freeipa team mailing list archive

Thread
Date
[Bug 1861755] Re: Freeipa functionality in wrong location on Ubuntu

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Timo Aaltonen <tjaalton@xxxxxxxxxx>
Date: Fri, 07 Feb 2020 07:04:35 -0000
Reply-to: Bug 1861755 <1861755@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
fixed in debian unstable and would be fixed in focal if it still had
freeipa

** Changed in: freeipa (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1861755

Title:
  Freeipa functionality in wrong location on Ubuntu

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Brand new fresh install of FreeIPA on Ubuntu 19.10

  This condition is not an issue when I build FreeIPA on RPM-based
  distros, so it's localized to Ubuntu builds.

  
  Install first server in IPA cluster.
  ==========
  # ipa --version
  VERSION: 4.8.1, API_VERSION: 2.233


  Attempt to Setup first replica server fails:
  =====
  Command Issued:
  ----------
  ipa-replica-install -v -d --setup-ca --force-join --skip-conncheck 

  (I have to supply '--skip-conncheck' because the ipa-replica-install
  command fails every single time when the conncheck is run, even if all
  firewall rules are completely disabled and the nodes are even located
  in the same subnet...but that's a separate issue to debug)

  
  Error on the node attempting to become replica:
  ==========
  The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not Found for url: https://ipa-1.ipa.XXX.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.WF6_JpSmLmD4hWxd0ZUneqFKH429f-oLZcolWrBQXXp-RvET-EcmSzoHmIEhB3Y1X8EH4ox0VEwePNFrUlikcyKnNpEaAQ9tGQBSqIJXxU5KACSB2JMmN60OYTRncV6_ImHrgeRpFuUcC_dweVnTtrvaaKUxpTcaJfBlPETqlJnbUuNJc5wS_1ig6OHhmuTANshTz4tsu8hYdRCCWccQVhvi9HbCvKBsY0KcCNMspZ9rAbeEGbuB9M9W5V-1D1e__r1ZUSOJfC_l75QTLL5hWMAgb-WYyDB9yXbClV_b5Fjc_WXPqqjCCZufHJkHZSAjvqLtacyhUJt0kf2XWUzJvA.JBLCYHxovRdYlL8Q5RuMWw.fiAXbi4f_YcsxAAAdygE5k_9cSdsBtW57tlUIumYQarVG2TV6Q7Bp5uhXq3Pyj7IfEXrhJm4OL0JMF85SZci73rOHKt-ksTH5ITBgXc4sNrtPTEMF01zxswsIys7rPTsmN9li0z3kerx4AjY9cvWRFmV9WR6wbhr7BA_qFdYCzYcsomXzcZxfVl20VIfwUXStrgZ-XiFq3v3cWNo_X_h9u2O2PgHsxFqo-K0fpmoYzuVDawNiTTI9K-oA3rXzvDRjvUDeYta625D7Zmqw2vHOgPNqeQqmBrIq024OV5oz0IWvvTPeMilUV_fy2eVHHNOrrBPZoL3NFilK-VGblx3ikFD_3wPTrxfc_1qdNF_m4U3X4c4RJ98V738bJzYPr35BKMUZ-L1GNafClQc7Gzhysrgnj6Z3JJ90T9ajXT2QYym0rHFKbaJFITLbkdkIerMtU38i8L19ZNQVFPrxxj9_9E3P-0PRL_0GxKjRSFFb5dM_5aXqw_J_06TbbQ7CKwtRO5Jmh-O4MpJfNDjdFtuqNRkyxmjiscRbvL0Nwb1rABfRUpuMNyzb3PXbLF0VY25vcnvOrp8fo3X81NZclQ-V1ZIoLhaPZ9Qqot4HDFjaDSnngkuCqABFv1JVvKKli-SLV1OIX8NvxN6MIT4fEuwQfvtSiQ4XQz_b0wYYN2OL8jgRjheCUUhuU52M5J4A8B3.2e1Ycq-0ebBSAUDSUXZHAoq7RzpDTcK5LAgmezM6Uio
  ==========

  
  After some slogging through logs, I found the following error on the brand new master explaining why a 404 was thrown when the replica was trying to pull keys:
  ==========
  Feb 03 17:53:23 ipa-1.ipa.XXX.com krb5kdc[15561]: closing down fd 12
  Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - SimpleCredsAuth-[auth:simple]    - PASS: '16490' authenticated as '33, 33'
  Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - SimpleHeaderAuth-[auth:header]   - PASS: '16490' authenticated as '(null)'
  Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - IPAKEMKeys-[authz:kemkeys]       - PASS: '16490' authorized for '/keys'
  Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: Error retrieving key "keys/ca/caSigningCert cert-pki-ca": [Errno 2] No such file or directory: '/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat': '/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat'
  Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - Secrets-[/keys]                  - DENIED: '(null)' requested key 'ca/caSigningCert cert-pki-ca'
  Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - server                           - code 404, message Not Found
  ==========

  
  I was able to rectify the broken functionality by simply symlinking to the expected directory.

  ==========
  ln -s /usr/lib/ipa /usr/libexec/ipa
  ========== 

  
  Upon symlinking all nodes to have the missing directory available, re-issuance of the ipa-replica-install succeeds.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1861755/+subscriptions
References

[Bug 1861755] [NEW] Freeipa functionality in wrong location on Ubuntu
From: Chris Moody, 2020-02-04