[Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

Martin Kosek mkosek at redhat.com
Thu May 26 07:45:57 UTC 2011


On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
> >> The hostname is passed in during the server installation. We should use
> >> this hostname for the resulting server as well. It was being discarded
> >> and we always used the system hostname value.
> >>
> >> ticket 1052
> >>
> >> rob
> >
> > I have to NACK this again. I have a problem communicating with IPA on a
> > master machine. I reproduced it on 2 different machines. Please correct
> > my steps if I am wrong; I do the following procedure:
> >
> > 1) I prepare a fresh minimal F-15
> > 2) Install freeipa-server (current master with your patches)
> > 3) Add custom hostname to /etc/hosts
> > 4) Install IPA server:
> > ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
> > 5) # kinit admin
> > Password for admin at IDM.LAB.BOS.REDHAT.COM:
> > 6) # ipa user-show admin
> > ipa: ERROR: cannot connect to 'any of the configured servers':
> > https://ipa.idm.lab.bos.redhat.com/ipa/xml,
> > https://ipa.idm.lab.bos.redhat.com/ipa/xml
> >
> > # ping -c 1 ipa.idm.lab.bos.redhat.com
> > PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
> > 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
> > ttl=64 time=0.049 ms
> >
> > Apache error_log shows relevant errors:
> >
> > [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Permission denied)
> > [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Permission denied)
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in<module 'threading' from '/usr/lib64/python2.7/threading.pyc'>  ignored
> > [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
> > [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
> > [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
> > [Wed May 25 06:43:57 2011] [notice] Digest: done
> > [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
> > [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
> > [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.Backend.ldap2.connect(ccache=ccache)
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = self.create_connection(*args, **kw)
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return f(*new_args, **kwargs)
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, **{})
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise errors.DatabaseError(desc=desc, info=info)
> > [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
> > [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> >
> >
> > You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.
> >
> > Martin
> >
> 
> The LDAP connection was still using the system hostname value. I added a 
> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we 
> initialize an LDAP connection and that seems to have fixed it.
> 
> Updated patch attached
> 
> rob

NACK. The problem on a master is gone. However, now ipa-replica-install
is failing:

# ipa-replica-install /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg 
Directory Manager (existing master) password: 

creation of replica failed: Can't contact LDAP server: 


I found out that the root cause of the failure is in the change you just
made in ldap2.py:

    def create_connection(self, ccache=None, bind_dn='', bind_pw='',
            tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
            debug_level=0):
...
        try:
            conn = _ldap.initialize(self.ldap_uri)
            conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)  <--
            if ccache is not None:
                os.environ['KRB5CCNAME'] = ccache
...

because api.env.host points to the local host and not the remote master.
When I commented this line out, installation continued OK. Then, it
crashed again with our "favorite" dogtag's "invalid clone_uri"
exception.

Since we see this error also in other scenarios (not only custom
--hostname) and the root cause is not in your patch, I can ACK your patch
762 once the replica install bug is fixed.

Martin
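Added illustration of the failure Martin describes (this is not FreeIPA's code and not the fix that was eventually committed): a pure-Python model of what value ends up in conn.set_option(_ldap.OPT_HOST_NAME, ...). patched_choice reproduces the quoted line, which always hands api.env.host to SASL; uri_aware_choice is a hypothetical alternative that keeps the configured --hostname for local connections but leaves the URI's host alone when the framework talks to another server, as ipa-replica-install does. The helper names, the scenario table and the ldapi socket path are constructed; the host names are the ones from the thread. No python-ldap is needed to run it.

```python
"""Model of the OPT_HOST_NAME choice discussed in the thread.

Hypothetical helpers (not FreeIPA's): patched_choice, uri_aware_choice,
run_scenarios. Scenario data is constructed from the host names in the
thread.
"""
from urllib.parse import urlparse

# Names that always mean "this machine", so the configured --hostname
# (api.env.host) is the right GSSAPI target for them.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1", ""}


def patched_choice(ldap_uri, api_env_host):
    """Behaviour of the line quoted from ldap2.py: the framework's own
    hostname is forced onto every connection, whatever the URI names."""
    return api_env_host


def uri_aware_choice(ldap_uri, api_env_host):
    """Pick the host SASL/GSSAPI should canonicalize for this connection.

    Local connections (an ldapi:// socket, a loopback name, or a URI that
    names api.env.host itself) use the configured --hostname, so a system
    hostname that differs from it no longer leaks into the target name.
    Any other host (the remote master during replica install) is kept
    exactly as the URI gives it.
    """
    parsed = urlparse(ldap_uri)
    if parsed.scheme == "ldapi":
        return api_env_host
    uri_host = (parsed.hostname or "").lower()
    if uri_host in LOOPBACK_NAMES or uri_host == api_env_host.lower():
        return api_env_host
    return uri_host


# Constructed scenarios: (name, ldap_uri, api.env.host, host carried by the
# server's ldap/ principal). A GSSAPI bind is modelled as succeeding only
# when the chosen target host equals the server's principal host.
SCENARIOS = [
    ("master, framework connects to itself",
     "ldap://ipa.idm.lab.bos.redhat.com",
     "ipa.idm.lab.bos.redhat.com",
     "ipa.idm.lab.bos.redhat.com"),
    ("master, via ldapi socket (constructed path)",
     "ldapi://%2fvar%2frun%2fslapd-example.socket",
     "ipa.idm.lab.bos.redhat.com",
     "ipa.idm.lab.bos.redhat.com"),
    ("replica install, connecting to remote master",
     "ldap://ipa.idm.lab.bos.redhat.com:389",
     "vm-027.idm.lab.bos.redhat.com",
     "ipa.idm.lab.bos.redhat.com"),
]


def run_scenarios(choose):
    """Return {scenario name: bind would succeed} for a host-choosing rule."""
    results = {}
    for name, uri, env_host, principal_host in SCENARIOS:
        target = choose(uri, env_host)
        results[name] = target.lower() == principal_host.lower()
    return results


if __name__ == "__main__":
    for label, rule in (("patched line", patched_choice),
                        ("uri-aware rule", uri_aware_choice)):
        print(label)
        for name, ok in run_scenarios(rule).items():
            state = "bind OK" if ok else "bind fails (target is the local host)"
            print("  %-48s %s" % (name, state))
```

Running it shows the two outcomes from the thread side by side: with the patched line both master scenarios bind but the replica-install connection targets vm-027 instead of the master it is actually talking to, which is the "Can't contact LDAP server" symptom; with the URI-aware rule all three bind. Whatever the final fix looks like, a replica-install run against a remote master is the check worth keeping in the test matrix, since a master-only test cannot catch this.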