
Bug 1732620

Summary: FreeIPA enrolment via kickstart fails since Fedora-Rawhide-20190722.n.1 (anaconda-31.20-1.fc31), 'realm join' step not run at all
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: anaconda
Assignee: Vendula Poncova <vponcova>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: anaconda-maint-list, jonathan, kellin, robatino, vanmeeuwen+fedora, vponcova, wwoods
Hardware: All
OS: Linux
Whiteboard: openqa
Fixed In Version: anaconda-31.21-1
Last Closed: 2019-07-26 21:02:34 UTC
Type: Bug
Bug Blocks: 1644937

Description Adam Williamson 2019-07-23 22:04:47 UTC
Since anaconda-31.20 appeared in Fedora-Rawhide-20190722.n.1, the openQA test for enrolling to a FreeIPA domain via kickstart has been failing. The install completes successfully, but the system is not actually enrolled to the FreeIPA domain at all.

From program.log, it looks like anaconda just never actually attempts to run 'realm join'. Here's an extract from program.log from when this test passed, in the previous compose:

===

21:30:45,876 INF program: Running... realm discover --verbose ipa001.domain.local
21:30:46,063 INF program: domain.local
21:30:46,064 INF program: type: kerberos
21:30:46,064 INF program: realm-name: DOMAIN.LOCAL
21:30:46,064 INF program: domain-name: domain.local
21:30:46,064 INF program: configured: no
21:30:46,064 INF program: server-software: ipa
21:30:46,064 INF program: client-software: sssd
21:30:46,064 INF program: required-package: freeipa-client
21:30:46,064 INF program: required-package: oddjob
21:30:46,064 INF program: required-package: oddjob-mkhomedir
21:30:46,065 INF program: required-package: sssd
21:30:46,065 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
21:30:46,065 INF program: * Resolving: ipa001.domain.local
21:30:46,065 INF program: * Performing LDAP DSE lookup on: 10.0.2.100
21:30:46,065 INF program: * Successfully discovered: domain.local
21:30:46,066 DBG program: Return code: 0
...[later]...
21:36:17,009 INF program: Running... realm join --install /mnt/sysroot --verbose --one-time-password=monkeys ipa001.domain.local
21:36:36,373 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
21:36:36,374 INF program: * Resolving: ipa001.domain.local
21:36:36,374 INF program: * Performing LDAP DSE lookup on: 10.0.2.100
21:36:36,374 INF program: * Successfully discovered: domain.local
21:36:36,374 INF program: * Assuming packages are installed
21:36:36,374 INF program: * LANG=C /usr/sbin/ipa-client-install --domain domain.local --realm DOMAIN.LOCAL --mkhomedir --enable-dns-updates --unattended --force-join --server ipa001.domain.local --fixed-primary --password monkeys --force-ntpd
21:36:36,375 INF program: Option --force-ntpd has been deprecated and will be removed in a future release.
21:36:36,375 INF program: Client hostname: client001.domain.local
21:36:36,375 INF program: Realm: DOMAIN.LOCAL
21:36:36,375 INF program: DNS Domain: domain.local
21:36:36,375 INF program: IPA Server: ipa001.domain.local
21:36:36,375 INF program: BaseDN: dc=domain,dc=local
21:36:36,375 INF program: Synchronizing time
21:36:36,375 INF program: No SRV records of NTP servers found and no NTP server or pool address was provided.
21:36:36,375 INF program: Attempting to sync time with chronyc.
21:36:36,375 INF program: Time synchronization was successful.
21:36:36,375 INF program: Downloading the CA certificate via HTTP, this is INSECURE
21:36:36,376 INF program: Successfully retrieved CA cert
21:36:36,376 INF program: Subject:     CN=Certificate Authority,O=DOMAIN.LOCAL
21:36:36,376 INF program: Issuer:      CN=Certificate Authority,O=DOMAIN.LOCAL
21:36:36,376 INF program: Valid From:  2019-07-23 01:24:55
21:36:36,376 INF program: Valid Until: 2039-07-23 01:24:55
21:36:36,376 INF program: 
21:36:36,376 INF program: Enrolled in IPA realm DOMAIN.LOCAL
...

===

From the failed 20190722.n.1 test, this part of the log looks the same:

===

17:27:18,605 INF program: Running... realm discover --verbose ipa001.domain.local
17:27:18,692 INF program: domain.local
17:27:18,693 INF program: type: kerberos
17:27:18,693 INF program: realm-name: DOMAIN.LOCAL
17:27:18,693 INF program: domain-name: domain.local
17:27:18,693 INF program: configured: no
17:27:18,693 INF program: server-software: ipa
17:27:18,694 INF program: client-software: sssd
17:27:18,694 INF program: required-package: freeipa-client
17:27:18,694 INF program: required-package: oddjob
17:27:18,695 INF program: required-package: oddjob-mkhomedir
17:27:18,695 INF program: required-package: sssd
17:27:18,695 INF program: * Resolving: _ldap._tcp.ipa001.domain.local
17:27:18,695 INF program: * Resolving: ipa001.domain.local
17:27:18,695 INF program: * Performing LDAP DSE lookup on: 10.0.2.100
17:27:18,697 INF program: * Successfully discovered: domain.local
17:27:18,697 DBG program: Return code: 0

===

i.e. the 'realm discover' step is run...but the later 'realm join' step simply does not appear in the log at all, it doesn't seem to be tried at all.

Proposing as a Beta blocker as a violation of Basic criterion "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install..." - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication
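
An added example, not part of the original report or of anaconda or openQA: a check over program.log that flags the regression described above, where 'realm discover' runs but 'realm join' never appears. The function name, result keys and sample lines (abbreviated from the extracts quoted in the report) are assumptions; the one-time password is redacted before commands are kept for reporting.

```python
import re

# Constructed samples, abbreviated from the program.log extracts in the report.
PASSING_LOG = """\
21:30:45,876 INF program: Running... realm discover --verbose ipa001.domain.local
21:30:46,066 DBG program: Return code: 0
21:36:17,009 INF program: Running... realm join --install /mnt/sysroot --verbose --one-time-password=monkeys ipa001.domain.local
21:36:36,376 INF program: Enrolled in IPA realm DOMAIN.LOCAL
"""
FAILING_LOG = """\
17:27:18,605 INF program: Running... realm discover --verbose ipa001.domain.local
17:27:18,697 DBG program: Return code: 0
"""

# "<time> <level> program: <message>" as seen in the quoted log lines.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d,\d{3}) (\w+) program: (.*)$")
# Matches the password options visible in the quoted 'realm join' output.
SECRET_RE = re.compile(r"(--(?:one-time-)?password[= ])\S+")
RUN_PREFIX = "Running... "


def check_enrolment(log_text):
    """Report which realm steps appear in program.log (hypothetical helper)."""
    result = {"discover": False, "join": False, "enrolled": False, "commands": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped or foreign lines
        msg = m.group(3)
        if msg.startswith(RUN_PREFIX):
            argv = msg[len(RUN_PREFIX):].split()
            if argv[:2] == ["realm", "discover"]:
                result["discover"] = True
            elif argv[:2] == ["realm", "join"]:
                result["join"] = True
            # Redact the enrolment secret before the command is stored.
            result["commands"].append(SECRET_RE.sub(r"\1[REDACTED]", msg))
        elif msg.startswith("Enrolled in IPA realm "):
            result["enrolled"] = True
    # Regression signature: discovery ran, but the join was never started.
    result["join_skipped"] = result["discover"] and not result["join"]
    return result


if __name__ == "__main__":
    for name, log in (("passing", PASSING_LOG), ("failing", FAILING_LOG)):
        print(name, check_enrolment(log))
```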

Comment 1 Vendula Poncova 2019-07-24 10:21:30 UTC
Fixed in a pull request: https://github.com/rhinstaller/anaconda/pull/2052

Comment 2 Adam Williamson 2019-07-26 21:02:34 UTC
The test passed in most recent compose, so this does indeed seem fixed. Thanks!