On 23/09/15 10:35, Michael Lasevich wrote:
Ok, I just went through process of migrating our IPA setup from 4.1.2
running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek
Copr version) and run into a nasty bug. The replica-install crashes during
CA configuration with something like:
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpXXXXXX'' returned non-zero
exit status 1
Skipping CA works, but I needed the CA.
Upon digging into this, I found the issue appears to be in pki python, in
It looks like it makes a call to "/ca/rest/securityDomain/domainInfo" and
gets an XML doc which it converts to JSON. Somehow it gets mangled before
it looks at it. XML has outermost tag of "DomainInfo" - but JSON starts
with "Subsystem" (one layer lower) - I am guessing JSON converted strips
the "root" tag.
I bypassed this by hardcoding id as "IPA" - but obviously that is
Looking at Fedora box, it looks like the difference is in the version of
PKI package that provides the lib - on Centos you get pki-base 10.1.2
(pki-base-10.1.2-7.1.el7.centos.noarch) - while on Fedore it was a 10.2
branch (and significantly different content in that file)
Anyway, I saw some reports of this bug in searches and no answers - so I
figured I would offer this pointer in (hopefully) the right direction.
Thanks for notifying us. Martin just updated the copr repository
(https://copr.fedoraproject.org/coprs/mkosek/freeipa/) with newer
version of PKI packages and I tested replication between Fedora 21 and
CentOS 7.1 (both FreeIPA 4.1.4) and it works for me as expected.
Could you please try it again?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project