Undercloud installation with FreeIPA (IDM) failed:

Environment

RHEL-8.2 + OSP-16.1 environment.

Issue

Undercloud installation with FreeIPA fails with the error below. The undercloud (UC) installation with FreeIPA should complete without errors.

TASK [Enroll to FreeIPA] *******************************************************************************************************************************************
Saturday 31 October 2020  14:12:45 -0400 (0:00:00.344)       0:02:08.616 ******
ok: [osp16]

TASK [Request kerberos keytab] *************************************************************************************************************************************
Saturday 31 October 2020  14:12:45 -0400 (0:00:00.296)       0:02:08.912 ******
fatal: [osp16]: FAILED! => {"changed": true, "cmd": "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s $(grep xmlrpc_uri /etc/ipa/default.conf  | cut -d/ -f3) -p nova/osp16.nodei21.local -k /etc/novajoin/krb5.keytab", "delta": "0:00:00.337789", "end": "2020-10-31 14:12:46.209928", "msg": "non-zero return code", "rc": 11, "start": "2020-10-31 14:12:45.872139", "stderr": "Failed to add key to the keytab", "stderr_lines": ["Failed to add key to the keytab"], "stdout": "", "stdout_lines": []}

Command '['sudo', '--preserve-env', 'openstack', 'tripleo', 'deploy', '--standalone', '--standalone-role', 'Undercloud', '--stack', 'undercloud', '--local-domain=nodei21.local', '--local-ip=192.168.24.1/24', '--templates=/usr/share/openstack-tripleo-heat-templates/', '--networks-file=network_data_undercloud.yaml', '--heat-native', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/undercloud.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/use-dns-for-vips.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/podman.yaml', '-e', 'containers-prepare-parameter.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/ironic.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/mistral.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/novajoin.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/zaqar-swift-backend.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/disable-telemetry.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/tempest.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/public-tls-undercloud.yaml', '--public-virtual-ip', '192.168.24.26', '--control-virtual-ip', '192.168.24.25', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/undercloud-haproxy.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/services/undercloud-keepalived.yaml', '--deployment-user', 'stack', '--output-dir=/home/stack', '--cleanup', '-e', '/home/stack/tripleo-config-generated-env-files/undercloud_parameters.yaml', '-e', '/usr/share/openstack-tripleo-heat-templates/environments/tripleo-validations.yaml', 
'--log-file=install-undercloud.log', '-e', '/usr/share/openstack-tripleo-heat-templates/undercloud-stack-vstate-dropin.yaml']' returned non-zero exit status 1.
[stack@osp16 ~]$

Resolution

As a workaround, run the following from the Director:

ipa-client-install --uninstall -U
ipa-client-install
kinit admin
ipa host-find
ipa-getkeytab -p nova/osp16.5c5s.local@5C5S.LOCAL -k /etc/novajoin/krb5.keytab
klist -kt /etc/novajoin/krb5.keytab
podman restart novajoin_server

Root Cause

  1. The ipa-client installation did not happen as it should have; this is being investigated in RHBZ#1941799.
  2. Copying the krb5.keytab was the wrong procedure to try to fix it.
  3. Puppet uses "/etc/pki/CA/certs/vnc.crt" instead of /etc/ipa/ca.crt (RHBZ#1956152).

Diagnostic Steps

TASK [Request kerberos keytab] *****************************************************************************************************************************************************
Friday 19 March 2021  19:23:42 -0400 (0:00:00.286)       0:01:58.254 **********
fatal: [osp16]: FAILED! => {"changed": true, "cmd": "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s $(grep xmlrpc_uri /etc/ipa/default.conf  | cut -d/ -f3) -p nova/osp16.5c5s.local -k /etc/novajoin/krb5.keytab", "delta": "0:00:00.356700", "end": "2021-03-19 19:23:43.534849", "msg": "non-zero return code", "rc": 11, "start": "2021-03-19 19:23:43.178149", "stderr": "Failed to add key to the keytab", "stderr_lines": ["Failed to add key to the keytab"], "stdout": "", "stdout_lines": []}
  • After creating the novajoin directory manually, I made the changes below to complete the undercloud install:
[stack@osp16 etc]$ sudo mkdir novajoin
[stack@osp16 etc]$ sudo cp -r krb5.keytab novajoin/
[stack@osp16 etc]$ chmod 777 novajoin
chmod: changing permissions of 'novajoin': Operation not permitted
[stack@osp16 etc]$ sudo chmod 777 novajoin
[stack@osp16 etc]$ 
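
A check for the keytab produced by the workaround, as an added example that is not part of the original solution: it confirms that /etc/novajoin/krb5.keytab holds the nova/ service principal rather than copied host keys, and that neither the keytab nor its directory is left accessible to other users as after the chmod 777 above. The function names and the klist samples are constructed for illustration, and the copied keytab is assumed to hold only host/ keys.

```shell
#!/bin/sh
# Added example: checks to run after re-creating /etc/novajoin/krb5.keytab.
# SAMPLE_* values are constructed klist -kt output, not captured from a host.

# has_principal PRINCIPAL: read `klist -kt` output on stdin; succeed only if
# a key entry (line starting with a numeric KVNO) is for exactly PRINCIPAL.
has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $NF == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# mode_is_private PATH: succeed only if "other" has no permission bits,
# which rules out the chmod 777 shown in the diagnostic steps.
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_novajoin_keytab KEYTAB PRINCIPAL: run both checks on a live host.
check_novajoin_keytab() {
    mode_is_private "$(dirname "$1")" || { echo "FAIL: directory open to other users"; return 1; }
    mode_is_private "$1" || { echo "FAIL: keytab accessible to other users"; return 1; }
    klist -kt "$1" | has_principal "$2" || { echo "FAIL: $2 not in keytab"; return 1; }
    echo "OK: $1 holds $2 and is not world-accessible"
}

# Constructed sample: keytab written by ipa-getkeytab for the nova service.
SAMPLE_GOOD='Keytab name: FILE:/etc/novajoin/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   1 03/19/2021 19:40:00 nova/osp16.5c5s.local@5C5S.LOCAL'

# Constructed sample: a copy of /etc/krb5.keytab (assumed to hold host keys only).
SAMPLE_COPIED='Keytab name: FILE:/etc/novajoin/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 03/19/2021 19:20:00 host/osp16.5c5s.local@5C5S.LOCAL'

# Live use (as root): sh check.sh /etc/novajoin/krb5.keytab nova/osp16.5c5s.local@5C5S.LOCAL
if [ "$#" -eq 2 ]; then
    check_novajoin_keytab "$1" "$2"
fi
```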

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.