[Freeipa-devel] KeyError raised upon replica installation
Oleg Fayans
ofayans at redhat.com
Wed Jun 3 12:57:08 UTC 2015
BTW, Ludwig, it seems you forgot to attach the 0010 patch to your email.
At least, your first letter from 06/02/2015 05:08 PM, containing PATCH
0010, does not have the actual patch.
On 06/03/2015 02:53 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> I'll rebuild the packages again with the whole set of patches
> including 0010 and 0011 and try again. Thanks!
>
> On 06/03/2015 02:21 PM, Ludwig Krispenz wrote:
>>
>> On 06/03/2015 02:05 PM, Oleg Fayans wrote:
>>> Update:
>>>
>>> The original error occurs ONLY when installing a replica from a gpg
>>> file prepared on a master running FreeIPA 4.1.2.
>> but this should be covered with patch 0010
>>> If the master runs the upstream code, it works.
>>>
>>> On 06/02/2015 02:11 PM, Martin Babinsky wrote:
>>>> On 06/02/2015 02:07 PM, Martin Babinsky wrote:
>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> The following error was caught during replica installation (I
>>>>>> used all
>>>>>> the latest patches from Ludwig and Martin Basti):
>>>>>>
>>>>>> root at localhost:/home/ofayans/rpms]$ ipa-replica-install --setup-ca
>>>>>> --setup-dns --forwarder 10.38.5.26
>>>>>> /var/lib/ipa/replica-info-replica1.zaeba.li.gpg
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>>>> Adding [192.168.122.210 replica1.zaeba.li] to your /etc/hosts file
>>>>>> Checking forwarders, please wait ...
>>>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>>>> Run connection check to master
>>>>>> Check connection from replica to remote master
>>>>>> 'upgrademaster.zaeba.li':
>>>>>> Directory Service: Unsecure port (389): OK
>>>>>> Directory Service: Secure port (636): OK
>>>>>> Kerberos KDC: TCP (88): OK
>>>>>> Kerberos Kpasswd: TCP (464): OK
>>>>>> HTTP Server: Unsecure port (80): OK
>>>>>> HTTP Server: Secure port (443): OK
>>>>>>
>>>>>> The following list of ports use UDP protocol and would need to be
>>>>>> checked manually:
>>>>>> Kerberos KDC: UDP (88): SKIPPED
>>>>>> Kerberos Kpasswd: UDP (464): SKIPPED
>>>>>>
>>>>>> Connection from replica to master is OK.
>>>>>> Start listening on required ports for remote master check
>>>>>> Get credentials to log in to remote master
>>>>>> admin at ZAEBA.LI password:
>>>>>>
>>>>>> Check SSH connection to remote master
>>>>>> Execute check on remote master
>>>>>> Check connection from master to remote replica 'replica1.zaeba.li':
>>>>>> Directory Service: Unsecure port (389): OK
>>>>>> Directory Service: Secure port (636): OK
>>>>>> Kerberos KDC: TCP (88): OK
>>>>>> Kerberos KDC: UDP (88): OK
>>>>>> Kerberos Kpasswd: TCP (464): OK
>>>>>> Kerberos Kpasswd: UDP (464): OK
>>>>>> HTTP Server: Unsecure port (80): OK
>>>>>> HTTP Server: Secure port (443): OK
>>>>>>
>>>>>> Connection from master to replica is OK.
>>>>>>
>>>>>> Connection check OK
>>>>>> Configuring NTP daemon (ntpd)
>>>>>> [1/4]: stopping ntpd
>>>>>> [2/4]: writing configuration
>>>>>> [3/4]: configuring ntpd to start on boot
>>>>>> [4/4]: starting ntpd
>>>>>> Done configuring NTP daemon (ntpd).
>>>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>>> [1/37]: creating directory server user
>>>>>> [2/37]: creating directory server instance
>>>>>> [3/37]: adding default schema
>>>>>> [4/37]: enabling memberof plugin
>>>>>> [5/37]: enabling winsync plugin
>>>>>> [6/37]: configuring replication version plugin
>>>>>> [7/37]: enabling IPA enrollment plugin
>>>>>> [8/37]: enabling ldapi
>>>>>> [9/37]: configuring uniqueness plugin
>>>>>> [10/37]: configuring uuid plugin
>>>>>> [11/37]: configuring modrdn plugin
>>>>>> [12/37]: configuring DNS plugin
>>>>>> [13/37]: enabling entryUSN plugin
>>>>>> [14/37]: configuring lockout plugin
>>>>>> [15/37]: configuring topology plugin
>>>>>> [16/37]: creating indices
>>>>>> [17/37]: enabling referential integrity plugin
>>>>>> [18/37]: configuring ssl for ds instance
>>>>>> [19/37]: configuring certmap.conf
>>>>>> [20/37]: configure autobind for root
>>>>>> [21/37]: configure new location for managed entries
>>>>>> [22/37]: configure dirsrv ccache
>>>>>> [23/37]: enable SASL mapping fallback
>>>>>> [24/37]: restarting directory server
>>>>>> [25/37]: setting up initial replication
>>>>>> Starting replication, please wait until this has completed.
>>>>>> Update in progress, 7 seconds elapsed
>>>>>> Update succeeded
>>>>>>
>>>>>> [26/37]: updating schema
>>>>>> [27/37]: setting Auto Member configuration
>>>>>> [28/37]: enabling S4U2Proxy delegation
>>>>>> [29/37]: importing CA certificates from LDAP
>>>>>> [30/37]: initializing group membership
>>>>>> [31/37]: adding master entry
>>>>>> ipa : CRITICAL Failed to load master-entry.ldif: Command
>>>>>> ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpFlM3mD' '-H'
>>>>>> 'ldap://replica1.zaeba.li:389' '-x' '-D' 'cn=Directory Manager' '-y'
>>>>>> '/tmp/tmpk_R0Lm'' returned non-zero exit status 68
>>>>>> [32/37]: initializing domain level
>>>>>> [33/37]: configuring Posix uid/gid generation
>>>>>> [34/37]: adding replication acis
>>>>>> [35/37]: enabling compatibility plugin
>>>>>> [36/37]: tuning directory server
>>>>>> [37/37]: configuring directory to start on boot
>>>>>> Done configuring directory server (dirsrv).
>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
>>>>>> minutes
>>>>>> 30 seconds
>>>>>> [1/21]: creating certificate server user
>>>>>> [2/21]: configuring certificate server instance
>>>>>> [3/21]: stopping certificate server instance to update CS.cfg
>>>>>> [4/21]: backing up CS.cfg
>>>>>> [5/21]: disabling nonces
>>>>>> [6/21]: set up CRL publishing
>>>>>> [7/21]: enable PKIX certificate path discovery and validation
>>>>>> [8/21]: starting certificate server instance
>>>>>> [9/21]: creating RA agent certificate database
>>>>>> [10/21]: importing CA chain to RA certificate database
>>>>>> [11/21]: fixing RA database permissions
>>>>>> [12/21]: setting up signing cert profile
>>>>>> [13/21]: set certificate subject base
>>>>>> [14/21]: enabling Subject Key Identifier
>>>>>> [15/21]: enabling Subject Alternative Name
>>>>>> [16/21]: enabling CRL and OCSP extensions for certificates
>>>>>> [17/21]: setting audit signing renewal to 2 years
>>>>>> [18/21]: configure certmonger for renewals
>>>>>> [19/21]: configure certificate renewals
>>>>>> [20/21]: configure Server-Cert certificate renewal
>>>>>> [21/21]: Configure HTTP to proxy connections
>>>>>> Done configuring certificate server (pki-tomcatd).
>>>>>> Restarting the directory and certificate servers
>>>>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>>>>> [1/8]: adding sasl mappings to the directory
>>>>>> [2/8]: configuring KDC
>>>>>> [3/8]: creating a keytab for the directory
>>>>>> [4/8]: creating a keytab for the machine
>>>>>> [5/8]: adding the password extension to the directory
>>>>>> [6/8]: enable GSSAPI for replication
>>>>>> [error] NO_SUCH_OBJECT: {'desc': 'No such object'}
>>>>>>
>>>>>> Your system may be partly configured.
>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>
>>>>>> Traceback (most recent call last):
>>>>>> File "/sbin/ipa-replica-install", line 162, in <module>
>>>>>> fail_message=fail_message)
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>
>>>>>> line 760, in run_script
>>>>>> message, exitcode = handle_error(error, log_file_name)
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>
>>>>>> line 799, in handle_error
>>>>>> type(error).__name__, error.args[0]['info']), 1
>>>>>> KeyError: 'info'
>>>>>>
>>>>>> It needs to be noted that the replica file was prepared on the
>>>>>> master
>>>>>> running standard 4.1.2 freeipa-server.
>>>>>>
>>>>>> The log is attached
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Hi Oleg,
>>>>>
>>>>> I have encountered a different error during the same step (see
>>>>> http://pastebin.test.redhat.com/287218) while reviewing pvoborni's
>>>>> topology API commands. In this case both server and the replica were
>>>>> from current freeipa-master (HEAD was at commit
>>>>> e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7).
>>>>>
>>>>> I have also noticed that everything works if I run
>>>>> ipa-replica-install
>>>>> without '--setup-ca' flag and then install CA separately using
>>>>> 'ipa-ca-install'.
>>>>>
>>>>> I will open a ticket for this if you or anyone else will be able to
>>>>> reproduce this behavior.
>>>>>
>>>> Ah seems like I have just hit
>>>> https://fedorahosted.org/freeipa/ticket/5035. Never mind.
>>>>
>>>
>>
>
--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
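
Added example, not part of the thread and not FreeIPA code: the traceback above shows the error handler indexing error.args[0]['info'] on an LDAP error whose dictionary only carries 'desc', so the real NO_SUCH_OBJECT failure is replaced by KeyError: 'info'. The sketch below reproduces that masking and shows a tolerant formatter; the exception classes are constructed stand-ins for the LDAP library's exceptions, and all function names are hypothetical.

```python
# Constructed stand-ins for LDAP exceptions: args[0] is a dict of optional
# fields. In the thread's error only 'desc' was present.
class LDAPError(Exception):
    pass

class NO_SUCH_OBJECT(LDAPError):
    pass

class CONSTRAINT_VIOLATION(LDAPError):
    pass

def fragile_message(error):
    # Same indexing pattern as the line quoted in the traceback: assumes
    # the 'info' key is always there.
    return "%s: %s" % (type(error).__name__, error.args[0]['info'])

def describe_ldap_error(error):
    """Hypothetical helper: build a message without assuming any key exists."""
    name = type(error).__name__
    detail = error.args[0] if error.args else None
    if isinstance(detail, dict):
        # Use whichever of the human-readable fields are present, in order.
        parts = [str(detail[k]) for k in ('desc', 'info') if detail.get(k)]
        return "%s: %s" % (name, ": ".join(parts)) if parts else name
    if detail is not None:
        return "%s: %s" % (name, detail)
    return name

def reproduce():
    """Return (what the fragile handler reports, what the tolerant one reports)."""
    error = NO_SUCH_OBJECT({'desc': 'No such object'})  # as shown in the log
    try:
        fragile_message(error)
        masked_by = None
    except KeyError as exc:
        # The installer's own failure now hides the LDAP failure.
        masked_by = "KeyError: %r" % exc.args[0]
    return masked_by, describe_ldap_error(error)

if __name__ == "__main__":
    print(reproduce())
```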