ipa-replica-install with principal set fails to install.

[chesty]

I can't get ipa-replica-install to work as I understand the documentation, I'm not sure if I'm understanding it correctly.

ipa-replica-install --help
...
    -p PASSWORD, --password=PASSWORD
                        Password to join the IPA realm. Assumes bulk password
                        unless principal is also set. (domain level 1+)
                        Directory Manager (existing master) password. (domain
                        level 0)
...

I set principal with either -P admin or --principal=admin but it doesn't pass either one to ipa-client-install and so ipa-client-install uses the password as a bulk password and the install fails.

[adelton]

It works in our tests with the ipa-replica-install-options file approach. Can you show the full ipa-replica-install-options content and the docker run options that you use?

[chesty]

I wasn't aware of the replica-install-options file, maybe there's documentation I haven't found yet?

I'm using docker compose, but this is the command:

ipa-replica-install --setup-ca --setup-dns --ip-address=192.168.1.51 --no-ntp --no-forwarders --unattended --password=blah --principal=admin

I'm not setting the principal any other way.

what about?

Assumes bulk password unless principal is also set in the replica-install-options file.``

[adelton]

Actually, it's noted in the README at https://github.com/freeipa/freeipa-container.

Specifying the option as parameters to docker run and in the ipa-replica-install-options file is equivalent and both should work.

[stlaz]

I assume the problem was sorted out, closing.

[triluch]

@stlaz Looks like this issue still exists, just tried to set up replica in container today. I have set up ipa master in docker and installing replica with --principal option fails. I am using ipa-replica-install-options with following contents (just replaced some hostnames/passwords).

--password=ADMIN_PASSWORD
--admin-password=ADMIN_PASSWORD
--domain=ipa-domain
--realm=IPA-DOMAIN
--hostname=replica-hostname.ipa-domain
--server=docker-ipa-1.ipa-domain
--ip-address=10.32.A.B
--server=docker-ipa-1.ipa-domain
--principal=admin
--no-ntp
--no-sshd
--no-ssh
--unattended
--no-pkinit
--dirsrv-cert-file=/data/ssl/replica-hostname.ipa-domain.key
--http-cert-file=/data/ssl/replica-hostname.ipa-domain.key
--dirsrv-cert-file=/data/ssl/replica-hostname.ipa-domain.crt
--http-cert-file=/data/ssl/replica-hostname.ipa-domain.crt
--dirsrv-pin=XXXX
--http-pin=XXXX

In /var/log/ipareplica-install.log in container I see that --principal is not passed to ipa-client-install:

2018-06-13T15:57:10Z DEBUG args=/usr/sbin/ipa-client-install --unattended --no-ntp --domain ipa-domain --server docker-ipa-1.ipa-domain --realm IPA-DOMAIN --hostname replica-hostname.ipa-domain --password XXXXXXXX --no-ssh --no-sshd --ip-address 10.32.A.B

Full replica install log: ipareplica-install.log

Executing ipa-client-install manually in container with the same parameters, with adding --principal=admin results in successful join. I am not sure if this problem exists only in container version or should it be reported elsewhere?

[stlaz]

@triluch weird. Do you have the /var/log/ipaclient-install.log log from the same installation? Says there it failed to configure client components, unfortunately logs for that are to be found in this other file.

[chesty]

@stlaz when I had a look at the script that calls /usr/sbin/ipa-client-install --unattended ...etc (I've forgotten the details) --principal wasn't anywhere in or near that block of code so there's no circumstance where it would ever call /usr/sbin/ipa-client-install --unattended --principal

[stlaz]

Ah, never mind, I see what the problem is. Just remove the line that reads --password=ADMIN_PASSWORD and you should be fine. An excerpt from the man page for ipa-replica-install that should explain what you're seeing:

   DOMAIN LEVEL 1 OPTIONS
       -P, --principal
              The user principal which will be used to promote the client to the replica and enroll the  client  itself,
              if necessary.

       -w, --admin-password
              The Kerberos password for the given principal.
   DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS
   <...>
       -p PASSWORD, --password=PASSWORD
              One Time Password for joining a machine to the IPA realm.

I'll check with the implementation to make sure, the docs seem to be quite ambiguous.

[stlaz]

It may be a bug 😨 edit: anyway, what I said previously still applies - remove the line setting --password and you should be fine

[triluch]

Looks like that was exactly the problem, after removing --password I got: The ipa-client-install command was successful, and host was properly created. Thanks very much for spoting that - so not a bug, just my blindness ;)

[stlaz]

There's an ongoing fight with the --password option and there is a small bug in there (fixed in the PR linked above), but this should hopefully work for you now :slightly_smiling_face: Glad to help!

[chesty]

Thanks @stlaz, I think when I reported the bug it was a shell script? I don't remember any python. Anyway thanks for your work.

[stlaz]

Actually, it was really working correctly, it's just that --password is a very magical option of the ipa-replica-install script. I added a couple of test in the above mentioned PR explaining what and why it works as such.

Closing as fixed.