Ipaserver installation failed #1200
Comments
Can you share what's on ipaserver-install.log? |
Hi, |
I had the same issue, enabling setup of kra solved the issue |
This does fix it for me. I started seeing this issue Jan 9 or 10. What changed then? FWIW, I noticed a working version we have used |
Can you provide the output of the command Note that this command needs to be executed on the target node, not on the controller. |
Great! |
$ rpm -q ipa-server ipa-client 389-ds-base idm-pki-ca krb5-server
ipa-server-4.9.12-11.module+el8.9.0+1652+4ee71f6a.x86_64
ipa-client-4.9.12-11.module+el8.9.0+1652+4ee71f6a.x86_64
389-ds-base-1.4.3.37-2.module+el8.9.0+1655+39468843.x86_64
idm-pki-ca-10.14.3-1.module+el8.8.0+1160+940e4769.noarch
krb5-server-1.18.2-26.el8.x86_64 |
I confirmed that "there is an issue", I'm still not sure what's going on, but plan to fix it on |
Hi, any news here? Can we help in any way? :) |
Hi, |
The SID/MS-PAC issue may have impacted ansible-freeipa, but it is a different issue. We are facing problems deploying the first server on CentOS 8 (and its derivatives), so there's no user yet. I'm still looking into it, but it will take some time, as I'll have very little time next week (due to vacations). |
BTW... you should NOT be using |
Sorry if I was unclear, I was talking about different, completely separate environments. We have a few existing environments that just got updated to 4.9.12-11. I'm also currently working on setting up a new environment where I walked into this issue. Hope you have nice holidays :) Thanks for the hint @talleno, I will have a look |
No need to be sorry, you guys uncovered a big issue we haven't seen before. Thank you for that. My comment was just to set the proper use of the roles, in case someone misunderstands what is going on. |
Do you still have logs from the failed target? If so, can you provide krb5kdc.log? If not, can you for a new install attempt and get those installer logs and krb5kdc.log? |
Of course, here you go: |
Thanks, so this is a timing issue.
KDC driver doesn't see yet that a SID generation task run by the installer was completed and used old view (SIDs not yet available). I think we would fix this by restarting KDC after sidgen step in IPA installer. @rjeffman, I remember @jrisc was looking into a similar issue recently, but I don't see that change merged anywhere. |
As FreeIPA now requires MS-PAC to be set in ipaKrbAuthzData to trigger PAC generation, there's a timing issue that causes API malfunction which is long enough to cause the client part installation to fail. By restarting KDC after DS password is set, we force cached values to be refreshed, allowing the API to work correctly. Fixes freeipa#1200
As FreeIPA now requires MS-PAC to be set in ipaKrbAuthzData to trigger PAC generation, there's a timing issue that causes API malfunction which is long enough to cause the client part installation to fail. By restarting KDC after DS password is set, we force cached values to be refreshed, allowing the API to work correctly. Resolves: freeipa#1200
PR #1206 was proposed as a fix to this issue. It would be really nice if anyone having this issue can test the patch and report back the results on your environment. As it is related to a timing issue, none of the proposed workarounds worked on my labs. |
Using the PR #1206 the playbook runs without error, and the FreeIPA installation seems to work :D |
Will you release a new version to ansible galaxy containing the fix in the near future, or should we use the master branch? |
We expect to release a new version soon. |
Hi,
I install freeipa using ansible collection (v1.12.0) on rocky 8 OS.
I noticed that for a few days installation of server failed with the following error.
After some investigation, I found that installation is ok with this version of package "ipa-server-4.9.12-9.module+el8.9.0+1534+4fa0f2bf.x86_64" but failed with the latest "ipa-server-4.9.12-11.module+el8.9.0+1652+4ee71f6a.x86_64".
Installation is ok when I install ipa-server manually using ipa-server-install command.
I've done a lot of tests but I haven't been able to identify the exact cause of the problem.
Regards.
Thierry