#7005 ipa-server-install fails while configuring Kerberos KDC
Closed: duplicate 6 years ago Opened 6 years ago by dmoluguw.

While setting up a server using the ipa-server-install command, it fails while configuring the Kerberos KDC.

The following version is being used: freeipa-server-4.5.1.dev201706071713+git728e2f6-0.fc25.x86_64

Following is the console output:

ipa-server-install \
        -r $REALM \
        -n $DOMAIN \
        --hostname="${FQDN}" \
        --ds-password="${DMPASSWORD}" \
        --admin-password="${PASSWORD}" \
        --setup-dns --auto-forwarders --auto-reverse \
        --unattended

Checking DNS domain dom-080.abc.idm.lab.eng.brq.redhat.com, please wait ...
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.    
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd    
Warning: skipping DNS resolution of host xxx
Checking DNS domain dom-xxx.com., please wait ...

 WARNING: No network interface matches the IP address xx.yy.zz.80

 Checking DNS forwarders, please wait ...

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.34.78.1, 10.34.140.10
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
  [3/45]: configure autobind for root
  [4/45]: stopping directory server
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [7/45]: adding default schema
  [8/45]: enabling memberof plugin
  [9/45]: enabling winsync plugin
  [10/45]: configuring replication version plugin
  [11/45]: enabling IPA enrollment plugin
  [12/45]: configuring uniqueness plugin
  [13/45]: configuring uuid plugin
  [14/45]: configuring modrdn plugin
  [15/45]: configuring DNS plugin
  [16/45]: enabling entryUSN plugin
  [17/45]: configuring lockout plugin
  [18/45]: configuring topology plugin
  [19/45]: creating indices
  [20/45]: enabling referential integrity plugin
  [21/45]: configuring certmap.conf
  [22/45]: configure new location for managed entries
  [23/45]: configure dirsrv ccache
  [24/45]: enabling SASL mapping fallback
  [25/45]: restarting directory server
  [26/45]: adding sasl mappings to the directory
  [27/45]: adding default layout
  [28/45]: adding delegation layout
  [29/45]: creating container for managed entries
  [30/45]: configuring user private groups
  [31/45]: configuring netgroups from hostgroups
  [32/45]: creating default Sudo bind user
  [33/45]: creating default Auto Member layout
  [34/45]: adding range check plugin
  [35/45]: creating default HBAC rule allow_all
  [36/45]: adding entries for topology management
  [37/45]: initializing group membership
  [38/45]: adding master entry
  [39/45]: initializing domain level
  [40/45]: configuring Posix uid/gid generation
  [41/45]: adding replication acis
  [42/45]: activating sidgen plugin
  [43/45]: activating extdom plugin
  [44/45]: tuning directory server
  [45/45]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [11/29]: setting up signing cert profile
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
ipa         : ERROR    PKINIT certificate request failed: request timed out
ipa         : ERROR    Failed to configure PKINIT
  [error] RuntimeError: request timed out
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    request timed out
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The log from /var/log/ipaserver-install.log

 2017-06-07T18:31:08Z DEBUG Configuring Kerberos KDC (krb5kdc)
 2017-06-07T18:31:08Z DEBUG   [1/1]: installing X509 Certificate for PKINIT
 2017-06-07T18:31:08Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
 2017-06-07T18:31:13Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
 2017-06-07T18:31:18Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
 2017-06-07T18:31:23Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)

 ...
 2017-06-07T18:36:09Z ERROR PKINIT certificate request failed: request timed out
 2017-06-07T18:36:09Z ERROR Failed to configure PKINIT
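An added example, not part of the ticket or of FreeIPA: a small parser for the ipaserver-install.log polling lines shown above that reports any certmonger state held longer than a threshold, so an operator can tell a request blocked on key permissions (NEED_KEY_GEN_PERMS, the state the install sat in here) from a CA that is merely slow. The sample log lines are constructed to mirror the excerpt; the function names are the example's own.

```python
import re
from datetime import datetime

# Matches the DEBUG lines ipa-server-install writes while it polls certmonger.
STATE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z DEBUG "
    r"certmonger request is in state dbus\.String\(u'(?P<state>[A-Z_]+)'"
)

# Constructed sample modelled on the ticket's excerpt (timestamps shortened).
SAMPLE_LOG = """\
 2017-06-07T18:31:08Z DEBUG   [1/1]: installing X509 Certificate for PKINIT
 2017-06-07T18:31:08Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
 2017-06-07T18:31:13Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
 2017-06-07T18:31:18Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
 2017-06-07T18:32:33Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
 2017-06-07T18:36:09Z ERROR PKINIT certificate request failed: request timed out
""".splitlines()

def parse_states(lines):
    """Yield (timestamp, state) for each certmonger polling line; other lines are ignored."""
    for line in lines:
        m = STATE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"), m.group("state")

def state_runs(lines):
    """Collapse consecutive polls of the same state into (state, first_seen, last_seen)."""
    runs = []
    for ts, state in parse_states(lines):
        if runs and runs[-1][0] == state:
            runs[-1][2] = ts          # same state still reported: extend the run
        else:
            runs.append([state, ts, ts])
    return [tuple(r) for r in runs]

def find_stalls(lines, threshold_seconds=60):
    """Return (state, first_seen, last_seen, seconds) for runs held at least threshold_seconds.

    Duration is first-to-last poll showing the state, so it is a lower bound on the real stall.
    """
    return [(s, a, b, int((b - a).total_seconds()))
            for s, a, b in state_runs(lines)
            if (b - a).total_seconds() >= threshold_seconds]

if __name__ == "__main__":
    for state, first, last, secs in find_stalls(SAMPLE_LOG):
        hint = ("local key-generation permissions (check SELinux AVC denials)"
                if state == "NEED_KEY_GEN_PERMS" else "waiting on certmonger/CA")
        print(f"{state}: {secs}s ({first:%H:%M:%S} to {last:%H:%M:%S}) - {hint}")
```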

I encountered this issue yesterday. I put SELinux into permissive mode
and then it worked. I did not investigate further (yet).

Yes. It works in permissive mode. But, is it the desired mode?

No, we want to be SELinux enforced clean. However, you are testing FreeIPA git master on Fedora 25. Fedora 25 is not a target for FreeIPA 4.5.x, and SELinux team is not going to fix SELinux policy there for packages that will not appear in Fedora 25. Fedora 25 is released already.

So we want this to be fixed in Fedora 27, which is what FreeIPA 4.5.x is targeting.

The error should be fixed in the F27 policy. FreeIPA currently doesn't bring its own policy, so it doesn't work well on other versions of Fedora than the one where it is released officially. This limitation will be fixed with RFE #6891.

Metadata Update from @pvoborni:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
