Flo, I've checked the certmonger dbus config - it's okay and identical to another working one. But after restarting dbus, certmonger configured and installed successfully.
Although I have another problem now:
============
# apt-get install freeipa-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
freeipa-client is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 427 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up freeipa-client (4.4.4-4) ...
dpkg: error processing package freeipa-client (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
freeipa-client
E: Sub-process /usr/bin/dpkg returned an error code (1)
===============
# ps auxf |grep cert
root 11868 0.0 0.0 12772 980 pts/0 S+ 13:35 0:00 \_ grep cert
root 11781 0.0 0.1 70728 5072 ? Ss 13:31 0:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
# cat /var/log/dpkg.log
2018-01-04 13:31:26 startup packages configure
2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 <none>
2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
2018-01-04 13:32:03 startup packages configure
2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4
=======
From /var/lib/dpkg/info/freeipa-client.postinst I've found the following log file - /var/log/ipaclient-upgrade.log
And there are these messages:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
============
It's obviously an error from this code:
#!/bin/sh
set -e

LOGFILE=/var/log/ipaclient-upgrade.log

if [ "$1" = configure ]; then
    python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' \
        > $LOGFILE 2>&1
fi
=============
And executing it manually:
# python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'

2018-01-03 18:30 GMT+03:00 Lee Wiscovitch via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:

> Doesn't really address the core issue, but wanted to chime in that we
> ended up having to manually configure our Debian 8 instances to work with
> our RHEL IPA servers.
>
> We use ansible to automate the entire process, the playbook contents below
> should be descriptive enough to know what is being done.
> We got the config
> files from other RHEL IPA clients and tweaked as necessary for platform
> differences (PAM was kinda tricky):
>
> - name: apt - update base image
>   apt: upgrade=dist update_cache=yes
>
> - name: apt - install packages
>   apt: name={{ item }} update_cache=yes state=latest
>   with_items:
>     - curl
>     - krb5-user
>     - libpam-ccreds
>     - libpam-krb5
>     - libselinux1
>     - ntpdate
>     - openssl
>     - policycoreutils
>     - sssd
>
> - name: ntp - run ntpdate
>   action: command ntpdate 10.xxx.xxx.123
>
> - name: kerberos - add krb5.keytab
>   copy: src=krb5.keytab.production dest=/etc/krb5.keytab owner=root group=root mode=0600
>   notify: sssd_restart
>
> - name: sssd - add sssd.conf
>   copy: src=sssd.conf dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
>   notify: sssd_restart
>
> - name: kerberos - create config directory
>   file: path=/etc/krb5.conf.d state=directory mode=0755
>   notify: sssd_restart
>
> - name: kerberos - create ipa directory
>   file: path=/etc/ipa state=directory mode=0755
>   notify: sssd_restart
>
> - name: kerberos - add ca.crt
>   copy: src=ca.crt-production dest=/etc/ipa/ca.crt owner=root group=root mode=0600
>   notify: sssd_restart
>
> - name: kerberos - add krb5.conf
>   copy: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
>   notify: sssd_restart
>
> - name: systemd - enable and start sssd
>   service: name=sssd state=started enabled=yes
>
> - name: pam - add modified config files
>   copy: src={{ item }} dest=/etc/pam.d/{{ item }} owner=root group=root mode=0644
>   with_items:
>     - common-account
>     - common-auth
>     - common-password
>     - common-session
>
> - name: ssh - add sshd_config
>   copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
>   notify: ssh_restart
>
> - name: sudo - add sudoers-custom
>   copy: src=sudoers-custom dest=/etc/sudoers.d/sudoers-custom owner=root group=root mode=0644
>
>
>
> On 01/02/2018 04:03 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
>> On 12/21/2017 01:49 PM, Andrew Radygin via FreeIPA-users wrote:
>>
>>> Hello!
>>> I have freeipa server 4.5 on Centos 7.
>>> And want to enroll host on Debian 8 to domain.
>>> I've found freeipa-client 4.4 in the sid repo, installing of it was
>>> almost successful...
>>>
>>> apt-get cannot complete configuring for certmonger, and I've got
>>> following error:
>>>
>>> ======
>>> # journalctl -u certmonger
>>> -- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21
>>> 15:39:01 MSK. --
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring and
>>> PKI enrollment...
>>> Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 [18411]
>>> Unable to set well-known bus name "org.fedorahosted.certmonger": Connection
>>> ":1.4" is not allowed to own the service "org.fedora
>>> Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process
>>> exited, code=exited, status=1/FAILURE
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate
>>> monitoring and PKI enrollment.
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered
>>> failed state.
>>> ========
>>>
>>> Does anyone know how to deal with it?
>>> Thanks!
>>>
>>> --
>>> Best regards, Andrew.
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>>> rahosted.org
>>>
>>> Hi,
>>
>> you are not the first one seeing this issue (see BZ 1504688 [1]) but it
>> was not investigated because we were not able to reproduce.
>>
>> The config file for certmonger/dbus is stored in
>> /etc/dbus-1/system.d/certmonger.conf, so I would start by checking that
>> its content is OK.
>>
>> The bus name seems to be already owned by another process, you may try to
>> restart the dbus service in case some internal data were not properly
>> cleaned: sudo systemctl restart dbus
>>
>> Flo
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1504688
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>> rahosted.org
>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>

--
Best regards, Andrew.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
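
Added example, not part of the original thread: the by-hand reading of /var/log/dpkg.log in the message above, as a shell function that reports every package whose latest recorded status is not a settled one, which is how a failing post-installation script shows up. The function names `dpkg_unsettled` and `sample_log` and the choice of settled states (installed, not-installed, config-files) are assumptions of this example; the sample input is the log excerpt quoted in the message.

```shell
#!/bin/sh
# Added example: list packages that dpkg.log last recorded in an
# unsettled state (for instance half-configured after a postinst failure).

# Reads dpkg.log text on stdin; prints "<package> <state> <version>".
dpkg_unsettled() {
    awk '
        # Status lines look like: DATE TIME status STATE PACKAGE VERSION
        $3 == "status" && NF >= 6 {
            if (!($5 in state)) order[++n] = $5   # keep first-seen order
            state[$5] = $4                        # later lines overwrite earlier
            version[$5] = $6
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                # Assumption: these three states count as settled.
                if (state[p] != "installed" &&
                    state[p] != "not-installed" &&
                    state[p] != "config-files")
                    print p, state[p], version[p]
            }
        }
    '
}

# Sample input: the dpkg.log lines quoted in the message above.
sample_log() {
    cat <<'EOF'
2018-01-04 13:31:26 startup packages configure
2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 <none>
2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
2018-01-04 13:32:03 startup packages configure
2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4
EOF
}

# Stand-alone run on the sample; on a host: dpkg_unsettled < /var/log/dpkg.log
sample_log | dpkg_unsettled
```

On the quoted log this reports only freeipa-client, since certmonger's last recorded status is installed.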