Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 952686

Summary: ipa-client-install fails when /etc/ipa/ is missing
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: ksiddiqu, mkosek, nsoman, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.2.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:46:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2013-04-16 13:11:22 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3551

When /etc/ipa doesn't exist, ipa-client-install fails with a misleading error:
{{{
Discovery was successful!
Hostname: vm-059.idm.lab.eng.brq.redhat.com
Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-089.idm.lab.eng.brq.redhat.com
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
 
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin.ENG.BRQ.REDHAT.COM:
Cannot obtain CA certificate
'ldap://vm-089.idm.lab.eng.brq.redhat.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
}}}

The client installer should create the directory if it doesn't exist.

The freeipa-python RPM has /etc/ipa/ca.crt and /etc/ipa/default.conf ghost entries. It should also own the directory itself.
Comment 1 Rob Crittenden 2013-04-19 14:59:34 UTC 
Fixed upstream.

master: 2a8f1b0b16bb1a0af3906c06cffcd96bf152227a

ipa-3-1: 69332d943f39dadf26bd6851b2e4cda6c794dcbd
Comment 2 Martin Kosek 2013-04-22 09:51:13 UTC 
/etc/ipa directory owner group fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/cc3c54326502ab90d37cae58ccee719f227f1156
ipa-3-1: https://fedorahosted.org/freeipa/changeset/6e443eb0d1673d6ffe2c3cd638108d5769916d29
Comment 3 Rob Crittenden 2013-05-09 18:09:37 UTC 
*** Bug 961483 has been marked as a duplicate of this bug. ***
Comment 6 Kaleem 2014-01-06 12:11:43 UTC 
Seems that still not fixed completely. 

[root@rhel70-client2 ~]# ls /etc/ipa/
ls: cannot access /etc/ipa/: No such file or directory
[root@rhel70-client2 ~]#

[root@rhel70-client2 ~]# ipa-client-install -U --domain=testrelm.com --realm=TESTRELM.COM -p admin -w xxxxxxxx --server=rhel70-master.testrelm.com
Hostname: rhel70-client2.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel70-master.testrelm.com
BaseDN: dc=testrelm,dc=com

Synchronizing time with KDC...
cannot write certificate file '/etc/ipa/ca.crt.new': [Errno 2] No such file or directory: '/etc/ipa/ca.crt.new'
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@rhel70-client2 ~]# 

[root@rhel70-client2 ~]# rpm -q ipa-client
ipa-client-3.3.3-8.el7.x86_64
[root@rhel70-client2 ~]#
Comment 7 Martin Kosek 2014-01-06 12:23:50 UTC 
I think that the bug description may be misleading. What this fix does is that it moves /etc/ipa/ directory ownership from ipa-server to ipa-python which is installed both on client and server.

The original reproduction in Fedora was following (https://fedorahosted.org/freeipa/ticket/3551#comment:3):
1. Install a clean VM
2. Install ipa-client and ipa-python --> /etc/ipa/ was not created
3. Run ipa-client-install --> crashed

I do not think that a package is supposed to work correctly when some of it's owned files or directories are removed. In your case above, of you reinstalled ipa-* packages, the directory should be created again.

Moving back to ON_QA for reconsideration.
Comment 8 Kaleem 2014-01-15 12:53:32 UTC 
Verified.

IPA client version:
===================
-------------[RPMs & OS: [RedHat - x86_64]---------------------------
|       ipa-client-3.3.3-11.el7.x86_64
|       sssd-ipa-1.11.2-19.el7.x86_64
---------------------------------------------------------------------

Snip from automation log:
=========================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ952686  ipa-client-install fails when /etc/ipa/ is missing
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Removing ipa-python (Expected 0, got 0)
:: [   PASS   ] :: Removing directory /etc/ipa/ (Expected 0, got 0)
:: [   PASS   ] :: Installing ipa-client (Expected 0, got 0)
:: [   PASS   ] :: Listing /etc/ipa (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz-952686.txt' should contain 'root root' 
:: [   PASS   ] :: File '/tmp/bz-952686.txt' should not contain 'root apache' 
:: [   PASS   ] :: Installing ipa-client (Expected 0, got 0)
:: [   PASS   ] :: permission on /etc/ipa/ is correct and ipa client installation is successful 
:: [   PASS   ] :: uninstall ipa client success 
:: [   LOG    ] :: Duration: 40s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: BZ952686  ipa-client-install fails when /etc/ipa/ is missing

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Comment 9 Ludek Smid 2014-06-13 12:46:08 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.