Description of problem:

On Fedora 19, ipa-client-install fails unless /etc/ipa is created (either manually or by freeipa-server installed).

First yum -y remove freeipa-server if it's installed
Second remove /etc/ipa if it exists

[root@f19-2 repo]# ipa-client-install --domain testrelm2.com --realm IPA.EXAMPLE.ORG --mkhomedir --enable-dns-updates --unattended --principal admin -w PASSWORD
...
Synchronizing time with KDC...
Cannot obtain CA certificate
'ldap://f19-1.testrelm2.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Version-Release number of selected component (if applicable):
freeipa-client-3.2.0-0.3.beta1.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set up IPA server and a client machine on which to run everything else below
2. yum -y remove freeipa-server
3. rm -rf /etc/ipa
4. ipa-client-install

Actual results:
fails with error listed above

Expected results:
does not fail

Additional info:

In Log during failure:

2013-05-09T17:06:24Z DEBUG trying to retrieve CA cert via LDAP from f19-1.testrelm2.com
2013-05-09T17:06:24Z DEBUG flushing ldap://f19-1.testrelm2.com:389 from SchemaCache
2013-05-09T17:06:24Z DEBUG retrieving schema for SchemaCache url=ldap://f19-1.testrelm2.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3033758>
2013-05-09T17:06:24Z DEBUG cannot write certificate file '/etc/ipa/ca.crt.new': [Errno 2] No such file or directory: '/etc/ipa/ca.crt.new'
2013-05-09T17:06:24Z ERROR Cannot obtain CA certificate
'ldap://f19-1.testrelm2.com' doesn't have a certificate.
2013-05-09T17:06:24Z ERROR Installation failed. Rolling back changes.
2013-05-09T17:06:24Z ERROR IPA client is not configured on this system.

If I create /etc/ipa, it works:

[root@f19-2 repo]# mkdir /etc/ipa
[root@f19-2 repo]# ipa-client-install --domain testrelm2.com --realm IPA.EXAMPLE.ORG --mkhomedir --enable-dns-updates --unattended --principal admin -w PASSWORD
WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

DNS domain 'ipa.example.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: f19-2.example.com
Realm: IPA.EXAMPLE.ORG
DNS Domain: testrelm2.com
IPA Server: f19-1.testrelm2.com
BaseDN: dc=ipa,dc=example,dc=org

Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Issuer:      CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Valid From:  Thu May 09 14:52:05 2013 UTC
    Valid Until: Mon May 09 14:52:05 2033 UTC

Enrolled in IPA realm IPA.EXAMPLE.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.ORG
trying https://f19-1.testrelm2.com/ipa/xml
Forwarding 'env' to server u'https://f19-1.testrelm2.com/ipa/xml'
Hostname (f19-2.example.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://f19-1.testrelm2.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@f19-2 repo]#
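
Added example, not part of the original report and not FreeIPA code: in the log above the ERROR line blames the LDAP server for having no certificate, while the actual cause (a local write failure) is only recorded at DEBUG level. The sketch below pairs the first ERROR in an install log with any OS errors logged just before it; the function names `parse` and `root_causes` and the 5-second window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the log lines quoted in the report above.
SAMPLE_LOG = """\
2013-05-09T17:06:24Z DEBUG trying to retrieve CA cert via LDAP from f19-1.testrelm2.com
2013-05-09T17:06:24Z DEBUG flushing ldap://f19-1.testrelm2.com:389 from SchemaCache
2013-05-09T17:06:24Z DEBUG cannot write certificate file '/etc/ipa/ca.crt.new': [Errno 2] No such file or directory: '/etc/ipa/ca.crt.new'
2013-05-09T17:06:24Z ERROR Cannot obtain CA certificate
'ldap://f19-1.testrelm2.com' doesn't have a certificate.
2013-05-09T17:06:24Z ERROR Installation failed. Rolling back changes.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR) (.*)$")
ERRNO_RE = re.compile(r"\[Errno (\d+)\] ([^:]+): '([^']+)'")

def parse(log_text):
    """Return [timestamp, level, message] records; lines without a
    timestamp are continuations and are joined to the previous record."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            records.append([ts, m.group(2), m.group(3)])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()
    return records

def root_causes(log_text, window=timedelta(seconds=5)):
    """Return (first ERROR message, OS errors logged at DEBUG shortly before it)."""
    records = parse(log_text)
    for i, (ts, level, msg) in enumerate(records):
        if level != "ERROR":
            continue
        causes = []
        for pts, plevel, pmsg in records[:i]:
            m = ERRNO_RE.search(pmsg)
            if plevel == "DEBUG" and m and ts - pts <= window:
                causes.append({"errno": int(m.group(1)),
                               "reason": m.group(2), "path": m.group(3)})
        return msg, causes
    return None, []

if __name__ == "__main__":
    print(root_causes(SAMPLE_LOG))
```
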
*** This bug has been marked as a duplicate of bug 952686 ***
Rather than marking as a dup of a different distro, let's show it in the Bodhi update. Setting to POST.

Fixed upstream.

master: https://fedorahosted.org/freeipa/changeset/cc3c54326502ab90d37cae58ccee719f227f1156
ipa-3-1: https://fedorahosted.org/freeipa/changeset/6e443eb0d1673d6ffe2c3cd638108d5769916d29
*** Bug 953905 has been marked as a duplicate of this bug. ***
freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19
/etc/ipa now owned/created by freeipa-python so re-install may be necessary if manually attempting to reproduce.

[root@f19-3 repo]# rm -rf /etc/ipa
[root@f19-3 repo]# yum -y reinstall freeipa-client-3.2.0-1.fc19.x86_64 freeipa-python-3.2.0-1.fc19.x86_64 freeipa-admintools-3.2.0-1.fc19.x86_64
Resolving Dependencies
--> Running transaction check
---> Package freeipa-admintools.x86_64 0:3.2.0-1.fc19 will be reinstalled
---> Package freeipa-client.x86_64 0:3.2.0-1.fc19 will be reinstalled
---> Package freeipa-python.x86_64 0:3.2.0-1.fc19 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================
 Package                  Arch         Version            Repository        Size
=================================================================================================================
Reinstalling:
 freeipa-admintools       x86_64       3.2.0-1.fc19       local-repo        44 k
 freeipa-client           x86_64       3.2.0-1.fc19       local-repo       129 k
 freeipa-python           x86_64       3.2.0-1.fc19       local-repo       934 k

Transaction Summary
=================================================================================================================
Reinstall  3 Packages

Total download size: 1.1 M
Installed size: 5.4 M
Downloading packages:
-----------------------------------------------------------------------------------------------------------------
Total                                                                              76 MB/s | 1.1 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : freeipa-python-3.2.0-1.fc19.x86_64                              1/3
  Installing : freeipa-client-3.2.0-1.fc19.x86_64                              2/3
  Installing : freeipa-admintools-3.2.0-1.fc19.x86_64                          3/3
  Verifying  : freeipa-admintools-3.2.0-1.fc19.x86_64                          1/3
  Verifying  : freeipa-client-3.2.0-1.fc19.x86_64                              2/3
  Verifying  : freeipa-python-3.2.0-1.fc19.x86_64                              3/3

Installed:
  freeipa-admintools.x86_64 0:3.2.0-1.fc19
  freeipa-client.x86_64 0:3.2.0-1.fc19
  freeipa-python.x86_64 0:3.2.0-1.fc19

Complete!

[root@f19-3 repo]# ls -ld /etc/ipa
drwxr-xr-x. 2 root root 4096 May 10 11:44 /etc/ipa
[root@f19-3 repo]# rpm -qf /etc/ipa
freeipa-python-3.2.0-1.fc19.x86_64
[root@f19-3 repo]# ipa-client-install --domain=ipa.example.org --server=f19-1.ipa.example.org -p admin -w PASSWORD -U
WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Hostname: f19-3.ipa.example.org
Realm: IPA.EXAMPLE.ORG
DNS Domain: ipa.example.org
IPA Server: f19-1.ipa.example.org
BaseDN: dc=ipa,dc=example,dc=org

Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Issuer:      CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Valid From:  Sat May 11 01:28:00 2013 UTC
    Valid Until: Wed May 11 01:28:00 2033 UTC

Enrolled in IPA realm IPA.EXAMPLE.ORG
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.ORG
trying https://f19-1.ipa.example.org/ipa/xml
Forwarding 'env' to server u'https://f19-1.ipa.example.org/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://f19-1.ipa.example.org/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
Package freeipa-3.2.0-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19
then log in and leave karma (feedback).
freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.