[Freeipa-devel] KeyError raised upon replica installation

Ludwig Krispenz lkrispen at redhat.com
Wed Jun 3 12:21:25 UTC 2015


On 06/03/2015 02:05 PM, Oleg Fayans wrote:
> Update:
>
> The original error occurs ONLY when installing a replica from a gpg 
> file prepared on a master running FreeIPA 4.1.2.
but this should be covered with patch 0010
> If The master runs the upstream code, it works.
>
> On 06/02/2015 02:11 PM, Martin Babinsky wrote:
>> On 06/02/2015 02:07 PM, Martin Babinsky wrote:
>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>> Hi all,
>>>>
>>>> The following error was caught during replica installation (I used all
>>>> the latest patches from Ludwig and Martin Basti):
>>>>
>>>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
>>>> --setup-dns --forwarder 10.38.5.26
>>>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
>>>> Directory Manager (existing master) password:
>>>>
>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
>>>> Checking forwarders, please wait ...
>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>> Run connection check to master
>>>> Check connection from replica to remote master 
>>>> 'upgrademaster.zaeba.li':
>>>>     Directory Service: Unsecure port (389): OK
>>>>     Directory Service: Secure port (636): OK
>>>>     Kerberos KDC: TCP (88): OK
>>>>     Kerberos Kpasswd: TCP (464): OK
>>>>     HTTP Server: Unsecure port (80): OK
>>>>     HTTP Server: Secure port (443): OK
>>>>
>>>> The following list of ports use UDP protocol and would need to be
>>>> checked manually:
>>>>     Kerberos KDC: UDP (88): SKIPPED
>>>>     Kerberos Kpasswd: UDP (464): SKIPPED
>>>>
>>>> Connection from replica to master is OK.
>>>> Start listening on required ports for remote master check
>>>> Get credentials to log in to remote master
>>>> admin at ZAEBA.LI password:
>>>>
>>>> Check SSH connection to remote master
>>>> Execute check on remote master
>>>> Check connection from master to remote replica 'replica1.zaeba.li':
>>>>     Directory Service: Unsecure port (389): OK
>>>>     Directory Service: Secure port (636): OK
>>>>     Kerberos KDC: TCP (88): OK
>>>>     Kerberos KDC: UDP (88): OK
>>>>     Kerberos Kpasswd: TCP (464): OK
>>>>     Kerberos Kpasswd: UDP (464): OK
>>>>     HTTP Server: Unsecure port (80): OK
>>>>     HTTP Server: Secure port (443): OK
>>>>
>>>> Connection from master to replica is OK.
>>>>
>>>> Connection check OK
>>>> Configuring NTP daemon (ntpd)
>>>>    [1/4]: stopping ntpd
>>>>    [2/4]: writing configuration
>>>>    [3/4]: configuring ntpd to start on boot
>>>>    [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>    [1/37]: creating directory server user
>>>>    [2/37]: creating directory server instance
>>>>    [3/37]: adding default schema
>>>>    [4/37]: enabling memberof plugin
>>>>    [5/37]: enabling winsync plugin
>>>>    [6/37]: configuring replication version plugin
>>>>    [7/37]: enabling IPA enrollment plugin
>>>>    [8/37]: enabling ldapi
>>>>    [9/37]: configuring uniqueness plugin
>>>>    [10/37]: configuring uuid plugin
>>>>    [11/37]: configuring modrdn plugin
>>>>    [12/37]: configuring DNS plugin
>>>>    [13/37]: enabling entryUSN plugin
>>>>    [14/37]: configuring lockout plugin
>>>>    [15/37]: configuring topology plugin
>>>>    [16/37]: creating indices
>>>>    [17/37]: enabling referential integrity plugin
>>>>    [18/37]: configuring ssl for ds instance
>>>>    [19/37]: configuring certmap.conf
>>>>    [20/37]: configure autobind for root
>>>>    [21/37]: configure new location for managed entries
>>>>    [22/37]: configure dirsrv ccache
>>>>    [23/37]: enable SASL mapping fallback
>>>>    [24/37]: restarting directory server
>>>>    [25/37]: setting up initial replication
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress, 7 seconds elapsed
>>>> Update succeeded
>>>>
>>>>    [26/37]: updating schema
>>>>    [27/37]: setting Auto Member configuration
>>>>    [28/37]: enabling S4U2Proxy delegation
>>>>    [29/37]: importing CA certificates from LDAP
>>>>    [30/37]: initializing group membership
>>>>    [31/37]: adding master entry
>>>> ipa         : CRITICAL Failed to load master-entry.ldif: Command
>>>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
>>>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
>>>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
>>>>    [32/37]: initializing domain level
>>>>    [33/37]: configuring Posix uid/gid generation
>>>>    [34/37]: adding replication acis
>>>>    [35/37]: enabling compatibility plugin
>>>>    [36/37]: tuning directory server
>>>>    [37/37]: configuring directory to start on boot
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>> 30 seconds
>>>>    [1/21]: creating certificate server user
>>>>    [2/21]: configuring certificate server instance
>>>>    [3/21]: stopping certificate server instance to update CS.cfg
>>>>    [4/21]: backing up CS.cfg
>>>>    [5/21]: disabling nonces
>>>>    [6/21]: set up CRL publishing
>>>>    [7/21]: enable PKIX certificate path discovery and validation
>>>>    [8/21]: starting certificate server instance
>>>>    [9/21]: creating RA agent certificate database
>>>>    [10/21]: importing CA chain to RA certificate database
>>>>    [11/21]: fixing RA database permissions
>>>>    [12/21]: setting up signing cert profile
>>>>    [13/21]: set certificate subject base
>>>>    [14/21]: enabling Subject Key Identifier
>>>>    [15/21]: enabling Subject Alternative Name
>>>>    [16/21]: enabling CRL and OCSP extensions for certificates
>>>>    [17/21]: setting audit signing renewal to 2 years
>>>>    [18/21]: configure certmonger for renewals
>>>>    [19/21]: configure certificate renewals
>>>>    [20/21]: configure Server-Cert certificate renewal
>>>>    [21/21]: Configure HTTP to proxy connections
>>>> Done configuring certificate server (pki-tomcatd).
>>>> Restarting the directory and certificate servers
>>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>>>    [1/8]: adding sasl mappings to the directory
>>>>    [2/8]: configuring KDC
>>>>    [3/8]: creating a keytab for the directory
>>>>    [4/8]: creating a keytab for the machine
>>>>    [5/8]: adding the password extension to the directory
>>>>    [6/8]: enable GSSAPI for replication
>>>>    [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Traceback (most recent call last):
>>>>    File "/sbin/ipa-replica-install", line 162, in <module>
>>>>      fail_message=fail_message)
>>>>    File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>> line 760, in run_script
>>>>      message, exitcode = handle_error(error, log_file_name)
>>>>    File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>> line 799, in handle_error
>>>>      type(error).__name__, error.args[0]['info']), 1
>>>> KeyError: 'info'
>>>>
>>>> It needs to be noted, that the replica file was prepared on the master
>>>> running standard 4.1.2 freeipa-server.
>>>>
>>>> The log is attached
>>>>
>>>>
>>>>
>>>>
>>>
>>> Hi Oleg,
>>>
>>> I have encountered a different error during the same step (see
>>> http://pastebin.test.redhat.com/287218) while reviewing pvoborni's
>>> topology API commands. In this case both server and the replica were
>>> from current freeipa-master (HEAD was at commit
>>> e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7).
>>>
>>> I have also noticed that everything works if I run ipa-replica-install
>>> without '--setup-ca' flag and then install CA separately using
>>> 'ipa-ca-install'.
>>>
>>> I will open a ticket for this if you or anyone else will be able to
>>> reproduce this behavior.
>>>
>> Ah seems like I have just hit 
>> https://fedorahosted.org/freeipa/ticket/5035. Nevermind.
>>
>
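The KeyError in the traceback above is the installer's error reporter itself failing: it reads `error.args[0]['info']`, but the NO_SUCH_OBJECT result carries only a `desc` key, so the real LDAP failure gets masked by a secondary crash. As an added illustration that is not FreeIPA's installutils code (the `LdapError` class and the handler names are assumptions), here is the fragile access beside a hardened handler that always yields the original error to the operator:

```python
"""Hypothetical reproduction of the handle_error KeyError seen in the
traceback above. Added example, not FreeIPA's installutils.py; the
exception class and handler names are assumptions."""


class LdapError(Exception):
    """Stand-in for a python-ldap style exception: args[0] is a dict that
    always carries 'desc' but only sometimes carries 'info'."""


def handle_error_fragile(error):
    """Mirrors the shape of the failing line in the traceback: it assumes
    every LDAP error dict has an 'info' key."""
    return "%s: %s" % (type(error).__name__, error.args[0]['info']), 1


def handle_error_robust(error):
    """Hardened variant: the reporter must never raise on its own.

    Uses 'info' when present, falls back to 'desc', and finally to
    str(error), so the original failure is what the operator sees."""
    detail = None
    if error.args and isinstance(error.args[0], dict):
        payload = error.args[0]
        detail = payload.get('info') or payload.get('desc')
    if not detail:
        detail = str(error)
    return "%s: %s" % (type(error).__name__, detail), 1


def classify(handler, error):
    """Run a handler and report whether it produced a message or crashed.
    Returns (status, message_or_exception_text)."""
    try:
        message, _exitcode = handler(error)
        return "reported", message
    except KeyError as e:
        return "crashed", "KeyError: %r" % e.args[0]


# Constructed sample: the exact dict shape shown in the log, no 'info' key.
NO_SUCH_OBJECT = LdapError({'desc': 'No such object'})
# Constructed sample: an error that does carry 'info'.
WITH_INFO = LdapError({'desc': 'Constraint violation',
                       'info': 'replication ACI missing'})


if __name__ == "__main__":
    for err in (NO_SUCH_OBJECT, WITH_INFO):
        print(classify(handle_error_fragile, err))
        print(classify(handle_error_robust, err))
```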



