1197838 – realm crash during kickstart

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1197838 - realm crash during kickstart

Summary: realm crash during kickstart

Keywords:
Status:	CLOSED DUPLICATE of bug 1197218
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	freeipa
Sub Component:
Version:	22
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	IPA Maintainers
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:755ef70308544a72015a055eddb...
Depends On:	1197290
Blocks:	F22AlphaBlocker
TreeView+	depends on / blocked

Reported:	2015-03-02 17:26 UTC by Stephen Gallagher
Modified:	2015-03-02 19:26 UTC (History)
CC List:	23 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1197290
Environment:
Last Closed:	2015-03-02 17:34:44 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Stephen Gallagher 2015-03-02 17:26:09 UTC

+++ This bug was initially created as a clone of Bug #1197290 +++

Recent packaging enhancements to SSSD resulted in the 'sssd' metapackage only pulling in the python 3 version of python-sssdconfig, which cannot be used by authconfig/realmd in Fedora 22. Recommendation is to require python-sssdconfig instead of python3-sssdconfig in Fedora 22. In Fedora 23, it is fine to make the switch.




Description of problem:


Version-Release number of selected component:
anaconda-22.20.1-1

The following was filed automatically by anaconda:
anaconda 22.20.1-1 exception report
Traceback (most recent call first):
  File "/usr/lib64/python2.7/site-packages/pyanaconda/kickstart.py", line 569, in execute
    rc = iutil.execWithRedirect("realm", argv)[0]
  File "/usr/lib64/python2.7/site-packages/pyanaconda/install.py", line 112, in doConfiguration
    ksdata.realm.execute(storage, ksdata, instClass)
  File "/usr/lib64/python2.7/threading.py", line 766, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib64/python2.7/site-packages/pyanaconda/threads.py", line 238, in run
    threading.Thread.run(self, *args, **kwargs)
TypeError: 'int' object has no attribute '__getitem__'

Additional info:
addons:         com_redhat_kdump
cmdline:        /usr/bin/python2  /sbin/anaconda
cmdline_file:   method=http://dl.fedoraproject.org/pub/alt/stage/22_Alpha_TC7/Server/x86_64/os/ ks=file:/fedora0.ks console=tty0 console=ttyS0,115200
executable:     /sbin/anaconda
hashmarkername: anaconda
kernel:         4.0.0-0.rc1.git0.1.fc22.x86_64
product:        Fedora"
release:        Cannot get release name.
type:           anaconda
version:        Fedora

--- Additional comment from Scott Poore on 2015-02-27 22:24:20 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:21 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:22 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:23 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:24 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:25 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:26 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:27 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:28 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:29 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:31 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:32 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:33 EST ---



--- Additional comment from Scott Poore on 2015-02-27 22:24:34 EST ---



--- Additional comment from Scott Poore on 2015-02-27 23:08:29 EST ---

Failure occurred testing kickstart with realm join.  I am able to join successfully after a kickstart but, not when realm is included in ks.cfg.  

Something to note (not sure if it's related though) is that when I do successfully join an IPA domain using realmd after kickstart, I do have to install python-sssdconfig.

[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
 * Resolving: _ldap._tcp.example.test
 * Performing LDAP DSE lookup on: 192.168.122.201
 * Successfully discovered: example.test
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
There was a problem importing one of the required Python modules. The
error was:

    No module named SSSDConfig

 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed

[root@fedora0 ~]# dnf -y install python-sssdconfig
Using metadata from Sat Feb 28 03:46:08 2015
Dependencies resolved.
=======================================================================================================
 Package                     Arch             Version                  Repository                 Size
=======================================================================================================
Installing:
 python-sssdconfig           noarch           1.12.4-2.fc22            updates-testing            96 k

Transaction Summary
=======================================================================================================
Install  1 Package

Total download size: 96 k
Installed size: 219 k
Downloading Packages:
python-sssdconfig-1.12.4-2.fc22.noarch.rpm                              13 kB/s |  96 kB     00:07    
-------------------------------------------------------------------------------------------------------
Total                                                                  1.5 kB/s |  96 kB     01:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : python-sssdconfig-1.12.4-2.fc22.noarch                                             1/1 
  Verifying   : python-sssdconfig-1.12.4-2.fc22.noarch                                             1/1 

Installed:
  python-sssdconfig.noarch 1.12.4-2.fc22                                                               

Complete!

[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
 * Resolving: _ldap._tcp.example.test
 * Performing LDAP DSE lookup on: 192.168.122.201
 * Successfully discovered: example.test
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
Discovery was successful!
Hostname: fedora0.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: vm1.example.test
BaseDN: dc=example,dc=test
Synchronizing time with KDC...
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.TEST
    Issuer:      CN=Certificate Authority,O=EXAMPLE.TEST
    Valid From:  Wed Feb 11 23:46:12 2015 UTC
    Valid Until: Sun Feb 11 23:46:12 2035 UTC

Enrolled in IPA realm EXAMPLE.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.TEST
trying https://vm1.example.test/ipa/json
Forwarding 'ping' to json server 'https://vm1.example.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://vm1.example.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
DNS server record set to: fedora0.example.test -> 192.168.122.30
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://vm1.example.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.test as NIS domain.

Client configuration complete.
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

[root@fedora0 ~]# id admin
uid=252400000(admin) gid=252400000(admins) groups=252400000(admins)

[root@fedora0 ~]#

--- Additional comment from Scott Poore on 2015-03-02 11:19:56 EST ---

I forgot to mention that this was seen running the kickstart via virt-install.  I don't think that affects things but, it's more information.

qemu-img create -f qcow2 -o preallocation=metadata $DISKIMAGE 8G
virt-install --connect=qemu:///system \
    --network=bridge:virbr0 \
    --initrd-inject=/tmp/${VMNAME}.ks \
    --extra-args="ks=file:/${VMNAME}.ks $EXTRAARGS" \
    --name=$VMNAME \
    --disk path=$DISKIMAGE,format=qcow2,size=8 \
    --ram 1024 \
    --vcpus=1 \
    --check-cpu \
    --hvm \
    --location=$OSIMG \
    --nographics

with ${VMNAME}.ks being the ks.cfg included from comment #6.

Comment 1 Lukas Slebodnik 2015-03-02 17:34:10 UTC

(In reply to Stephen Gallagher from comment #0)
> +++ This bug was initially created as a clone of Bug #1197290 +++
> 
> Recent packaging enhancements to SSSD resulted in the 'sssd' metapackage
> only pulling in the python 3 version of python-sssdconfig, which cannot be
> used by authconfig/realmd in Fedora 22. Recommendation is to require
> python-sssdconfig instead of python3-sssdconfig in Fedora 22. In Fedora 23,
> it is fine to make the switch.
> 
> 
> 
> 
> Description of problem:
> 
> 
> Version-Release number of selected component:
> anaconda-22.20.1-1
> 
> The following was filed automatically by anaconda:
> anaconda 22.20.1-1 exception report
> Traceback (most recent call first):
>   File "/usr/lib64/python2.7/site-packages/pyanaconda/kickstart.py", line
> 569, in execute
>     rc = iutil.execWithRedirect("realm", argv)[0]
>   File "/usr/lib64/python2.7/site-packages/pyanaconda/install.py", line 112,
> in doConfiguration
>     ksdata.realm.execute(storage, ksdata, instClass)
>   File "/usr/lib64/python2.7/threading.py", line 766, in run
>     self.__target(*self.__args, **self.__kwargs)
>   File "/usr/lib64/python2.7/site-packages/pyanaconda/threads.py", line 238,
> in run
>     threading.Thread.run(self, *args, **kwargs)
> TypeError: 'int' object has no attribute '__getitem__'
> 
> Additional info:
> addons:         com_redhat_kdump
> cmdline:        /usr/bin/python2  /sbin/anaconda
> cmdline_file:  
> method=http://dl.fedoraproject.org/pub/alt/stage/22_Alpha_TC7/Server/x86_64/
> os/ ks=file:/fedora0.ks console=tty0 console=ttyS0,115200
> executable:     /sbin/anaconda
> hashmarkername: anaconda
> kernel:         4.0.0-0.rc1.git0.1.fc22.x86_64
> product:        Fedora"
> release:        Cannot get release name.
> type:           anaconda
> version:        Fedora
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:20 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:21 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:22 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:23 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:24 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:25 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:26 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:27 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:28 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:29 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:31 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:32 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:33 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 22:24:34 EST ---
> 
> 
> 
> --- Additional comment from Scott Poore on 2015-02-27 23:08:29 EST ---
> 
> Failure occurred testing kickstart with realm join.  I am able to join
> successfully after a kickstart but, not when realm is included in ks.cfg.  
> 
> Something to note (not sure if it's related though) is that when I do
> successfully join an IPA domain using realmd after kickstart, I do have to
> install python-sssdconfig.
> 
> [root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
>  * Resolving: _ldap._tcp.example.test
>  * Performing LDAP DSE lookup on: 192.168.122.201
>  * Successfully discovered: example.test
>  * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd,
> /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
>  * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm
> EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join
> --password MyPassword --force-ntpd
> There was a problem importing one of the required Python modules. The
> error was:
> 
>     No module named SSSDConfig
> 
>  ! Running ipa-client-install failed
> realm: Couldn't join realm: Running ipa-client-install failed
FreeIPA will not be ported to python2 very soon therefore package freeipa-client should explicitly require python-sssdconfig.

Comment 2 Lukas Slebodnik 2015-03-02 17:34:44 UTC


*** This bug has been marked as a duplicate of bug 1197218 ***

Comment 3 Scott Poore 2015-03-02 17:46:37 UTC

This is the Fedora Release Alpha Criteria that I think applies to this bug:

https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#Remote_authentication

Comment 4 Petr Schindler 2015-03-02 19:26:00 UTC

This is just for keeping things in order and for the case if this bug would be reopened and unduped.

Discussed at today's blocker review meeting [1].

This bug was accepted as Alpha Blocker - This bug is a clear violation of the Alpha criterion: "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain."

http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-02/

Note You need to log in before you can comment on or make changes to this bug.

abokovoy
anaconda-maint-list
awilliam
dshea
extras-qa
g.kaviyarasu
ipa-maint
jhrozek
jonathan
lslebodn
mkosek
pbrezina
preichl
pschindl
pviktori
pvoborni
rcritten
sbose
sgallagh
spoore
ssorce
stefw
vanmeeuwen+fedora