ipareplica - AttributeError: 'Env' object has no attribute 'realm'

[marcosjl31]

Hi I've successfully deployed the IPA server, but I'm struggling on the IPA replica installation. I'm using freeipa version 0.3.5 on "CentOS 7 latest" machines.

Error is : AttributeError: 'Env' object has no attribute 'realm'; full message :

TASK [freeipa.ansible_freeipa.ipareplica : Install - Replica preparation] *** Tuesday 01 June 2021 11:30:04 +0200 (0:00:00.612) 0:00:07.166 ** An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'Env' object has no attribute 'realm' fatal: [tu-ipa2-p01.robotics.cst.cnes.fr]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"\", line 102, in \n File \"\", line 94, in _ansiballz_main\n File \"\", line 40, in invoke_module\n File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_freeipa.ansible_freeipa.ipareplica_prepare_payload_VYpNWj/ansible_freeipa.ansible_freeipa.ipareplica_prepare_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipareplica_prepare.py\", line 856, in \n File \"/tmp/ansible_freeipa.ansible_freeipa.ipareplica_prepare_payload_VYpNWj/ansible_freeipa.ansible_freeipa.ipareplica_prepare_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipareplica_prepare.py\", line 393, in main\nAttributeError: 'Env' object has no attribute 'realm'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

Here's the content of my inventory file that configures : 1 server (ipa1) , 1 replica (ipa2) and 1 client (ubu2004) :

[ipaserver]
ipa1.robotics.com ansible_host=10.160.7.50

[ipaserver:vars]
# No DNS managed by IPA.
ipaserver_setup_dns=no
ipaserver_auto_forwarders=no
# (AC !) Network firewall rules managed by ansible-freeipa (yes) or via iptables mechanism (no) ?
ipaserver_setup_firewalld=yes

[ipareplicas]
#ipa2.robotics.com ansible_host=10.160.7.51 ipareplica_servers=ipa1.robotics.com
ipa2.robotics.com ansible_host=10.160.7.51 

[ipareplicas:vars]
ipaclient_force_join=yes
ipareplica_domain=robotics.com
ipareplica_realm=ROBOTICS.COM
#ipaserver_realm=ROBOTICS.COM
#ipaserver_hostname=ipa1.robotics.com

[ipaclients]
ubu2004.robotics.com ansible_host=10.160.7.100 ipaclient_servers=ipa1.robotics.com,ipa2.robotics.com

[ipaclients:vars]
#ipaclient_use_otp=yes
ipaclient_allow_repair=yes
ipaadmin_principal=admin

[ipa:children]
ipaserver
ipareplicas
ipaclients

[ipa:vars]
ipaserver_domain=robotics.com
ipaserver_realm=ROBOTICS.COM

Any help appreciated,

[marcosjl31]

Note that when I run the PB with -vvv option, I don't see any issue as at step "Install - Replica installation test", realm is correctly set :

TASK [freeipa.ansible_freeipa.ipareplica : Install - Replica installation test] ***
task path: /usr/local/home/deploy/.ansible/collections/ansible_collections/freeipa/ansible_freeipa/roles/ipareplica/tasks/install.yml:65
Tuesday 01 June 2021  15:25:34 +0200 (0:00:00.069)       0:00:06.818 **********
Using module file /usr/local/home/deploy/.ansible/collections/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipareplica_test.py
Pipelining is enabled.
<10.160.7.51> ESTABLISH SSH CONNECTION FOR USER: admin_socle
<10.160.7.51> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="admin_socle"' -o ConnectTimeout=10 -o ControlPath=/usr/local/home/deploy/.ansible/cp/76cdccf1ee 10.160.7.51 '/bin/sh -c '"'"'sudo -H -S -n  -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-wodzzjuednuzpndkhlmpfhalivrrvkly ; /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<10.160.7.51> (0, b'\n{"setup_adtrust": false, "domain": "robotics.com", "changed": false, "realm": "ROBOTICS.COM", "ipa_python_version": 40608, "setup_kra": false, "hostname": "ipa2.robotics.com", "server": null, "client_enrolled": true, "invocation": {"module_args": {"domain": "robotics.com", "setup_ca": false, "hidden_replica": false, "ip_addresses": [], "servers": [], "http_cert_files": [], "no_ntp": false, "no_forwarders": false, "realm": "ROBOTICS.COM", "no_pkinit": false, "hostname": "ipa2.robotics.com", "no_dnssec_validation": false, "setup_adtrust": false, "dirsrv_cert_files": [], "no_reverse": false, "pkinit_cert_files": [], "ca_cert_files": [], "ntp_pool": null, "auto_reverse": false, "ntp_servers": [], "auto_forwarders": false, "dirsrv_config_file": null, "forwarders": [], "skip_mem_check": false, "forward_policy": null, "setup_dns": false, "setup_kra": false}}, "change_master_for_certmonger": true}\n', b'')
ok: [ipa2.robotics.com] => {
    "change_master_for_certmonger": true,
    "changed": false,
    "client_enrolled": true,
    "domain": "robotics.com",
    "hostname": "ipa2.robotics.com",
    "invocation": {
        "module_args": {
            "auto_forwarders": false,
            "auto_reverse": false,
            "ca_cert_files": [],
            "dirsrv_cert_files": [],
            "dirsrv_config_file": null,
            "domain": "robotics.com",
            "forward_policy": null,
            "forwarders": [],
            "hidden_replica": false,
            "hostname": "ipa2.robotics.com",
            "http_cert_files": [],
            "ip_addresses": [],
            "no_dnssec_validation": false,
            "no_forwarders": false,
            "no_ntp": false,
            "no_pkinit": false,
            "no_reverse": false,
            "ntp_pool": null,
            "ntp_servers": [],
            "pkinit_cert_files": [],
            "realm": "ROBOTICS.COM",
            "servers": [],
            "setup_adtrust": false,
            "setup_ca": false,
            "setup_dns": false,
            "setup_kra": false,
            "skip_mem_check": false
        }
    },
    "ipa_python_version": 40608,
    "realm": "ROBOTICS.COM",
    "server": null,
    "setup_adtrust": false,
    "setup_kra": false
}

[dsroark]

I am getting this same error. Addresing the suggested solution here , verified similarly through -vvv that ipareplica_realmand ipareplica_domain are set properly.

[marcosjl31]

Hi I double check my DNS configuration and it's ok. IP adress and hostnames of both ipa server and replica machine are resolved. I'm stuck so far. José

[t-woerner]

The verbose option in Ansible may not have any effect on the code in the modules of the replica role in ansible-freeipa.

[t-woerner]

Please add a link to the ipareplica-install.log file of ipa2.robotics.com if possible. It is needed to have a closer look at the log output to understand what is going on.

[t-woerner]

Are ipa2.robotics.com and also ipa1.robotics.com able to resolve both names correctly?

[marcosjl31]

Here's the log for ipa2 :

ipareplica-install.log

[marcosjl31]

Are ipa2.robotics.com and also ipa1.robotics.com able to resolve both names correctly?

Yes. I triple checked my DNS configuration (I don't want IPA to configure / manage my DNS local subdomain. Both forward and reverse resolutions work.

[t-woerner]

There is no error in the file, do you have the log of the failure case?

[Cronus89]

I've joined this crowd with this same error. Have verified and tried everything in all issues related to this error.

[marcosjl31]

Ok. I started to deploy the replica on a freshly new VM, and started to install the replica server from scratch... It seems thar error message are different when I play the install-replica.yml playbook several times ! Not omnipotent ?

Here are ipaclient/ipareplica and typescript for the 1st run of install_replica.yml playboot. The error is related to CA certificate that cannot be dowloaded to the ipa2 machine

ipaclient-install_run1.log ipareplica-install_run1.log typescript_run1.log

[marcosjl31]

And this are the ipareplica_install.log and the typescript log for run2. On this iteration, the error is the one for which I opened this issue : AttributeError: 'Env' object has no attribute 'realm'

ipareplica-install_run2.log typescript_run2.log

[abbra]

@marcosjl31 you have improperly set up your IPA deployment. You are using Kerberos realm different to your base DN. You should have for Kerberos realm EXAMPLE.COM a base DN dc=example,dc=com, while in your case it is something different. IPA expects that Kerberos realm and base DN are tightly connected and these expectations are everywhere. In short, this is unsupported configuration in IPA, regardless how you deploy it.

[marcosjl31]

Hello, I tried to avoid putting the actual information I used and discovered that I miss some changes before uploading the files... That's why you can see: dc=robotics,dc=cst,dc=cnes,dc=fr instead of dc=robotics,dc=com ! Sorry for the annoyance.

[abbra]

So you mean that in

2021-06-08T13:11:29Z DEBUG get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ipa1.robotics.com@ROBOTICS.COM not found in Kerberos database)

both ipa1.robotics.com and ROBOTICS.COM are obfuscated?

If so, please look into LDAP server's logs on your IPA server to see what LDAP query came from the KDC at this time. It should be searching for ldap/ipa1.....@REALM.

[marcosjl31]

Ok. Took the time to start things all over again for both ipa1 server and ipa2 replica, after doing small modification in /etc/resolv.conf (in order that each Dns server uses the local machine first). Installation was successfull this time... I assume the issue was basically related to this DNS mis configuration.