stable

freeipa-4.7.90.pre1-3.fc30

FEDORA-2019-4b1fc0c4b9 created by abbra 4 years ago for Fedora 30

First release candidate for FreeIPA 4.8.0.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2019-4b1fc0c4b9

This update has been submitted for testing by abbra.

4 years ago
User Icon adamwill commented & provided feedback 4 years ago
karma

Fails openQA testing - see links on Automated Tests tab. I haven't investigated the cause yet.

User Icon adamwill commented 4 years ago

The server claims to be running fine, but the client claims not to be able to register with it. Someone's lying! Client logs show this:

Apr 29 17:00:52 client003.domain.local systemd[1]: Started Realm and Domain Configuration.
Apr 29 17:00:52 client003.domain.local realmd[900]: claimed name on bus: org.freedesktop.realmd
Apr 29 17:00:52 client003.domain.local realmd[900]: client using service: :1.19
Apr 29 17:00:52 client003.domain.local realmd[900]: holding daemon: :1.19
Apr 29 17:00:52 client003.domain.local realmd[900]: Using 'r477.897' operation for method 'Discover' invocation on 'org.freedesktop.realmd.Provider' interface
Apr 29 17:00:52 client003.domain.local realmd[900]: Registered cancellable for operation 'r477.897'
Apr 29 17:00:52 client003.domain.local realmd[900]:  * Resolving: _ldap._tcp.ipa001.domain.local
Apr 29 17:00:52 client003.domain.local realmd[900]:  * Resolving: _ldap._tcp.ipa001.domain.local
Apr 29 17:00:52 client003.domain.local realmd[900]: Resolving ipa001.domain.local failed: No DNS record of the requested type for “_kerberos._udp.ipa001.domain.local”
Apr 29 17:00:52 client003.domain.local realmd[900]: No DNS record of the requested type for “_ldap._tcp.ipa001.domain.local”
Apr 29 17:00:52 client003.domain.local realmd[900]:  * Resolving: ipa001.domain.local
Apr 29 17:00:52 client003.domain.local realmd[900]:  * Resolving: ipa001.domain.local
Apr 29 17:00:52 client003.domain.local realmd[900]: Resolving ipa001.domain.local failed: No DNS record of the requested type for “_kerberos._tcp.ipa001.domain.local”
Apr 29 17:00:52 client003.domain.local realmd[900]:  * Performing LDAP DSE lookup on: 10.0.2.100
Apr 29 17:00:52 client003.domain.local realmd[900]:  * Performing LDAP DSE lookup on: 10.0.2.100
Apr 29 17:00:52 client003.domain.local realmd[900]: Searching  for (objectClass=*)
Apr 29 17:00:52 client003.domain.local realmd[900]: Got defaultNamingContext: dc=domain,dc=local
Apr 29 17:00:52 client003.domain.local realmd[900]: Searching dc=domain,dc=local for (objectClass=*)
Apr 29 17:00:52 client003.domain.local realmd[900]: Couldn't read default naming context
Apr 29 17:00:52 client003.domain.local realmd[900]:  ! Couldn't lookup domain name on LDAP server
Apr 29 17:00:52 client003.domain.local realmd[900]:  ! Couldn't lookup domain name on LDAP server
Apr 29 17:00:52 client003.domain.local realmd[900]: client gone away: :1.19
Apr 29 17:00:52 client003.domain.local realmd[900]: released daemon: :1.19

Server logs show more or less a successful server deployment, but also these errors...

Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: unsupported operation: object class in resource record template DN 'idnsname=_ldap._tcp,idnsname=domain.local.,cn=dns,dc=domain,dc=local' changed: rndc reload might be necessary
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: unsupported operation: object class in resource record template DN 'idnsname=_kerberos._tcp,idnsname=domain.local.,cn=dns,dc=domain,dc=local' changed: rndc reload might be necessary
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: unsupported operation: object class in resource record template DN 'idnsname=_kerberos._udp,idnsname=domain.local.,cn=dns,dc=domain,dc=local' changed: rndc reload might be necessary
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: unsupported operation: object class in resource record template DN 'idnsname=_kerberos-master._tcp,idnsname=domain.local.,cn=dns,dc=domain,dc=local' changed: rndc reload might be necessary
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: unsupported operation: object class in resource record template DN 'idnsname=_kerberos-master._udp,idnsname=domain.local.,cn=dns,dc=domain,dc=local' changed: rndc reload might be necessary
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: unsupported operation: object class in resource record template DN 'idnsname=_kpasswd._tcp,idnsname=domain.local.,cn=dns,dc=domain,dc=local' changed: rndc reload might be necessary
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: unsupported operation: object class in resource record template DN 'idnsname=_kpasswd._udp,idnsname=domain.local.,cn=dns,dc=domain,dc=local' changed: rndc reload might be necessary
Apr 29 16:59:42 ipa001.domain.local named-pkcs11[8441]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Apr 29 16:59:42 ipa001.domain.local systemd[1]: Reloading.
...
Apr 29 16:59:44 ipa001.domain.local generate-rndc-key.sh[8691]: /usr/libexec/generate-rndc-key.sh: line 3: /etc/rc.d/init.d/functions: No such file or directory
Apr 29 16:59:44 ipa001.domain.local systemd[1]: named-setup-rndc.service: Succeeded.
Apr 29 16:59:44 ipa001.domain.local systemd[1]: Started Generate rndc key for BIND (DNS).

which I guess may be related here? It does seem like some kind of DNS problem.

This update has been pushed to testing.

4 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 years ago
User Icon abbra commented 4 years ago

I think this failure is due to the test running with DNSSEC validation but named-pkcs11 failing to validate the path to root nameservers and disabling it: 

Apr 29 17:02:26 ipa001 named-pkcs11[1071]: insecurity proof failed resolving 'arm.fedoraproject.org/A/IN': 10.5.126.21#53
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: insecurity proof failed resolving 'arm.fedoraproject.org/AAAA/IN': 10.5.126.21#53
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: insecurity proof failed resolving 'arm.fedoraproject.org/A/IN': 10.5.126.22#53
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: insecurity proof failed resolving 'arm.fedoraproject.org/AAAA/IN': 10.5.126.22#53
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: validating fedoramagazine.org/A: no valid signature found
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: validating fedoramagazine.org/AAAA: no valid signature found
Apr 29 17:02:26 ipa001 named-pkcs11[1071]:  validating getfedora.org/SOA: no valid signature found
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: validating getfedora.org/A: no valid signature found
Apr 29 17:02:26 ipa001 named-pkcs11[1071]:  validating getfedora.org/NSEC: no valid signature found
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: validating creativecommons.org/A: no valid signature found
Apr 29 17:02:26 ipa001 named-pkcs11[1071]: validating creativecommons.org/AAAA: no valid signature found
Apr 29 17:06:17 ipa001 named-pkcs11[1071]: validating getfedora.org/A: no valid signature found

It doesn't allow external clients to resolve through itself then. You need to add --no-dnssec-validation to ipa-server-install to disable DNSSEC validation.

User Icon abbra commented 4 years ago

In order to get more insights what happens, we need /var/named/data/named.run log. It is not included into artifacts, unfortunately.

User Icon adamwill commented 4 years ago

because why put log files into /var/log, that would be so boring and conventional...sigh

Adding --no-dnssec-validation does not seem to help. Exact command tested was ipa-server-install -U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.0.10.in-addr.arpa --allow-zone-overlap --forwarder=10.5.126.21 --forwarder=10.5.126.22 --no-dnssec-validation. Client tests still failed. Will get that log file.

User Icon adamwill commented 4 years ago

https://openqa.stg.fedoraproject.org/tests/533861/file/role_deploy_domain_controller_check-named.run is a named.run from a run of this test, not sure if it contains what you need. Note that the server logs are being uploaded sort of while the client tests are running; for boring openQA implementation reasons it is difficult to get the logs after the client tests fail. The logs may be from just after one of the clients tries to enrol, or just before; I'll check timestamps and figure out which this was in a bit.

abbra edited this update.

New build(s):

  • freeipa-4.7.90.pre1-2.fc30

Removed build(s):

  • freeipa-4.7.90.pre1-1.fc30

Karma has been reset.

4 years ago

This update has been submitted for testing by abbra.

4 years ago
User Icon abbra commented 4 years ago

I backed off the change that set default for minimum SSF value to 56. With it, realmd was unable to validate IPA server discovery as it uses only anonymous LDAP connection.

adamwill edited this update.

New build(s):

  • freeipa-4.7.90.pre1-3.fc30

Removed build(s):

  • freeipa-4.7.90.pre1-2.fc30

Karma has been reset.

4 years ago
User Icon adamwill commented 4 years ago

With my web font fix in -3, the openQA tests now pass. Still, is it really appropriate to send a 4.8 pre-release as an update to F30, now F30 is a stable release?

This update has been pushed to testing.

4 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

4 years ago
User Icon abbra commented 4 years ago

FreeIPA 4.8 pre-release went through extensive testing in past three months in upstream PR-CI. The tests we saw failing here were the only ones we didn't test. We had intention to add FreeIPA 4.8 to Fedora 30 since the very beginning.

This update has been submitted for batched by abbra.

4 years ago

This update has been submitted for stable by abbra.

4 years ago

This update has been pushed to stable.

4 years ago

Please login to add feedback.

Metadata
Type
enhancement
Karma
0
Signed
Content Type
RPM
Test Gating
Builds
1
freeipa-4.7.90.pre1-3.fc30
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
4 years ago
in testing
4 years ago
in stable
4 years ago
modified
4 years ago
freeipa-4.7.90.pre1-3.fc30

Automated Test Results

Copyright © 2007-2023 Red Hat, Inc. and others.

Running bodhi-server 7.2.1^202309080750gitab9cc47 on bodhi-web-111-vskbv.

bodhi is Free Software. Please file issues if you have any problems. Read the documentation.

Composes Legal Privacy policy