16Z DEBUG stderr=kadmin.local: unable to get default realm
2016-06-16T08:17:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1649, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 365, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 801, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 119, in install
    install_step_1(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install_step_1
    ca.setup_lightweight_ca_key_retrieval()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1378, in setup_lightweight_ca_key_retrieval
    self.__setup_lightweight_ca_key_retrieval_kerberos()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1400, in __setup_lightweight_ca_key_retrieval_kerberos
    installutils.kadmin_addprinc(principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 434, in kadmin_addprinc
    kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 431, in kadmin
    "-x", "ipa-setup-override-restrictions"])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 466, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
2016-06-16T08:17:16Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command 'kadmin.local -q addprinc -randkey dogtag/vm-058-211.testdomain.com@DOM-191.TESTDOMAIN.COM -x ipa-setup-override-restrictions' returned non-zero exit status 1
2016-06-16T08:17:16Z ERROR Command 'kadmin.local -q addprinc -randkey dogtag/vm-058-211.testdomain.com@DOM-191.TESTDOMAIN.COM -x ipa-setup-override-restrictions' returned non-zero exit status 1
2016-06-16T08:17:16Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
The problem lies in the fact that the self.__setup_lightweight_ca_key_retrieval_kerberos method creates the service principal via the kadmin.local interface, which works on the first master and on a domain level 1 replica (because we actually have a local kadmin server set up to talk to).
It will, however, not work on domain level 0 replica because kadmin server is not yet set up, hence the crash.
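The failing step can be pulled out of an install log like the one above mechanically. The following is an added example, not part of the original ticket or of FreeIPA's code: it scans log text for external processes that exited non-zero and flags kadmin.local calls, which per the explanation above need a local kadmin server. The names `failed_commands` and `local_kadmin` are hypothetical, and the sample log is constructed from the ticket's entries plus a made-up successful `/usr/bin/true` call.

```python
import re

# One log entry per line: "<UTC timestamp> <LEVEL> <message>".
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ([A-Z]+) (.*)$")

# Constructed sample: the failing entries from the ticket plus a made-up success.
SAMPLE_LOG = """\
2016-06-16T08:17:15Z DEBUG Starting external process
2016-06-16T08:17:15Z DEBUG args=/usr/bin/true
2016-06-16T08:17:15Z DEBUG Process finished, return code=0
2016-06-16T08:17:15Z DEBUG stdout=
2016-06-16T08:17:15Z DEBUG stderr=
2016-06-16T08:17:16Z INFO Creating principal
2016-06-16T08:17:16Z DEBUG Starting external process
2016-06-16T08:17:16Z DEBUG args=kadmin.local -q addprinc -randkey dogtag/vm-058-211.testdomain.com@DOM-191.TESTDOMAIN.COM -x ipa-setup-override-restrictions
2016-06-16T08:17:16Z DEBUG Process finished, return code=1
2016-06-16T08:17:16Z DEBUG stdout=
2016-06-16T08:17:16Z DEBUG stderr=kadmin.local: unable to get default realm
"""

def failed_commands(log_text):
    """Return a dict for every external process that exited non-zero."""
    failures, cur, field = [], None, None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            # Continuation of a multi-line stdout/stderr value.
            if cur is not None and field is not None:
                cur[field] += "\n" + line
            continue
        ts, _level, msg = m.groups()
        field = None
        if msg.startswith("args="):
            cur = {"time": ts, "args": msg[5:], "rc": None, "stdout": "",
                   "stderr": "", "local_kadmin": msg[5:].startswith("kadmin.local")}
        elif cur is None:
            continue
        elif msg.startswith("Process finished, return code="):
            cur["rc"] = int(msg.rsplit("=", 1)[1])
        elif msg.startswith("stdout="):
            cur["stdout"], field = msg[7:], "stdout"
        elif msg.startswith("stderr="):
            cur["stderr"], field = msg[7:], "stderr"
            if cur["rc"]:
                failures.append(cur)
    return failures

if __name__ == "__main__":
    for f in failed_commands(SAMPLE_LOG):
        print(f["time"], "rc=%d" % f["rc"], f["args"], "->", f["stderr"])
```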
Taking ownership
There are a few issues with replica installation on domain level 0, in addition to the immediate issue with kadmin.
I'm working through them; hopefully get a patch out before weekend.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1200731 (Red Hat Enterprise Linux 7)
master:
Metadata Update from @mkubik: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4