Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1490233
Description of problem: When a user tries to install a replica using the OTP password generated by `ipa host-add --random`, the replica fails to install in FIPS mode using the OTP password.

```
ipaserver01 # cat /proc/sys/crypto/fips_enabled
1
ipaserver01 # echo Passw0rd1 | kinit admin
Password for admin@TESTRELM.TEST:
ipaserver01 # ipa dnsrecord-add
Record name: ipareplica01
Zone name: testrelm.test
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA
DNS resource record type: A
A IP Address: 192.168.10.48
  Record name: ipareplica01
  A record: 192.168.10.48
ipaserver01 # ipa host-add ipareplica01.testrelm.test --random
-------------------------------------------
Added host "ipareplica01.testrelm.test"
-------------------------------------------
  Host name: ipareplica01.testrelm.test
  Random password: 8Vg}GRyyiPmL_T26<f6+MT
  Password: True
  Keytab: False
  Managed by: ipareplica01.testrelm.test
ipaserver01 # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipareplica01 ~]# ipa-replica-install -P admin -w '8Vg}GRyyiPmL_T26<f6+MT'
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Configuring client side components
Discovery was successful!
Client hostname: ipareplica01.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipaserver01.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Unconfigured automount client
failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Password incorrect while getting initial credentials
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Removing client side components
IPA client is not configured on this system.
The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.x86_64

How reproducible: 100%

Steps to Reproduce:
1. Enable FIPS mode for IPA Server and Replica server
2. Install IPA server
3. Add IPA replica host and generate random password
4. Use Random OTP to install IPA Replica

Actual results: Installation fails with the above mentioned error

Expected results: Installation should be successful.
Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1490233
Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
The one-step replica installation options may be a little bit misleading, as it can be seen as 2 different steps with different requirements:
- the client installation can be done:
  - with OTP if -p is provided
  - with admin/admin_pwd if -P principal -w principal_pwd are provided
- the promotion from client to replica requires -P principal -w principal_pwd
In this ticket description, the options are: -P admin -w '8Vg}GRyyiPmL_T26<f6+MT' i.e. the installer does not use the OTP password but rather the enrollment with admin and admin password. As the password is provided with -w option, the installer considers it is the admin password, hence the failure.
If you retry with '-P admin -w $admin_pwd -p $otp_password' the installation will succeed. Hence closing this issue as CLOSED / NOTABUG.
Note: I agree that using OTP in one-step replica installation makes little sense, since OTP is usually chosen for client installations when the administrator does not want to provide his own credentials, but here the admin credentials are required for promotion. There is already an issue opened to track this: 6353 During one step replica install the command accepts both OTP and Admin password simultaneously
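As an added example (not part of the ticket or of FreeIPA itself), a small POSIX shell wrapper that keeps the two credential roles described above apart, so an OTP can never end up in -w, and that checks the admin password with kinit before the installer gets far enough to roll a client install back. FIPS_FLAG, DRY_RUN and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code: pre-flight wrapper for a one-step
# replica install. Assumes ipa-replica-install and kinit are on PATH on a real
# replica; FIPS_FLAG and DRY_RUN are this script's own conventions.
FIPS_FLAG=${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}

# True when the kernel flag checked in the ticket reads 1.
fips_enabled() {
    [ -r "$FIPS_FLAG" ] && [ "$(cat "$FIPS_FLAG")" = "1" ]
}

# Print the option split: the admin principal/password always go to -P/-w,
# because promotion from client to replica needs them; a host OTP goes to -p
# and is only used for the client-enrollment step. Passing the OTP as -w is
# the mistake from the ticket; separate parameters make it impossible here.
replica_args() {
    principal=$1; admin_pwd=$2; otp=$3
    if [ -z "$principal" ] || [ -z "$admin_pwd" ]; then
        echo "replica_args: admin principal and password are required for promotion" >&2
        return 1
    fi
    if [ -n "$otp" ]; then
        printf '%s\n' "-P $principal -w $admin_pwd -p $otp"
    else
        printf '%s\n' "-P $principal -w $admin_pwd"
    fi
}

# Verify the admin password with kinit first, so a wrong -w value fails here
# instead of as "Password incorrect" after a rolled-back client install.
check_admin_creds() {
    command -v kinit >/dev/null 2>&1 || return 0   # nothing to check with
    printf '%s\n' "$2" | kinit "$1" >/dev/null 2>&1
}

# install_replica PRINCIPAL ADMIN_PASSWORD [HOST_OTP]
install_replica() {
    args=$(replica_args "$1" "$2" "$3") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ipa-replica-install $args"
        return 0
    fi
    check_admin_creds "$1" "$2" || { echo "kinit rejected the admin password" >&2; return 1; }
    if [ -n "$3" ]; then
        ipa-replica-install -P "$1" -w "$2" -p "$3"
    else
        ipa-replica-install -P "$1" -w "$2"
    fi
}
```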
Metadata Update from @frenaud:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)