Flo,
I've checked the certmonger dbus config - it's okay and identical to another
one that is working.
But after restarting dbus, certmonger configured and installed successfully.

Although I have another error now:

============
# apt-get install freeipa-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
freeipa-client is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 427 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up freeipa-client (4.4.4-4) ...
dpkg: error processing package freeipa-client (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 freeipa-client
E: Sub-process /usr/bin/dpkg returned an error code (1)
===============

# ps auxf |grep cert
root     11868  0.0  0.0  12772   980 pts/0    S+   13:35   0:00  \_ grep cert
root     11781  0.0  0.1  70728  5072 ?        Ss   13:31   0:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

# cat /var/log/dpkg.log
2018-01-04 13:31:26 startup packages configure
2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 <none>
2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
2018-01-04 13:32:03 startup packages configure
2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4

=======

From /var/lib/dpkg/info/freeipa-client.postinst I've found the following log
file - /var/log/ipaclient-upgrade.log
And there are these messages:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'

============

It's obviously an error from this code:

#!/bin/sh
set -e

LOGFILE=/var/log/ipaclient-upgrade.log

if [ "$1" = configure ]; then
    python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' \
        > $LOGFILE 2>&1
fi

=============

And executing it manually:

# python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'

2018-01-03 18:30 GMT+03:00 Lee Wiscovitch via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> Doesn't really address the core issue, but wanted to chime in that we
> ended up having to manually configure our Debian 8 instances to work with
> our RHEL IPA servers.
>
> We use ansible to automate the entire process, the playbook contents below
> should be descriptive enough to know what is being done. We got the config
> files from other RHEL IPA clients and tweaked as necessary for platform
> differences (PAM was kinda tricky):
>
> - name: apt - update base image
>   apt: upgrade=dist update_cache=yes
>
> - name: apt - install packages
>   apt: name={{ item }} update_cache=yes state=latest
>   with_items:
>   - curl
>   - krb5-user
>   - libpam-ccreds
>   - libpam-krb5
>   - libselinux1
>   - ntpdate
>   - openssl
>   - policycoreutils
>   - sssd
>
> - name: ntp - run ntpdate
>   action: command ntpdate 10.xxx.xxx.123
>
> - name: kerberos - add krb5.keytab
>   copy: src=krb5.keytab.production dest=/etc/krb5.keytab owner=root group=root mode=0600
>   notify: sssd_restart
>
> - name: sssd - add sssd.conf
>   copy: src=sssd.conf dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
>   notify: sssd_restart
>
> - name: kerberos - create config directory
>   file: path=/etc/krb5.conf.d state=directory mode=0755
>   notify: sssd_restart
>
> - name: kerberos - create ipa directory
>   file: path=/etc/ipa state=directory mode=0755
>   notify: sssd_restart
>
> - name: kerberos - add ca.crt
>   copy: src=ca.crt-production dest=/etc/ipa/ca.crt owner=root group=root mode=0600
>   notify: sssd_restart
>
> - name: kerberos - add krb5.conf
>   copy: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
>   notify: sssd_restart
>
> - name: systemd - enable and start sssd
>   service: name=sssd state=started enabled=yes
>
> - name: pam - add modified config files
>   copy: src={{ item }} dest=/etc/pam.d/{{ item }} owner=root group=root mode=0644
>   with_items:
>   - common-account
>   - common-auth
>   - common-password
>   - common-session
>
> - name: ssh - add sshd_config
>   copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
>   notify: ssh_restart
>
> - name: sudo - add sudoers-custom
>   copy: src=sudoers-custom dest=/etc/sudoers.d/sudoers-custom owner=root group=root mode=0644
>
>
>
> On 01/02/2018 04:03 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
>> On 12/21/2017 01:49 PM, Andrew Radygin via FreeIPA-users wrote:
>>
>>> Hello!
>>> I have freeipa server 4.5 on Centos 7.
>>> And want to enroll host on Debian 8 to domain.
>>> I've found freeipa-client 4.4 in the sid repo, installing of it was
>>> almost successful...
>>>
>>> apt-get cannot complete configuring for certmonger, and I've got
>>> following error:
>>>
>>> ======
>>> # journalctl -u certmonger
>>> -- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21
>>> 15:39:01 MSK. --
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring and
>>> PKI enrollment...
>>> Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 [18411]
>>> Unable to set well-known bus name "org.fedorahosted.certmonger": Connection
>>> ":1.4" is not allowed to own the service "org.fedora
>>> Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process
>>> exited, code=exited, status=1/FAILURE
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate
>>> monitoring and PKI enrollment.
>>> Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered
>>> failed state.
>>> ========
>>>
>>> Does anyone know how to deal with it?
>>> Thanks!
>>>
>>> --
>>> Best regards, Andrew.
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>
>> Hi,
>>
>> you are not the first one seeing this issue (see BZ 1504688 [1]) but it
>> was not investigated because we were not able to reproduce.
>>
>> The config file for certmonger/dbus is stored in
>> /etc/dbus-1/system.d/certmonger.conf, so I would start by checking that
>> its content is OK.
>>
>> The bus name seems to be already owned by another process, you may try to
>> restart the dbus service in case some internal data were not properly
>> cleaned: sudo systemctl restart dbus
>>
>> Flo
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1504688



-- 
Best regards, Andrew.
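
Added example, not part of the original message or of the FreeIPA or Debian packaging: a small parser for the /var/log/dpkg.log format quoted above that reports packages whose last recorded state is not settled and how many configure attempts they have had. The sample input is constructed from the log lines in the message; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the /var/log/dpkg.log lines quoted in the message above.
SAMPLE_DPKG_LOG = """\
2018-01-04 13:31:26 startup packages configure
2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 <none>
2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
2018-01-04 13:32:03 startup packages configure
2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4
"""

# States in which dpkg has nothing left to do for a package.
SETTLED = {"installed", "not-installed", "config-files"}

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
STATUS_RE = re.compile(r"^" + TS + r" status (\S+) (\S+) (\S+)$")
CONFIGURE_RE = re.compile(r"^" + TS + r" configure (\S+) (\S+) \S+$")


def parse_dpkg_log(log_text):
    """Return (latest, attempts): the last status line and the number of
    configure actions seen for each package."""
    latest, attempts = {}, Counter()
    for line in log_text.splitlines():
        line = line.strip()
        m = STATUS_RE.match(line)
        if m:
            ts, state, pkg, version = m.groups()
            latest[pkg] = (ts, state, version)
            continue
        m = CONFIGURE_RE.match(line)
        if m:
            attempts[m.group(2)] += 1
    return latest, attempts


def unsettled_packages(log_text):
    """Packages whose final recorded state is not a settled one."""
    latest, attempts = parse_dpkg_log(log_text)
    return {pkg: {"since": ts, "state": state, "version": version,
                  "configure_attempts": attempts[pkg]}
            for pkg, (ts, state, version) in latest.items()
            if state not in SETTLED}


if __name__ == "__main__":
    for pkg, info in sorted(unsettled_packages(SAMPLE_DPKG_LOG).items()):
        print("%s %s" % (pkg, info))
```
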