Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-06-23 Thread Martin Kosek
On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote:
 Rob Crittenden wrote:
  Martin Kosek wrote:
  On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
  The hostname is passed in during the server installation. We
  should use
  this hostname for the resulting server as well. It was being
  discarded
  and we always used the system hostname value.
 
  ticket 1052
 
  rob
 
  I have to NACK this again. I have a problem communicating with IPA
  on a
  master machine. I reproduced it on 2 different machines. Please,
  correct
  my steps if I am wrong, I do the following procedure
 
  1) I prepare a fresh minimal F-15
  2) Install freeipa-server (current master with your patches)
  3) Add custom hostname to /etc/hosts
  4) Install IPA server:
  ipa-server-install -p secret123 -a secret123 --hostname
  ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
  5) # kinit admin
  Password for ad...@idm.lab.bos.redhat.com:
  6) # ipa user-show admin
  ipa: ERROR: cannot connect to 'any of the configured servers':
  https://ipa.idm.lab.bos.redhat.com/ipa/xml,
  https://ipa.idm.lab.bos.redhat.com/ipa/xml
 
  # ping -c 1 ipa.idm.lab.bos.redhat.com
  PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
  64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
  ttl=64 time=0.049 ms
 
  Apache error_log shows relevant errors:
 
  [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start
  IPA: Unable to retrieve LDAP schema: Invalid credentials:
  SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
  Minor code may provide more information (Permission denied)
  [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start
  IPA: Unable to retrieve LDAP schema: Invalid credentials:
  SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
  Minor code may provide more information (Permission denied)
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError:
  KeyError(140250828974112,) inmodule 'threading' from
  '/usr/lib64/python2.7/threading.pyc' ignored
  [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
  [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd
  running as context system_u:system_r:kernel_t:s0
  [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for
  digest authentication ...
  [Wed May 25 06:43:57 2011] [notice] Digest: done
  [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2
  mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2
  Python/2.7.1 configured -- resuming normal operations
  [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
  [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi
  (pid=5192): Exception occurred processing WSGI script
  '/usr/share/ipa/wsgi.py'.
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback
  (most recent call last):
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
  /usr/share/ipa/wsgi.py, line 48, in application
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return
  api.Backend.session(environ, start_response)
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File
  /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line
  141, in __call__
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]
  

Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-06-23 Thread Rob Crittenden

Martin Kosek wrote:

On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote:

Rob Crittenden wrote:


Haven't had a chance to explore this one yet. It sure would be nice if
dogtag would tell us what the two differing base DNs are though...


This patch should resolve the remaining issues. It requires a patch to
bind-dyndb-ldap, I have a candidate patch in
https://bugzilla.redhat.com/show_bug.cgi?id=710261

rob


Hmm, good work there. Bind, SSSD on custom-hostname IPA master is
working now. IPA client and CA-powered replica too.

I found only one issue - ipactl is not working because it uses
socket.gethostname() instead of api.env.host. So if you fix this
one-liner it's ACK from me.

Martin



Fixed

rob
From 54155dc5862c13155722aa2ec791fd07f0459131 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 22 Jun 2011 08:46:25 -0400
Subject: [PATCH] Let the framework be able to override the hostname.

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052
---
 install/tools/ipa-replica-install |1 +
 install/tools/ipa-server-install  |3 ++-
 install/tools/ipactl  |2 +-
 ipalib/config.py  |4 
 ipalib/constants.py   |   12 ++--
 ipaserver/install/cainstance.py   |   29 ++---
 ipaserver/plugins/ldap2.py|4 
 tests/test_ipalib/test_config.py  |1 -
 8 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a0bb9d9..b70f36f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -429,6 +429,7 @@ def main():
 # Note: We must do this before bootstraping and finalizing ipalib.api
 fd = open(/etc/ipa/default.conf, w)
 fd.write([global]\n)
+fd.write(host= + config.host_name + \n)
 fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n)
 fd.write(realm= + config.realm_name + \n)
 fd.write(domain= + config.domain_name + \n)
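Review bot: config.host_name is written into default.conf verbatim on the added host= line, and nothing in this hunk shows it being normalized first (lowercase, fully qualified, no trailing dot or embedded newline). The ipactl hunk later in this patch builds the cn=masters DN from api.env.host, so a value that differs in form from the entry stored in the directory would make that lookup miss. Suggest validating or normalizing the name once, before it is written here.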
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7c81dbe..9487387 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -678,6 +678,7 @@ def main():
 # Create the management framework config file and finalize api
 fd = open(/etc/ipa/default.conf, w)
 fd.write([global]\n)
+fd.write(host= + host_name + \n)
 fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
 fd.write(realm= + realm_name + \n)
 fd.write(domain= + domain_name + \n)
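Review bot: the added host= write in this default.conf block repeats the one added to ipa-replica-install, and the surrounding [global], basedn, realm and domain writes are duplicated there as well. A shared helper that takes host, basedn, realm and domain and writes the file would keep the two installers from drifting the next time a key is added.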
@@ -916,7 +917,7 @@ def main():
 
 # Call client install script
 try:
-run([/usr/sbin/ipa-client-install, --on-master, --unattended, --domain, domain_name, --server, host_name, --realm, realm_name])
+run([/usr/sbin/ipa-client-install, --on-master, --unattended, --domain, domain_name, --server, host_name, --realm, realm_name, --hostname, host_name])
 except Exception, e:
 sys.exit(Configuration of client side components failed!\nipa-client-install returned:  + str(e))
 
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 4ce2606..01b88a5 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -71,7 +71,7 @@ def emit_err(err):
 sys.stderr.write(err + '\n')
 
 def get_config():
-base = cn=%s,cn=masters,cn=ipa,cn=etc,%s % (socket.gethostname(),
+base = cn=%s,cn=masters,cn=ipa,cn=etc,%s % (api.env.host,
   api.env.basedn)
 srcfilter = '(ipaConfigString=enabledService)'
 attrs = ['cn', 'ipaConfigString']
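Review bot: api.env.host is substituted into the search base in get_config() with a plain %s, and after this patch that value comes from configuration rather than from the system. A host value containing a DN special character such as a comma would change the structure of the base DN, so it would be safer to escape the RDN value or build the DN with a DN helper. Also worth checking whether ipactl still needs its socket import once socket.gethostname() is gone from this function.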
diff --git a/ipalib/config.py b/ipalib/config.py
index 888785a..410e5f0 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -447,7 +447,6 @@ class Env(object):
 self.__doing('_bootstrap')
 
 # Set run-time variables (cannot be overridden):
-self.host = getfqdn()
 self.ipalib = path.dirname(path.abspath(__file__))
 self.site_packages = path.dirname(self.ipalib)
 self.script = path.abspath(sys.argv[0])
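Review bot: removing self.host = getfqdn() from the block commented "Set run-time variables (cannot be overridden)" in _bootstrap turns host into an overridable value, but the replacement default is not visible in this part of the patch (the constants.py diff is cut off). Please confirm that an Env bootstrapped with no host= in any config file, for example an existing install upgraded without its default.conf being rewritten, still ends up with a usable host, and document host as overridable where the Env variables are described. If getfqdn is no longer used elsewhere in config.py, its import can go too.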
@@ -550,9 +549,6 @@ class Env(object):
 if 'log' not in self:
 self.log = self._join('logdir', '%s.log' % self.context)
 
-# FIXME: move into ca plugin
-if 'ca_host' not in self:
-self.ca_host = self.host
 self._merge(**defaults)
 
 def _finalize(self, **lastchance):
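Review bot: the ca_host fallback removed before self._merge(**defaults) was the only place visible here that tied ca_host to host, and the commit message does not mention it. Please note the ca_host change in the commit message and confirm that its new default follows an overridden host, since a CA on a custom-hostname master is one of the cases this patch is meant to fix.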
diff --git a/ipalib/constants.py 

Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-06-23 Thread Martin Kosek
On Thu, 2011-06-23 at 09:26 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote:
  Rob Crittenden wrote:
 
  Haven't had a chance to explore this one yet. It sure would be nice if
  dogtag would tell us what the two differing base DNs are though...
 
  This patch should resolve the remaining issues. It requires a patch to
  bind-dyndb-ldap, I have a candidate patch in
  https://bugzilla.redhat.com/show_bug.cgi?id=710261
 
  rob
 
  Hmm, good work there. Bind, SSSD on custom-hostname IPA master is
  working now. IPA client and CA-powered replica too.
 
  I found only one issue - ipactl is not working because it uses
  socket.gethostname() instead of api.env.host. So if you fix this
  one-liner it's ACK from me.
 
  Martin
 
 
 Fixed
 
 rob

Great, ACK from me.

I think we can push it to our tree and do some small bugfixes if we find
some more custom hostname related issues. However, the nameserver
portion won't work until a new version of bind-dyndb-ldap with your
patch included is released. We may want to bump up bind-dyndb-ldap
version in our spec then.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
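
The ipactl problem raised in this thread (the cn=masters DN built from socket.gethostname() instead of the configured host), as an added Python 3 example that is not part of the original messages or of the FreeIPA code base. The sample default.conf contents, the system hostname "f15-minimal" and all function names are assumptions made for illustration.

```python
import configparser
import socket

# Constructed sample of the [global] section the installers in the patch write
# to /etc/ipa/default.conf; the basedn and realm values are assumptions.
SAMPLE_DEFAULT_CONF = """\
[global]
host=ipa.idm.lab.bos.redhat.com
basedn=dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
realm=IDM.LAB.BOS.REDHAT.COM
domain=idm.lab.bos.redhat.com
"""


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN string (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def masters_dn(host, basedn):
    """DN of a server entry under cn=masters, the base used in the ipactl hunk."""
    return "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (escape_rdn_value(host), basedn)


def load_global(conf_text):
    """Parse the [global] section of default.conf text into a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser["global"]) if parser.has_section("global") else {}


def check_host_consistency(conf_text, system_host=None):
    """Compare the DN built from host= with the DN built from the system name.

    Returns a dict with both DNs and a list of human-readable problems.
    """
    env = load_global(conf_text)
    if system_host is None:
        system_host = socket.gethostname()
    report = {"configured_dn": None, "system_dn": None, "problems": []}

    basedn = env.get("basedn")
    if not basedn:
        report["problems"].append("no basedn= in [global]")
        return report
    report["system_dn"] = masters_dn(system_host, basedn)

    host = env.get("host")
    if not host:
        report["problems"].append("no host= in [global]")
        return report
    report["configured_dn"] = masters_dn(host, basedn)

    if "." not in host:
        report["problems"].append("host=%s is not fully qualified" % host)
    # Hostnames compare case-insensitively; anything else is a real mismatch.
    if host.lower() != system_host.lower():
        report["problems"].append(
            "system hostname %r differs from host=%r: code that calls "
            "socket.gethostname() searches under %s"
            % (system_host, host, report["system_dn"])
        )
    return report


if __name__ == "__main__":
    # "f15-minimal" is a hypothetical system hostname on a custom-hostname master.
    result = check_host_consistency(SAMPLE_DEFAULT_CONF, system_host="f15-minimal")
    print("configured:", result["configured_dn"])
    print("system:    ", result["system_dn"])
    for problem in result["problems"]:
        print("problem:", problem)
```
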


Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-06-23 Thread Rob Crittenden

Martin Kosek wrote:

On Thu, 2011-06-23 at 09:26 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote:

Rob Crittenden wrote:


Haven't had a chance to explore this one yet. It sure would be nice if
dogtag would tell us what the two differing base DNs are though...


This patch should resolve the remaining issues. It requires a patch to
bind-dyndb-ldap, I have a candidate patch in
https://bugzilla.redhat.com/show_bug.cgi?id=710261

rob


Hmm, good work there. Bind, SSSD on custom-hostname IPA master is
working now. IPA client and CA-powered replica too.

I found only one issue - ipactl is not working because it uses
socket.gethostname() instead of api.env.host. So if you fix this
one-liner it's ACK from me.

Martin



Fixed

rob


Great, ACK from me.

I think we can push it to our tree and do some small bugfixes if we find
some more custom hostname related issues. However, the nameserver
portion won't work until a new version of bind-dyndb-ldap with your
patch included is released. We may want to bump up bind-dyndb-ldap
version in our spec then.

Martin



pushed to master and ipa-2-0



Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-30 Thread Martin Kosek
On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
  Martin Kosek wrote:
  On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
  The hostname is passed in during the server installation. We should use
  this hostname for the resulting server as well. It was being discarded
  and we always used the system hostname value.
 
  ticket 1052
 
  rob
 
  I have to NACK this again. I have a problem communicating with IPA on a
  master machine. I reproduced it on 2 different machines. Please, correct
  my steps if I am wrong, I do the following procedure
 
  1) I prepare a fresh minimal F-15
  2) Install freeipa-server (current master with your patches)
  3) Add custom hostname to /etc/hosts
  4) Install IPA server:
  ipa-server-install -p secret123 -a secret123 --hostname 
  ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
  5) # kinit admin
  Password for ad...@idm.lab.bos.redhat.com:
  6) # ipa user-show admin
  ipa: ERROR: cannot connect to 'any of the configured servers':
  https://ipa.idm.lab.bos.redhat.com/ipa/xml,
  https://ipa.idm.lab.bos.redhat.com/ipa/xml
 
  # ping -c 1 ipa.idm.lab.bos.redhat.com
  PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
  64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
  ttl=64 time=0.049 ms
 
  Apache error_log shows relevant errors:
 
  [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: 
  Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic 
  failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
  more information (Permission denied)
  [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: 
  Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic 
  failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
  more information (Permission denied)
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'   ignored
  [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
  [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running 
  as context system_u:system_r:kernel_t:s0
  [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest 
  authentication ...
  [Wed May 25 06:43:57 2011] [notice] Digest: done
  [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 
  mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 
  configured -- resuming normal operations
  [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
  [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi 
  (pid=5192): Exception occurred processing WSGI script 
  '/usr/share/ipa/wsgi.py'.
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most 
  recent call last):
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
  /usr/share/ipa/wsgi.py, line 48, in application
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return 
  api.Backend.session(environ, start_response)
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
  /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 141, in 
  __call__
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
  self.create_context(ccache=environ.get('KRB5CCNAME'))
  

Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-27 Thread Rob Crittenden

Martin Kosek wrote:

On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob


I have to NACK this again. I have a problem communicating with IPA on a
master machine. I reproduced it on 2 different machines. Please, correct
my steps if I am wrong, I do the following procedure

1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname 
ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for ad...@idm.lab.bos.redhat.com:
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers':
https://ipa.idm.lab.bos.redhat.com/ipa/xml,
https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
ttl=64 time=0.049 ms

Apache error_log shows relevant errors:

[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
inmodule 'threading' from '/usr/lib64/python2.7/threading.pyc'   ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as 
context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest 
authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 
configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): 
Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent 
call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/share/ipa/wsgi.py, line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return 
api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
self.create_context(ccache=environ.get('KRB5CCNAME'))
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/lib/python2.7/site-packages/ipalib/backend.py, line 110, in 
create_context
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
self.Backend.ldap2.connect(ccache=ccache)
[Wed 

Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-26 Thread Martin Kosek
On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
  The hostname is passed in during the server installation. We should use
  this hostname for the resulting server as well. It was being discarded
  and we always used the system hostname value.
 
  ticket 1052
 
  rob
 
  I have to NACK this again. I have a problem communicating with IPA on a
  master machine. I reproduced it on 2 different machines. Please, correct
  my steps if I am wrong, I do the following procedure
 
  1) I prepare a fresh minimal F-15
  2) Install freeipa-server (current master with your patches)
  3) Add custom hostname to /etc/hosts
  4) Install IPA server:
  ipa-server-install -p secret123 -a secret123 --hostname 
  ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
  5) # kinit admin
  Password for ad...@idm.lab.bos.redhat.com:
  6) # ipa user-show admin
  ipa: ERROR: cannot connect to 'any of the configured servers':
  https://ipa.idm.lab.bos.redhat.com/ipa/xml,
  https://ipa.idm.lab.bos.redhat.com/ipa/xml
 
  # ping -c 1 ipa.idm.lab.bos.redhat.com
  PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
  64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
  ttl=64 time=0.049 ms
 
  Apache error_log shows relevant errors:
 
  [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable 
  to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: 
  GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
  information (Permission denied)
  [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable 
  to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: 
  GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
  information (Permission denied)
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:55 2011] [error] Exception KeyError: 
  KeyError(140250828974112,) inmodule 'threading' from 
  '/usr/lib64/python2.7/threading.pyc'  ignored
  [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
  [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running 
  as context system_u:system_r:kernel_t:s0
  [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest 
  authentication ...
  [Wed May 25 06:43:57 2011] [notice] Digest: done
  [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 
  mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 
  configured -- resuming normal operations
  [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
  [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi 
  (pid=5192): Exception occurred processing WSGI script 
  '/usr/share/ipa/wsgi.py'.
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most 
  recent call last):
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
  /usr/share/ipa/wsgi.py, line 48, in application
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return 
  api.Backend.session(environ, start_response)
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
  /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 141, in 
  __call__
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
  self.create_context(ccache=environ.get('KRB5CCNAME'))
  [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
  

Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-25 Thread Martin Kosek
On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
 The hostname is passed in during the server installation. We should use 
 this hostname for the resulting server as well. It was being discarded 
 and we always used the system hostname value.
 
 ticket 1052
 
 rob

I have to NACK this again. I have a problem communicating with IPA on a
master machine. I reproduced it on 2 different machines. Please, correct
my steps if I am wrong, I do the following procedure

1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname 
ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for ad...@idm.lab.bos.redhat.com: 
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers':
https://ipa.idm.lab.bos.redhat.com/ipa/xml,
https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
ttl=64 time=0.049 ms

Apache error_log shows relevant errors:

[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: 
KeyError(140250828974112,) in module 'threading' from 
'/usr/lib64/python2.7/threading.pyc' ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as 
context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest 
authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 
configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): 
Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent 
call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/share/ipa/wsgi.py, line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return 
api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
self.create_context(ccache=environ.get('KRB5CCNAME'))
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/lib/python2.7/site-packages/ipalib/backend.py, line 110, in 
create_context
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
self.Backend.ldap2.connect(ccache=ccache)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 

Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-25 Thread Rob Crittenden

Martin Kosek wrote:

On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob


I have to NACK this again. I have a problem communicating with IPA on a
master machine. I reproduced it on 2 different machines. Please, correct
my steps if I am wrong, I do the following procedure

1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname 
ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for ad...@idm.lab.bos.redhat.com:
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers':
https://ipa.idm.lab.bos.redhat.com/ipa/xml,
https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1
ttl=64 time=0.049 ms

Apache error_log shows relevant errors:

[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to 
retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) 
in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as 
context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest 
authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 
configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): 
Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent 
call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/share/ipa/wsgi.py, line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return 
api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
self.create_context(ccache=environ.get('KRB5CCNAME'))
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 
/usr/lib/python2.7/site-packages/ipalib/backend.py, line 110, in 
create_context
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] 
self.Backend.ldap2.connect(ccache=ccache)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File 

Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-12 Thread Jan Cholasta

On 11.5.2011 22:58, Rob Crittenden wrote:

Jan Cholasta wrote:

On 10.5.2011 15:51, Rob Crittenden wrote:

Jan Cholasta wrote:

On 1.4.2011 17:47, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should
use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob



It would be nice to use the saved hostname everywhere, instead of
socket.gethostname and similar. That would fix ticket 1035 too.



If you know of places this doesn't cover please let me know. 1035 is a
bit of a different case in that it doesn't validate that the hostname is
a FQDN.

rob


Never mind, I thought for a moment that api.env.host is set to the value
from /etc/ipa/default.conf.



In fact that is what this patch allows.

rob


Strange, it didn't work for me yesterday but it does now. I must have 
missed something.


Anyway, when you s/socket.gethostname()/api.env.host/ in ipactl after 
applying your patch, IPA starts fine even when the hostname is changed 
to non-FQDN after the install, which I believe fixes the aforementioned 
ticket 1035.


Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
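
The substitution discussed in the message above (prefer the saved hostname over socket.gethostname(), and notice a non-FQDN name), sketched as an added example that is not FreeIPA code and not from any poster in this thread. The function names are hypothetical, the [global]/host layout of the configuration text is an assumption, and SAMPLE_CONF is constructed from hostnames quoted in the thread.

```python
import configparser
import re
import socket

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen; <= 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample, standing in for the saved configuration (layout assumed).
SAMPLE_CONF = """\
[global]
host = ipa.idm.lab.bos.redhat.com
realm = IDM.LAB.BOS.REDHAT.COM
"""


def is_fqdn(name):
    """True if name has at least two valid DNS labels and at most 253 characters."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def configured_host(conf_text):
    """Return the host value from the [global] section, or None if it is absent."""
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    if parser.has_option("global", "host"):
        return parser.get("global", "host").strip() or None
    return None


def effective_host(conf_text, system_hostname=None):
    """Choose the hostname to use: saved value first, system hostname as fallback.

    Returns (hostname, source, warnings); source is "config" or "system".
    """
    if system_hostname is None:
        system_hostname = socket.gethostname()
    warnings = []
    saved = configured_host(conf_text)
    if saved is not None:
        host, source = saved, "config"
        # A mismatch is the situation the thread describes: the machine's own
        # name no longer matches the name the server was installed under.
        if saved.lower() != system_hostname.lower():
            warnings.append("system hostname %r differs from saved host %r"
                            % (system_hostname, saved))
    else:
        host, source = system_hostname, "system"
    if not is_fqdn(host):
        warnings.append("%r is not a fully qualified domain name" % host)
    return host.lower(), source, warnings


if __name__ == "__main__":
    # System hostname changed to a short name after install; saved value still wins.
    print(effective_host(SAMPLE_CONF, "vm-102"))
    # No saved value: fall back to the system name and flag that it is not an FQDN.
    print(effective_host("", "vm-102"))
```
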


Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-12 Thread Martin Kosek
On Tue, 2011-05-10 at 09:48 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
  The hostname is passed in during the server installation. We should use
  this hostname for the resulting server as well. It was being discarded
  and we always used the system hostname value.
 
  ticket 1052
 
  rob
 
  Looks good for both server and a client install with a custom hostname.
  However, I was unable to install a CA-powered replica, when a master was
  configured with custom hostname:
 
  ipareplica-install.log:
  ...
  #
  Attempting to connect to: vm-102.idm.lab.bos.redhat.com:9445
  Connected.
  Posting Query = 
  https://vm-102.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=6792677911037453899&xml=true
  RESPONSE STATUS:  HTTP/1.1 200 OK
  RESPONSE HEADER:  Server: Apache-Coyote/1.1
  RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
  RESPONSE HEADER:  Date: Mon, 09 May 2011 14:17:46 GMT
  RESPONSE HEADER:  Connection: close
  Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid 
  clone_uri
  ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
  ERROR: unable to create CA
 
  ###
 
  2011-05-09 10:17:47,039 DEBUG stderr=java.lang.Exception: Invalid clone_uri
   at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:384)
   at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
   at ConfigureCA.main(ConfigureCA.java:1761)
 
  2011-05-09 10:17:47,040 CRITICAL failed to configure ca instance Command 
  '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
  vm-102.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir 
  /tmp/tmp-Ou9Wd4 -client_certdb_pwd '' -preop_pin 
  qTFTDIjO9j9LdtvjLCz1 -domain_name IPA -admin_user admin -admin_email 
  root@localhost -admin_password '' -agent_name ipa-ca-agent 
  -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
  CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM -ldap_host 
  vm-102.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn cn=Directory 
  Manager -bind_password '' -base_dn o=ipaca -db_name ipaca 
  -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true 
  -backup_pwd '' -subsystem_name pki-cad -token_name internal 
  -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM 
  -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM 
  -ca_server_cert_subject_name CN=vm-102.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM
 -ca_audit_signing_cert_subject_name CN=CA 
 Audit,O=IDM.LAB.BOS.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate 
 Authority,O=IDM.LAB.BOS.REDHAT.COM -external false -clone true 
 -clone_p12_file ca.p12 -clone_p12_password '' -sd_hostname 
 ipa.idm.lab.bos.redhat.com -sd_admin_port 9445 -sd_admin_name admin 
 -sd_admin_password '' -clone_start_tls true -clone_uri 
 https://ipa.idm.lab.bos.redhat.com:9444' returned non-zero exit status 255
  2011-05-09 10:17:47,070 DEBUG Configuration of CA failed
 File /usr/sbin/ipa-replica-install, line 543, in <module>
   main()
 
 File /usr/sbin/ipa-replica-install, line 486, in main
   (CA, cs) = install_ca(config)
 
 File /usr/sbin/ipa-replica-install, line 186, in install_ca
   subject_base=config.subject_base)
 
 File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
  line 539, in configure_instance
   self.start_creation(Configuring certificate server, 360)
 
 File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, 
  line 289, in start_creation
   method()
  ...
 
  Did that work for you?
 
 It worked for me, I remember testing both. Ade, do you know what would 
 cause dogtag to throw Invalid clone_uri?
 
 rob

I can provide a VM with reproduced problem if that would help. However,
the reproduction scenario is simple (I tried that again just right now):

1) Install IPA server with CA,DNS support with custom --hostname
2) Try to install replica on another F-15 - installation fails

My dogtag version: pki-ca-9.0.7-1.fc15.noarch

Martin



Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-11 Thread Jan Cholasta

On 10.5.2011 15:51, Rob Crittenden wrote:

Jan Cholasta wrote:

On 1.4.2011 17:47, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob



It would be nice to use the saved hostname everywhere, instead of
socket.gethostname and similar. That would fix ticket 1035 too.



If you know of places this doesn't cover please let me know. 1035 is a
bit of a different case in that it doesn't validate that the hostname is
a FQDN.

rob


Never mind, I thought for a moment that api.env.host is set to the value 
from /etc/ipa/default.conf.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-11 Thread Rob Crittenden

Jan Cholasta wrote:

On 10.5.2011 15:51, Rob Crittenden wrote:

Jan Cholasta wrote:

On 1.4.2011 17:47, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob



It would be nice to use the saved hostname everywhere, instead of
socket.gethostname and similar. That would fix ticket 1035 too.



If you know of places this doesn't cover please let me know. 1035 is a
bit of a different case in that it doesn't validate that the hostname is
a FQDN.

rob


Never mind, I thought for a moment that api.env.host is set to the value
from /etc/ipa/default.conf.



In fact that is what this patch allows.

rob



Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-10 Thread Jan Cholasta

On 1.4.2011 17:47, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob



It would be nice to use the saved hostname everywhere, instead of 
socket.gethostname and similar. That would fix ticket 1035 too.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-10 Thread Rob Crittenden

Jan Cholasta wrote:

On 1.4.2011 17:47, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob



It would be nice to use the saved hostname everywhere, instead of
socket.gethostname and similar. That would fix ticket 1035 too.



If you know of places this doesn't cover please let me know. 1035 is a 
bit of a different case in that it doesn't validate that the hostname is 
a FQDN.


rob



Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-05-10 Thread Rob Crittenden

Martin Kosek wrote:

On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

ticket 1052

rob


Looks good for both server and a client install with a custom hostname.
However, I was unable to install a CA-powered replica, when a master was
configured with custom hostname:

ipareplica-install.log:
...
#
Attempting to connect to: vm-102.idm.lab.bos.redhat.com:9445
Connected.
Posting Query = 
https://vm-102.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=5&subsystem=CA&session_id=6792677911037453899&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
RESPONSE HEADER:  Date: Mon, 09 May 2011 14:17:46 GMT
RESPONSE HEADER:  Connection: close
Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA

###

2011-05-09 10:17:47,039 DEBUG stderr=java.lang.Exception: Invalid clone_uri
 at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:384)
 at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
 at ConfigureCA.main(ConfigureCA.java:1761)

2011-05-09 10:17:47,040 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA 
-cs_hostname vm-102.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Ou9Wd4 -client_certdb_pwd '' 
-preop_pin qTFTDIjO9j9LdtvjLCz1 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM -ldap_host vm-102.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn 
cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa 
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_ocsp_cert_subject_name 
CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM -ca_server_cert_subject_name 
CN=vm-102.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM -ca_audit_signing_cert_subject_name CN=CA 
Audit,O=IDM.LAB.BOS.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate 
Authority,O=IDM.LAB.BOS.REDHAT.COM -external false -clone true -clone_p12_file ca.p12 
-clone_p12_password '' -sd_hostname ipa.idm.lab.bos.redhat.com -sd_admin_port 9445 
-sd_admin_name admin -sd_admin_password '' -clone_start_tls true -clone_uri 
https://ipa.idm.lab.bos.redhat.com:9444' returned non-zero exit status 255

2011-05-09 10:17:47,070 DEBUG Configuration of CA failed
   File /usr/sbin/ipa-replica-install, line 543, in <module>
 main()

   File /usr/sbin/ipa-replica-install, line 486, in main
 (CA, cs) = install_ca(config)

   File /usr/sbin/ipa-replica-install, line 186, in install_ca
 subject_base=config.subject_base)

   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
line 539, in configure_instance
 self.start_creation(Configuring certificate server, 360)

   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 
289, in start_creation
 method()
...

Did that work for you?


It worked for me, I remember testing both. Ade, do you know what would 
cause dogtag to throw Invalid clone_uri?


rob



[Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname

2011-04-01 Thread Rob Crittenden
The hostname is passed in during the server installation. We should use 
this hostname for the resulting server as well. It was being discarded 
and we always used the system hostname value.


ticket 1052

rob


freeipa-rcrit-762-host.patch
Description: application/mbox