On 12/01/18 12:32, Alexander Bokovoy wrote:
On Fri, 12 Jan 2018, lejeczek via FreeIPA-users wrote:

On 11/01/18 18:55, Florence Blanc-Renaud wrote:
then the problem you are seeing is probably BZ 14852017 [RFE] If the umask is too restrictive the installation won't work [1]

Did you install the master with a umask different from 022? In this case, some configuration files are probably not accessible by non-root users, and the httpd server - running as apache - cannot read files needed to establish the secure connection to dogtag.

You can try to change the permissions for /etc/ipa/ca.crt and /var/lib/ipa/ra-agent.{key|pem} on the master:
$ chmod 444 /etc/ipa/ca.crt
$ chmod 440 /var/lib/ipa/ra-agent.*

and re-try the replica installation.


I'm double posting.. beware
Jesus freaking Christ.. (this comes after I produced a whole litany of bad words in my own language), sorry.
It almost drove me insane! no, really!

All these problems, all these errors, all because of my root's umask 027. Now having replica installed, I'll see how two servers behave in my simple domain.

Guys, make it a very first check in installer code and make that installer fail, and.. push out a new release with that little fix like... yesterday (do not wait till it's properly fixed). You can still save lives!

There is https://pagure.io/freeipa/issue/7193 for that. Unfortunately, it is not going to get into next RHEL update due to timing issues.

A patch is welcomed.

I'm sure for you guys @devel it won't take more than a blink of an eye - just fail that installer for "non-regular" umasks (for now at least) - myself? I'd have to learn python ;) I've struggled, I've wasted a week, and would have given in if it wasn't for Flo's help.
Seriously, I'm sure this will save many lives.
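
Added example, not part of the thread and not FreeIPA installer code: a sketch of the pre-flight check discussed above, showing how a root umask of 027 or 077 strips the read bits that the chmod commands in the thread restore. The file names are stand-ins created in a scratch directory, and the creation modes are an assumption taken from those chmod commands.

```python
import os
import stat
import tempfile

# Modes taken from the chmod commands in the thread; the file names are
# stand-ins created in a scratch directory, not the real FreeIPA paths.
REQUIRED_MODES = {"ca.crt": 0o444, "ra-agent.key": 0o440, "ra-agent.pem": 0o440}
EXPECTED_UMASK = 0o022


def current_umask():
    """Return the process umask; os.umask() can only read it by setting it."""
    old = os.umask(0o077)
    os.umask(old)
    return old


def umask_is_too_restrictive(mask):
    """True if the mask strips group/other read or directory-search bits."""
    needed = stat.S_IRGRP | stat.S_IROTH | stat.S_IXGRP | stat.S_IXOTH
    return bool(mask & needed)


def missing_bits(path, required):
    """Permission bits in `required` that the file at `path` lacks."""
    return required & ~stat.S_IMODE(os.stat(path).st_mode)


def simulate_install(mask):
    """Create the stand-in files under `mask`; return {name: missing bits}."""
    findings = {}
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            for name, required in REQUIRED_MODES.items():
                path = os.path.join(workdir, name)
                # Assumption: the file is requested with the mode it needs.
                os.close(os.open(path, os.O_WRONLY | os.O_CREAT, required))
                missing = missing_bits(path, required)
                if missing:
                    findings[name] = missing
    finally:
        os.umask(old)
    return findings


if __name__ == "__main__":
    for mask in (EXPECTED_UMASK, 0o027, 0o077):
        flagged = {n: oct(b) for n, b in simulate_install(mask).items()}
        print(f"umask {mask:03o}: restrictive={umask_is_too_restrictive(mask)} missing={flagged}")
```

An installer-side guard would call umask_is_too_restrictive(current_umask()) before writing anything and stop with a clear message when it returns True.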