#6299 ipa-replica-install --setup-ca --setup-dns crashes on CCacheError
Closed: Invalid. Opened 7 years ago by mbabinsk.

When installing 4.4 replica against upgraded master I have observed the following error during CA installation:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: creating certificate server db
  [3/24]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [4/24]: creating installation admin user
  [5/24]: setting up certificate server
  [6/24]: stopping instance to update CS.cfg
  [7/24]: backing up CS.cfg
  [8/24]: disabling nonces
  [9/24]: set up CRL publishing
  [10/24]: enable PKIX certificate path discovery and validation
  [11/24]: set up client auth to db
  [12/24]: destroying installation admin user
  [13/24]: starting instance
  [14/24]: importing CA chain to RA certificate database
  [15/24]: fixing RA database permissions
  [16/24]: setting up signing cert profile
  [17/24]: setting audit signing renewal to 2 years
  [18/24]: configure certificate renewals
  [19/24]: configure Server-Cert certificate renewal
  [20/24]: Configure HTTP to proxy connections
  [21/24]: updating IPA configuration
  [22/24]: Restart HTTP server to pick up changes
  [23/24]: enabling CA instance
  [24/24]: Updating DNS CA records
  [error] CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756044): Credential cache is empty
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756044): Credential cache is empty
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

The following traceback can be seen in error log:

2016-09-06T08:55:45Z DEBUG   [24/24]: Updating DNS CA records
2016-09-06T08:55:45Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket from SchemaCache
2016-09-06T08:55:45Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2ff48fad40>
2016-09-06T08:55:46Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-09-06T08:55:46Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-09-06T08:55:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1299, in __update_ca_records
    bind.add_ipa_ca_dns_records(api.env.host, api.env.domain)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 1086, in add_ipa_ca_dns_records
    self.api.Backend.ldap2.connect(autobind=True)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 199, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 185, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756044): Credential cache is empty

Indeed, there are no tickets in the credential cache:

[root@replica1 ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found

This is probably caused by flawed heuristics in create_connection method; when autobind=True is passed to ldap2.connect(), the code still tries to perform GSSAPI bind even if the user is root and local directory server instance is listening on LDAPI socket.

Steps to reproduce:

1.) install 4.4 master or upgrade from 4.3.x master in domain level 1
2.) run ipa-replica-install -P admin -w <admin_password> --setup-ca

Expected outcome:

A replica w/ CA should be installed successfully

Actual outcome:

The installation crashes on the error described above
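As an added illustration (not FreeIPA's own code) of the heuristic flaw described in the report: a root process on the local LDAPI socket can autobind with SASL EXTERNAL and needs no Kerberos ticket, but if the credential cache is read first, an empty cache raises CCacheError before autobind is even considered. The names BindContext, choose_bind_flawed, choose_bind_fixed and outcome are hypothetical.

```python
"""Model of bind-method selection for an IPA installer connecting to
the local directory server. Added example; the names are hypothetical
and this is not the code in ipaserver/plugins/ldap2.py."""
from dataclasses import dataclass


class CCacheError(Exception):
    """Stand-in for ipalib.errors.CCacheError."""


@dataclass(frozen=True)
class BindContext:
    uri: str                  # e.g. ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket
    euid: int                 # effective uid of the installer process
    autobind: bool            # caller passed autobind=True
    ccache_has_tickets: bool  # whether klist would show a TGT


def _is_local_ldapi(uri: str) -> bool:
    return uri.startswith("ldapi://")


def choose_bind_flawed(ctx: BindContext) -> str:
    # Reads the principal from the credential cache first, so an empty
    # cache aborts the connection before autobind is considered. This is
    # the ordering the ticket describes: root on LDAPI still fails.
    if not ctx.ccache_has_tickets:
        raise CCacheError("Credential cache is empty")
    if ctx.autobind and ctx.euid == 0 and _is_local_ldapi(ctx.uri):
        return "EXTERNAL"
    return "GSSAPI"


def choose_bind_fixed(ctx: BindContext) -> str:
    # Prefer SASL EXTERNAL over LDAPI when running as root on the local
    # socket: the peer uid is mapped by the directory server's autobind
    # configuration, so no Kerberos ticket is needed. Only fall back to
    # GSSAPI (and only then require a ticket) when autobind cannot apply.
    if ctx.autobind and ctx.euid == 0 and _is_local_ldapi(ctx.uri):
        return "EXTERNAL"
    if not ctx.ccache_has_tickets:
        raise CCacheError("Credential cache is empty")
    return "GSSAPI"


def outcome(strategy, ctx: BindContext) -> str:
    """Return the chosen SASL mechanism, or the name of the raised error."""
    try:
        return strategy(ctx)
    except CCacheError as exc:
        return type(exc).__name__
```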


Closing as invalid, was caused by incorrect environment setup.

Reopening as the issue was reproduced on FreeIPA 4.3.2:

1.) set up IPA master

2.) on a wannabe replica, run ipa-replica-install -U --setup-ca --setup-dns --forwarder=<forwarder_ip> -P admin -w Secret123

Expected result:

Replica installation finished successfully

Actual results:

Replica fails with the aforementioned error.

Note that the combination of --setup-dns and --setup-ca is needed to trigger the bug.

The fix is needed only for ipa-4-3 branch, ipa-4-4 and master are unaffected due to DNS record generation refactoring done as a part of #2008

After more thorough investigation of the issue we decided that the fix is non-trivial to implement and the risk of it causing additional regression is high. Since the issue is fixed in FreeIPA 4.4.x and there is a clearly documented workaround procedure (see the following comment in linked Fedora BZ) closing as wontfix.

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3.3
