The nightly tests executed on rawhide started failing with krb5 update krb5-1.19.2-5.fc36 when they call kinit admin. See PR #1489, with for instance fedora-rawhide/automember (details, report).
kinit admin
fedora-rawhide/automember
ipa-server-install --domain ipa.test --realm IPA.TEST -a Secret123 -p Secret123 -U
# kinit admin kinit: Pre-authentication failed: Invalid argument while getting initial credentials
The command should succeed.
krb5-server-1.19.2-5.fc36.x86_64 freeipa-server-4.9.8-2.fc36.1.x86_64
The server installation produces an error message (Unable to set admin password)but exits successfully:
Unable to set admin password
# ipa-server-install --domain ipa.test --realm IPA.TEST -a Secret123 -p Secret123 -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. Version 4.9.8 This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the NTP client (chronyd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure SID generation * Configure the KDC to enable PKINIT Trust is configured but no NetBIOS domain name found, setting it now. The IPA Master Server will be configured with: Hostname: server.ipa.test IP address(es): 10.0.137.149 Domain name: ipa.test Realm name: IPA.TEST The CA will be configured with: Subject DN: CN=Certificate Authority,O=IPA.TEST Subject base: O=IPA.TEST Chaining: self-signed Disabled p11-kit-proxy Synchronizing time No SRV records of NTP servers found and no NTP server or pool address was provided. Using default chrony configuration. Attempting to sync time with chronyc. Process chronyc waitsync failed to sync time! Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network. Warning: IPA was unable to sync time with chrony! Time synchronization is required for IPA to work correctly Configuring directory server (dirsrv). Estimated time: 30 seconds [1/41]: creating directory server instance Validate installation settings ... Create file system structures ... Perform SELinux labeling ... Create database backend: dc=ipa,dc=test ... Perform post-installation tasks ... [2/41]: tune ldbm plugin [3/41]: adding default schema [4/41]: enabling memberof plugin [5/41]: enabling winsync plugin [6/41]: configure password logging [7/41]: configuring replication version plugin [8/41]: enabling IPA enrollment plugin [9/41]: configuring uniqueness plugin [10/41]: configuring uuid plugin [11/41]: configuring modrdn plugin [12/41]: configuring DNS plugin [13/41]: enabling entryUSN plugin [14/41]: configuring lockout plugin [15/41]: configuring topology plugin [16/41]: creating indices [17/41]: enabling referential integrity plugin [18/41]: configuring certmap.conf [19/41]: configure new location for managed entries [20/41]: configure dirsrv ccache and keytab [21/41]: enabling SASL mapping fallback [22/41]: restarting directory server [23/41]: adding sasl mappings to the directory [24/41]: adding default layout [25/41]: adding delegation layout [26/41]: creating container for managed entries [27/41]: configuring user private groups [28/41]: configuring netgroups from hostgroups [29/41]: creating default Sudo bind user [30/41]: creating default Auto Member layout [31/41]: adding range check plugin [32/41]: creating default HBAC rule allow_all [33/41]: adding entries for topology management [34/41]: initializing group membership [35/41]: adding master entry [36/41]: initializing domain level [37/41]: configuring Posix uid/gid generation [38/41]: adding replication acis [39/41]: activating sidgen plugin [40/41]: activating extdom plugin [41/41]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc) [1/10]: adding kerberos container to the directory [2/10]: configuring KDC [3/10]: initialize kerberos container [4/10]: adding default ACIs [5/10]: creating a keytab for the directory [6/10]: creating a keytab for the machine [7/10]: adding the password extension to the directory [8/10]: creating anonymous principal [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa-custodia [1/5]: Making sure custodia container exists [2/5]: Generating ipa-custodia config file [3/5]: Generating ipa-custodia keys [4/5]: starting ipa-custodia [5/5]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/29]: configuring certificate server instance [2/29]: stopping certificate server instance to update CS.cfg [3/29]: backing up CS.cfg [4/29]: Add ipa-pki-wait-running [5/29]: secure AJP connector [6/29]: reindex attributes [7/29]: exporting Dogtag certificate store pin [8/29]: disabling nonces [9/29]: set up CRL publishing [10/29]: enable PKIX certificate path discovery and validation [11/29]: authorizing RA to modify profiles [12/29]: authorizing RA to manage lightweight CAs [13/29]: Ensure lightweight CAs container exists [14/29]: Ensuring backward compatibility [15/29]: starting certificate server instance [16/29]: configure certmonger for renewals [17/29]: requesting RA certificate from CA [18/29]: publishing the CA certificate [19/29]: adding RA agent as a trusted user [20/29]: configure certificate renewals [21/29]: Configure HTTP to proxy connections [22/29]: updating IPA configuration [23/29]: enabling CA instance [24/29]: importing IPA certificate profiles [25/29]: migrating certificate profiles to LDAP [26/29]: adding default CA ACL [27/29]: adding 'ipa' CA entry [28/29]: configuring certmonger renewal for lightweight CAs [29/29]: deploying ACME service Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance [2/3]: adding CA certificate entry [3/3]: restarting directory server Done configuring directory server (dirsrv). Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Configuring the web interface (httpd) [1/21]: stopping httpd [2/21]: backing up ssl.conf [3/21]: disabling nss.conf [4/21]: configuring mod_ssl certificate paths [5/21]: setting mod_ssl protocol list [6/21]: configuring mod_ssl log directory [7/21]: disabling mod_ssl OCSP [8/21]: adding URL rewriting rules [9/21]: configuring httpd [10/21]: setting up httpd keytab [11/21]: configuring Gssproxy [12/21]: setting up ssl [13/21]: configure certmonger for renewals [14/21]: publish CA cert [15/21]: clean up any existing httpd ccaches [16/21]: configuring SELinux for httpd [17/21]: create KDC proxy config [18/21]: enable KDC proxy [19/21]: starting httpd [20/21]: configuring httpd to start on boot [21/21]: enabling oddjobd Done configuring the web interface (httpd). Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). Applying LDAP updates Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: disabling Schema Compat [6/10]: starting directory server [7/10]: upgrading server [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Restarting the KDC Configuring SID generation [1/8]: creating samba domain object [2/8]: adding admin(group) SIDs [3/8]: adding RID bases [4/8]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [5/8]: activating sidgen task [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [7/8]: adding fallback group [8/8]: adding SIDs to existing users and groups This step may take considerable amount of time, please wait.. Done. Unable to set admin password CalledProcessError(Command ['/usr/bin/ldappasswd', '-h', 'server.ipa.test', '-ZZ', '-x', '-D', 'cn=Directory Manager', '-y', '/var/lib/ipa/tmpp4tale3j', '-T', '/var/lib/ipa/tmpzznbx6s3', 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=test'] returned non-zero exit status 1: 'ldappasswd: unrecognized option -\x00\nChange password of an LDAP user\n\nusage: ldappasswd [options] [user]\n user: the authentication identity, commonly a DN\nPassword change options:\n -E bind early\n -a secret old password\n -A prompt for old password\n -t file read file for old password\n -s secret new password\n -S prompt for new password\n -T file read file for new password\nCommon options:\n -d level set LDAP debugging level to `level\'\n -D binddn bind DN\n -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)\n [!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)\n [!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")\n [!]bauthzid (RFC 3829)\n [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]\n one of "chainingPreferred", "chainingRequired",\n "referralsPreferred", "referralsRequired"\n [!]manageDSAit (RFC 3296)\n [!]noop\n ppolicy\n [!]postread[=<attrs>] (RFC 4527; comma-separated attr list)\n [!]preread[=<attrs>] (RFC 4527; comma-separated attr list)\n [!]relax\n [!]sessiontracking[=<username>]\n abandon, cancel, ignore (SIGINT sends abandon/cancel,\n or ignores response; if critical, doesn\'t wait for SIGINT.\n not really controls)\n -H URI LDAP Uniform Resource Identifier(s)\n -I use SASL Interactive mode\n -n show what would be done but don\'t actually do it\n -N do not use reverse DNS to canonicalize SASL host name\n -O props SASL security properties\n -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n ldif_wrap=<width> (in columns, or "no" for no wrapping)\n nettimeout=<timeout> (in seconds, or "none" or "max")\n -Q use SASL Quiet mode\n -R realm SASL realm\n -U authcid SASL authentication identity\n -v run in verbose mode (diagnostics to standard output)\n -V print version info (-VV only)\n -w passwd bind password (for simple authentication)\n -W prompt for bind password\n -x Simple authentication\n -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")\n -y file Read password from file\n -Y mech SASL mechanism\n -Z Start TLS request (-ZZ to require successful response)\n') Configuring client side components This program will set up IPA client. Version 4.9.8 Using existing certificate '/etc/ipa/ca.crt'. Client hostname: server.ipa.test Realm: IPA.TEST DNS Domain: ipa.test IPA Server: server.ipa.test BaseDN: dc=ipa,dc=test Configured /etc/sssd/sssd.conf Systemwide CA database updated. Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config.d/04-ipa.conf Configuring ipa.test as NIS domain. Client configuration complete. The ipa-client-install command was successful Please add records in this file to your DNS system: /tmp/ipa.system.records.ze1nvvic.db ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password The ipa-server-install command was successful
Issue also reported against fedora rawhide at https://bugzilla.redhat.com/show_bug.cgi?id=2051233
Metadata Update from @frenaud: - Issue tagged with: tracker
I think you opened wrong bug against krb5 because it is ldappasswd which failed with unknown option. I think it is a bug in openldap upgrade.
We also have 389-ds update and @adamwill opened a bug about the same against it
So I think we have a problem with ldappasswd here. @spichugi , can't you please check as well?
CalledProcessError(Command ['/usr/bin/ldappasswd', '-h', 'server.ipa.test', '-ZZ', '-x', '-D', 'cn=Directory Manager', '-y', '/var/lib/ipa/tmpp4tale3j', '-T', '/var/lib/ipa/tmpzznbx6s3', 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=test'] returned non-zero exit status 1: 'ldappasswd: unrecognized option -\x00\nChange password of an LDAP user\n\nusage:
I think you opened wrong bug against krb5 because it is ldappasswd which failed with unknown option. I think it is a bug in openldap upgrade. We also have 389-ds update and @adamwill opened a bug about the same against it So I think we have a problem with ldappasswd here. @spichugi , can't you please check as well?
All client tools accept only "-H URI - LDAP Uniform Resource Identifier(s)" now. I went through official release notes but they, for some reason, haven't mentioned the exact Bug Number where it was changed...
I found the issue though - https://bugs.openldap.org/show_bug.cgi?id=8618
So it's not a bug and the usage should be changed in the tests.
Thanks. This is not usage in the tests, it broke use in FreeIPA installer. I also think this change in behavior needs to be part of the Fedora release notes.
Agree, I'll make sure it'll be included in Fedora 36 notes. Thank you!
Upstream PR: https://github.com/freeipa/freeipa/pull/6166
Metadata Update from @abbra: - Issue assigned to abbra
Metadata Update from @abbra: - Custom field changelog adjusted to OpenLDAP 2.6+ removed -h and -p options from OpenLDAP command line utilities (ldapadd/ldapmodify/...). FreeIPA now uses only -H url option to specify the target server and protocol to use. - Custom field external_tracker adjusted to https://bugs.openldap.org/show_bug.cgi?id=8618 - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6166 - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2051233
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2050921 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2051233)
Since we already had a bug https://bugzilla.redhat.com/show_bug.cgi?id=2050921 opened by Adam for this issue, I closed https://bugzilla.redhat.com/show_bug.cgi?id=2051233 as a duplicate.
Metadata Update from @frenaud: - Issue untagged with: tracker
master:
ipa-4-9:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.