Martin Kosek wrote:
On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob

I have to NACK this again. I have a problem communicating with IPA on a
master machine. I reproduced it on 2 different machines. Please correct
my steps if I am wrong; I do the following procedure:

1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for ad...@idm.lab.bos.redhat.com:
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers':
https://ipa.idm.lab.bos.redhat.com/ipa/xml,
https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
ttl=64 time=0.049 ms

Apache error_log shows relevant errors:

[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as 
context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest 
authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 
configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): 
Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent 
call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/share/ipa/wsgi.py", line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return 
api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     
self.create_context(ccache=environ.get('KRB5CCNAME'))
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in 
create_context
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     
self.Backend.ldap2.connect(ccache=ccache)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = 
self.create_connection(*args, **kw)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return 
f(*new_args, **kwargs)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in 
create_connection
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, 
**{})
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in 
_handle_errors
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise 
errors.DatabaseError(desc=desc, info=info)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local 
error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied 
(Hostname cannot be canonicalized)
[Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): 
Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.


You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.

Martin


The LDAP connection was still using the system hostname value. I added a conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we initialize an LDAP connection and that seems to have fixed it.

Updated patch attached

rob
From acb59d090d147aa81521c6fc93e66fe2629caeaa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 25 May 2011 11:24:08 -0400
Subject: [PATCH] Let the framework be able to override the hostname.

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052
---
 install/tools/ipa-replica-install |    1 +
 install/tools/ipa-server-install  |    1 +
 ipalib/config.py                  |    4 ----
 ipalib/constants.py               |   12 ++++++++++--
 ipaserver/plugins/ldap2.py        |    2 ++
 tests/test_ipalib/test_config.py  |    1 -
 6 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 49df7fe..6cd213f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -421,6 +421,7 @@ def main():
     # Note: We must do this before bootstraping and finalizing ipalib.api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + config.host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
     fd.write("realm=" + config.realm_name + "\n")
     fd.write("domain=" + config.domain_name + "\n")
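Review bot: the added fd.write("host=" + config.host_name + "\n") persists config.host_name exactly as supplied, with no check that it is a fully qualified name free of whitespace or embedded newlines. This value now becomes api.env.host and is handed to the LDAP connection in ipaserver/plugins/ldap2.py, so validate or normalize it before writing, or stop the install with a clear message.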
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 00b1334..1ff9f68 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -691,6 +691,7 @@ def main():
     # Create the management framework config file and finalize api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
     fd.write("realm=" + realm_name + "\n")
     fd.write("domain=" + domain_name + "\n")
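Review bot: the new host= line written after [global] introduces a default.conf key that nothing in this patch documents; the diffstat touches no man page or help text. Please document the key, and state that an installation whose default.conf lacks it falls back to the FQDN default added in ipalib/constants.py.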
diff --git a/ipalib/config.py b/ipalib/config.py
index 888785a..410e5f0 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -447,7 +447,6 @@ class Env(object):
         self.__doing('_bootstrap')
 
         # Set run-time variables (cannot be overridden):
-        self.host = getfqdn()
         self.ipalib = path.dirname(path.abspath(__file__))
         self.site_packages = path.dirname(self.ipalib)
         self.script = path.abspath(sys.argv[0])
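Review bot: with self.host = getfqdn() removed, the getfqdn import in config.py looks unused, and the diffstat shows only the four deletions visible here for this file, so it is not cleaned up. Drop the import if nothing else in config.py calls it. The comment above this block, "Set run-time variables (cannot be overridden)", is also the only place that recorded host as fixed, so the behaviour change deserves a line in the commit message.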
@@ -550,9 +549,6 @@ class Env(object):
         if 'log' not in self:
             self.log = self._join('logdir', '%s.log' % self.context)
 
-        # FIXME: move into ca plugin
-        if 'ca_host' not in self:
-            self.ca_host = self.host
         self._merge(**defaults)
 
     def _finalize(self, **lastchance):
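Review bot: dropping the "if 'ca_host' not in self" fallback means ca_host no longer follows host. After this patch ca_host defaults to the FQDN constant from ipalib/constants.py, so a server installed with --hostname and no explicit ca_host takes host from default.conf but ca_host from the system hostname, which is the same mismatch this patch sets out to fix. Keep the fallback to self.host once the config files have been merged, or have the installers write ca_host as well.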
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 202f5fa..23e8025 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -21,6 +21,14 @@
 """
 All constants centralised in one file.
 """
+import socket
+try:
+    FQDN = socket.getfqdn()
+except:
+    try:
+        FQDN = socket.gethostname()
+    except:
+        FQDN = None
 
 # The parameter system treats all these values as None:
 NULLS = (None, '', u'', tuple(), [])
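Review bot: the two bare except: clauses around socket.getfqdn() and socket.gethostname() also swallow KeyboardInterrupt and SystemExit, and the last fallback leaves FQDN = None, which then becomes the default for both host and ca_host. Catch socket.error instead, and decide what the framework should do when no name is available rather than passing None along. The lookup now also runs whenever ipalib.constants is imported, a side effect worth a comment.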
@@ -127,7 +135,7 @@ DEFAULT_CONFIG = (
     ('mode', 'production'),
 
     # CA plugin:
-    ('ca_host', object),  # Set in Env._finalize_core()
+    ('ca_host', FQDN),  # Set in Env._finalize_core()
     ('ca_port', 9180),
     ('ca_agent_port', 9443),
     ('ca_ee_port', 9444),
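Review bot: the trailing comment on the ca_host line still reads "Set in Env._finalize_core()", but the code in ipalib/config.py that set it is removed by this same patch. Update the comment to say the default is the system FQDN and can be overridden from the config file.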
@@ -160,7 +168,7 @@ DEFAULT_CONFIG = (
     # raised.
 
     # Non-overridable vars set in Env._bootstrap():
-    ('host', object),
+    ('host', FQDN),
     ('ipalib', object),  # The directory containing ipalib/__init__.py
     ('site_packages', object),  # The directory contaning ipalib
     ('script', object),  # sys.argv[0]
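Review bot: ('host', FQDN) still sits under the comment "Non-overridable vars set in Env._bootstrap()", which is now wrong on both counts: the assignment was removed from _bootstrap, and the purpose of the patch is that host can be overridden. Move the entry out of this group or correct the comment.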
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 5556773..6be8e3c 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -160,6 +160,7 @@ def get_schema(url, conn=None):
 
         if conn is None:
             conn = _ldap.initialize(url)
+            conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             conn.sasl_interactive_bind_s('', SASL_AUTH)
 
         schema_entry = conn.search_s(
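Review bot: OPT_HOST_NAME is set only inside the "if conn is None" branch, so a connection passed in by the caller is left untouched and may not use api.env.host. The same line is repeated in create_connection in the next hunk; a small helper that initializes the connection and applies api.env.host would keep the two call sites in step and give one place to explain why the option is needed.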
@@ -321,6 +322,7 @@ class ldap2(CrudBackend, Encoder):
 
         try:
             conn = _ldap.initialize(self.ldap_uri)
+            conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             if ccache is not None:
                 os.environ['KRB5CCNAME'] = ccache
                 conn.sasl_interactive_bind_s('', SASL_AUTH)
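Review bot: conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) runs with no check that api.env.host has a value, while the ipalib/constants.py hunk allows the default to be None. Guard the call or fail early with a clear error. The line also sits inside the try block, so confirm that an error raised by set_option is reported sensibly by the handler that follows.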
diff --git a/tests/test_ipalib/test_config.py b/tests/test_ipalib/test_config.py
index 97d7548..e729a62 100644
--- a/tests/test_ipalib/test_config.py
+++ b/tests/test_ipalib/test_config.py
@@ -441,7 +441,6 @@ class test_Env(ClassChecker):
         (o, home) = self.new()
         o._bootstrap()
         ipalib = path.dirname(path.abspath(config.__file__))
-        assert o.host == socket.gethostname()
         assert o.ipalib == ipalib
         assert o.site_packages == path.dirname(ipalib)
         assert o.script == path.abspath(sys.argv[0])
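Review bot: the "assert o.host == socket.gethostname()" check is deleted with nothing in its place, so host has no test coverage after this patch. Add one test that host defaults to the constants.FQDN value and another that a host= override from the configuration is honoured.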
-- 
1.7.4
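
The mismatch this thread is about (a configured host that differs from what the system and its resolver report) can be checked before the services start. The sketch below is an added example, not part of the patch or of FreeIPA; check_host, the dict-based lookups and the sample data are constructed for illustration, and it is written for Python 3.

```python
import configparser

def configured_host(conf_text):
    """Return the host= value from the [global] section, or None if absent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("global", "host", fallback=None)

def check_host(conf_text, system_fqdn, forward, reverse):
    """Return a list of findings about the configured hostname.

    forward maps name -> address and reverse maps address -> name. Both are
    plain dicts so the check runs offline (assumption: a real run would fill
    them from socket.getaddrinfo and socket.gethostbyaddr).
    """
    host = configured_host(conf_text)
    if host is None:
        return ["no host= in [global]; framework falls back to %s" % system_fqdn]
    findings = []
    if "." not in host:
        findings.append("%s is not fully qualified" % host)
    if host.lower() != system_fqdn.lower():
        findings.append("configured host %s differs from system FQDN %s"
                        % (host, system_fqdn))
    addr = forward.get(host.lower())
    if addr is None:
        findings.append("%s does not resolve" % host)
    elif reverse.get(addr, "").lower() != host.lower():
        findings.append("%s resolves to %s, which maps back to %r"
                        % (host, addr, reverse.get(addr)))
    return findings

# Constructed sample modelled on the report: a custom name added to
# /etc/hosts while the system hostname stays at the VM's own name.
SAMPLE_CONF = ("[global]\nhost=ipa.idm.lab.bos.redhat.com\n"
               "realm=IDM.LAB.BOS.REDHAT.COM\n")
SAMPLE_FORWARD = {"ipa.idm.lab.bos.redhat.com": "10.16.78.140"}
SAMPLE_REVERSE = {"10.16.78.140": "vm-140.idm.lab.bos.redhat.com"}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_CONF, "vm-140.idm.lab.bos.redhat.com",
                              SAMPLE_FORWARD, SAMPLE_REVERSE):
        print(finding)
```

An empty list means the configured name, the system name and the forward and reverse lookups all agree.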
