Doesn't really address the core issue, but wanted to chime in that we ended up having to manually configure our Debian 8 instances to work with our RHEL IPA servers.

We use Ansible to automate the entire process; the playbook contents below should be descriptive enough to know what is being done. We got the config files from other RHEL IPA clients and tweaked them as necessary for platform differences (PAM was kinda tricky):

- name: apt - update base image
  apt: upgrade=dist update_cache=yes

- name: apt - install packages
  apt: name={{ item }} update_cache=yes state=latest
  with_items:
  - curl
  - krb5-user
  - libpam-ccreds
  - libpam-krb5
  - libselinux1
  - ntpdate
  - openssl
  - policycoreutils
  - sssd

- name: ntp - run ntpdate
  action: command ntpdate 10.xxx.xxx.123

- name: kerberos - add krb5.keytab
  copy: src=krb5.keytab.production dest=/etc/krb5.keytab owner=root group=root mode=0600
  notify: sssd_restart

- name: sssd - add sssd.conf
  copy: src=sssd.conf dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
  notify: sssd_restart

- name: kerberos - create config directory
  file: path=/etc/krb5.conf.d state=directory mode=0755
  notify: sssd_restart

- name: kerberos - create ipa directory
  file: path=/etc/ipa state=directory mode=0755
  notify: sssd_restart

- name: kerberos - add ca.crt
  copy: src=ca.crt-production dest=/etc/ipa/ca.crt owner=root group=root mode=0600
  notify: sssd_restart

- name: kerberos - add krb5.conf
  copy: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
  notify: sssd_restart

- name: systemd - enable and start sssd
  service: name=sssd state=started enabled=yes

- name: pam - add modified config files
  copy: src={{ item }} dest=/etc/pam.d/{{ item }} owner=root group=root mode=0644
  with_items:
  - common-account
  - common-auth
  - common-password
  - common-session

- name: ssh - add sshd_config
  copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
  notify: ssh_restart

- name: sudo - add sudoers-custom
  copy: src=sudoers-custom dest=/etc/sudoers.d/sudoers-custom owner=root group=root mode=0644


On 01/02/2018 04:03 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 12/21/2017 01:49 PM, Andrew Radygin via FreeIPA-users wrote:
Hello!
I have FreeIPA server 4.5 on CentOS 7
and want to enroll a host on Debian 8 into the domain.
I've found freeipa-client 4.4 in the sid repo; installing it was almost successful...

apt-get cannot complete configuring certmonger, and I've got the following error:

======
# journalctl -u certmonger
-- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21 15:39:01 MSK. --
Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring and PKI enrollment...
Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 [18411] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.4" is not allowed to own the service "org.fedora
Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered failed state.
========

Does anyone know how to deal with it?
Thanks!

--
Best regards, Andrew.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

you are not the first one seeing this issue (see BZ 1504688 [1]) but it was not investigated because we were not able to reproduce.

The config file for certmonger/dbus is stored in /etc/dbus-1/system.d/certmonger.conf, so I would start by checking that its content is OK.

The bus name seems to be already owned by another process. You may try to restart the dbus service in case some internal data were not properly cleaned:

sudo systemctl restart dbus

Flo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1504688
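
An added example (not part of the original thread, and not FreeIPA or certmonger code): a Python check for the point raised above about /etc/dbus-1/system.d/certmonger.conf, reporting whether the policy lets root own the bus name from the journal error. The sample policies are constructed, and the check assumes certmonger runs as root and evaluates one file only, whereas dbus-daemon merges every policy file it loads.

```python
import sys
import xml.etree.ElementTree as ET

BUS_NAME = "org.fedorahosted.certmonger"  # bus name from the journal error
# dbus-daemon applies default, then user, then mandatory policies; later wins.
# Assumption: group= and at_console= policies are ignored by this check.
PRECEDENCE = {"context=default": 0, "user=root": 1, "context=mandatory": 2}

# Constructed sample policies, not copied from a real system.
GOOD_CONF = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.fedorahosted.certmonger"/>
    <allow send_destination="org.fedorahosted.certmonger"/>
  </policy>
</busconfig>"""

BAD_CONF = """<busconfig>
  <policy context="default">
    <allow send_destination="org.fedorahosted.certmonger"/>
  </policy>
</busconfig>"""

def own_rules(xml_text, bus_name=BUS_NAME):
    """List (scope, action) for each <allow>/<deny own=...> covering bus_name."""
    rules = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        scope = next((f"{k}={policy.get(k)}" for k in ("user", "group", "context")
                      if policy.get(k)), "other")
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule.get("own") in (bus_name, "*"):
                rules.append((scope, rule.tag))
    return rules

def root_may_own(xml_text, bus_name=BUS_NAME):
    """Evaluate the rules that apply to a root-owned daemon; default is deny."""
    applicable = [r for r in own_rules(xml_text, bus_name) if r[0] in PRECEDENCE]
    applicable.sort(key=lambda r: PRECEDENCE[r[0]])  # stable: file order kept
    return bool(applicable) and applicable[-1][1] == "allow"

if __name__ == "__main__":
    # Usage: pass one or more policy file paths, e.g. the certmonger.conf above.
    for path in sys.argv[1:]:
        with open(path) as fh:
            text = fh.read()
        print(path, own_rules(text), "root may own:", root_may_own(text))
```

A result of False for the certmonger policy file means no rule in it grants root the bus name, so the daemon's request is refused by the bus default.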