Ticket #3570 (assigned defect)

Opened 12 months ago

Last modified 2 months ago

Installation fails when server hostname = domain

Reported by: mkosek
Owned by: tbabej
Priority: major
Milestone: Future Releases
Component: Installation
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Affects Documentation: no
Patch posted for review: no
Red Hat Bugzilla: todo
Patch review by:
External tracker:
Design link:
Needs UI design:
Fedora test page:
Feature:
Source:
Expertise:
Release Notes:

Description

# ipa-server-install -a secret123 -p secret123 --domain=ipa1.example.org --realm=IPA1.EXAMPLE.ORG --setup-dns --no-forwarders -U --hostname=ipa1.example.org --ip-address $IP_ADDRESS

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host ipa1.example.org

Warning: hostname ipa1.example.org does not match system hostname vm-037.idm.lab.bos.redhat.com.
System hostname will be updated during the installation process
to prevent service failures.

Adding [IP_ADDRESS ipa1.example.org] to your /etc/hosts file
Using reverse zone xx.xx.xx.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa1.example.org
IP address:    IP_ADDRESS
Domain name:   ipa1.example.org
Realm name:    IPA1.EXAMPLE.ORG
...
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# host `hostname`
Host ipa1.example.org.ipa1.example.org not found: 2(SERVFAIL)

# service named status
Redirecting to /bin/systemctl status  named.service
named.service - Berkeley Internet Name Domain (DNS)
	  Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
	  Active: active (running) since Wed 2013-04-17 10:11:31 EDT; 7min ago
	Main PID: 31878 (named)
	  CGroup: name=systemd:/system/named.service
		  `-31878 /usr/sbin/named -u named

Apr 17 10:12:42 ipa1.example.org named[31878]: ldap_psearch_watcher failed to handle LDAP connecti...60s
Apr 17 10:12:46 ipa1.example.org systemd[1]: Started Berkeley Internet Name Domain (DNS).
Apr 17 10:13:42 ipa1.example.org named[31878]: connection to the LDAP server was lost
Apr 17 10:13:42 ipa1.example.org named[31878]: successfully reconnected to LDAP server
Apr 17 10:13:42 ipa1.example.org named[31878]: LDAP error: Can't contact LDAP server
Apr 17 10:13:42 ipa1.example.org named[31878]: connection to the LDAP server was lost
Apr 17 10:13:42 ipa1.example.org named[31878]: successfully reconnected to LDAP server
Apr 17 10:13:42 ipa1.example.org named[31878]: zone ipa1.example.org/IN: NS 'ipa1.example.org' has...AA)
Apr 17 10:13:42 ipa1.example.org named[31878]: zone ipa1.example.org/IN: not loaded due to errors.
Apr 17 10:13:42 ipa1.example.org named[31878]: update_zone (psearch) failed for 'idnsname=ipa1.exa...one

The problem is that the A record is missing:

# ipa dnsrecord-find ipa1.example.org
  Record name: @
  NS record: ipa1.example.org.
  SSHFP record: 2 1 0604E5B13A08F88E93F4CC1496E99648F7C45232, 2 2
                7472D615267A207B3EAA2A5B8CCB82A0D36EA1836EA4539F87E3D6FA 27F3914F, 1 1
                0383AEA3FA5C8626F0AD8370E7BDD74F61D3B41D, 1 2
                98DC7D67058FF6CE2D1A61A9C6281787315BA21A8DB6764526272C60 6E2FA929

  Record name: _kerberos
  TXT record: IPA1.EXAMPLE.ORG

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 ipa1.example.org.

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 ipa1.example.org.

  Record name: _kerberos._tcp
  SRV record: 0 100 88 ipa1.example.org.

  Record name: _kerberos._udp
  SRV record: 0 100 88 ipa1.example.org.

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 ipa1.example.org.

  Record name: _kpasswd._udp
  SRV record: 0 100 464 ipa1.example.org.

  Record name: _ldap._tcp
  SRV record: 0 100 389 ipa1.example.org.

  Record name: _ntp._udp
  SRV record: 0 100 123 ipa1.example.org.

  Record name: ipa-ca
  A record: IP_ADDRESS
-----------------------------
Number of entries returned 11
-----------------------------
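A defender-side sanity check for the state shown above, added here as an example; it is not FreeIPA's own code. It assumes nothing about FreeIPA internals beyond the `ipa dnsrecord-find` text layout quoted in the ticket; the function names, the abridged sample and the address 192.0.2.10 (standing in for the masked IP_ADDRESS) are constructed. It parses the record listing, flags every NS target inside the zone that has no A/AAAA record (the condition that left the zone "not loaded due to errors"), and adds a pre-flight test for hostname == domain:

```python
"""Zone sanity check for the hostname == domain case described above.

Added example, not FreeIPA project code. It parses the text layout that
`ipa dnsrecord-find` prints (one block per owner name, "Record name: X"
followed by "<TYPE> record: v1, v2, ..." lines whose values may wrap onto
indented continuation lines) and then reports every NS target that lives
inside the zone but has no A/AAAA record, which is the state that left
the ipa1.example.org zone "not loaded due to errors" in the ticket.
"""
import re

# Constructed sample, abridged from the ticket's `ipa dnsrecord-find`
# output; the address 192.0.2.10 stands in for the masked IP_ADDRESS.
SAMPLE_OUTPUT = """\
  Record name: @
  NS record: ipa1.example.org.
  SSHFP record: 2 1 0604E5B13A08F88E93F4CC1496E99648F7C45232, 2 2
                7472D615267A207B3EAA2A5B8CCB82A0D36EA1836EA4539F87E3D6FA 27F3914F

  Record name: _kerberos
  TXT record: IPA1.EXAMPLE.ORG

  Record name: _ldap._tcp
  SRV record: 0 100 389 ipa1.example.org.

  Record name: ipa-ca
  A record: 192.0.2.10
-----------------------------
Number of entries returned 4
-----------------------------
"""

RECORD_NAME = re.compile(r"Record name: (\S+)$")
RRSET_LINE = re.compile(r"([A-Z]+) record: (.*)$")


def parse_dnsrecord_find(text):
    """Return {owner: {rtype: [values]}} from ipa dnsrecord-find output."""
    raw = {}            # owner -> rtype -> list of text fragments
    owner = rtype = None
    for line in text.splitlines():
        line = line.strip()
        # A blank line or the trailing summary ends the current block.
        if not line or line.startswith("---") or line.startswith("Number of entries"):
            owner = rtype = None
            continue
        m = RECORD_NAME.match(line)
        if m:
            owner, rtype = m.group(1), None
            raw.setdefault(owner, {})
            continue
        m = RRSET_LINE.match(line)
        if m and owner is not None:
            rtype = m.group(1)
            raw[owner].setdefault(rtype, []).append(m.group(2))
            continue
        if owner is not None and rtype is not None:
            # Wrapped continuation of the previous "<TYPE> record:" line.
            raw[owner][rtype].append(line)
    # Values are comma separated and may span lines, so join first, then split.
    return {
        o: {t: [v.strip() for v in " ".join(parts).split(",") if v.strip()]
            for t, parts in rrsets.items()}
        for o, rrsets in raw.items()
    }


def find_ns_without_address(records, zone):
    """Return (owner, ns_target) pairs where the NS target is inside `zone`
    but no A/AAAA record exists for it, i.e. the nameserver cannot be
    resolved from the zone's own data and named refuses to load the zone."""
    zone = zone.rstrip(".").lower()
    problems = []
    for owner, rrsets in records.items():
        for target in rrsets.get("NS", []):
            t = target.rstrip(".").lower()
            if t == zone:
                label = "@"
            elif t.endswith("." + zone):
                label = t[: -len(zone) - 1]
            else:
                continue  # NS hosted outside this zone; no in-zone address expected
            addrs = records.get(label, {})
            if not addrs.get("A") and not addrs.get("AAAA"):
                problems.append((owner, target))
    return problems


def hostname_equals_domain(hostname, domain):
    """Pre-flight check: True when the server FQDN is the zone apex itself."""
    return hostname.rstrip(".").lower() == domain.rstrip(".").lower()


if __name__ == "__main__":
    recs = parse_dnsrecord_find(SAMPLE_OUTPUT)
    for owner, target in find_ns_without_address(recs, "ipa1.example.org"):
        print(f"NS {target} (owner {owner}) has no A/AAAA record in the zone")
    if hostname_equals_domain("ipa1.example.org", "ipa1.example.org"):
        print("hostname equals domain: the host's A record must live at the zone apex (@)")
```

Run it against the saved output of `ipa dnsrecord-find <zone>` instead of the sample to check a live zone. On the listing from the ticket it reports the apex NS `ipa1.example.org.` as unresolvable, because with hostname equal to domain the host's own A record has to be the `@` record, and that record is the one the installer did not create.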

Change History

comment:1 Changed 12 months ago by tbabej

  • Owner changed from someone to tbabej

comment:2 Changed 12 months ago by tbabej

  • Status changed from new to assigned

comment:3 Changed 12 months ago by dpal

  • Milestone changed from 0.0 NEEDS_TRIAGE to Pilsner barrel
  • Red Hat Bugzilla set to todo

comment:4 Changed 2 months ago by mkosek

  • Component changed from IPA to Installation