freeipa

Clone
Source Code
GIT

#7627 ipa-replica-install --setup-kra broken on DL0 with latest version
Closed: fixed 5 years ago Opened 5 years ago by frenaud.

Closed: fixed
Reopen Issue

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1596629

Description of problem:
ipa-replica-install --setup-kra broken on DL0 with latest version

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA at DL0
2. Setup Replica with KRA at DL0
3. Check ipareplica-install.log

Actual results:
ipa-replica installation fails

Expected results:
ipa-replica-installation with KRA should be successful

Additional info:
The issue is not observed in RHEL75z testing

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1596629
5 years ago

Bug analysis

Valid bug: yes
Regression: yes
Regression introduction: 389-ds-base-1.3.7 with the 389-ds patch for 49599
Affected versions: RHEL 7.6
Use cases (reproduction steps):

  • install replica with KRA in domain level 0:
    • install ipa server in dl 0 with ca and kra (--domain-level 0 --setup-kra)
    • prepare replica with ipa-replica-prepare
    • install replica with ipa-replica-install --setup-ca --setup-kra /path/to/replica-file

Cause: pkispawn is failing when configuring the replication for CA.
During repl setup, pkispawn is reading the attribute nsds5replicaLastInitStatus in cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config in order to find the replication status.
The new format (in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update succeeded" but pkispawn is expecting "0 Total update succeeded" (see the code ).

Consequence: ipa-server-install fails in pkispawn step.
Workaround: None

The BZ has been moved to pki component, we can keep this issue as a tracker (as we will need to bump pki version in spec file when a pki patch is available).
Edited 5 years ago by frenaud

Metadata Update from @frenaud:
- Issue tagged with: tracker
5 years ago

FYI, Dogtag ticket 3043 tracks the pki issue.
Same issue as 7622 Replica CA instance creation fails in DL0

Patches pushed to PKI upstream:

  • master: 8147769f8bc8a41afa77dfcd97464dc736d61935
  • DOGTAG_10_5_BRANCH: 151ecf63106425cada104d141a81722570ba2b28
Edited 5 years ago by ftweedal

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2425
5 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud
5 years ago

ipa-4-6:

  • 1183cbb Bump requires for pki
  • 885da73 Fixing tests on TestReplicaManageDel

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
5 years ago

Login to comment on this ticket.

Metadata

tracker

None
None
None
None
None
None
None
None
None
None
None
None
https://github.com/freeipa/freeipa/pull/2425
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=1596629
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.