While setting up a server using the ipa-server-install command, it fails while configuring the Kerberos KDC.
The following version is being used: freeipa-server-4.5.1.dev201706071713+git728e2f6-0.fc25.x86_64
Following is the console output:
ipa-server-install \
    -r $REALM \
    -n $DOMAIN \
    --hostname="${FQDN}" \
    --ds-password="${DMPASSWORD}" \
    --admin-password="${PASSWORD}" \
    --setup-dns --auto-forwarders --auto-reverse \
    --unattended
Checking DNS domain dom-080.abc.idm.lab.eng.brq.redhat.com, please wait ...

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host xxx
Checking DNS domain dom-xxx.com., please wait ...
WARNING: No network interface matches the IP address xx.yy.zz.80
Checking DNS forwarders, please wait ...

BIND DNS server will be configured to serve IPA domain with:
Forwarders:      10.34.78.1, 10.34.140.10
Forward policy:  only
Reverse zone(s): No reverse zone

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
  [3/45]: configure autobind for root
  [4/45]: stopping directory server
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [7/45]: adding default schema
  [8/45]: enabling memberof plugin
  [9/45]: enabling winsync plugin
  [10/45]: configuring replication version plugin
  [11/45]: enabling IPA enrollment plugin
  [12/45]: configuring uniqueness plugin
  [13/45]: configuring uuid plugin
  [14/45]: configuring modrdn plugin
  [15/45]: configuring DNS plugin
  [16/45]: enabling entryUSN plugin
  [17/45]: configuring lockout plugin
  [18/45]: configuring topology plugin
  [19/45]: creating indices
  [20/45]: enabling referential integrity plugin
  [21/45]: configuring certmap.conf
  [22/45]: configure new location for managed entries
  [23/45]: configure dirsrv ccache
  [24/45]: enabling SASL mapping fallback
  [25/45]: restarting directory server
  [26/45]: adding sasl mappings to the directory
  [27/45]: adding default layout
  [28/45]: adding delegation layout
  [29/45]: creating container for managed entries
  [30/45]: configuring user private groups
  [31/45]: configuring netgroups from hostgroups
  [32/45]: creating default Sudo bind user
  [33/45]: creating default Auto Member layout
  [34/45]: adding range check plugin
  [35/45]: creating default HBAC rule allow_all
  [36/45]: adding entries for topology management
  [37/45]: initializing group membership
  [38/45]: adding master entry
  [39/45]: initializing domain level
  [40/45]: configuring Posix uid/gid generation
  [41/45]: adding replication acis
  [42/45]: activating sidgen plugin
  [43/45]: activating extdom plugin
  [44/45]: tuning directory server
  [45/45]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [11/29]: setting up signing cert profile
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
ipa : ERROR PKINIT certificate request failed: request timed out
ipa : ERROR Failed to configure PKINIT
  [error] RuntimeError: request timed out
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR request timed out
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The log from /var/log/ipaserver-install.log:
2017-06-07T18:31:08Z DEBUG Configuring Kerberos KDC (krb5kdc)
2017-06-07T18:31:08Z DEBUG   [1/1]: installing X509 Certificate for PKINIT
2017-06-07T18:31:08Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2017-06-07T18:31:13Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
2017-06-07T18:31:18Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
2017-06-07T18:31:23Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
...
2017-06-07T18:36:09Z ERROR PKINIT certificate request failed: request timed out
2017-06-07T18:36:09Z ERROR Failed to configure PKINIT
I encountered this issue yesterday. I put SELinux into permissive mode and then it worked. I did not investigate further (yet).
Yes. It works in permissive mode. But is it the desired mode?
No, we want to be SELinux-enforcing clean. However, you are testing FreeIPA git master on Fedora 25. Fedora 25 is not a target for FreeIPA 4.5.x, and the SELinux team is not going to fix the SELinux policy there for packages that will not appear in Fedora 25. Fedora 25 is released already.
So we want this to be fixed in Fedora 27, which is what FreeIPA 4.5.x is targeting.
The error should be fixed in the F27 policy. FreeIPA currently doesn't bring its own policy, so it doesn't work well on versions of Fedora other than the one where it is officially released. This limitation will be fixed with RFE #6891.
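The log in the report shows the failure mode clearly: certmonger moves from GENERATING_KEY_PAIR to NEED_KEY_GEN_PERMS and then never leaves it until the installer gives up after about five minutes, and the comments above show that the stall cleared in permissive mode. The script below is an added example, not code from this ticket or from FreeIPA: it reads `ipaserver-install.log`-style text, reports which certmonger state the request ended in and for how long, and flags a request stuck in NEED_KEY_GEN_PERMS so the SELinux check can be done deliberately instead of by flipping `setenforce 0` on the whole host. The sample log is constructed in the format of the quoted log (the 18:36:08 line stands in for the polling lines the ticket elides with "..."), and the 60-second threshold is an arbitrary assumption.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA: find the certmonger
# state a PKINIT certificate request got stuck in by reading the
# "certmonger request is in state ..." DEBUG lines of ipaserver-install.log.

# Constructed sample in the format of the log quoted in the ticket. The
# 18:36:08 line stands in for the polling lines the ticket elides with "...".
sample_log() {
cat <<'EOF'
2017-06-07T18:31:08Z DEBUG Configuring Kerberos KDC (krb5kdc)
2017-06-07T18:31:08Z DEBUG   [1/1]: installing X509 Certificate for PKINIT
2017-06-07T18:31:08Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2017-06-07T18:31:13Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
2017-06-07T18:31:18Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
2017-06-07T18:36:08Z DEBUG certmonger request is in state dbus.String(u'NEED_KEY_GEN_PERMS', variant_level=1)
2017-06-07T18:36:09Z ERROR PKINIT certificate request failed: request timed out
EOF
}

# Read log text on stdin; print "<state> <first-seen> <last-seen> <seconds>"
# for the last certmonger state reported. Exit 1 if no state line is present.
certmonger_stall() {
    awk -v q="'" '
    # seconds since midnight from a 2017-06-07T18:31:13Z style timestamp
    function secs(ts,  t) {
        split(substr(ts, 12, 8), t, ":")
        return t[1] * 3600 + t[2] * 60 + t[3]
    }
    /certmonger request is in state/ {
        i = index($0, "String(u" q)          # state sits between the quotes
        if (i == 0) next
        rest = substr($0, i + 9)
        state = substr(rest, 1, index(rest, q) - 1)
        if (state != cur) { cur = state; first = $1 }   # state changed
        last = $1
    }
    END {
        if (cur == "") exit 1
        d = secs(last) - secs(first)
        if (d < 0) d += 86400                 # assumes at most one midnight crossing
        printf "%s %s %s %d\n", cur, first, last, d
    }'
}

# Exit 0 when the request sat in NEED_KEY_GEN_PERMS for at least $1 seconds
# (default 60, an arbitrary threshold). certmonger reports that state when key
# generation fails with a permission error; on this ticket it cleared once
# SELinux was permissive, so check the audit log before touching enforcement.
stuck_in_keygen_perms() {
    threshold="${1:-60}"
    out=$(certmonger_stall) || return 1
    state=${out%% *}
    seconds=${out##* }
    [ "$state" = "NEED_KEY_GEN_PERMS" ] && [ "$seconds" -ge "$threshold" ]
}

# Stand-alone demo on the constructed sample.
sample_log | certmonger_stall
if sample_log | stuck_in_keygen_perms 60; then
    echo "PKINIT key generation blocked; check SELinux denials"
fi
```

On a live host, run it as `certmonger_stall < /var/log/ipaserver-install.log`, then confirm the cause rather than assume it: `getcert list` shows the request's current status and error text, `getenforce` shows whether SELinux is enforcing, and `ausearch -m AVC -ts recent` lists the denials that coincide with the NEED_KEY_GEN_PERMS window. If a denial is there, `setenforce 0` as used in the comment above is a diagnostic step, not a fix; on a host where the policy cannot be updated, `semanage permissive -a <domain>` on the denied domain keeps the rest of the system enforcing until the policy fix lands.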
Metadata Update from @pvoborni:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)