On 01/04/2018 11:48 AM, Andrew Radygin via FreeIPA-users wrote:
Flo,
I've checked certmonger dbus config - it's okay and identical to another
one working.
But after restarting dbus, certmonger was configured and installed successfully.
Although I have another error now:
============
# apt-get install freeipa-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
freeipa-client is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 427 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up freeipa-client (4.4.4-4) ...
dpkg: error processing package freeipa-client (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
freeipa-client
E: Sub-process /usr/bin/dpkg returned an error code (1)
===============
# ps auxf |grep cert
root 11868 0.0 0.0 12772 980 pts/0 S+ 13:35 0:00 \_ grep cert
root 11781 0.0 0.1 70728 5072 ? Ss 13:31 0:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
# cat /var/log/dpkg.log
2018-01-04 13:31:26 startup packages configure
2018-01-04 13:31:26 configure certmonger:amd64 0.79.3-1 <none>
2018-01-04 13:31:26 status half-configured certmonger:amd64 0.79.3-1
2018-01-04 13:31:26 status installed certmonger:amd64 0.79.3-1
2018-01-04 13:31:27 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:31:27 status unpacked freeipa-client:amd64 4.4.4-4
2018-01-04 13:31:27 status half-configured freeipa-client:amd64 4.4.4-4
2018-01-04 13:32:03 startup packages configure
2018-01-04 13:32:03 configure freeipa-client:amd64 4.4.4-4 <none>
2018-01-04 13:32:03 status half-configured freeipa-client:amd64 4.4.4-4
=======
From /var/lib/dpkg/info/freeipa-client.postinst I found the following
log file: /var/log/ipaclient-upgrade.log
And it contains these messages:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
============
It's obviously an error from this code:
#!/bin/sh
set -e
LOGFILE=/var/log/ipaclient-upgrade.log
if [ "$1" = configure ]; then
    python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' \
        > $LOGFILE 2>&1
fi
=============
And executing it manually:
# python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 31, in <module>
    from ipalib import x509
  File "/usr/lib/python2.7/dist-packages/ipalib/__init__.py", line 885, in <module>
    from ipalib import plugable
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 41, in <module>
    from ipalib import errors
  File "/usr/lib/python2.7/dist-packages/ipalib/errors.py", line 109, in <module>
    from ipalib.text import ngettext as ungettext
  File "/usr/lib/python2.7/dist-packages/ipalib/text.py", line 193, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'
Hi,
the error seems familiar, it may be linked to ticket 7299 [1]. Is
python2 installed on your machine?
Flo.
[1] https://pagure.io/freeipa/issue/7299
2018-01-03 18:30 GMT+03:00 Lee Wiscovitch via FreeIPA-users
<freeipa-users@lists.fedorahosted.org>:
Doesn't really address the core issue, but wanted to chime in that
we ended up having to manually configure our Debian 8 instances to
work with our RHEL IPA servers.
We use ansible to automate the entire process, the playbook contents
below should be descriptive enough to know what is being done. We
got the config files from other RHEL IPA clients and tweaked as
necessary for platform differences (PAM was kinda tricky):
- name: apt - update base image
  apt: upgrade=dist update_cache=yes
- name: apt - install packages
  apt: name={{ item }} update_cache=yes state=latest
  with_items:
    - curl
    - krb5-user
    - libpam-ccreds
    - libpam-krb5
    - libselinux1
    - ntpdate
    - openssl
    - policycoreutils
    - sssd
- name: ntp - run ntpdate
  action: command ntpdate 10.xxx.xxx.123
- name: kerberos - add krb5.keytab
  copy: src=krb5.keytab.production dest=/etc/krb5.keytab owner=root group=root mode=0600
  notify: sssd_restart
- name: sssd - add sssd.conf
  copy: src=sssd.conf dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
  notify: sssd_restart
- name: kerberos - create config directory
  file: path=/etc/krb5.conf.d state=directory mode=0755
  notify: sssd_restart
- name: kerberos - create ipa directory
  file: path=/etc/ipa state=directory mode=0755
  notify: sssd_restart
- name: kerberos - add ca.crt
  copy: src=ca.crt-production dest=/etc/ipa/ca.crt owner=root group=root mode=0600
  notify: sssd_restart
- name: kerberos - add krb5.conf
  copy: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
  notify: sssd_restart
- name: systemd - enable and start sssd
  service: name=sssd state=started enabled=yes
- name: pam - add modified config files
  copy: src={{ item }} dest=/etc/pam.d/{{ item }} owner=root group=root mode=0644
  with_items:
    - common-account
    - common-auth
    - common-password
    - common-session
- name: ssh - add sshd_config
  copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
  notify: ssh_restart
- name: sudo - add sudoers-custom
  copy: src=sudoers-custom dest=/etc/sudoers.d/sudoers-custom owner=root group=root mode=0644
On 01/02/2018 04:03 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 12/21/2017 01:49 PM, Andrew Radygin via FreeIPA-users wrote:
Hello!
I have a FreeIPA server 4.5 on CentOS 7
and want to enroll a Debian 8 host in the domain.
I found freeipa-client 4.4 in the sid repo, and installing
it was almost successful...
apt-get cannot complete configuring certmonger, and I
got the following error:
======
# journalctl -u certmonger
-- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21 15:39:01 MSK. --
Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring and PKI enrollment...
Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 [18411] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.4" is not allowed to own the service "org.fedora
Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered failed state.
========
Does anyone know how to deal with it?
Thanks!
--
Best regards, Andrew.
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
<mailto:freeipa-users-le...@lists.fedorahosted.org>
Hi,
you are not the first one seeing this issue (see BZ 1504688 [1])
but it was not investigated because we were not able to reproduce.
The config file for certmonger/dbus is stored in
/etc/dbus-1/system.d/certmonger.conf, so I would start by
checking that its content is OK.
The bus name seems to be already owned by another process, you
may try to restart the dbus service in case some internal data
were not properly cleaned: sudo systemctl restart dbus
Flo
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1504688
--
Best regards, Andrew.
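
The check Flo suggests for /etc/dbus-1/system.d/certmonger.conf can be scripted. This is an added example, not part of the original thread and not FreeIPA or certmonger code: it evaluates a single policy file to see which user may own the bus name from the journal error. The sample policy is constructed and may_own is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

BUS_NAME = "org.fedorahosted.certmonger"  # name from the journal error above

# Constructed sample policy for illustration; not the file the package ships.
# The user policy is listed first on purpose: file order does not decide.
SAMPLE_CONF = """<?xml version="1.0"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.fedorahosted.certmonger"/>
    <allow send_destination="org.fedorahosted.certmonger"/>
  </policy>
  <policy context="default">
    <deny own="org.fedorahosted.certmonger"/>
  </policy>
</busconfig>
"""

# dbus-daemon applies context="default" first, then matching user policies,
# then context="mandatory"; the last matching rule wins.
STAGE = {"default": 0, "user": 1, "mandatory": 2}


def may_own(conf_text, user, bus_name=BUS_NAME):
    """Return True if this one file lets `user` own `bus_name`.

    Simplifications (assumptions): group= and at_console= policies, own_prefix=
    rules and other files merged by the daemon are not evaluated.
    """
    staged = []
    for idx, policy in enumerate(ET.fromstring(conf_text).iter("policy")):
        if policy.get("context") in ("default", "mandatory"):
            staged.append((STAGE[policy.get("context")], idx, policy))
        elif policy.get("user") == user:
            staged.append((STAGE["user"], idx, policy))
    verdict = False  # with no matching allow rule, ownership is refused
    for _, _, policy in sorted(staged, key=lambda s: s[:2]):
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule.get("own") in (bus_name, "*"):
                verdict = rule.tag == "allow"
    return verdict


if __name__ == "__main__":
    for user in ("root", "nobody"):
        print(user, "may own", BUS_NAME, "->", may_own(SAMPLE_CONF, user))
```

To check a real host, pass the contents of /etc/dbus-1/system.d/certmonger.conf as conf_text together with the user certmonger runs as (root in the ps output above).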