View Issue Details

ID: 0000411
Project: AlmaLinux-8
Category: ipa
View Status: public
Last Update: 2023-08-08 08:11
Reporter: adelton
Assigned To: alukoshko
Priority: normal
Severity: block
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0000411: ipa-server-install fails with [error] RuntimeError: Failed to initialize kerberos container

Description: When running ipa-server-install in an AlmaLinux 8-based container, the process stops at

Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [error] RuntimeError: Failed to initialize kerberos container
Failed to initialize kerberos container
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The /var/log/ipaserver-install.log then ends with

2023-07-19T07:38:22Z DEBUG args=['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions']
2023-07-19T07:38:22Z DEBUG Process finished, return code=1
2023-07-19T07:38:22Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.TEST',
master key name 'K/M@EXAMPLE.TEST'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

2023-07-19T07:38:22Z DEBUG stderr=kdb5_util: Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found while creating database '/var/kerberos/krb5kdc/principal'

2023-07-19T07:38:22Z DEBUG kdb5_util failed with CalledProcessError(Command ['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: "kdb5_util: Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found while creating database '/var/kerberos/krb5kdc/principal'\n")
2023-07-19T07:38:22Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 358, in __init_ipa_kdb
    ipautil.run(args, nolog=(self.master_password,), stdin=''.join(dialogue))
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: "kdb5_util: Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found while creating database '/var/kerberos/krb5kdc/principal'\n")

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 361, in __init_ipa_kdb
    raise RuntimeError("Failed to initialize kerberos container")
RuntimeError: Failed to initialize kerberos container

2023-07-19T07:38:22Z DEBUG [error] RuntimeError: Failed to initialize kerberos container
2023-07-19T07:38:22Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 566, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 890, in install
    subject_base=options.subject_base)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 215, in create_instance
    self.start_creation()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 361, in __init_ipa_kdb
    raise RuntimeError("Failed to initialize kerberos container")

2023-07-19T07:38:22Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Failed to initialize kerberos container
2023-07-19T07:38:22Z ERROR Failed to initialize kerberos container
2023-07-19T07:38:22Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

This is with

# rpm -qf /usr/lib64/krb5/plugins/kdb/ipadb.so
ipa-server-4.9.11-6.module_el8.8.0+3588+9db6b15f.alma.x86_64

Steps To Reproduce: I believe that even on non-container installation, merely running

ipa-server-install -U -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123

should trigger the issue.

Alternatively, in a checkout directory of https://github.com/freeipa/freeipa-container, run

tests/run-partial-tests.sh Dockerfile.almalinux-8

Additional Information: First reported in https://github.com/freeipa/freeipa-container/actions/runs/5595030145/jobs/10230607540.

The previous run https://github.com/freeipa/freeipa-container/actions/runs/5571782333/jobs/10177165151 which used ipa-server-4.9.11-5.module_el8.8.0+3473+3c8c1b4b worked fine.

Tags: No tags attached.

Activities

nbrys

2023-08-03 07:28

reporter   ~0000943

Hi,

Yesterday we hit the same issue with our production IPA setup. One of our servers updated the package to ipa-server-4.9.11-6.module_el8.8.0+3588+9db6b15f.alma.x86_64, after which IPA failed to start with the following error:

[root@ipa4 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services

Without this one starting I cannot do much.

Aug 02 11:58:37 ipa4.ipa.internal krb5kdc[21747](Error): Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found - while initializing database for realm IPA.internal

Hitamashi

2023-08-03 07:37

reporter   ~0000944

I have another issue with an installation on a VM.
Tried to set up a replica with ipa-replica-install but it says

krb5kdc service failed to start
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'restart', 'kadmin.service'] returned non-zero exit status 1: 'Job for kadmin.service failed because the control process exited with error code.\nSee "systemctl status kadmin.service" and "journalctl -xe" for details.\n')

Found an error line:
krb5kdc[10690](Error): Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found - while initializing database for realm ABC

When I go back to 4.9.11-5, it works fine.

alukoshko

2023-08-03 14:10

administrator   ~0000946

Thanks for pointing this out. I'll check.

alukoshko

2023-08-03 15:16

administrator   ~0000947

The latest ipa-server relies on the latest krb5 packages, and it seems like this run happened without them for some reason:
https://github.com/freeipa/freeipa-container/actions/runs/5595030145/jobs/10230607540
Latest runs look fine.

Please check that you have the latest krb5 packages:
# rpm -q krb5-libs
krb5-libs-1.18.2-25.el8_8.x86_64

I can't reproduce the issue with the latest krb5-libs, but I immediately got issues with kadmin.service after downgrading.
I'll update the ipa package to depend on the proper krb5 version so this will not happen with partial updates when ipa is the latest and krb5 is not.

Hitamashi

2023-08-04 03:40

reporter   ~0000951

On the server we have the issue:
# rpm -q krb5-libs
krb5-libs-1.18.2-22.el8_7.x86_64

Tested with a fresh installation (on another server), krb5-libs is upgraded to the latest:
    Upgrade krb5-libs-1.18.2-25.el8_8.x86_64 @baseos
    Upgraded krb5-libs-1.18.2-22.el8_7.x86_64 @@System

Probably it is as you said: krb5-libs is not upgraded in a partial update.
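
A check for the partial-update state diagnosed in notes ~0000947 and ~0000951, added here as an example (it is not part of the original thread or of the AlmaLinux or FreeIPA tooling). The function names and verdict strings are assumptions, the minimum krb5-libs build is the one quoted in note ~0000947, and `sort -V` stands in for RPM's own version comparison.

```shell
#!/bin/sh
# Added example: flag a host where ipa-server was updated but krb5-libs was not.
# MIN_KRB5 is the krb5-libs version-release quoted in note ~0000947.
MIN_KRB5='1.18.2-25.el8_8'

# Reduce `rpm -q krb5-libs` output (name-version-release.arch) to version-release.
krb5_version_release() {
    _nvra=${1#krb5-libs-}
    printf '%s\n' "${_nvra%.*}"
}

# Succeeds when $1 >= $2. Assumption: GNU `sort -V` ordering is close enough
# to RPM's comparison for these krb5-libs release strings.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Succeeds when the log text on stdin contains the plugin load failure
# reported in this issue.
has_ipadb_symbol_error() {
    grep -F -q "Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found"
}

# $1: output of `rpm -q krb5-libs`, $2: KDC log text.
# Prints krb5-current, stale-krb5-failing or stale-krb5 (hypothetical verdicts).
diagnose() {
    _vr=$(krb5_version_release "$1")
    if version_at_least "$_vr" "$MIN_KRB5"; then
        echo krb5-current
    elif printf '%s\n' "$2" | has_ipadb_symbol_error; then
        echo stale-krb5-failing
    else
        echo stale-krb5
    fi
}

# Log line quoted from note ~0000943 on this page.
SAMPLE_LOG="Aug 02 11:58:37 ipa4.ipa.internal krb5kdc[21747](Error): Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found - while initializing database for realm IPA.internal"

# Package version reported in note ~0000951 for the affected server.
diagnose 'krb5-libs-1.18.2-22.el8_7.x86_64' "$SAMPLE_LOG"

# On a live host (assumes the krb5kdc systemd unit):
#   diagnose "$(rpm -q krb5-libs)" "$(journalctl -u krb5kdc -b --no-pager)"
```

A `stale-krb5` verdict means the host has not failed yet but will hit the same load error once the KDC restarts against the newer `ipadb.so`.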

Issue History

Date Modified     Username   Field                Change
2023-07-19 07:48  adelton    New Issue
2023-08-03 07:28  nbrys      Note Added: 0000943
2023-08-03 07:37  Hitamashi  Note Added: 0000944
2023-08-03 14:10  alukoshko  Note Added: 0000946
2023-08-03 15:16  alukoshko  Note Added: 0000947
2023-08-03 20:42  alukoshko  Assigned To          => alukoshko
2023-08-03 20:42  alukoshko  Status               new => confirmed
2023-08-04 03:40  Hitamashi  Note Added: 0000951
2023-08-08 08:11  alukoshko  Status               confirmed => resolved
2023-08-08 08:11  alukoshko  Resolution           open => fixed