When installing a 4.4 replica against an upgraded master I have observed the following error during CA installation:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: creating certificate server db
  [3/24]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
  [4/24]: creating installation admin user
  [5/24]: setting up certificate server
  [6/24]: stopping instance to update CS.cfg
  [7/24]: backing up CS.cfg
  [8/24]: disabling nonces
  [9/24]: set up CRL publishing
  [10/24]: enable PKIX certificate path discovery and validation
  [11/24]: set up client auth to db
  [12/24]: destroying installation admin user
  [13/24]: starting instance
  [14/24]: importing CA chain to RA certificate database
  [15/24]: fixing RA database permissions
  [16/24]: setting up signing cert profile
  [17/24]: setting audit signing renewal to 2 years
  [18/24]: configure certificate renewals
  [19/24]: configure Server-Cert certificate renewal
  [20/24]: Configure HTTP to proxy connections
  [21/24]: updating IPA configuration
  [22/24]: Restart HTTP server to pick up changes
  [23/24]: enabling CA instance
  [24/24]: Updating DNS CA records
  [error] CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
The following traceback can be seen in the error log:
2016-09-06T08:55:45Z DEBUG   [24/24]: Updating DNS CA records
2016-09-06T08:55:45Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket from SchemaCache
2016-09-06T08:55:45Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2ff48fad40>
2016-09-06T08:55:46Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-09-06T08:55:46Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-09-06T08:55:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1299, in __update_ca_records
    bind.add_ipa_ca_dns_records(api.env.host, api.env.domain)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 1086, in add_ipa_ca_dns_records
    self.api.Backend.ldap2.connect(autobind=True)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 185, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
Indeed, there are no tickets in the credential cache:
[root@replica1 ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
This is probably caused by flawed heuristics in the create_connection method; when autobind=True is passed to ldap2.connect(), the code still tries to perform a GSSAPI bind even if the user is root and the local directory server instance is listening on an LDAPI socket.
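To make the ordering problem described above concrete, here is an added Python model of the bind decision. It is a hypothetical illustration, not FreeIPA's ldap2 backend: the ConnectContext, can_autobind, choose_bind_buggy, choose_bind_fixed and ccache_principal_from_klist names are assumptions, and the klist outputs are constructed samples. The buggy variant consults the credential cache before checking whether autobind over LDAPI as root is possible, which is exactly the failure mode the traceback shows; the fixed variant checks autobind eligibility first and only requires a populated credential cache when a GSSAPI bind is actually going to be attempted.

```python
"""Hypothetical model of the ldap2.connect(autobind=True) decision.

Added example; not FreeIPA code. It shows why checking the Kerberos
credential cache before deciding on SASL EXTERNAL (LDAPI autobind as
root) raises CCacheError even though no Kerberos ticket is needed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


class CCacheError(Exception):
    """Stands in for ipalib.errors.CCacheError."""


@dataclass
class ConnectContext:
    uri: str                          # e.g. ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket
    euid: int                         # effective uid of the installer process
    ccache_principal: Optional[str]   # principal in the ccache, None if empty
    autobind: bool                    # caller asked for autobind


def can_autobind(ctx: ConnectContext) -> bool:
    """Autobind (SASL EXTERNAL over the LDAPI socket) only works for a
    local root process talking to the local directory server."""
    return ctx.autobind and ctx.euid == 0 and ctx.uri.startswith("ldapi://")


def choose_bind_buggy(ctx: ConnectContext) -> Tuple[str, Optional[str]]:
    """Ordering that reproduces the report: the credential cache is read
    unconditionally, so an empty ccache aborts before autobind is tried."""
    if ctx.ccache_principal is None:
        raise CCacheError("Credential cache is empty")
    if can_autobind(ctx):
        return ("EXTERNAL", None)
    return ("GSSAPI", ctx.ccache_principal)


def choose_bind_fixed(ctx: ConnectContext) -> Tuple[str, Optional[str]]:
    """Decide autobind first; a credential cache is only required on the
    GSSAPI path, which is the only path that uses Kerberos tickets."""
    if can_autobind(ctx):
        return ("EXTERNAL", None)
    if ctx.ccache_principal is None:
        raise CCacheError("Credential cache is empty")
    return ("GSSAPI", ctx.ccache_principal)


def ccache_principal_from_klist(output: str) -> Optional[str]:
    """Extract the default principal from `klist` output; None when the
    cache is missing or empty (e.g. the keyring 'not found' message)."""
    for line in output.splitlines():
        if line.startswith("Default principal:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample outputs for the two states seen during installation.
KLIST_EMPTY = "klist: Credentials cache keyring 'persistent:0:0' not found\n"
KLIST_ADMIN = (
    "Ticket cache: KEYRING:persistent:0:0\n"
    "Default principal: admin@IPA.TEST\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "09/06/2016 08:50:00  09/07/2016 08:50:00  krbtgt/IPA.TEST@IPA.TEST\n"
)

LDAPI_URI = "ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket"


def demo() -> dict:
    """Run both variants against the 'root, LDAPI, empty ccache' state."""
    ctx = ConnectContext(LDAPI_URI, 0, ccache_principal_from_klist(KLIST_EMPTY), True)
    result = {"fixed": choose_bind_fixed(ctx)}
    try:
        result["buggy"] = choose_bind_buggy(ctx)
    except CCacheError as e:
        result["buggy"] = ("error", str(e))
    return result


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant}: {outcome}")
```

Running the block prints the fixed variant binding with EXTERNAL while the buggy variant reports "Credential cache is empty", matching the installer error; a non-root or non-LDAPI context falls through to GSSAPI in both variants and then legitimately needs a ticket.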
Steps to reproduce:
1.) install 4.4 master or upgrade from 4.3.x master in domain level 1
2.) run ipa-replica-install -P admin -w <admin_password> --setup-ca
Expected outcome:
A replica w/ CA should be installed successfully
Actual outcome:
The installation crashes on the error described above
Closing as invalid, was caused by incorrect environment setup.
Reopening as the issue was reproduced on FreeIPA 4.3.2:
1.) set up IPA master
2.) on a wannabe replica, run ipa-replica-install -U --setup-ca --setup-dns --forwarder=<forwarder_ip> -P admin -w Secret123
Expected result:
Replica installation finished successfully
Actual results:
Replica fails with the aforementioned error.
Note that the combination of --setup-dns and --setup-ca is needed to trigger the bug.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1373883 (Fedora)
The fix is needed only for the ipa-4-3 branch; ipa-4-4 and master are unaffected due to the DNS record generation refactoring done as part of #2008.
After more thorough investigation of the issue we decided that the fix is non-trivial to implement and the risk of it causing additional regression is high. Since the issue is fixed in FreeIPA 4.4.x and there is a clearly documented workaround procedure (see the following comment in linked Fedora BZ) closing as wontfix.
Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3.3