Martin Kosek wrote:
On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob

I have to NACK this again. I have a problem communicating with IPA on a
master machine. I reproduced it on 2 different machines. Please correct
my steps if I am wrong; I do the following procedure:

1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for ad...@idm.lab.bos.redhat.com:
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers':
https://ipa.idm.lab.bos.redhat.com/ipa/xml,
https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
ttl=64 time=0.049 ms

Apache error_log shows relevant errors:

[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>   ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as 
context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest 
authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 
configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): 
Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent 
call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/share/ipa/wsgi.py", line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return 
api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     
self.create_context(ccache=environ.get('KRB5CCNAME'))
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in 
create_context
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     
self.Backend.ldap2.connect(ccache=ccache)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = 
self.create_connection(*args, **kw)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return 
f(*new_args, **kwargs)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in 
create_connection
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, 
**{})
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in 
_handle_errors
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise 
errors.DatabaseError(desc=desc, info=info)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local 
error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied 
(Hostname cannot be canonicalized)
[Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): 
Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.


You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.

Martin


The LDAP connection was still using the system hostname value. I added a
conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we
initialize an LDAP connection and that seems to have fixed it.

Updated patch attached

rob

NACK. The problem on a master is gone. However, now ipa-replica-install
is failing:

# ipa-replica-install /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:

creation of replica failed: Can't contact LDAP server:


I found out that the root cause of the failure is in the change you just
made in ldap2.py:

    def create_connection(self, ccache=None, bind_dn='', bind_pw='',
            tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
            debug_level=0):
...
        try:
            conn = _ldap.initialize(self.ldap_uri)
            conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)   # <--
            if ccache is not None:
                os.environ['KRB5CCNAME'] = ccache
...

because api.env.host points to the local host and not the remote master.
When I commented this line out, installation continued OK. Then, it
crashed again with our "favorite" dogtag's "invalid clone_uri"
exception.

Since we see this error also in other scenarios (not only custom
--hostname) and the root cause is not in your patch, I can ACK your patch
762 once the replica install bug is fixed.

Martin
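
The scheme-dependent choice that Martin's analysis points at, written up as an added example (this is not FreeIPA's code and does not call python-ldap): an ldapi:// URI carries no host name, so the GSSAPI layer has to be told which configured host the server's ldap/<host> principal was created for; for ldap:// and ldaps:// the URI already names the target, and pinning the local host there is exactly what broke the replica install. The function names (sasl_host_for_uri, always_pin_local, principal_host) and all host names are constructed for the demonstration.

```python
# Added example, not FreeIPA code: which host name a SASL/GSSAPI bind should
# be pinned to, decided from the LDAP URI scheme.  Host names below are
# constructed for the demonstration.
from urllib.parse import urlsplit


class UnsupportedScheme(ValueError):
    """Raised for URI schemes this helper does not know how to handle."""


def sasl_host_for_uri(uri, configured_host):
    """Return the host GSSAPI should be told to use for `uri`, or None.

    ldapi://   -> configured_host.  A Unix-socket URI carries no host name,
                  so the library would fall back to the system hostname,
                  which is not the name the server's ldap/<host> principal
                  was created under when --hostname was used.
    ldap(s):// -> None.  The URI names the target; pinning the *local* host
                  here is the bug from the thread (a replica's first bind
                  goes to the remote master, not to itself).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        if not configured_host:
            raise ValueError("ldapi:// needs a configured host name")
        return configured_host
    if scheme in ("ldap", "ldaps"):
        if not parts.hostname:
            raise ValueError("%s:// URI without a host: %r" % (scheme, uri))
        return None
    raise UnsupportedScheme(uri)


def always_pin_local(uri, configured_host):
    """The behaviour before the fix: pin the local host for every URI."""
    return configured_host


def principal_host(uri, configured_host, policy=sasl_host_for_uri):
    """Host part of the ldap/<host>@REALM service principal the client
    will request a ticket for, under the given pinning policy."""
    pinned = policy(uri, configured_host)
    if pinned is not None:
        return pinned
    return urlsplit(uri).hostname


if __name__ == "__main__":
    local = "replica.example.test"                            # constructed
    master = "ldap://master.example.test:389"                 # constructed
    sock = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket"  # constructed
    print("before fix, to master:", principal_host(master, local, always_pin_local))
    print("after fix,  to master:", principal_host(master, local))
    print("after fix,  via ldapi:", principal_host(sock, local))
```

Run as a script it prints the three cases side by side: with the old policy a replica talking to its master asks for a ticket for its own name (replica.example.test), which the master's KDC cannot canonicalize into the master's principal; with the scheme check the remote bind uses the URI's host and only the local ldapi socket uses the configured name.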


Fixed both of these. We only need to set the hostname when using an ldapi URI, so I fixed both of those.

I also fixed the Invalid clone_uri bug. The problem was we weren't passing our new hostname to pkicreate so it was creating a CA for whatever the value of `hostname` was. There is an environment variable in pkicreate to pass in the hostname and doing that has fixed the problem.

rob
From cc19a279044eed9c84374c9cd2de3d5b2c107345 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 27 May 2011 10:47:54 -0400
Subject: [PATCH] Let the framework be able to override the hostname.

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052
---
 install/tools/ipa-replica-install |    1 +
 install/tools/ipa-server-install  |    1 +
 ipalib/config.py                  |    4 ----
 ipalib/constants.py               |   12 ++++++++++--
 ipaserver/install/cainstance.py   |    2 +-
 ipaserver/plugins/ldap2.py        |    4 ++++
 tests/test_ipalib/test_config.py  |    1 -
 7 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 293a0a0..273ff51 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -406,6 +406,7 @@ def main():
     # Note: We must do this before bootstraping and finalizing ipalib.api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + config.host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
     fd.write("realm=" + config.realm_name + "\n")
     fd.write("domain=" + config.domain_name + "\n")
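Review bot: config.host_name is written into default.conf by plain string concatenation with no check that it is a syntactically valid FQDN or that it resolves to this replica; a stray value produces exactly the "Hostname cannot be canonicalized" GSSAPI failure reported earlier in the thread, so validate it (or fail early with a clear message) before persisting it here.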
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 3ad623e..5a1ad8d 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -669,6 +669,7 @@ def main():
     # Create the management framework config file and finalize api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
     fd.write("realm=" + realm_name + "\n")
     fd.write("domain=" + domain_name + "\n")
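Review bot: host_name is the operator-supplied --hostname value and goes into an INI-style file through `fd.write("host=" + host_name + "\n")`; a value containing a newline, leading whitespace or '=' would corrupt the [global] section, so reject anything that is not a plain FQDN before this write (the same check would serve ipa-replica-install).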
diff --git a/ipalib/config.py b/ipalib/config.py
index 888785a..410e5f0 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -447,7 +447,6 @@ class Env(object):
         self.__doing('_bootstrap')
 
         # Set run-time variables (cannot be overridden):
-        self.host = getfqdn()
         self.ipalib = path.dirname(path.abspath(__file__))
         self.site_packages = path.dirname(self.ipalib)
         self.script = path.abspath(sys.argv[0])
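Review bot: the comment `# Set run-time variables (cannot be overridden):` directly above the removed `self.host = getfqdn()` is now misleading, since host is precisely the variable this patch makes overridable from default.conf; update the comment, and drop the getfqdn import from this module if nothing else in it still uses it.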
@@ -550,9 +549,6 @@ class Env(object):
         if 'log' not in self:
             self.log = self._join('logdir', '%s.log' % self.context)
 
-        # FIXME: move into ca plugin
-        if 'ca_host' not in self:
-            self.ca_host = self.host
         self._merge(**defaults)
 
     def _finalize(self, **lastchance):
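Review bot: removing the `self.ca_host = self.host` fallback changes semantics. With the new constants.py defaults, ca_host falls back to the module-level FQDN (the system hostname at import time) instead of following the configured host, so a server installed with a custom --hostname and no explicit ca_host in default.conf will contact the CA under the wrong name. Either keep this fallback or have both installers write ca_host= next to host=.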
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 202f5fa..23e8025 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -21,6 +21,14 @@
 """
 All constants centralised in one file.
 """
+import socket
+try:
+    FQDN = socket.getfqdn()
+except:
+    try:
+        FQDN = socket.gethostname()
+    except:
+        FQDN = None
 
 # The parameter system treats all these values as None:
 NULLS = (None, '', u'', tuple(), [])
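Review bot: the two bare `except:` clauses swallow SystemExit and KeyboardInterrupt along with socket errors; use `except socket.error:` (or at least `except Exception:`). socket.getfqdn() already catches socket.error internally and returns gethostname() on failure, so the nested fallback is largely redundant, and the final `FQDN = None` means host and ca_host silently default to None when resolution fails at import time, which later surfaces only as the obscure GSSAPI errors seen in this thread; a clear failure message at that point would be preferable.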
@@ -127,7 +135,7 @@ DEFAULT_CONFIG = (
     ('mode', 'production'),
 
     # CA plugin:
-    ('ca_host', object),  # Set in Env._finalize_core()
+    ('ca_host', FQDN),  # Set in Env._finalize_core()
     ('ca_port', 9180),
     ('ca_agent_port', 9443),
     ('ca_ee_port', 9444),
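Review bot: the trailing comment `# Set in Env._finalize_core()` is stale: this same patch removes the ca_host assignment from config.py, so the value now comes from this default (or from default.conf), and the comment should say so.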
@@ -160,7 +168,7 @@ DEFAULT_CONFIG = (
     # raised.
 
     # Non-overridable vars set in Env._bootstrap():
-    ('host', object),
+    ('host', FQDN),
     ('ipalib', object),  # The directory containing ipalib/__init__.py
     ('site_packages', object),  # The directory contaning ipalib
     ('script', object),  # sys.argv[0]
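Review bot: `host` is still listed under `# Non-overridable vars set in Env._bootstrap():`, but after this patch it is no longer set in _bootstrap and is meant to be overridden by the host= key the installers write; move the entry to the overridable section or rewrite the comment. The context line's "contaning" typo could be fixed while here.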
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2e11ee7..082284b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -556,7 +556,7 @@ class CAInstance(service.Service):
                 '-redirect', 'conf=/etc/pki-ca',
                 '-redirect', 'logs=/var/log/pki-ca',
         ]
-        ipautil.run(args)
+        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
 
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
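Review bot: passing `env={'PKI_HOSTNAME':self.fqdn}` replaces the whole child environment if ipautil.run hands env straight to subprocess.Popen, so pkicreate would run without PATH or any other inherited variable; check ipautil.run's handling and, if it does not merge, build the dict from the default environment plus PKI_HOSTNAME. A space after the colon would also match the surrounding style.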
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 5556773..2af3255 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -160,6 +160,8 @@ def get_schema(url, conn=None):
 
         if conn is None:
             conn = _ldap.initialize(url)
+            if url.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             conn.sasl_interactive_bind_s('', SASL_AUTH)
 
         schema_entry = conn.search_s(
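Review bot: get_schema is a module-level function, so `api.env.host` here relies on `api` being imported at module scope in ldap2.py; confirm that import exists, because a NameError would only show up on the ldapi path at runtime. The scheme test `url.startswith('ldapi://')` is also case-sensitive, so an `LDAPI://` URI would skip the option; comparing the lowercased scheme is safer.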
@@ -321,6 +323,8 @@ class ldap2(CrudBackend, Encoder):
 
         try:
             conn = _ldap.initialize(self.ldap_uri)
+            if self.ldap_uri.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             if ccache is not None:
                 os.environ['KRB5CCNAME'] = ccache
                 conn.sasl_interactive_bind_s('', SASL_AUTH)
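Review bot: this is the second copy of the ldapi/OPT_HOST_NAME two-liner in the same file; factor it into a small helper taking the connection and the URI so the scheme check and the chosen host cannot drift apart, and document once why ldapi is special (an ldapi URI carries no host name for GSSAPI to canonicalize, and the system hostname may differ from the configured one).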
diff --git a/tests/test_ipalib/test_config.py b/tests/test_ipalib/test_config.py
index 97d7548..e729a62 100644
--- a/tests/test_ipalib/test_config.py
+++ b/tests/test_ipalib/test_config.py
@@ -441,7 +441,6 @@ class test_Env(ClassChecker):
         (o, home) = self.new()
         o._bootstrap()
         ipalib = path.dirname(path.abspath(config.__file__))
-        assert o.host == socket.gethostname()
         assert o.ipalib == ipalib
         assert o.site_packages == path.dirname(ipalib)
         assert o.script == path.abspath(sys.argv[0])
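Review bot: deleting `assert o.host == socket.gethostname()` leaves the new behaviour untested; replace it with an assertion against the constants.py default (`assert o.host == constants.FQDN`, assuming test_config imports constants) and add a case that writes host= into a config file and checks that Env picks it up, since that override is the point of the patch. If socket is now unused in this test module, drop the import as well.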
-- 
1.7.4
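
As an added example that is not part of Rob's patch: validating the --hostname value before it is written as host= into /etc/ipa/default.conf, and reading it back with the precedence the patch introduces (the file's value first, the FQDN default otherwise). The names validate_fqdn, render_default_conf and effective_host, the ConfigParser round-trip and the sample values are this example's own assumptions; FreeIPA's Env has its own config reader.

```python
# Added example, not FreeIPA code: validate the installer-chosen host name
# before persisting it as host= in default.conf, and read it back with the
# same precedence the patch gives it (file value first, system FQDN
# otherwise).  The ConfigParser round-trip is this example's own choice.
import configparser
import io
import re
import socket

# One RFC 1123 label: 1-63 alphanumerics or '-', not starting or ending with '-'.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_fqdn(name):
    """Return `name` lowercased without a trailing dot, or raise ValueError.

    A rejected value never reaches the config file, so a stray newline or
    '=' in --hostname cannot corrupt the [global] section, and a bare
    short name is caught here instead of surfacing as a GSSAPI
    canonicalization failure on the first bind.
    """
    if not isinstance(name, str) or not name or len(name) > 253:
        raise ValueError("host name missing or too long")
    name = name.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError("host name must be fully qualified: %r" % name)
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError("invalid label %r in host name %r" % (label, name))
    return name.lower()


def render_default_conf(host, realm, domain, basedn):
    """Build the text of a minimal [global] section with host= first."""
    cp = configparser.RawConfigParser()
    cp.add_section("global")
    cp.set("global", "host", validate_fqdn(host))
    cp.set("global", "basedn", basedn)
    cp.set("global", "realm", realm)
    cp.set("global", "domain", domain)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def effective_host(conf_text, system_fqdn=None):
    """host= from the config wins; otherwise the system FQDN, which is what
    the patch's constants.FQDN default supplies."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    if cp.has_option("global", "host"):
        return cp.get("global", "host")
    return system_fqdn if system_fqdn is not None else socket.getfqdn()


if __name__ == "__main__":
    # Constructed values, in the shape of the thread's examples.
    text = render_default_conf("IPA.example.test.", "EXAMPLE.TEST",
                               "example.test", "dc=example,dc=test")
    print(text)
    print("effective host:", effective_host(text, "box.example.test"))
```

The precedence in effective_host is the behaviour the patch's installers rely on: when host= is present the system name is ignored, which is what lets the configured name survive on a box whose `hostname` differs from the --hostname given at install time.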

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
