On 23/09/15 10:35, Michael Lasevich wrote:
Ok, I just went through process of migrating our IPA setup from 4.1.2
running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek
Copr version) and run into a nasty bug. The replica-install crashes during
CA configuration with something like:

''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpXXXXXX'' returned non-zero
exit status 1

Skipping CA works, but I needed the CA.

Upon digging into this, I found the issue appears to be in pki python, in


It looks like it makes a call to "/ca/rest/securityDomain/domainInfo" and
gets an XML doc which it converts to JSON. Somehow it gets mangled before
it looks at it. XML has outermost tag of "DomainInfo" - but JSON starts
with "Subsystem" (one layer lower) - I am guessing JSON converted strips
the "root" tag.

I bypassed this by hardcoding id as "IPA" - but obviously that is

Looking at Fedora box, it looks like the difference is in the  version of
PKI package that provides the lib - on Centos you get pki-base 10.1.2
(pki-base-10.1.2-7.1.el7.centos.noarch) - while on Fedore it was a 10.2
branch (and significantly different content in that file)

Anyway, I saw some reports of this bug in searches and no answers - so I
figured I would offer this pointer in (hopefully) the right direction.


Hello Michael!
Thanks for notifying us. Martin just updated the copr repository (https://copr.fedoraproject.org/coprs/mkosek/freeipa/) with newer version of PKI packages and I tested replication between Fedora 21 and CentOS 7.1 (both FreeIPA 4.1.4) and it works for me as expected.
Could you please try it again?

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to