#5071 testing ipa-restore on fresh system install fails
Closed: Fixed None Opened 8 years ago by pvoborni.

There is additional info in the Bugzilla.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1232819

Description of problem:

I did an ipa-server-install, added a few users, then did a full ipa-backup.  I
then did an ipa-server-install --uninstall followed by an ipa-restore.  It
worked.  I re-kickstarted the system ensuring that the ipa-server package was
installed.  I then ran the ipa-restore again.  This time, the restore failed
because /var/log/dirsrv did not exist. In fact, just to point out that directly
after kickstart, the dirsrv user and dirsrv group didn't exist yet.  They seem
to get added when running ipa-restore.   I created /var/log/dirsrv, and made it
owned by dirsrv:dirsrv but then there was an issue because
/var/log/dirsrv/slapd-EECS-YORKU-CA (domain dir) didn't exist.  I created it,
but then there was an additional issue because the server had a permission
denied error when writing to /var/log/dirsrv/slapd-EECS-YORKU-CA (even though
they were all owned by dirsrv:dirsrv).  This is most certainly an SELinux
issue. I rekickstarted the system with SELinux permissive.  Again after running
ipa-restore, there was the error about /var/log/dirsrv not existing.  Again, I
created it, and the internal slapd and everything worked.  I would certainly
expect that ipa-restore is able to complete the restore process without
assistance running SELinux in permissive or enforcing mode.

(It's surprising because I did notice some SELinux fixes made not that long
ago.  I would have thought that with the fixes, everything would work.)

How reproducible:

ipa-server-install
ipa-backup
re-kickstart
ipa-restore

So it seems that the authconfig needs to be run during restore so that PAM changes are applied. This is strange, however. I thought that in the previous Fedoras, SSSD was added to nsswitch and PAM by default. I do not see it there now.

named-pkcs11 failed to start as well.

(gdb) bt
#0  0x00007fae5f665a98 in raise () from /lib64/libc.so.6
#1  0x00007fae5f66772a in abort () from /lib64/libc.so.6
#2  0x00007fae62d6e459 in assertion_failed ()
#3  0x00007fae622aad6a in isc_assertion_failed () from /lib64/libisc-pkcs11.so.148
#4  0x00007fae622d7d3d in isc_entropy_getdata () from /lib64/libisc-pkcs11.so.148
#5  0x00007fae62d53825 in create_view ()
#6  0x00007fae62d89735 in load_configuration ()
#7  0x00007fae62d8b158 in run_server ()
#8  0x00007fae622cd030 in run () from /lib64/libisc-pkcs11.so.148
#9  0x00007fae60480555 in start_thread () from /lib64/libpthread.so.0
#10 0x00007fae5f732f3d in clone () from /lib64/libc.so.6

master:

  • db88985 Backup/resore authentication control configuration

ipa-4-2:

  • 4fe994b Backup/resore authentication control configuration
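
A post-restore check for the gap described in the authconfig comment above (SSSD absent from nsswitch and PAM after a restore onto a fresh install). This is an added example, not code from the ticket or from FreeIPA. The choice of NSS databases (passwd, group) and PAM types to require is an assumption, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: confirm SSSD is wired into NSS and PAM after ipa-restore.
# File paths are arguments, so it can be run on copies as well as on /etc.

# nss_has_sss FILE DB: succeeds if the "DB:" line lists the sss source
nss_has_sss() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                          # strip comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# pam_has_sss FILE TYPE: succeeds if an active TYPE line loads pam_sss.so
pam_has_sss() {
    awk -v t="$2" '
        /^[ \t]*#/ { next }
        { type = $1; sub(/^-/, "", type) }          # "-auth" is still type auth
        type == t {                                 # control may be "[a=b c=d]", so scan fields
            for (i = 3; i <= NF; i++) if ($i ~ /(^|\/)pam_sss\.so$/) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_sssd_wiring NSSWITCH PAMFILE...: prints each gap, returns the gap count
check_sssd_wiring() {
    nss=$1; shift; gaps=0
    for db in passwd group; do
        nss_has_sss "$nss" "$db" || { echo "MISSING sss: $nss $db"; gaps=$((gaps + 1)); }
    done
    for pam in "$@"; do
        for t in auth account password session; do
            pam_has_sss "$pam" "$t" || { echo "MISSING pam_sss.so: $pam $t"; gaps=$((gaps + 1)); }
        done
    done
    return "$gaps"
}

# Constructed sample: a fresh install where authconfig has not been run.
demo=$(mktemp -d)
printf 'passwd: files\ngroup:  files sss  # partly configured\n' > "$demo/nsswitch.conf"
printf 'auth sufficient pam_unix.so\naccount [default=bad success=ok user_unknown=ignore] pam_sss.so\n' > "$demo/system-auth"
check_sssd_wiring "$demo/nsswitch.conf" "$demo/system-auth" || echo "gaps: $?"
```

On a restored server, pass the live files instead, for example /etc/nsswitch.conf followed by the PAM stack files in /etc/pam.d that the system uses.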

Metadata Update from @pvoborni:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
