#7234 ipa-restore does not enable/start oddjobd
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

After running ipa-restore, the service oddjobd is not restarted. This means that domain-level1 replica installation will fail during ipa-replica-conncheck because this step is using oddjob to start the process ipa-replica-conncheck on the master.

How to reproduce:
1. install ipa server with ipa-server-install
2. perform a backup with ipa-backup
3. uninstall the server with ipa-server-install --uninstall -U
4. restore the server with ipa-restore /path/to/backup
5. try to configure a replica with ipa-replica-install --server $MASTER

The replica installation fails in the conncheck step with the following output:

[...]
Client configuration complete.
The ipa-client-install command was successful

Checking DNS forwarders, please wait ...
Run connection check to master
Removing client side components
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Content of ipareplica-install.log:

2017-11-02T09:25:35Z DEBUG Starting external process
2017-11-02T09:25:35Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master master.domain.com --auto-master-check --realm DOMAIN.COM --hostname replica.domain.com --principal admin --password XXXXXXXX --ca-cert-file /etc/ipa/ca.crt
2017-11-02T09:25:39Z DEBUG Process finished, return code=1
2017-11-02T09:25:39Z DEBUG stdout=
2017-11-02T09:25:39Z DEBUG stderr=Check connection from replica to remote master 'master.domain.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocoland would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://master.domain.com/ipa/json
[try 1]: Forwarding 'ping/1' to json server 'https://master.domain.com/ipa/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://master.domain.com/ipa/json'
ERROR: Remote master check failed with following error message(s):
an internal error has occurred

2017-11-02T09:25:39Z DEBUG Starting external process
2017-11-02T09:25:39Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
[...]

If the service oddjobd is manually restarted + enabled on the master (with systemctl enable oddjobd and systemctl start oddjobd), the replica-conncheck step succeeds.
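
A post-restore check for the condition this ticket describes, as an added example (not FreeIPA code and not part of the original report): it verifies that oddjobd is both enabled and active on the restored master before a replica install is attempted. The SYSTEMCTL override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify services after ipa-restore, before ipa-replica-install.
# SYSTEMCTL is an assumption of this example; it lets the check be pointed at
# a stub instead of the real systemctl.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Print "<enabled-state>/<active-state>" for a unit, e.g. "disabled/inactive".
# Both systemctl queries exit non-zero for the bad states, so the exit codes
# are ignored and only the printed state is used.
unit_state() {
    unit="$1"
    enabled=$("$SYSTEMCTL" is-enabled "$unit" 2>/dev/null) || true
    active=$("$SYSTEMCTL" is-active "$unit" 2>/dev/null) || true
    printf '%s/%s\n' "${enabled:-unknown}" "${active:-unknown}"
}

# Return 0 only if the unit is enabled AND active. Otherwise print the
# workaround given in the ticket and return 1.
check_unit() {
    state=$(unit_state "$1")
    if [ "$state" = "enabled/active" ]; then
        echo "OK: $1 is $state"
        return 0
    fi
    echo "FAIL: $1 is $state; run: systemctl enable $1 && systemctl start $1"
    return 1
}

# Check every unit given as an argument; the return code is the number of
# units that are not enabled and active.
post_restore_check() {
    failed=0
    for u in "$@"; do
        check_unit "$u" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run only when unit names are passed, e.g.: sh post_restore_check.sh oddjobd
if [ "$#" -gt 0 ]; then
    post_restore_check "$@"
fi
```

A non-zero exit on the restored master means the remote server_conncheck step shown in the log above would fail for the reason given in this ticket.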


Metadata Update from @pvoborni:
- Issue tagged with: bug

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.5.5

6 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1513041

6 years ago

Metadata Update from @slaykovsky:
- Issue assigned to slaykovsky

6 years ago

Metadata Update from @slaykovsky:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1472

6 years ago

master:

  • 93b7c40 Enable and start oddjobd after ipa-restore if it's not running.

@slaykovsky ipatool wasn't able to create an automatic backport to 4.5. Please create a manual backport.

ipa-4-6:

  • d150e75 Enable and start oddjobd after ipa-restore if it's not running.

ipa-4-5:

  • 97938e9 Enable and start oddjobd after ipa-restore

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • 8182ebc ipatests: add test for ipa-restore in multi-master configuration
