Description of problem:
[root@jennyv2 yum.repos.d]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup the IPA Server.
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure TurboGears
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
Server host name [jennyv2.bos.redhat.com]:
The domain name has been calculated based on the host name.
Please confirm the domain name [bos.redhat.com]:
The IPA Master Server will be configured with
IP address: 10.16.0.47
Domain name: bos.redhat.com
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [BOS.REDHAT.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server:
[1/18]: creating directory server user
[2/18]: creating directory server instance
[3/18]: adding default schema
[4/18]: enabling memberof plugin
[5/18]: enabling referential integrity plugin
[6/18]: enabling winsync plugin
[7/18]: enabling ldapi
[8/18]: configuring uniqueness plugin
[9/18]: creating indices
[10/18]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
File contains no section headers.
file: /var/lib/ipa/ca_serialno, line: 1
2009-09-18 16:34:29,684 DEBUG File contains no section headers.
file: /var/lib/ipa/ca_serialno, line: 1
File "/usr/sbin/ipa-server-install", line 775, in ?
File "/usr/sbin/ipa-server-install", line 655, in main
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=not options.ca, uidstart=options.uidstart, gidstart=options.
File "/usr/lib/python2.4/site-packages/ipaserver/install/dsinstance.py", line 192, in create_instance
self.start_creation("Configuring directory server:")
File "/usr/lib/python2.4/site-packages/ipaserver/install/service.py", line 171, in start_creation
File "/usr/lib/python2.4/site-packages/ipaserver/install/dsinstance.py", line 334, in __enable_ssl
File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 834, in create_self_signed
File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 344, in create_ca_cert
p = subprocess.Popen(["/usr/bin/certutil",
File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 120, in next_serial
File "/usr/lib/python2.4/ConfigParser.py", line 286, in readfp
File "/usr/lib/python2.4/ConfigParser.py", line 462, in _read
raise MissingSectionHeaderError(fpname, lineno, line)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
It seems that the reason is that you had an old /var/lib/ipa/ca_serialno file on your machine. A recent patch changed the format of this file and ipa-server-install --uninstall didn't delete it, therefore the installation failed because it didn't recognize the file.
I will address the issue, but for now I'm lowering the priority and severity, as this bug has an easy work-around.
I guess ideally we'll handle both formats and initialize the new format with the old CA serial number.
The reason that the file isn't deleted on uninstall is so if you install again you get new serial numbers for all the certs and avoid errors where you have the same cert (and serial number) but different keys.
In that case this is NOTABUG. The error Jenny encountered was there because the format of that file changed. Rob, do you think it would at least be worth it marking the file a %ghost?
Well, I think we should handle it a bit more gracefully than a backtrace in any case.
Yes, probably worth making this a %ghost file.
Fixed in a67b524510f66ce112192261f60adf88d07fa96c.