Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
The hostname is passed in during the server installation. We
should use
this hostname for the resulting server as well. It was being
discarded
and we always used the system hostname value.

ticket 1052

rob

I have to NACK this again. I have a problem communicating with IPA
on a
master machine. I reproduced it on 2 different machines. Please
correct
my steps if I am wrong; I do the following procedure:

1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname
ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for ad...@idm.lab.bos.redhat.com:
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers':
https://ipa.idm.lab.bos.redhat.com/ipa/xml,
https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
ttl=64 time=0.049 ms

Apache error_log shows relevant errors:

[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start
IPA: Unable to retrieve LDAP schema: Invalid credentials:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start
IPA: Unable to retrieve LDAP schema: Invalid credentials:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError:
KeyError(140250828974112,) in<module 'threading' from
'/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd
running as context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for
digest authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2
mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2
Python/2.7.1 configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi
(pid=5192): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback
(most recent call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
"/usr/share/ipa/wsgi.py", line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return
api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]
self.create_context(ccache=environ.get('KRB5CCNAME'))
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in
create_context
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]
self.Backend.ldap2.connect(ccache=ccache)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in
connect
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] conn =
self.create_connection(*args, **kw)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
"/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in
new_f
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return
f(*new_args, **kwargs)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py",
line 337, in create_connection
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]
_handle_errors(e, **{})
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py",
line 118, in _handle_errors
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] raise
errors.DatabaseError(desc=desc, info=info)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]
DatabaseError: Local error: SASL(-1): generic failure: GSSAPI
Error: An invalid name was supplied (Hostname cannot be
canonicalized)
[Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi
(pid=5193): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.


You can check the problem on vm-140.idm.lab.bos.redhat.com if you
want to.

Martin


The LDAP connection was still using the system hostname value. I
added a
conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two
places we
initialize an LDAP connection and that seems to have fixed it.

Updated patch attached

rob

NACK. The problem on a master is gone. However, now ipa-replica-install
is failing:

# ipa-replica-install
/home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:

creation of replica failed: Can't contact LDAP server:


I found out that the root cause of the failure is in the change you
just
made in ldap2.py:

    def create_connection(self, ccache=None, bind_dn='', bind_pw='',
            tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
            debug_level=0):
        ...
        try:
            conn = _ldap.initialize(self.ldap_uri)
            conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)   <--
            if ccache is not None:
                os.environ['KRB5CCNAME'] = ccache
        ...

because api.env.host points to the local host and not the remote
master.
When I commented this line out, installation continued OK. Then, it
crashed again with our "favorite" dogtag's "invalid clone_uri"
exception.

Since we see this error also in other scenarios (not only custom
--hostname) and the root cause is not in your patch, I can ACK your patch
762 once the replica install bug is fixed.

Martin


Fixed both of these. We only need to set the hostname when using an
ldapi URI, so fixed both of those.

I also fixed the Invalid clone_uri bug. The problem was we weren't
passing our new hostname to pkicreate so it was creating a CA for
whatever the value of `hostname` was. There is an environment variable
in pkicreate to pass in the hostname and doing that has fixed the
problem.

rob

Yes, this issue was fixed. It's good you found a way to deal with the
clone_uri problem. However, I still hit some issues:

1) I think we have some Kerberos related problems when the custom
hostname is used (ipa.idm.lab.bos.redhat.com on
vm-096.idm.lab.bos.redhat.com). Named and SSSD refuse to start on the
system.

/var/log/messages:
May 30 05:04:35 vm-096 named[13932]: listening on IPv4 interface eth0,
10.16.78.96#53
May 30 05:04:35 vm-096 named[13932]: generating session key for
dynamic DNS
May 30 05:04:36 vm-096 named[13932]: Failed to init credentials
(Preauthentication failed)
May 30 05:04:36 vm-096 named[13932]: loading configuration: failure
May 30 05:04:36 vm-096 named[13932]: exiting (due to fatal error)
May 30 05:04:36 vm-096 systemd[1]: named.service: control process
exited, code=exited status=7
May 30 05:04:36 vm-096 systemd[1]: Unit named.service entered failed
state.
May 30 05:07:41 vm-096 sssd: Starting up
May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Starting up
May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Error
processing keytab file [(null)]: Principal
[host/vm-096.idm.lab.bos.redhat....@idm.lab.bos.redhat.com] was not
found. Unable to create GSSAPI-encrypted LDAP connection.

For the named issue I filed a bug against bind-dyndb-ldap for this,
https://bugzilla.redhat.com/show_bug.cgi?id=710261

This is similar to a problem I ran into: when you do an ldapi bind it
defaults to using the system hostname value.

To fix the sssd problem we just need to set the ipa_hostname option
(they have lots of nice tuning options!). We just need to decide if we
always set this value or only at install time when the hostnames differ.

2) My dogtag powered replica still refuses to install (happened to me on
2 fresh VMs) with "creation of replica failed: Configuration of CA
failed".

I investigated the ipareplica-install.log and found an error that may be
relevant. Maybe Ade will recognize some of them.

#############################################
Attempting to connect to: vm-028.idm.lab.bos.redhat.com:9445
Connected.
Posting Query =
https://vm-028.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=9&op=next&xml=true&host=vm-028.idm.lab.bos.redhat.com&port=7389&binddn=cn%3DDirectory+Manager&__bindpwd=XXXXXXXX&basedn=o%3Dipaca&database=ipaca&display=%24displayStr&cloneStartTLS=on

RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 30 May 2011 11:26:29 GMT
RESPONSE HEADER: Connection: close
...
<response>
<panel>admin/console/config/databasepanel.vm</panel>
<clone>clone</clone>
<res/>
<portStr>7389</portStr>
<bindpwd>(sensitive)</bindpwd>
<cloneStartTLS>on</cloneStartTLS>
<hostname>vm-028.idm.lab.bos.redhat.com</hostname>
<errorString>Master and clone should have the same base DN</errorString>


The CA installation fails a few error messages later.

Providing excerpt of CA logs as they may be relevant:

/var/log/pki-ca/catalina.out:
...
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initialization failed
and skipped, error=Property internaldb.ldapconn.port missing value|
...
[Fatal Error] :2:15: Open quote is expected for attribute "BGCOLOR"
associated with an element type "BODY".

/var/log/pki-ca/system:
2893.main - [30/May/2011:07:25:47 EDT] [3] [3] Cannot build CA chain.
Error java.security.cert.CertificateException: Certificate is not a
PKCS #11 certificate
2893.main - [30/May/2011:07:25:47 EDT] [13] [3] authz instance
DirAclAuthz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value

Martin


Haven't had a chance to explore this one yet. It sure would be nice if
dogtag would tell us what the two differing base DNs are though...

This patch should resolve the remaining issues. It requires a patch to bind-dyndb-ldap, I have a candidate patch in https://bugzilla.redhat.com/show_bug.cgi?id=710261

rob
From 5dcbfd2ca6c5ac2e8d5c85c2c82de920a4df3376 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 22 Jun 2011 08:46:25 -0400
Subject: [PATCH] Let the framework be able to override the hostname.

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052
---
 install/tools/ipa-replica-install |    1 +
 install/tools/ipa-server-install  |    3 ++-
 ipalib/config.py                  |    4 ----
 ipalib/constants.py               |   12 ++++++++++--
 ipaserver/install/cainstance.py   |   29 ++++++++++++++---------------
 ipaserver/plugins/ldap2.py        |    4 ++++
 tests/test_ipalib/test_config.py  |    1 -
 7 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a0bb9d9..b70f36f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -429,6 +429,7 @@ def main():
     # Note: We must do this before bootstraping and finalizing ipalib.api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + config.host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
     fd.write("realm=" + config.realm_name + "\n")
     fd.write("domain=" + config.domain_name + "\n")
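Review bot: config.host_name is written verbatim here, and it becomes the name ldap2.py later hands to OPT_HOST_NAME for the ldapi GSSAPI bind, so it must be the fully qualified name the ldap/ keytab principal was issued for; the "Hostname cannot be canonicalized" traceback earlier in the thread is what a mismatch looks like. A one-line check before this write (the value contains a dot, or equals the name the replica info file was prepared for) would report a bare short name at install time instead of at the first API call.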
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7c81dbe..9487387 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -678,6 +678,7 @@ def main():
     # Create the management framework config file and finalize api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
     fd.write("realm=" + realm_name + "\n")
     fd.write("domain=" + domain_name + "\n")
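Review bot: the host= line here and the --hostname argument added to the ipa-client-install call further down are the two places the custom name must agree, and both use host_name, which is fine. What is still missing is a resolvability check: step 3 of Martin's reproduction added the custom name to /etc/hosts by hand, and when that is forgotten the Kerberos canonicalization error only shows up after the server is fully installed. Refusing to proceed when host_name differs from the system name and does not resolve would fail earlier and more clearly.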
@@ -916,7 +917,7 @@ def main():
 
     # Call client install script
     try:
-        run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name])
+        run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name])
     except Exception, e:
         sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
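Review bot: the commit message lists "configure ipa_hostname in sssd on masters", but the diffstat touches no ipa-client-install code, so that item rests entirely on the existing --hostname handling of the ipa-client-install invoked here. Confirm that option writes ipa_hostname into sssd.conf; otherwise the SSSD failure quoted earlier in the thread (Principal [host/vm-096...] was not found) persists on masters installed with a custom name.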
 
diff --git a/ipalib/config.py b/ipalib/config.py
index 888785a..410e5f0 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -447,7 +447,6 @@ class Env(object):
         self.__doing('_bootstrap')
 
         # Set run-time variables (cannot be overridden):
-        self.host = getfqdn()
         self.ipalib = path.dirname(path.abspath(__file__))
         self.site_packages = path.dirname(self.ipalib)
         self.script = path.abspath(sys.argv[0])
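Review bot: the comment two lines above, "Set run-time variables (cannot be overridden)", is now wrong for host: after this hunk host comes from DEFAULT_CONFIG and is exactly the value default.conf overrides. Reword the comment so the next reader does not reintroduce getfqdn() here.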
@@ -550,9 +549,6 @@ class Env(object):
         if 'log' not in self:
             self.log = self._join('logdir', '%s.log' % self.context)
 
-        # FIXME: move into ca plugin
-        if 'ca_host' not in self:
-            self.ca_host = self.host
         self._merge(**defaults)
 
     def _finalize(self, **lastchance):
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 202f5fa..23e8025 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -21,6 +21,14 @@
 """
 All constants centralised in one file.
 """
+import socket
+try:
+    FQDN = socket.getfqdn()
+except:
+    try:
+        FQDN = socket.gethostname()
+    except:
+        FQDN = None
 
 # The parameter system treats all these values as None:
 NULLS = (None, '', u'', tuple(), [])
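Review bot: the bare except: clauses catch SystemExit and KeyboardInterrupt too; narrow them to socket.error. They are also mostly dead code: socket.getfqdn() handles resolver failure internally and returns the unqualified name rather than raising, so the case that actually bites this patch, an unqualified or wrong system name, falls straight through with FQDN set to that bad value. A check that FQDN contains a dot would be more useful than the fallback chain.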
@@ -127,7 +135,7 @@ DEFAULT_CONFIG = (
     ('mode', 'production'),
 
     # CA plugin:
-    ('ca_host', object),  # Set in Env._finalize_core()
+    ('ca_host', FQDN),  # Set in Env._finalize_core()
     ('ca_port', 9180),
     ('ca_agent_port', 9443),
     ('ca_ee_port', 9444),
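Review bot: the trailing comment "# Set in Env._finalize_core()" on the ca_host line is no longer true once the ca_host block in config.py is deleted; it is a plain default now, so drop or reword the comment.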
@@ -160,7 +168,7 @@ DEFAULT_CONFIG = (
     # raised.
 
     # Non-overridable vars set in Env._bootstrap():
-    ('host', object),
+    ('host', FQDN),
     ('ipalib', object),  # The directory containing ipalib/__init__.py
     ('site_packages', object),  # The directory contaning ipalib
     ('script', object),  # sys.argv[0]
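Review bot: if both lookups in the new FQDN block fail, host defaults to None and the problem surfaces later as a malformed principal or a bad GSSAPI target rather than at startup; since host is now a required setting like basedn and realm, failing loudly in Env when it resolves to None would be clearer. The heading above, "Non-overridable vars set in Env._bootstrap()", is also stale for this entry, which is now precisely the one default.conf overrides.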
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 62fce4b..54de10f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -520,7 +520,6 @@ class CAInstance(service.Service):
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
-            self.step("restarting certificate server", self.__restart_instance)
             if not self.clone:
                 self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
             if self.create_ra_agent_db:
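Review bot: dropping the "restarting certificate server" step means the steps after it (the agent PKCS#12 export, the RA agent db) now depend on the restart done inside the configure-instance path, the self.__restart_instance() call in the later hunk. That is correct for the external != 1 flow shown here, but the step list no longer shows a restart at all; a comment next to it saying where the restart now happens would stop a future reorder from running these steps before the CA is back up.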
@@ -559,7 +558,7 @@ class CAInstance(service.Service):
                 '-redirect', 'conf=/etc/pki-ca',
                 '-redirect', 'logs=/var/log/pki-ca',
         ]
-        ipautil.run(args)
+        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
 
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
@@ -675,7 +674,7 @@ class CAInstance(service.Service):
             # Define the things we don't want logged
             nolog = (self.admin_password, self.dm_password,)
 
-            ipautil.run(args, nolog=nolog)
+            ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
         except ipautil.CalledProcessError, e:
             logging.critical("failed to configure ca instance %s" % e)
             raise RuntimeError('Configuration of CA failed')
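Review bot: same env= question as the pkicreate call above. The dictionary literal is also now repeated at two call sites; a single helper returning the pkicreate/pkisilent environment keeps them from drifting and is the right place for the one-line comment that without PKI_HOSTNAME dogtag uses the output of `hostname`, which is what produced the clone_uri failure discussed in the thread.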
@@ -685,11 +684,22 @@ class CAInstance(service.Service):
             print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
             sys.exit(0)
 
+        # Turn off Nonces (again)
+        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+            raise RuntimeError("Disabling nonces failed")
+        pent = pwd.getpwnam(PKI_USER)
+        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
+        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
+        # it a lousy name.
+        if ipautil.file_exists("/root/tmp-ca.p12"):
+            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
+
         try:
             # After configuration the service is running and configured
             # but must be restarted for configuration to take effect.
             # The service status in this case will be 4.
-            self.restart()
+            self.__restart_instance()
         except ipautil.CalledProcessError, e:
             logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
             raise RuntimeError('Restarting CA after pkisilent configuration failed')
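Review bot: the except ipautil.CalledProcessError around the new self.__restart_instance() call may be unreachable: __restart_instance (bottom of this file's diff) wraps self.restart() in its own try, and if that handler catches CalledProcessError itself, a failed restart no longer raises "Restarting CA after pkisilent configuration failed" here and the install continues against a CA that is down. Either let __restart_instance re-raise or drop the now-misleading except. The moved nonce and PKCS#12 blocks are fine, but a comment that they must precede the restart (the point of the reorder per the commit message) would help.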
@@ -704,17 +714,6 @@ class CAInstance(service.Service):
 
         logging.debug("completed creating ca instance")
 
-        # Turn off Nonces (again)
-        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
-            raise RuntimeError("Disabling nonces failed")
-        pent = pwd.getpwnam(PKI_USER)
-        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
-        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
-        # it a lousy name.
-        if ipautil.file_exists("/root/tmp-ca.p12"):
-            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
-
     def __restart_instance(self):
         try:
             self.restart()
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index e4cc72d..c375252 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -160,6 +160,8 @@ def get_schema(url, conn=None):
 
         if conn is None:
             conn = _ldap.initialize(url)
+            if url.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             conn.sasl_interactive_bind_s('', SASL_AUTH)
 
         schema_entry = conn.search_s(
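Review bot: api is referenced inside get_schema, a module-level function; make sure ipalib's api is imported in ldap2.py rather than reached through a global. A comment on why the override is limited to ldapi:// (a Unix socket URI carries no host, so the GSSAPI target falls back to the system hostname, whereas ldap:// takes it from the URI and forcing api.env.host there breaks binds to remote masters, as the replica install failure in the thread showed) would stop the next person from "simplifying" it back to unconditional.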
@@ -321,6 +323,8 @@ class ldap2(CrudBackend, Encoder):
 
         try:
             conn = _ldap.initialize(self.ldap_uri)
+            if self.ldap_uri.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             if ccache is not None:
                 os.environ['KRB5CCNAME'] = ccache
                 conn.sasl_interactive_bind_s('', SASL_AUTH)
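Review bot: this is the same two-line ldapi check as in get_schema; factor it into one helper that takes the URI and returns an initialized connection with OPT_HOST_NAME set when the scheme is ldapi, so both bind paths stay consistent. The option must also stay ahead of sasl_interactive_bind_s, as it is here, since it has no effect once the bind has happened.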
diff --git a/tests/test_ipalib/test_config.py b/tests/test_ipalib/test_config.py
index 97d7548..e729a62 100644
--- a/tests/test_ipalib/test_config.py
+++ b/tests/test_ipalib/test_config.py
@@ -441,7 +441,6 @@ class test_Env(ClassChecker):
         (o, home) = self.new()
         o._bootstrap()
         ipalib = path.dirname(path.abspath(config.__file__))
-        assert o.host == socket.gethostname()
         assert o.ipalib == ipalib
         assert o.site_packages == path.dirname(ipalib)
         assert o.script == path.abspath(sys.argv[0])
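Review bot: dropping the assertion leaves host untested; replace it rather than remove it, e.g. assert o.host == constants.FQDN after _bootstrap, plus a case that sets host in the config passed to Env and checks that the override wins, since that is the behaviour this patch introduces.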
-- 
1.7.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
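The hostname rule the thread converges on (the framework's host comes from /etc/ipa/default.conf and falls back to the system FQDN; ldap:// binds take their GSSAPI target from the URI, while ldapi:// binds use the system hostname unless OPT_HOST_NAME is set; SSSD looks for host/<system name> unless ipa_hostname is set), written up as an added preflight check that is not part of the thread and not FreeIPA code. Everything in it is constructed: the default.conf text, the keytab principal sets, the ldapi socket path and the system FQDN stand-in. The three modes mirror the three versions of the patch discussed above: no override (the original bug), unconditional override (the version that broke ipa-replica-install) and ldapi-only override (the final patch).

```python
"""Preflight check for the FreeIPA hostname override discussed above.

Added example, not FreeIPA code. It models where the GSSAPI service
principal for an LDAP bind comes from and shows why the ldapi-only
OPT_HOST_NAME override from the final patch is the right one.
"""
import socket
from urllib.parse import urlsplit

# Constructed sample of the [global] section the patched installer writes
# for "--hostname ipa.idm.lab.bos.redhat.com" on a box whose system name
# is vm-096.idm.lab.bos.redhat.com.
SAMPLE_DEFAULT_CONF = """\
[global]
host=ipa.idm.lab.bos.redhat.com
basedn=dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
realm=IDM.LAB.BOS.REDHAT.COM
domain=idm.lab.bos.redhat.com
"""
SYSTEM_FQDN = "vm-096.idm.lab.bos.redhat.com"  # stand-in for socket.getfqdn()
REALM = "IDM.LAB.BOS.REDHAT.COM"

# Constructed keytab contents: the installer issues keys for the custom
# name; the remote master (vm-028) only holds keys for its own name.
LOCAL_KEYTAB = {
    f"ldap/ipa.idm.lab.bos.redhat.com@{REALM}",
    f"host/ipa.idm.lab.bos.redhat.com@{REALM}",
}
MASTER_KEYTAB = {f"ldap/vm-028.idm.lab.bos.redhat.com@{REALM}"}

# Constructed URIs; for ldapi only the scheme matters.
LDAPI_URI = "ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket"
MASTER_URI = "ldap://vm-028.idm.lab.bos.redhat.com/"

# The three variants of the patch seen in the thread.
NO_OVERRIDE, ALWAYS, LDAPI_ONLY = "none", "always", "ldapi-only"


def parse_default_conf(text):
    """Minimal reader for the [global] section of /etc/ipa/default.conf."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def resolve_host(conf, system_fqdn=None):
    """api.env.host after the patch: default.conf wins, else the system FQDN."""
    if system_fqdn is None:
        system_fqdn = socket.getfqdn()
    return conf.get("host") or system_fqdn


def gssapi_target_host(uri, configured_host, system_fqdn, mode):
    """Name the SASL/GSSAPI layer builds the ldap/ service principal from."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if mode == ALWAYS:
        # The NACKed intermediate patch: api.env.host is the *local* host,
        # which is wrong for a bind to a remote master.
        return configured_host
    if scheme in ("ldap", "ldaps"):
        return parts.hostname  # the host named in the URI
    if scheme == "ldapi":
        # A Unix socket names no host, so the library falls back to the
        # system hostname unless OPT_HOST_NAME tells it otherwise.
        return configured_host if mode == LDAPI_ONLY else system_fqdn
    raise ValueError(f"unsupported LDAP URI scheme: {scheme!r}")


def check_bind(uri, conf_text, system_fqdn, server_keytab, realm, mode):
    """Return (principal the bind targets, whether the server has a key for it)."""
    host = resolve_host(parse_default_conf(conf_text), system_fqdn)
    target = gssapi_target_host(uri, host, system_fqdn, mode)
    principal = f"ldap/{target}@{realm}"
    return principal, principal in server_keytab


def sssd_host_principal(system_fqdn, realm, ipa_hostname=None):
    """Principal SSSD looks for in its keytab: ipa_hostname wins when set."""
    return f"host/{ipa_hostname or system_fqdn}@{realm}"


if __name__ == "__main__":
    for uri, keytab in ((LDAPI_URI, LOCAL_KEYTAB), (MASTER_URI, MASTER_KEYTAB)):
        for mode in (NO_OVERRIDE, ALWAYS, LDAPI_ONLY):
            principal, ok = check_bind(uri, SAMPLE_DEFAULT_CONF, SYSTEM_FQDN,
                                       keytab, REALM, mode)
            print(f"{mode:10} {uri[:12]:12} -> {principal:58} {'ok' if ok else 'FAIL'}")
    for name in (None, "ipa.idm.lab.bos.redhat.com"):
        p = sssd_host_principal(SYSTEM_FQDN, REALM, name)
        print(f"sssd ipa_hostname={name!s:28} -> {p} {'ok' if p in LOCAL_KEYTAB else 'FAIL'}")
```

Running it prints one line per URI and mode: the ldapi bind only finds its key under LDAPI_ONLY or ALWAYS, the bind to the remote master only under NO_OVERRIDE or LDAPI_ONLY, and SSSD only finds its host/ key once ipa_hostname is set. LDAPI_ONLY is the single mode that passes all three, which is the behaviour of the final patch.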
