In some cases, like bug https://bugzilla.redhat.com/show_bug.cgi?id=1903671, IPA server deployment fails with:

```
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey ldap/ourdomain@ourdomain', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for db2 while initializing kadmin.local interface\n')
CalledProcessError(Command ['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey ldap/ourdomain@ourdomain', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for db2 while initializing kadmin.local interface\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

```
[root@oldstorm ~]# less /var/log/ipaserver-install.log
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 575, in main
    master_install(self)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/install.py", line 272, in decorated
    func(installer)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/install.py", line 864, in install
    krb.create_instance(realm_name, host_name, domain_name,
  File "/usr/lib/python3.9/site-packages/ipaserver/install/krbinstance.py", line 212, in create_instance
    self.start_creation()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/krbinstance.py", line 386, in __create_ds_keytab
    installutils.kadmin_addprinc(ldap_principal)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/installutils.py", line 433, in kadmin_addprinc
    return kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/installutils.py", line 422, in kadmin
    return ipautil.run(
  File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 594, in run
    raise CalledProcessError(
2020-12-02T15:45:14Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey ldap/ourdomain@ourdomain', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for db2 while initializing kadmin.local interface\n')
2020-12-02T15:45:14Z ERROR CalledProcessError(Command ['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey ldap/ourdomain@ourdomain', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for db2 while initializing kadmin.local interface\n')
The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey ldap/ourdomain@ourdomain', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for db2 while initializing kadmin.local interface\n')
2020-12-02T15:45:14Z ERROR CalledProcessError(Command ['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey ldap/ourdomain@ourdomain', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for db2 while initializing kadmin.local interface\n')
```
The reason for this is that, on top of the `/etc/krb5.conf` that the IPA server installer generates, there are configuration snippets in `/etc/krb5.conf.d/` that modify `libkrb5` defaults. In particular, `default_realm` is set to a value that differs from the realm used by the IPA server.
As a result, `kadmin.local` assumes we are dealing with that different realm and doesn't load the IPA KDB driver, as it is not defined for the other realm.
The IPA server installer should do a pre-check to verify that the `default_realm` value seen by `libkrb5` does not contradict our expectations. If it does, the installer should produce an error and suggest reviewing both `/etc/krb5.conf` and the snippets in `/etc/krb5.conf.d/` that redefine defaults to a different realm.
The check can be achieved with `python-gssapi`:

```python
import gssapi

# A host-based service name with no explicit realm: canonicalizing it
# through the Kerberos mechanism forces libkrb5 to fill in its default_realm
# (after every /etc/krb5.conf.d/ snippet has been applied).
name = gssapi.Name('host', name_type=gssapi.raw.NameType.hostbased_service)
canonical_name = name.canonicalize(gssapi.raw.MechType.kerberos)
principal = canonical_name.display_as(gssapi.raw.NameType.hostbased_service)
# The part after '@' is the realm libkrb5 actually resolved; the installer
# can compare it with the realm it is about to configure.
realm = principal.split('@')[-1]
```
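As an added illustration (not part of this ticket or of FreeIPA's code), the following Python walks `/etc/krb5.conf` and its `includedir` snippets in the order libkrb5 reads them and reports every `default_realm` that disagrees with the IPA realm, so that the suggested installer error could name the offending snippet. The realm names and file paths in the sample are constructed; the snippet-name filter assumes the krb5.conf(5) rule that only alphanumeric/`-`/`_` names (optionally ending in `.conf`) are loaded from an `includedir`.

```python
import os
import re
import tempfile

# libkrb5 loads includedir entries named with [A-Za-z0-9_-] (or a ".conf" suffix);
# leftovers such as foo.rpmsave are silently ignored, so they cannot be the cause.
SNIPPET_NAME = re.compile(r'[A-Za-z0-9_-]+(\.conf)?')

def default_realm_settings(conf_path):
    """Return [(file, realm)] for every [libdefaults] default_realm, in load order:
    includedir snippets are spliced in, sorted by name, where the directive appears."""
    found = []
    section = None
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.split('#', 1)[0].strip()
            if not line:
                continue
            if line.startswith('includedir '):
                incdir = line.split(None, 1)[1]
                if os.path.isdir(incdir):
                    for entry in sorted(os.listdir(incdir)):
                        path = os.path.join(incdir, entry)
                        if SNIPPET_NAME.fullmatch(entry) and os.path.isfile(path):
                            found.extend(default_realm_settings(path))
                continue
            if line.startswith('[') and line.endswith(']'):
                section = line[1:-1]
                continue
            if section == 'libdefaults' and '=' in line:
                key, value = (part.strip() for part in line.split('=', 1))
                if key == 'default_realm':
                    found.append((conf_path, value))
    return found

def conflicting_default_realms(conf_path, expected_realm):
    """Every file that sets default_realm to something other than the IPA realm."""
    return [(path, realm) for path, realm in default_realm_settings(conf_path)
            if realm != expected_realm]

def demo():
    """Constructed sample (made-up realms) in a temp dir: IPA's krb5.conf plus a stray snippet."""
    root = tempfile.mkdtemp()
    snippets = os.path.join(root, 'krb5.conf.d')
    os.mkdir(snippets)
    conf = os.path.join(root, 'krb5.conf')
    with open(conf, 'w') as fh:
        fh.write(f'includedir {snippets}\n\n[libdefaults]\n  default_realm = IPA.EXAMPLE.TEST\n')
    with open(os.path.join(snippets, 'legacy_realm'), 'w') as fh:
        fh.write('[libdefaults]\n  default_realm = OLD.EXAMPLE.TEST\n')
    with open(os.path.join(snippets, 'old.rpmsave'), 'w') as fh:  # dotted name: not loaded
        fh.write('[libdefaults]\n  default_realm = IGNORED.EXAMPLE.TEST\n')
    return [(os.path.basename(p), r) for p, r in conflicting_default_realms(conf, 'IPA.EXAMPLE.TEST')]
```

Because the snippet is spliced in at the `includedir` line, which precedes IPA's own `[libdefaults]`, it is the first `default_realm` libkrb5 sees, which matches the behaviour described in the ticket.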