Description of problem:
Error during ipa-server-install: CRITICAL Failed to load upload-cacert.ldif:

Version-Release number of selected component (if applicable):
Installed Packages
freeipa-admintools.x86_64        3.1.2-1.fc18    @updates
freeipa-client.x86_64            3.1.2-1.fc18    @updates
freeipa-python.x86_64            3.1.2-1.fc18    @updates
freeipa-server.x86_64            3.1.2-1.fc18    @updates
freeipa-server-selinux.x86_64    3.1.2-1.fc18    @updates

How reproducible:
Consistent

Actual results:
[root@ipa ~]# ipa-server-install \
> --admin-password=adminpassword \
> --domain=hunter.org \
> --ds-password=dspassword \
> --hostname=ipa.hunter.org \
> --no-forwarders \
> --no-ntp \
> --realm=fHUNTER.ORG \
> --setup-dns \
> --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Excluded by options:
  * Configure the Network Time Daemon (ntpd)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host ipa.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    FHUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/36]: creating directory server user
  [2/36]: creating directory server instance
  [3/36]: adding default schema
  [4/36]: enabling memberof plugin
  [5/36]: enabling winsync plugin
  [6/36]: configuring replication version plugin
  [7/36]: enabling IPA enrollment plugin
  [8/36]: enabling ldapi
  [9/36]: configuring uniqueness plugin
  [10/36]: configuring uuid plugin
  [11/36]: configuring modrdn plugin
  [12/36]: enabling entryUSN plugin
  [13/36]: configuring lockout plugin
  [14/36]: creating indices
  [15/36]: enabling referential integrity plugin
  [16/36]: configuring certmap.conf
  [17/36]: configure autobind for root
  [18/36]: configure new location for managed entries
  [19/36]: restarting directory server
  [20/36]: adding default layout
  [21/36]: adding delegation layout
  [22/36]: adding replication acis
  [23/36]: creating container for managed entries
  [24/36]: configuring user private groups
  [25/36]: configuring netgroups from hostgroups
  [26/36]: creating default Sudo bind user
  [27/36]: creating default Auto Member layout
  [28/36]: adding range check plugin
  [29/36]: creating default HBAC rule allow_all
  [30/36]: Upload CA cert to the directory
ipa         : CRITICAL Failed to load upload-cacert.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpCiewYf -H ldap://ipa.hunter.org:389 -x -D cn=Directory Manager -y /tmp/tmpUlmjzf' returned non-zero exit status 247
  [31/36]: initializing group membership
  [32/36]: adding master entry
  [33/36]: configuring Posix uid/gid generation
  [34/36]: enabling compatibility plugin
  [35/36]: tuning directory server
  [36/36]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating RA agent certificate database
  [5/20]: importing CA chain to RA certificate database
  [6/20]: fixing RA database permissions
  [7/20]: setting up signing cert profile
  [8/20]: set up CRL publishing
  [9/20]: set certificate subject base
  [10/20]: enabling Subject Key Identifier
  [11/20]: enabling CRL and OCSP extensions for certificates
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
  [17/20]: adding RA agent as a trusted user
  [18/20]: configure certificate renewals
  [19/20]: configure Server-Cert certificate renewal
  [20/20]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/10]: adding DNS container
  [2/10]: setting up our zone
  [3/10]: setting up reverse zone
  [4/10]: setting up our own record
  [5/10]: setting up CA CNAME record
  [6/10]: setting up kerberos principal
  [7/10]: setting up named.conf
  [8/10]: restarting named
  [9/10]: configuring named to start on boot
  [10/10]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

	3. Kerberos requires time synchronization between clients
	   and servers for correct operation. You should consider enabling ntpd.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@ipa ~]#
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3375
This message is actually benign, the CA does get eventually added successfully.

Fixed upstream.
master: b382a77fc393a078ebbba8000284dd9abe75a3d5
ipa-3-1: 253140ed59fed21ecbda8c795484935173e9da05
Is this client install complaining about the absence of the same certificate?

[root@fedora18 ~]# ipa-client-install \
> --domain=hunter.org \
> --enable-dns-updates \
> --force-ntp \
> --password=adminpassword \
> --principal=admin \
> --realm=HUNTER.ORG \
> --ssh-trust-dns \
> --unattended
Discovery was successful!
Hostname: fedora18.hunter.org
Realm: HUNTER.ORG
DNS Domain: hunter.org
IPA Server: ipa.hunter.org
BaseDN: dc=hunter,dc=org

Synchronizing time with KDC...
Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@fedora18 ~]#
The client should fail over to another mechanism if the certificate isn't available in LDAP. The client installer log should have more details on what happened.
2013-03-12T14:16:01Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'hunter.org', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'HUNTER.ORG', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True, 'dns_updates': True, 'mkhomedir': False, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-03-12T14:16:01Z DEBUG missing options might be asked for interactively later
2013-03-12T14:16:01Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-03-12T14:16:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-03-12T14:16:01Z DEBUG [IPA Discovery]
2013-03-12T14:16:01Z DEBUG Starting IPA discovery with domain=hunter.org, server=None, hostname=fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Search for LDAP SRV record in hunter.org
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [Kerberos realm search]
2013-03-12T14:16:01Z DEBUG Search DNS for TXT record of _kerberos.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: "HUNTER.ORG"
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _kerberos._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 88 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [LDAP server check]
2013-03-12T14:16:01Z DEBUG Verifying that ipa.hunter.org (realm HUNTER.ORG) is an IPA server
2013-03-12T14:16:01Z DEBUG Init LDAP connection with: ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Search LDAP server for IPA base DN
2013-03-12T14:16:01Z DEBUG Check if naming context 'dc=hunter,dc=org' is for IPA
2013-03-12T14:16:01Z DEBUG Naming context 'dc=hunter,dc=org' is a valid IPA context
2013-03-12T14:16:01Z DEBUG Search for (objectClass=krbRealmContainer) in dc=hunter,dc=org (sub)
2013-03-12T14:16:01Z DEBUG Found: cn=HUNTER.ORG,cn=kerberos,dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG Discovery result: Success; server=ipa.hunter.org, domain=hunter.org, kdc=ipa.hunter.org, basedn=dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG will use discovered domain: hunter.org
2013-03-12T14:16:01Z DEBUG Start searching for LDAP SRV record in "hunter.org" (Validating DNS Discovery) and its sub-domains
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG DNS validated, enabling discovery
2013-03-12T14:16:01Z DEBUG will use discovered server: ipa.hunter.org
2013-03-12T14:16:01Z INFO Discovery was successful!
2013-03-12T14:16:01Z DEBUG will use discovered realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG will use discovered basedn: dc=hunter,dc=org
2013-03-12T14:16:01Z INFO Hostname: fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Hostname source: Machine's FQDN
2013-03-12T14:16:01Z INFO Realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.hunter.org
2013-03-12T14:16:01Z INFO DNS Domain: hunter.org
2013-03-12T14:16:01Z DEBUG DNS Domain source: Discovered LDAP SRV records from hunter.org
2013-03-12T14:16:01Z INFO IPA Server: ipa.hunter.org
2013-03-12T14:16:01Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipa.hunter.org
2013-03-12T14:16:01Z INFO BaseDN: dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG BaseDN source: From IPA server ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Process finished, return code=3
2013-03-12T14:16:01Z DEBUG stdout=
2013-03-12T14:16:01Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2013-03-12T14:16:01Z INFO Synchronizing time with KDC...
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ntp._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 123 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-03-12T14:16:08Z DEBUG Process finished, return code=0
2013-03-12T14:16:08Z DEBUG stdout=
2013-03-12T14:16:08Z DEBUG stderr=
2013-03-12T14:16:08Z DEBUG Writing Kerberos configuration to /tmp/tmpGow23H:
2013-03-12T14:16:08Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HUNTER.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  HUNTER.ORG = {
    kdc = ipa.hunter.org:88
    master_kdc = ipa.hunter.org:88
    admin_server = ipa.hunter.org:749
    default_domain = hunter.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .hunter.org = HUNTER.ORG
  hunter.org = HUNTER.ORG

2013-03-12T14:16:08Z DEBUG Starting external process
2013-03-12T14:16:08Z DEBUG args=kinit admin
2013-03-12T14:16:09Z DEBUG Process finished, return code=0
2013-03-12T14:16:09Z DEBUG stdout=Password for admin:
2013-03-12T14:16:09Z DEBUG stderr=
2013-03-12T14:16:09Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.hunter.org
2013-03-12T14:16:09Z DEBUG get_ca_cert_from_ldap() error: Local error
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)
2013-03-12T14:16:09Z DEBUG {'info': "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)", 'desc': 'Local error'}
2013-03-12T14:16:09Z ERROR Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
2013-03-12T14:16:09Z ERROR Installation failed. Rolling back changes.
2013-03-12T14:16:09Z ERROR IPA client is not configured on this system.
For some reason the ticket we are obtaining isn't available to the user. This is a different issue. Can you open a new bug?
OK.
freeipa-3.1.3-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/freeipa-3.1.3-1.fc18
Package freeipa-3.1.3-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-1.fc18
then log in and leave karma (feedback).
This update reports an error during yum install, but ipa-server-install completes without the error during:

  [30/36]: Upload CA cert to the directory

[root@ipa ~]# koji download-build --arch=x86_64 --arch=noarch 406589
freeipa-server-strict-3.1.3-1.fc18.x86_64.rpm      |  73 kB  00:00 !!!
freeipa-server-selinux-3.1.3-1.fc18.x86_64.rpm     |  80 kB  00:00 !!!
freeipa-admintools-3.1.3-1.fc18.x86_64.rpm         |  84 kB  00:00 !!!
freeipa-client-3.1.3-1.fc18.x86_64.rpm             | 248 kB  00:00 !!!
freeipa-server-3.1.3-1.fc18.x86_64.rpm             | 2.2 MB  00:06 !!!
freeipa-server-trust-ad-3.1.3-1.fc18.x86_64.rpm    | 229 kB  00:00 !!!
freeipa-python-3.1.3-1.fc18.x86_64.rpm             | 1.7 MB  00:03 !!!
[root@ipa ~]# rm -f freeipa*strict*.rpm
[root@ipa ~]# rm -f freeipa*trust*.rpm
[root@ipa ~]# ls -l
total 2220
-rw-------. 1 root root    1710 Mar 26 16:47 anaconda-ks.cfg
-rw-r--r--. 1 root root   42760 Mar 26 19:40 freeipa-admintools-3.1.3-1.fc18.x86_64.rpm
-rw-r--r--. 1 root root  127192 Mar 26 19:40 freeipa-client-3.1.3-1.fc18.x86_64.rpm
-rw-r--r--. 1 root root  885492 Mar 26 19:41 freeipa-python-3.1.3-1.fc18.x86_64.rpm
-rw-r--r--. 1 root root 1155152 Mar 26 19:41 freeipa-server-3.1.3-1.fc18.x86_64.rpm
-rw-r--r--. 1 root root   41208 Mar 26 19:40 freeipa-server-selinux-3.1.3-1.fc18.x86_64.rpm
[root@ipa ~]# yum install --assumeyes freeipa*.rpm
...
  Installing : freeipa-server-selinux-3.1.3-1.fc18.x86_64                295/417
libsepol.scope_copy_callback: systemd: Duplicate declaration in module: type/attribute gnomeclock_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
...
Complete!
[root@ipa ~]# yum install --assumeyes bind bind-dyndb-ldap
...
Complete!
[root@ipa ~]# authconfig --enablemkhomedir --update # Bug Report 921707
[root@ipa ~]#
[root@ipa ~]# ipa-server-install \
> --admin-password=adminpassword \
> --domain=hunter.org \
> --ds-password=dspassword \
> --forwarder=75.75.76.76 \
> --forwarder=75.75.75.75 \
> --hostname=ipa.hunter.org \
> --realm=HUNTER.ORG \
> --setup-dns \
> --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.
...
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@ipa ~]#
(In reply to comment #11)
> ...
> [root@ipa ~]# yum install --assumeyes freeipa*.rpm
> ...
>   Installing : freeipa-server-selinux-3.1.3-1.fc18.x86_64
> 295/417
> libsepol.scope_copy_callback: systemd: Duplicate declaration in module:
> type/attribute gnomeclock_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule:  Failed!
> ...
> Complete!
> ...

Thanks Dean for testing this build! But this does not look like an error caused by FreeIPA. Adding Mirek (SELinux guru) to CC confirm this one.

This is what we have in our Fedora spec file - can this error be caused by some of these scriptlets?

%pre server-selinux
if [ -s /etc/selinux/config ]; then
       . %{_sysconfdir}/selinux/config
       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
       fi
fi

%post server-selinux
semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
       fixfiles -C ${FILE_CONTEXT}.%{name} restore
       rm -f ${FILE_CONTEXT}.%name
fi

%preun server-selinux
if [ $1 = 0 ]; then
if [ -s /etc/selinux/config ]; then
       . %{_sysconfdir}/selinux/config
       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
       fi
fi
fi

%postun server-selinux
if [ $1 = 0 ]; then
semodule -s targeted -r ipa_httpd ipa_dogtag
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
       fixfiles -C ${FILE_CONTEXT}.%{name} restore
       rm -f ${FILE_CONTEXT}.%name
fi
fi
This is an update issue related to selinux-policy. Could you try to run

# rpm -q selinux-policy
# yum reinstall selinux-policy-targeted
# yum reinstall freeipa-server-selinux
[root@ipa ~]# rpm -q selinux-policy
selinux-policy-3.11.1-86.fc18.noarch
[root@ipa ~]# yum reinstall selinux-policy-targeted
...
================================================================================
 Package                    Arch      Version              Repository     Size
================================================================================
Reinstalling:
 selinux-policy-targeted    noarch    3.11.1-86.fc18       updates       3.9 M
Updating for dependencies:
 libselinux                 x86_64    2.1.12-7.3.fc18      updates       136 k
 libselinux-python          x86_64    2.1.12-7.3.fc18      updates       231 k
 libselinux-utils           x86_64    2.1.12-7.3.fc18      updates       126 k
 openldap                   x86_64    2.4.34-1.fc18        updates       328 k
 openldap-clients           x86_64    2.4.34-1.fc18        updates       182 k
...
Complete!
[root@ipa ~]# yum reinstall freeipa-server-selinux*.rpm
...
================================================================================
 Package                      Arch    Version                      Repository                                     Size
================================================================================
Updating:
 mdadm                        x86_64  3.2.6-14.fc18                updates                                       353 k
Reinstalling:
 freeipa-server-selinux       x86_64  3.1.3-1.fc18                 /freeipa-server-selinux-3.1.3-1.fc18.x86_64    53 k
Installing for dependencies:
 graphite2                    x86_64  1.1.1-4.fc18                 updates                                        80 k
 kernel                       x86_64  3.8.4-202.fc18               updates                                        28 M
Updating for dependencies:
 binutils                     x86_64  2.23.51.0.1-6.fc18           updates                                       3.8 M
 cairo                        x86_64  1.12.14-1.fc18               updates                                       679 k
 dracut                       x86_64  024-25.git20130205.fc18      updates                                       236 k
 emacs-filesystem             noarch  1:24.2-6.fc18                updates                                        55 k
 fedora-logos                 noarch  17.0.3-3.fc18                updates                                       4.8 M
 fontconfig                   x86_64  2.10.2-2.fc18                updates                                       213 k
 freetype                     x86_64  2.4.10-3.fc18                updates                                       379 k
 ghostscript                  x86_64  9.06-4.fc18                  updates                                       4.2 M
 ghostscript-cups             x86_64  9.06-4.fc18                  updates                                        52 k
 groff-base                   x86_64  1.22.1-2.fc18                updates                                       929 k
 grubby                       x86_64  8.22-1.fc18                  updates                                        56 k
 gtk2                         x86_64  2.24.16-1.fc18               updates                                       3.4 M
 gtk2-immodule-xim            x86_64  2.24.16-1.fc18               updates                                        65 k
 harfbuzz                     x86_64  0.9.12-2.fc18                updates                                       474 k
 java-1.7.0-openjdk           x86_64  1:1.7.0.9-2.3.8.0.fc18       updates                                        25 M
 javapackages-tools           noarch  0.9.1-1.fc18                 updates                                        22 k
 jpackage-utils               x86_64  1.7.5-21.fc18                updates                                        62 k
 kbd                          x86_64  1.15.3-7.fc18                updates                                       325 k
 kbd-misc                     noarch  1.15.3-7.fc18                updates                                       923 k
 libXi                        x86_64  1.6.2-1.fc18                 updates                                        36 k
 libdrm                       x86_64  2.4.42-1.fc18                updates                                       112 k
 libicu                       x86_64  49.1.1-8.fc18                updates                                       5.3 M
 libuser                      x86_64  0.58-2.fc18                  updates                                       391 k
 libuser-python               x86_64  0.58-2.fc18                  updates                                        50 k
 libwayland-client            x86_64  1.0.5-1.fc18                 updates                                        23 k
 libwayland-server            x86_64  1.0.5-1.fc18                 updates                                        31 k
 linux-firmware               noarch  20121218-0.2.gitbda53ca.fc18 updates                                        15 M
 logrotate                    x86_64  3.8.3-1.fc18                 updates                                        62 k
 mesa-libEGL                  x86_64  9.1-3.fc18                   updates                                        79 k
 mesa-libGL                   x86_64  9.1-3.fc18                   updates                                       162 k
 mesa-libgbm                  x86_64  9.1-3.fc18                   updates                                        37 k
 mesa-libglapi                x86_64  9.1-3.fc18                   updates                                        62 k
 net-snmp                     x86_64  1:5.7.2-5.fc18.1             updates                                       324 k
 net-snmp-agent-libs          x86_64  1:5.7.2-5.fc18.1             updates                                       688 k
 net-snmp-libs                x86_64  1:5.7.2-5.fc18.1             updates                                       743 k
 pixman                       x86_64  0.28.0-1.fc18                updates                                       226 k
 poppler                      x86_64  0.20.2-11.fc18               updates                                       715 k
 poppler-data                 noarch  0.4.6-2.fc18                 updates                                       2.2 M
 poppler-glib                 x86_64  0.20.2-11.fc18               updates                                       103 k
 poppler-utils                x86_64  0.20.2-11.fc18               updates                                       155 k
 pulseaudio                   x86_64  2.1-6.fc18                   updates                                       818 k
 pulseaudio-libs              x86_64  2.1-6.fc18                   updates                                       451 k
 pulseaudio-libs-glib2        x86_64  2.1-6.fc18                   updates                                        25 k
 pulseaudio-module-bluetooth  x86_64  2.1-6.fc18                   updates                                        89 k
 pulseaudio-module-x11        x86_64  2.1-6.fc18                   updates                                        37 k
 pulseaudio-utils             x86_64  2.1-6.fc18                   updates                                        86 k
 setools-libs                 x86_64  3.3.7-34.fc18                updates                                       424 k
 setools-libs-python          x86_64  3.3.7-34.fc18                updates                                       402 k
 tzdata-java                  noarch  2013b-1.fc18                 updates                                       157 k
 urw-fonts                    noarch  2.4-14.fc18                  updates                                       3.0 M
 xorg-x11-font-utils          x86_64  1:7.5-10.fc18                updates                                        85 k
...
Complete!
[root@ipa ~]#
Package freeipa-3.1.3-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-2.fc18
then log in and leave karma (feedback).
I rebuilt my IPA server using 3.1.3.2. Everything looked good. I can use an IPA user name to login through gdm to the IPA server.

[root@host ~]# ssh ipa.hunter.org
Last login: Fri Mar 29 11:02:55 2013
[root@ipa ~]# yum list installed freeipa*
Loaded plugins: fastestmirror, langpacks, presto, refresh-packagekit
Loading mirror speeds from cached hostfile
 * fedora: fedora.mirror.lstn.net
 * updates: fedora.mirror.lstn.net
Installed Packages
freeipa-admintools.x86_64        3.1.3-2.fc18    @updates-testing
freeipa-client.x86_64            3.1.3-2.fc18    @updates-testing
freeipa-python.x86_64            3.1.3-2.fc18    @updates-testing
freeipa-server.x86_64            3.1.3-2.fc18    @updates-testing
freeipa-server-selinux.x86_64    3.1.3-2.fc18    @updates-testing
[root@ipa ~]# logout
Connection to ipa.hunter.org closed.

The IPA server is a VM. When I try to update and re-install the IPA client on the VM host it fails to validate the IPA server:

[root@host ~]# yum list installed freeipa*
Loaded plugins: fastestmirror, langpacks, presto, refresh-packagekit
Loading mirror speeds from cached hostfile
 * fedora: kdeforge.unl.edu
 * updates: kdeforge.unl.edu
Installed Packages
freeipa-client.x86_64            3.1.3-2.fc18    @updates-testing
freeipa-python.x86_64            3.1.3-2.fc18    @updates-testing
[root@host ~]# nslookup ipa.hunter.org
Server:         192.168.1.11
Address:        192.168.1.11#53

Name:   ipa.hunter.org
Address: 192.168.1.11

[root@host ~]# ipa-client-install \
> --domain=hunter.org \
> --enable-dns-updates \
> --force-ntp \
> --mkhomedir \
> --password=adminpassword \
> --principal=admin \
> --realm=HUNTER.ORG \
> --ssh-trust-dns \
> --unattended
Skip ipa.hunter.org: cannot verify if this is an IPA server
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.
VM ipa.hunter.org was rebuilt successfully:
- yum install --assumeyes bind bind-dyndb-ldap
- yum install --assumeyes --enablerepo=updates-testing freeipa-server
- ipa-server-install ....

Three client VMs were rebuilt successfully:
- yum install --assumeyes --enablerepo=updates-testing freeipa-client
- ipa-client-install ....

One client physical machine was updated successfully:
- yum update --assumeyes --enablerepo=updates-testing freeipa-client
- ipa-client-install ....

One client physical machine was not reinstalled successfully:
- ipa-client-install --uninstall
- yum update --assumeyes --enablerepo=updates-testing freeipa-client
- ipa-client-install ....

/var/log/ipaclient-install.log:

2013-03-29T22:16:14Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'hunter.org', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'HUNTER.ORG', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-03-29T22:16:14Z DEBUG missing options might be asked for interactively later
2013-03-29T22:16:14Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-03-29T22:16:14Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-03-29T22:16:14Z DEBUG [IPA Discovery]
2013-03-29T22:16:14Z DEBUG Starting IPA discovery with domain=hunter.org, servers=None, hostname=host.hunter.org
2013-03-29T22:16:14Z DEBUG Search for LDAP SRV record in hunter.org
2013-03-29T22:16:14Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-29T22:16:14Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-29T22:16:14Z DEBUG [Kerberos realm search]
2013-03-29T22:16:14Z DEBUG Search DNS for TXT record of _kerberos.hunter.org
2013-03-29T22:16:14Z DEBUG DNS record found: "HUNTER.ORG"
2013-03-29T22:16:14Z DEBUG Search DNS for SRV record of _kerberos._udp.hunter.org
2013-03-29T22:16:14Z DEBUG DNS record found: 0 100 88 ipa.hunter.org.
2013-03-29T22:16:14Z DEBUG [LDAP server check]
2013-03-29T22:16:14Z DEBUG Verifying that ipa.hunter.org (realm HUNTER.ORG) is an IPA server
2013-03-29T22:16:14Z DEBUG Init LDAP connection with: ldap://ipa.hunter.org:389
2013-03-29T22:16:14Z DEBUG LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
2013-03-29T22:16:14Z WARNING Skip ipa.hunter.org: cannot verify if this is an IPA server
2013-03-29T22:16:14Z DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=hunter.org, kdc=ipa.hunter.org, basedn=None
2013-03-29T22:16:14Z DEBUG Validated servers:
2013-03-29T22:16:14Z DEBUG will use discovered domain: hunter.org
2013-03-29T22:16:14Z DEBUG IPA Server not found
2013-03-29T22:16:14Z ERROR Unable to find IPA Server to join
2013-03-29T22:16:14Z ERROR Installation failed. Rolling back changes.
2013-03-29T22:16:14Z ERROR IPA client is not configured on this system.

What certificate is causing the problem? Should the certificate have been removed during the uninstall?
Uninstalling ipa client is not enough. AFATU you also need to remove the certificate from the certificate store and make sure that certmonger is not tracking any certs. This is a usual case with the test reinstalls. Also see https://fedorahosted.org/freeipa/ticket/2854 and related BZ. We can't remove the cert ourselves on the uninstall. Rob Crittenden will have more details on the matter.
AFATU?
Thank you. Removing the file resolved the problem. All clients have now been successfully re-installed. I am updating the karma. I read the upstream ticket. The solution seems simple enough. Why was it deferred? If IPA creates the certificate, why shouldn't it remove the ticket when it is uninstalled?
(In reply to comment #19) > AFATU? Typo AFAIU (I understand)
The ticket is a different issue (server vs client). We attempt to clean up the NSS database on uninstall. Leaving /etc/ipa/ca.crt is messy but in itself should not cause issues on a server. The client is another matter, especially if the IPA server has changed, such as your case.

We are going to change the handling of this file in future releases to utilize https://fedoraproject.org/wiki/Features/SharedSystemCertificates

I opened a ticket to track removing the file on clients, https://fedorahosted.org/freeipa/ticket/3537
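The two comments above (remove the certificate from the client's NSS store and make sure certmonger is not tracking anything; the stale /etc/ipa/ca.crt that trips the "same issuer/serial ... not the same cert" TLS error once the server has been rebuilt) amount to a pre-flight checklist for re-running ipa-client-install. The script below is an added example, not FreeIPA's own code. It parses the output of `getcert list` and `certutil -L -d /etc/pki/nssdb`, compares the SHA-256 of the local /etc/ipa/ca.crt with the CA certificate the server publishes, and prints the cleanup commands instead of running them, so an admin can review them first. Assumptions, all labelled in the code: the NSS database path /etc/pki/nssdb and the nickname "IPA CA" that 3.x clients used, the server URL http://<server>/ipa/config/ca.crt for the published CA certificate, and the embedded `getcert`/`certutil` samples and PEM bodies, which are constructed (the PEM bodies are a few placeholder bytes, not real certificates).

```python
#!/usr/bin/env python3
"""Pre-flight check before re-enrolling a FreeIPA client against a rebuilt server.

Added example, not FreeIPA code.  Parsing and planning are pure functions so they
run offline on the constructed samples; only main() shells out and talks to the server.
"""
import hashlib
import re
import ssl
import subprocess
import sys
import urllib.request
from typing import Dict, List, Optional, Tuple

# Assumptions: paths and CA nickname FreeIPA 3.x clients used; verify on your host.
NSSDB = "/etc/pki/nssdb"
CA_FILE = "/etc/ipa/ca.crt"
CA_NICKNAME = "IPA CA"

# Constructed sample of `getcert list` output: one certmonger-tracked host certificate.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 1.
Request ID '20130329221614':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - host.hunter.org',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - host.hunter.org',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=HUNTER.ORG
        subject: CN=host.hunter.org,O=HUNTER.ORG
        track: yes
"""

# Constructed sample of `certutil -L -d /etc/pki/nssdb`; the last entry stands in for a
# certificate some other package installed, which the plan must leave alone.
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
IPA Machine Certificate - host.hunter.org                    u,u,u
Some Other Vendor Root                                       C,,
"""

# Placeholder PEM bodies (three bytes each, not real certificates) for the fingerprint demo.
SAMPLE_OLD_CA_PEM = "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"
SAMPLE_NEW_CA_PEM = "-----BEGIN CERTIFICATE-----\nAAED\n-----END CERTIFICATE-----\n"


def tracked_requests(getcert_output: str) -> List[Dict[str, str]]:
    """Parse `getcert list` output into one dict (id, status, location, nickname) per request."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in getcert_output.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue
        field = line.strip()
        if field.startswith("status:"):
            current["status"] = field.split(":", 1)[1].strip()
        elif field.startswith("certificate:"):
            loc = re.search(r"location='([^']*)'", field)
            nick = re.search(r"nickname='([^']*)'", field)
            current["location"] = loc.group(1) if loc else ""
            current["nickname"] = nick.group(1) if nick else ""
    return requests


def nss_nicknames(certutil_output: str) -> List[Tuple[str, str]]:
    """Parse `certutil -L` output into (nickname, trust flags) pairs, skipping the header."""
    entries = []
    for line in certutil_output.splitlines():
        # Trust flags are three comma-separated letter groups (CT,C,C / u,u,u / C,,);
        # the header's "SSL,S/MIME,JAR/XPI" contains slashes and therefore never matches.
        m = re.match(r"^(.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$", line)
        if m and m.group(1).strip():
            entries.append((m.group(1).strip(), m.group(2)))
    return entries


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def cleanup_plan(requests, nicknames, local_fp: Optional[str], server_fp: Optional[str]) -> List[str]:
    """Commands to run before ipa-client-install. Only certificates FreeIPA itself put in the
    NSS database (the CA nickname plus anything certmonger tracked there) are deleted, and
    the CA file only when it differs from what the server now publishes."""
    cmds = [f"getcert stop-tracking -i {r['id']}" for r in requests]
    ipa_nicks = {CA_NICKNAME} | {r["nickname"] for r in requests if r.get("location") == NSSDB}
    cmds += [f"certutil -D -d {NSSDB} -n '{nick}'" for nick, _flags in nicknames if nick in ipa_nicks]
    if local_fp and server_fp and local_fp != server_fp:
        cmds.append(f"rm -f {CA_FILE}")
    return cmds


def demo() -> List[str]:
    """Run the planner on the constructed samples with a stale local CA file."""
    return cleanup_plan(tracked_requests(SAMPLE_GETCERT), nss_nicknames(SAMPLE_CERTUTIL),
                        pem_fingerprint(SAMPLE_OLD_CA_PEM), pem_fingerprint(SAMPLE_NEW_CA_PEM))


def main(server: str) -> int:
    getcert_out = subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    certutil_out = subprocess.run(["certutil", "-L", "-d", NSSDB], capture_output=True, text=True).stdout
    try:
        with open(CA_FILE) as f:
            local_fp: Optional[str] = pem_fingerprint(f.read())
    except (OSError, ValueError):
        local_fp = None
    # Assumption: the rebuilt server publishes its CA at this path.  Plain HTTP is fine here
    # because the value is only compared against the local copy, never installed as a trust anchor.
    with urllib.request.urlopen(f"http://{server}/ipa/config/ca.crt", timeout=10) as resp:
        server_fp = pem_fingerprint(resp.read().decode("ascii"))
    for cmd in cleanup_plan(tracked_requests(getcert_out), nss_nicknames(certutil_out), local_fp, server_fp):
        print(cmd)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "ipa.hunter.org"))
```

Run it as root after `ipa-client-install --uninstall` and before the reinstall (`./ipa-preflight.py ipa.hunter.org`); it prints the `getcert stop-tracking`, `certutil -D` and `rm` commands to review and run. The fingerprint comparison is deliberately a hash of the whole certificate rather than a subject/serial check: a rebuilt CA reuses the same subject and serial, which is exactly why NSS rejects it as "not the same cert", so only the bytes tell the two apart.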
Ah, thank you.

Using freeipa 3.1.3.3 I have successfully rebuilt:
- 1 VM IPA server
- 2 VM IPA clients
and I have reinstalled:
- 2 PM IPA clients

I have updated the karma verifying the correction for 916399 and 920716.
Package freeipa-3.1.3-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-4.fc18
then log in and leave karma (feedback).
Using:

Installed Packages
freeipa-admintools.x86_64        3.1.3-4.fc18    @updates-testing
freeipa-client.x86_64            3.1.3-4.fc18    @updates-testing
freeipa-python.x86_64            3.1.3-4.fc18    @updates-testing
freeipa-server.x86_64            3.1.3-4.fc18    @updates-testing
freeipa-server-selinux.x86_64    3.1.3-4.fc18    @updates-testing

this script:

# Install the IPA server
yum install --assumeyes bind bind-dyndb-ldap
yum install --assumeyes --enablerepo=updates-testing freeipa-server
# freeipa 3375
cat >/etc/hosts <<EOD
127.0.0.1 localhost.localdomain localhost
192.168.1.11 ipa.hunter.org ipa
EOD
authconfig --enablemkhomedir --update # freeipa 3515
ipa-server-install \
  --admin-password=adminpassword \
  --domain=hunter.org \
  --ds-password=dspassword \
  --forwarder=75.75.76.76 \
  --forwarder=75.75.75.75 \
  --hostname=ipa.hunter.org \
  --realm=HUNTER.ORG \
  --setup-dns \
  --unattended

successfully installed the IPA server without this error message:

  [30/36]: Upload CA cert to the directory
ipa         : CRITICAL Failed to load upload-cacert.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpCiewYf -H ldap://ipa.hunter.org:389 -x -D cn=Directory Manager -y /tmp/tmpUlmjzf' returned non-zero exit status 247
  [31/36]: initializing group membership
freeipa-3.1.3-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.