
Bug 1859177

Summary: Running ipa-server-install fails on machine where libsss_sudo is not installed
Product: [Fedora] Fedora
Component: freeipa
Version: rawhide
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Keywords: Regression
Reporter: Jan Pazdziora <jpazdziora>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, fdc, ipa-maint, jcholast, jhrozek, jpazdziora, mhjacks, pvoborni, rcritten, ssorce, twoerner
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 1859185
Last Closed: 2020-07-21 12:07:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jan Pazdziora 2020-07-21 11:52:09 UTC
Description of problem:

In an environment where libsss_sudo is not installed, such as in a container but on a host alike, ipa-server-install now fails to finish properly.

Version-Release number of selected component (if applicable):

pki-server-10.9.0-0.2.fc33.noarch
freeipa-server-4.8.7-1.fc33.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf remove -y /usr/lib64/libsss_sudo.so
2. dnf install -y --setopt=install_weak_deps=False freeipa-server
3. ipa-server-install -U -r EXAMPLE.TEST -p Secret123 -a Secret123

Actual results:

  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpag8a3qe6'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 886, in spawn\n    deployer.instance.wait_for_startup(\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/pkihelper.py", line 891, in wait_for_startup\n    raise Exception(\'%s subsystem did not start after %ds\' %\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
  [2/30]: Add ipa-pki-wait-running
  [3/30]: secure AJP connector
  [4/30]: reindex attributes
  [5/30]: exporting Dogtag certificate store pin
  [6/30]: stopping certificate server instance to update CS.cfg
[...]
The ipa-server-install command was successful

Additional info:

Either whichever component requires / configures libsss_sudo to be present should hard-require it, or ideally sudo shouldn't be used by the installer.

This is a regression against Fedora 32.

Comment 1 Jan Pazdziora 2020-07-21 12:07:49 UTC
I put in the wrong traceback (the one from bug 1857043), so I've now filed a better one, bug 1859185.

*** This bug has been marked as a duplicate of bug 1859185 ***