Re: [Freeipa-devel] [PATCH 0142] Improve LDAP error logging
On 04/09/2013 03:27 PM, Petr Spacek wrote: Hello, Improve LDAP error logging. Diagnostic error message is logged when it is available. Plugin with this patch produces messages like: LDAP error: Server is unwilling to perform: Minimum SSF not met.: bind to LDAP server failed intead of bind to LDAP server failed: Server is unwilling to perform Second example is: LDAP error: Object class violation: attribute mgrecord not allowed : while modifying(add) entry 'idnsName=pspacek, idnsname=example.com,cn=dns,dc=e,dc=test' instead of :-D snip diff --git a/src/log.h b/src/log.h index 312f24322fd0c6f9943c6beb810ac0bcd8f3896c..cbf1a3faaaccea7391d65d018e80d8ec688fc111 100644 --- a/src/log.h +++ b/src/log.h 
@@ -55,16 +55,30 @@ log_write(GET_LOG_LEVEL(level), format, ##__VA_ARGS__) /* LDAP logging functions */ -#define log_ldap_error(ld) \ - do {\ - int err;\ - char *errmsg = UNKNOWN; \ - if (ldap_get_option(ld, LDAP_OPT_RESULT_CODE, err) \ - == LDAP_OPT_SUCCESS)\ - errmsg = ldap_err2string(err); \ - log_error_position(LDAP error: %s, errmsg); \ - } while (0);\ +#define LOG_LDAP_ERR_PREFIX LDAP error: +#define log_ldap_error(ld, desc, ...) \ + do { \ + int err; \ + char *errmsg = NULL; \ + char *diagmsg = NULL; \ + if (ldap_get_option(ld, LDAP_OPT_RESULT_CODE, err) \ + == LDAP_OPT_SUCCESS) { \ + errmsg = ldap_err2string(err); \ Getting error msg for the first time here. + if (ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, diagmsg) \ + == LDAP_OPT_SUCCESS diagmsg != NULL) { \ + errmsg = ldap_err2string(err); \ Again getting error msg with the same err. Maybe a copy-paste error? + log_error(LOG_LDAP_ERR_PREFIX %s: %s: desc, \ + errmsg, diagmsg, ##__VA_ARGS__);\ + ldap_memfree(diagmsg); \ + } else \ + log_error(LOG_LDAP_ERR_PREFIX %s: desc, \ + errmsg, ##__VA_ARGS__); \ + } else { \ + log_error(LOG_LDAP_ERR_PREFIX \ + unable to obtain LDAP error code: \ + desc, ##__VA_ARGS__); \ + } \ + } while (0); void log_write(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3); Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
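Review bot: `desc` is spliced into the printf format string (`LOG_LDAP_ERR_PREFIX "%s: %s: " desc`), so every caller of log_ldap_error() must pass a string literal; any runtime string handed in as desc (a DN or record name taken from an update request, say) would be interpreted as a format string. Either document that constraint next to the macro or pass desc as a `%s` argument and build the message in a small variadic helper. Two smaller points in the same hunk: the duplicated `errmsg = ldap_err2string(err);` inside the diagnostic-message branch that Tomas flagged is a no-op and should go, and the macro still ends in `} while (0);` with a trailing semicolon, which breaks `if (...) log_ldap_error(...); else ...` at call sites; since the macro is being rewritten anyway, drop that semicolon. As printed, `ldap_get_option(ld, LDAP_OPT_RESULT_CODE, err)` and the LDAP_OPT_DIAGNOSTIC_MESSAGE call pass err and diagmsg by value rather than `&err` / `&diagmsg`; if that is only the mail archive losing the `&` characters, ignore this last point.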
[Freeipa-devel] [PATCH] 0220 Only require libsss_nss_idmap-python in Fedora 19+
Hello, The patch for resolving SIDs added a dependency on a package that isn't available in Fedora 18. This makes the dependency optional. Obviously the SID resolution won't work in f18, but IPA should be installable. -- PetrĀ³ From 9e9b34d0891bdae22da048d844deb5a293c2d0af Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 7 May 2013 12:47:29 +0200 Subject: [PATCH] Only require libsss_nss_idmap-python in Fedora 19+ The package is only available in Fedora 19. This means SID resolution in the UI won't work in Fedora 18. --- freeipa.spec.in | 5 + 1 file changed, 5 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 78f037ee41ef380bb0cb1ddb2138343124697709..4b42c3597ee953351ab2131aa698cade7ec6bb3c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -211,7 +211,9 @@ Requires: samba4 Requires: samba4-winbind %endif Requires: libsss_idmap +%if 0%{?fedora} = 19 Requires: libsss_nss_idmap-python +%endif # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 # on the installes where server-trust-ad subpackage is installed because # IPA AD trusts cannot be used at the same time with the locator plugin @@ -845,6 +847,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Tue May 7 2013 Petr Viktorin pvikt...@redhat.com - 3.1.99-12 +- Require libsss_nss_idmap-python in Fedora 19+ + * Mon May 6 2013 Petr Vobornik pvobo...@redhat.com - 3.1.99-11 - Web UI plugins -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
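Review bot: the conditional reads `%if 0%{?fedora} = 19`, which as written gates on exactly Fedora 19 rather than "19 and later" as the subject line says; the operator should be `>=` (the archive may simply have dropped the `>`, so check the applied patch). Also, since SID resolution is expected to quietly not work on Fedora 18, verify that the code importing the Python module this package provides guards the import; otherwise the dropped Requires turns into a runtime ImportError for every Fedora 18 user instead of a disabled feature.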
Re: [Freeipa-devel] [PATCH] 0220 Only require libsss_nss_idmap-python in Fedora 19+
On Tue, May 07, 2013 at 01:02:02PM +0200, Petr Viktorin wrote:
Hello,
The patch for resolving SIDs added a dependency on a package that isn't available in Fedora 18. This makes the dependency optional. Obviously the SID resolution won't work in f18, but IPA should be installable.

ACK

bye,
Sumit

-- Petr³
Re: [Freeipa-devel] Cyrus SASL problem on Fedora 19? [heads up]
On Mon, 2013-05-06 at 19:56 +0200, Petr Spacek wrote:
Hello list,
heads up - we have some problems with Cyrus SASL in Fedora 19. SASL connections via Unix socket are failing with weird error: (Note the 'SOCKET' piece.)

$ ldapsearch -Y GSSAPI -H 'ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/soc...@testrelm.com not found in Kerberos database)

See https://bugzilla.redhat.com/show_bug.cgi?id=960222 for all the gory details.

We moved it to an openldap bug actually, but the bug is there nevertheless.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0146] Disallow all dynamic updates if update policy configuration failed
On 04/16/2013 10:40 AM, Petr Spacek wrote:
Hello,
Disallow all dynamic updates if update policy configuration failed. Without this patch the old update policy stays in effect when re-configuration failed.

ACK. The patch looks good. (I didn't do functional test)

Regards,
Tomas Hozza
[Freeipa-devel] [PATCH] 0026 Do not display success message on failure in web UI
https://fedorahosted.org/freeipa/ticket/3591 -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 8678fbd3191d143bd6e5ac2e78ec0895002eb706 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Tue, 7 May 2013 17:11:12 +0200 Subject: [PATCH] Do not display success message on failure in web UI https://fedorahosted.org/freeipa/ticket/3591 --- install/ui/src/freeipa/ipa.js | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js index 69d375a4b4e512ebb8cd86f048ea8a43a7cef858..1337368947706dc25e34482b3c6939bd84e8dd03 100644 --- a/install/ui/src/freeipa/ipa.js +++ b/install/ui/src/freeipa/ipa.js @@ -759,7 +759,7 @@ IPA.command = function(spec) { dialog.on_ok = function() { dialog.close(); -if (that.on_success) that.on_success.call(ajax, data, text_status, xhr); +if (that.on_error) that.on_error.call(this, xhr, text_status, failed.errors); }; dialog.open(); @@ -804,6 +804,13 @@ IPA.command = function(spec) { } } } +} else if (result result.results) { +for(i = 0; i result.results.length; i++) { +var r = result.results[i]; +if (r['error_code'] r['error_code'] !== 4001) { +errors.add(command, r['error_name'], r['error'], text_status); +} +} } return errors; }; -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
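Review bot: in the `dialog.on_ok` hunk the new call uses `this` as the context (`that.on_error.call(this, xhr, text_status, failed.errors)`) where the replaced `on_success` call passed `ajax`; inside the on_ok handler `this` is the dialog, so an on_error callback written against the same context on_success receives will see a different object. Pass `ajax` unless a dialog context is really intended, and make sure `failed` is in scope at that point, since nothing in the hunk defines it.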
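Review bot: in the new `result.results` loop the tolerated error code is a bare literal (`r['error_code'] !== 4001`); give it a named constant or a comment naming the ipalib error it corresponds to, otherwise the next reader cannot tell why exactly one error is swallowed while every other per-result error is reported. Also `i` is assigned in `for(i = 0; ...)` without `var`; if it is not declared earlier in the function it becomes an implicit global.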
Re: [Freeipa-devel] [PATCH] 1101 set httpd ccache
On 05/07/2013 04:41 PM, Rob Crittenden wrote:
See the commit message for all the gory details but the bottom line is that mod_auth_kerb doesn't work with DIR ccache which is the default in the latest krb5 builds.

rob

Looks OK (just reading it). This fixes just new server install. What about upgrades? Won't updated FreeIPA servers' mod_auth_kerb crash too?

Martin
[Freeipa-devel] [PATCH] 0027 Prompt for nameserver IP address in dnszone-add
Prompt for nameserver IP address in dnszone-add https://fedorahosted.org/freeipa/ticket/3603 -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From fff763bc0fa4d996b14d9d6298ed7dd79e69255e Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Tue, 7 May 2013 19:37:22 +0200 Subject: [PATCH] Prompt for nameserver IP address in dnszone-add Prompt for nameserver IP address in interactive mode of dnszone-add. Add a corresponding field to dnszone creation dialog in the web UI. Keep this parameter optional. https://fedorahosted.org/freeipa/ticket/3603 --- API.txt | 2 +- VERSION | 2 +- install/ui/src/freeipa/dns.js | 4 install/ui/test/data/ipa_init_commands.json | 11 +++ ipalib/plugins/dns.py | 2 ++ 5 files changed, 19 insertions(+), 2 deletions(-) diff --git a/API.txt b/API.txt index e5bb7beb49c287badecb36ed95451a2561a68976..70618dd11cc682cfc86fc16ae135b1d07a2157dd 100644 --- a/API.txt +++ b/API.txt @@ -1069,7 +1069,7 @@ command: dnszone_add option: Str('idnssoarname', attribute=True, cli_name='admin_email', multivalue=False, required=True) option: Int('idnssoaserial', attribute=True, autofill=True, cli_name='serial', maxvalue=4294967295L, minvalue=1, multivalue=False, required=True) option: Str('idnsupdatepolicy', attribute=True, autofill=True, cli_name='update_policy', multivalue=False, required=False) -option: Str('ip_address?') +option: Str('ip_address?', alwaysask=True) option: Str('name_from_ip', attribute=False, cli_name='name_from_ip', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') diff --git a/VERSION b/VERSION index 4bee01b981d818de21f0be1b16d5668a7f453baf..b1e01084345ba58b3347e81ccbf3451def5e8fe5 100644 --- a/VERSION +++ b/VERSION @@ -89,4 +89,4 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=58 +IPA_API_VERSION_MINOR=59 
diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index 5024e8b768ea46c86eb4db5901e71b02866432ff..15d7d66b9cb78006cd41665567cafb96b23bee55 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js @@ -300,6 +300,10 @@ return { fields: [ 'idnssoamname', { +name: 'ip_address', +metadata: '@mc-opt:dnszone_add:ip_address' +}, +{ name: 'idnssoarname', required: false }, diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index a7e00ba55209a987b9f5684a738c99803ecb7e28..b66ae4dd1338dca3beb68ef4b34125e8c4516145 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -7654,6 +7654,17 @@ { attribute: true, class: Str, +doc: Add forward record for nameserver located in the created zone, +flags: [], +label: Nameserver IP address, +name: ip_address, +noextrawhitespace: true, +required: true, +type: unicode +}, +{ +attribute: true, +class: Str, doc: Administrator e-mail address, flags: [], label: Administrator e-mail address, diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 3ad03402d5a3b66b0f64545ff8812e9201258d6e..0ee24b1bba6b499336b61d48ad5786df2ca05826 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -1781,6 +1781,8 @@ class dnszone_add(LDAPCreate): ), Str('ip_address?', _validate_ipaddr, doc=_('Add forward record for nameserver located in the created zone'), +label=_('Nameserver IP address'), +alwaysask=True, ), ) -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
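Review bot: install/ui/test/data/ipa_init_commands.json declares the new ip_address option with `required: true`, while the commit message says the parameter stays optional and dns.py keeps it as `Str('ip_address?', ...)`; the test fixture should say `required: false`, otherwise the UI test data disagrees with the metadata the server actually returns. A smaller point on the dns.py hunk: with `alwaysask=True` the interactive CLI now prompts for this address on every dnszone-add, including when the nameserver is not inside the zone being created (where, per the option's own doc string, a forward record makes no sense); the prompt help should say it may be left empty in that case.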
Re: [Freeipa-devel] [PATCH] 1101 set httpd ccache
Simo Sorce wrote: On Tue, 2013-05-07 at 18:34 +0200, Martin Kosek wrote: On 05/07/2013 04:41 PM, Rob Crittenden wrote: See the commit message for all the gory details but the bottom line is that mod_auth_kerb doesn't work with DIR ccache which is the default in the latest krb5 builds. rob Looks OK (just reading it). This fixes just new server install. What about upgrades? Won't updated FreeIPA servers' mod_auth_kerb crash too? Indeed we need to fix on upgrade too. Yes, it was an oversight when I did the commit. Updated patch to include the one-liner upgrade call. rob From 0026d1149e44a7fc7feca42f66d69e026ae515cc Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Tue, 7 May 2013 10:33:55 -0400 Subject: [PATCH] Set KRB5CCNAME so httpd s4u2proxy can with with newer krb5-server The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/uid isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd. https://fedorahosted.org/freeipa/ticket/3607 --- install/tools/ipa-upgradeconfig | 1 + ipaserver/install/httpinstance.py | 18 ++ 2 files changed, 19 insertions(+) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index c9574b961452bb721c6d55344df46852ec565913..8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -916,6 +916,7 @@ def main(): http = httpinstance.HTTPInstance(fstore) http.remove_httpd_ccache() http.configure_selinux_for_httpd() +http.configure_httpd_ccache() ds = dsinstance.DsInstance() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 6da212ce50de6346d0c3c0a19bf579eedf88655d..375016262a5bdfb6e7f823a4640c4c1fd8f7a9b8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -22,6 +22,7 @@ import os.path import tempfile import pwd import shutil +import stat import service import certs @@ -99,6 +100,7 @@ class HTTPInstance(service.Service): self.step(creating a keytab for httpd, self.__create_http_keytab) self.step(clean up any existing httpd ccache, self.remove_httpd_ccache) self.step(configuring SELinux for httpd, self.configure_selinux_for_httpd) +self.step(configure httpd ccache, self.configure_httpd_ccache) self.step(restarting httpd, self.__start) self.step(configuring httpd to start on boot, self.__enable) @@ -192,6 +194,22 @@ class HTTPInstance(service.Service): pent = pwd.getpwnam(apache) installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid) +def configure_httpd_ccache(self): +pent = pwd.getpwnam(apache) +ccache = '/tmp/krb5cc_%d' % pent.pw_uid +filepath = '/etc/sysconfig/httpd' +if not os.path.exists(filepath): +# file doesn't exist; create it with correct ownership mode +open(filepath, 'a').close() +os.chmod(filepath, +stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) +os.chown(filepath, 0, 0) + +replacevars = {'KRB5CCNAME': ccache} +old_values = ipautil.backup_config_and_replace_variables( +self.fstore, filepath, replacevars=replacevars) +ipaservices.restore_context(filepath) + def __configure_http(self): target_fname = '/etc/httpd/conf.d/ipa.conf' http_txt = ipautil.template_file(ipautil.SHARE_DIR + ipa.conf, self.sub_dict) -- 1.8.2.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
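Review bot: configure_httpd_ccache() points KRB5CCNAME at `/tmp/krb5cc_%d` for the apache uid, a fixed, predictable name in a world-writable directory. The commit message explains that /run/user/<uid> is not created for apache; the cleaner fix is for the installer to create a private, apache-owned 0700 directory (under /run or /var/run, with the matching SELinux context) and point KRB5CCNAME there, rather than relying on remove_httpd_ccache() to clear whatever currently sits at the /tmp name. Minor: `old_values` returned by backup_config_and_replace_variables() is assigned but never used, and the chmod/chown only run when the file did not exist, so a pre-existing /etc/sysconfig/httpd with loose permissions is left as it is.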
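Review bot: the ipa-upgradeconfig hunk only adds `http.configure_httpd_ccache()` after configure_selinux_for_httpd(); a changed KRB5CCNAME in /etc/sysconfig/httpd takes effect only when httpd is restarted, so confirm that the upgrade path restarts httpd afterwards (the install path does this with its "restarting httpd" step), or an upgraded server keeps running with the old, missing ccache until the next reboot.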
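The patch above delegates the actual edit of /etc/sysconfig/httpd to FreeIPA's ipautil.backup_config_and_replace_variables(). The following is an added, stand-alone example of that kind of KEY=value replacement in a shell-style sysconfig file; it is not FreeIPA's code, and it makes these assumptions: the caller supplies the path (the example uses a temporary directory), the file is rewritten atomically through a temp file and os.replace(), ownership is only changed when running as root, and the sample file contents and the uid 48 in the sample value are constructed for the demonstration.

```python
"""Added example: set KEY=value variables in a sysconfig-style file.

Not FreeIPA's ipautil.backup_config_and_replace_variables(); a
self-contained illustration of the same operation. Runs offline against
constructed sample files in a temporary directory.
"""
import os
import re
import tempfile

# A sysconfig line is "KEY=value", optionally prefixed with "export".
_VAR_RE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def replace_variables(path, replacevars):
    """Set each KEY in replacevars to its value in the file at path.

    Existing KEY=... lines are rewritten in place (the first occurrence is
    kept, later duplicates of a managed key are dropped); keys that are not
    present are appended.  Comments and unrelated lines are preserved.
    Returns {KEY: old_value} for keys that were already defined.  If the
    file does not exist it is created with mode 0644.
    """
    old_values = {}
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = f.read().splitlines()

    seen = set()
    out = []
    for line in lines:
        m = _VAR_RE.match(line)
        key = m.group(1) if m else None
        if key in replacevars:
            if key in seen:
                continue  # drop a duplicate definition of a managed key
            seen.add(key)
            old_values[key] = m.group(2)
            out.append('%s=%s' % (key, replacevars[key]))
        else:
            out.append(line)
    for key, value in replacevars.items():
        if key not in seen:
            out.append('%s=%s' % (key, value))

    # Write a temp file in the same directory and rename it over the target,
    # so a crash mid-write never leaves a truncated sysconfig file behind.
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix='.sysconfig.', dir=dirname)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write('\n'.join(out) + '\n')
        os.chmod(tmp, 0o644)
        if os.geteuid() == 0:  # assumption: only chown when we are root
            os.chown(tmp, 0, 0)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return old_values


def selfcheck():
    """Exercise replace_variables() on constructed sample files and return
    what happened, so the results can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: an existing file with a stale and a duplicate
        # KRB5CCNAME line.  48 is used here as a sample apache uid.
        existing = os.path.join(d, 'httpd')
        with open(existing, 'w') as f:
            f.write('# httpd sysconfig (constructed sample)\n'
                    'OPTIONS=\n'
                    'KRB5CCNAME=/tmp/krb5cc_old\n'
                    'KRB5CCNAME=/tmp/krb5cc_dup\n')
        old = replace_variables(existing, {'KRB5CCNAME': '/tmp/krb5cc_48'})
        with open(existing) as f:
            existing_text = f.read()

        # Missing file: must be created, 0644, with just the new variable.
        fresh = os.path.join(d, 'fresh')
        old_fresh = replace_variables(fresh, {'KRB5CCNAME': '/tmp/krb5cc_48'})
        with open(fresh) as f:
            fresh_text = f.read()
        fresh_mode = os.stat(fresh).st_mode & 0o777

    return {
        'old': old,
        'existing_text': existing_text,
        'old_fresh': old_fresh,
        'fresh_text': fresh_text,
        'fresh_mode': fresh_mode,
    }


if __name__ == '__main__':
    print(selfcheck())
```

The returned old values are what an installer would keep in its file store for a later restore; the atomic rename is the part that matters for a file httpd reads at startup, since a partially written /etc/sysconfig/httpd would be picked up as-is by the next restart.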
[Freeipa-devel] FreeIPA quit working - or, IPA oVirt
I'm running FreeIPA 3.2.0 Beta 1 in Fedora 19 Alpha, and I'm running oVirt 3.3.0 pre-Beta in Fedora 18.

In order to get oVirt's JGSS crap to work with FreeIPA, I had to change nsslapd-minssf to 1 (apparently a known issue right now in OpenJDK). But this setting seems to break ipa CLI, and when I change back to nsslapd-minssf: 0 it stays broken, and FreeIPA's XML-RPC service returns a 500 error. Apache error_log says:

[Tue May 07 17:06:04.698467 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:06:04.703070 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/ ds1.hackunix@hackunix.org in cache collection), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:19:55.358418 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:19:55.362419 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/ ds1.hackunix@hackunix.org in cache collection), referer: https://ds1.hackunix.org/ipa/xml

Since I got FreeIPA up and running, I've only been messing with the nsslapd-minssf value to get oVirt's Java code working against it. Not sure why FreeIPA is permabroke when it is basically stock, and I'm just flipping one minssf bit.

Thanks!
Derek
Re: [Freeipa-devel] FreeIPA quit working - or, IPA oVirt
On 05/07/2013 07:08 PM, Derek Moore wrote:
I'm running FreeIPA 3.2.0 Beta 1 in Fedora 19 Alpha, and I'm running oVirt 3.3.0 pre-Beta in Fedora 18.

In order to get oVirt's JGSS crap to work with FreeIPA, I had to change nsslapd-minssf to 1 (apparently a known issue right now in OpenJDK). But this setting seems to break ipa CLI, and when I change back to nsslapd-minssf: 0 it stays broken, and FreeIPA's XML-RPC service returns a 500 error. Apache error_log says:

[Tue May 07 17:06:04.698467 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:06:04.703070 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/ds1.hackunix@hackunix.org in cache collection), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:19:55.358418 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:19:55.362419 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/ds1.hackunix@hackunix.org in cache collection), referer: https://ds1.hackunix.org/ipa/xml

Since I got FreeIPA up and running, I've only been messing with the nsslapd-minssf value to get oVirt's Java code working against it. Not sure why FreeIPA is permabroke when it is basically stock, and I'm just flipping one minssf bit.

Did you restart all IPA services including KDC after you changed the minssf?

Thanks!
Derek

-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] FreeIPA quit working - or, IPA oVirt
Did you restart all IPA services including KDC after you changed the minssf?

Yes, tried many combinations of restarts and reboots trying to undo the breakage. I found a similar thread on here (sudden ipa errors) where someone spent a lot of time debugging when suddenly RH support came back with an odd fix to krb5kdc.conf that doesn't apply to me since I'm not using a subdomain for the realm. Let me start over documenting the ipa steps better, I had to patch a few things along the way to get it to work (like the .pki to .dogtag problem on install). I'll report back...
Re: [Freeipa-devel] FreeIPA quit working - or, IPA oVirt
First I'll undo the oVirt/FreeIPA relationship:

# engine-manage-domains -action=delete -domain=hackunix.org
...
Manage Domains completed successfully
# service ovirt-engine restart

oVirt works with internal domain and admin user. Now let's uninstall FreeIPA:

# pkidestroy -s CA -i pki-tomcat
Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ... this 'CA' entry may not be registered with security domain 'IPA'!
pkidestroy : ERROR... updateDomainXML FAILED to delete this 'CA' entry from security domain 'IPA': ''
Uninstallation complete.
# rm -rf /var/log/pki/pki-tomcat
# rm -rf /etc/sysconfig/pki-tomcat
# rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
# rm -rf /var/lib/pki/pki-tomcat
# rm -rf /etc/pki/pki-tomcat
# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
ipa : CRITICAL failed to uninstall CA instance Command '/usr/sbin/pkidestroy -i pki-tomcat -s CA' returned non-zero exit status 255
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
# ipa-server-install

I choose BIND integration, set my hostname, and now I get a new error:

Server host name [localhost.localdomain]: ds1.hackunix.org
[Errno 1] Unknown host

So now I'm thinking that besides mucking with minssf I also turned on DNS for my domain, but everything in DNS should match what I started out with in /etc/hosts... Let me read what the install script is expecting here... brb

On Tue, May 7, 2013 at 10:04 PM, Derek Moore derek.p.mo...@gmail.com wrote:
Did you restart all IPA services including KDC after you changed the minssf?

Yes, tried many combinations of restarts and reboots trying to undo the breakage. I found a similar thread on here (sudden ipa errors) where someone spent a lot of time debugging when suddenly RH support came back with an odd fix to krb5kdc.conf that doesn't apply to me since I'm not using a subdomain for the realm. Let me start over documenting the ipa steps better, I had to patch a few things along the way to get it to work (like the .pki to .dogtag problem on install). I'll report back...