Bug 961447 - Can not re-install IPA client
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 18
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-05-09 12:10 EDT by Dean Hunter
Modified: 2013-05-09 14:24 EDT
Doc Type: Bug Fix
Last Closed: 2013-05-09 13:59:19 EDT
Type: Bug


Description Dean Hunter 2013-05-09 12:10:50 EDT
Description of problem:

I rebuilt my FreeIPA server to test 3.1.4-1. I can build new clients but I can not re-install FreeIPA client on existing machines. Did I forget something?


Version-Release number of selected component (if applicable):

Installed Packages
freeipa-client.x86_64               3.1.4-1.fc18                @updates-testing


How reproducible: Consistent


Steps to Reproduce:

1. ipa-client-install --uninstall
2. reboot
3. yum update --enablerepo updates-testing freeipa-client
4. ipa-client-install \
    --domain hunter.org \
    --enable-dns-updates \
    --force-ntpd \
    --mkhomedir \
    --password adminpassword \
    --principal admin \
    --realm HUNTER.ORG \
    --ssh-trust-dns \
    --unattended

  
Actual results:

[root@developer ~]#   ipa-client-install \
>     --domain hunter.org \
>     --enable-dns-updates \
>     --force-ntpd \
>     --mkhomedir \
>     --password adminpassword \
>     --principal admin \
>     --realm HUNTER.ORG \
>     --ssh-trust-dns \
>     --unattended
Skip ipa.hunter.org: cannot verify if this is an IPA server
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.

[root@developer ~]# 


Expected results:

Successful installation


Additional info:

[root@developer ~]# nslookup ipa.hunter.org
Server:		192.168.1.11
Address:	192.168.1.11#53

Name:	ipa.hunter.org
Address: 192.168.1.11

[root@developer ~]#
Comment 1 Dean Hunter 2013-05-09 12:13:53 EDT
ipaclient-install.log

2013-05-09T15:53:32Z DEBUG /sbin/ipa-client-install was invoked with options: {'domain': 'hunter.org', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'HUNTER.ORG', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-05-09T15:53:32Z DEBUG missing options might be asked for interactively later
2013-05-09T15:53:32Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-05-09T15:53:32Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-05-09T15:53:32Z DEBUG [IPA Discovery]
2013-05-09T15:53:32Z DEBUG Starting IPA discovery with domain=hunter.org, servers=None, hostname=developer.hunter.org
2013-05-09T15:53:32Z DEBUG Search for LDAP SRV record in hunter.org
2013-05-09T15:53:32Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-05-09T15:53:32Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-05-09T15:53:32Z DEBUG [Kerberos realm search]
2013-05-09T15:53:32Z DEBUG Search DNS for TXT record of _kerberos.hunter.org
2013-05-09T15:53:32Z DEBUG DNS record found: "HUNTER.ORG"
2013-05-09T15:53:32Z DEBUG Search DNS for SRV record of _kerberos._udp.hunter.org
2013-05-09T15:53:32Z DEBUG DNS record found: 0 100 88 ipa.hunter.org.
2013-05-09T15:53:32Z DEBUG [LDAP server check]
2013-05-09T15:53:32Z DEBUG Verifying that ipa.hunter.org (realm HUNTER.ORG) is an IPA server
2013-05-09T15:53:32Z DEBUG Init LDAP connection with: ldap://ipa.hunter.org:389
2013-05-09T15:53:32Z DEBUG LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
2013-05-09T15:53:32Z WARNING Skip ipa.hunter.org: cannot verify if this is an IPA server
2013-05-09T15:53:32Z DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=hunter.org, kdc=ipa.hunter.org, basedn=None
2013-05-09T15:53:32Z DEBUG Validated servers: 
2013-05-09T15:53:32Z DEBUG will use discovered domain: hunter.org
2013-05-09T15:53:32Z DEBUG IPA Server not found
2013-05-09T15:53:32Z ERROR Unable to find IPA Server to join
2013-05-09T15:53:32Z ERROR Installation failed. Rolling back changes.
2013-05-09T15:53:32Z ERROR IPA client is not configured on this system.
Comment 2 Rob Crittenden 2013-05-09 13:59:19 EDT
The problem is /etc/ipa/ca.crt is not removed when a client is uninstalled.

This will be fixed in the next release. The upstream ticket is https://fedorahosted.org/freeipa/ticket/3537
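
A pre-reinstall check for the condition described in comment 2, as an added example (not part of the bug report and not FreeIPA code): it looks for the "TLS error -8054" line in the install log and moves a leftover ca.crt aside. The function names are hypothetical, and it assumes a configured client has default.conf in the same directory as ca.crt.

```shell
#!/bin/sh
# Added example. Paths are parameters so the checks can be tried on copies
# before touching /etc/ipa.

# Return 0 if the install log shows the NSS error -8054
# (SEC_ERROR_REUSED_ISSUER_AND_SERIAL): a cached cert has the same
# issuer/serial as the one the rebuilt server now presents.
log_has_cert_collision() {
    grep -q 'TLS error -8054' "$1" 2>/dev/null
}

# Return 0 if a CA cert was left behind by an uninstalled client.
# Assumption: a configured client has default.conf next to ca.crt.
has_stale_ca() {
    ipa_dir=$1
    [ -f "$ipa_dir/ca.crt" ] && [ ! -e "$ipa_dir/default.conf" ]
}

# Move the stale cert aside (kept for inspection) and print its new path.
# Returns 1 and changes nothing if the cert is absent or the client is
# still configured.
quarantine_stale_ca() {
    ipa_dir=$1
    has_stale_ca "$ipa_dir" || return 1
    dest="$ipa_dir/ca.crt.stale.$(date +%Y%m%d%H%M%S)"
    mv -- "$ipa_dir/ca.crt" "$dest" && printf '%s\n' "$dest"
}

# Typical use as root on the affected client (not executed here):
#   log_has_cert_collision /var/log/ipaclient-install.log \
#       && quarantine_stale_ca /etc/ipa
```

Keeping the old certificate instead of deleting it lets you compare it with the rebuilt server's CA before trusting the new one.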
Comment 3 Dean Hunter 2013-05-09 14:16:54 EDT
Ah! Thank you.
Comment 4 Dean Hunter 2013-05-09 14:24:46 EDT
I verified that freeipa-client.3.1.4-1.fc18.x86_64 corrects this problem.
