Re: [Freeipa-users] Host certificate issue problem
When I check the host certificate I see a ca-error saying it cannot find a suitable key.

    # ipa-getcert list
    Number of certificates and requests being tracked: 1.
    Request ID '20130719035440':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local host service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

What is the version of ipa-server, is the above error on ipa client, if so what is the version of ipa-client?

Both client and server are version 3.0; the error is on the client.

There was a similar bug in earlier versions, I would suggest you update the ipa server and clients to ipa-3.0.

Yes, the bug in earlier versions is here: https://bugzilla.redhat.com/show_bug.cgi?id=747443
I have double-checked to see if the workaround applies after the bug fix; it does not.

When I check my keytab:

    # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example@example.com

No error.

If I list my keytab:

    # klist -kt /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- ------------------------------------------
       2 07/18/13 13:14:06 host/det-webdl01.sub.example@example.com
       2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
       2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
       2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
       1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
       1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
       1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
       1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com

My /etc/krb5.conf file looks like:

    [libdefaults]
      default_keytab_name = FILE:/etc/krb5.keytab
      default_realm = EXAMPLE.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      rdns = false
      ticket_lifetime = 24h
      forwardable = yes

    [realms]
      EXAMPLE.COM = {
        kdc = det-ldmpl01.sub.example.com:88
        master_kdc = det-ldmpl01.sub.example.com:88
        admin_server = det-ldmpl01.sub.example.com:749
        default_domain = example.com
        pkinit_anchors = FILE:/etc/ipa/ca.crt
      }

    [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
      .sub.example.com = EXAMPLE.COM
      sub.example.com = EXAMPLE.COM

It seems the error from ipa-getcert list shows:

    ca-error: Error setting up ccache for local host service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.

where it is truncating the hostname and not including the realm name after @ seems to be the problem, but I cannot figure out why. If I run `hostname` on this host it prints det-webdl01.sub.example.com.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Regards
M.R.Niranjan
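The comparison made by eye in the message above, as an added example (not from the thread and not certmonger code): it pulls the principal out of the ca-error line, parses the `klist -kt` listing, and reports how the requested principal differs from the keytab entries. The sample input is constructed from the values quoted above; the function names and finding labels are assumptions of this example.

```python
import re

# Constructed sample input: the ca-error line and a shortened keytab listing,
# laid out the way ipa-getcert and klist print them, using the values quoted above.
CA_ERROR = (
    "ca-error: Error setting up ccache for local host service using default "
    "keytab: Keytab contains no suitable keys for host/det-webdl01@."
)
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example@example.com
   2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
"""

# One keytab row: KVNO, date, time, principal.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s*$")


def principal_from_ca_error(line):
    """Return the principal named in a 'no suitable keys for ...' message, or None."""
    m = re.search(r"no suitable keys for (\S+)", line)
    if not m:
        return None
    principal = m.group(1)
    # The message ends with a full stop that is not part of the principal.
    return principal[:-1] if principal.endswith(".") else principal


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -kt` output, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm); absent parts are ''."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def diagnose(requested, entries):
    """Explain how the requested principal differs from what the keytab holds."""
    principals = sorted({p for _, p in entries})
    if requested in principals:
        return ["match"]
    service, host, realm = split_principal(requested)
    findings = []
    if not realm:
        findings.append("empty-realm")
    for p in principals:
        k_service, k_host, k_realm = split_principal(p)
        if k_service != service:
            continue
        if k_host.startswith(host + "."):
            # Keytab holds a longer host name that begins with the requested one.
            findings.append("short-hostname:" + k_host)
        elif k_host == host and realm and k_realm != realm:
            findings.append("realm-mismatch:" + k_realm)
    return findings or ["no-candidate"]


if __name__ == "__main__":
    wanted = principal_from_ca_error(CA_ERROR)
    print("requested:", wanted)
    for finding in diagnose(wanted, parse_klist(KLIST_OUTPUT)):
        print("finding:", finding)
```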
Re: [Freeipa-users] freeipa-client on Debian Wheezy
On 07/19/2013 02:59 AM, Alexandre Ellert wrote:

Hi, I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

= certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'

There is no such file even on RHEL 6. What is this file?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

= host_mod: KerbTransport instance has no attribute '_conn'

What does that mean?

This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

= Failed to upload host SSH public keys.

This is strange because SSH keys are correctly uploaded!

Here is the complete stack trace: ...

HTH,
Martin
Re: [Freeipa-users] freeipa-client on Debian Wheezy
On 19 Jul 2013, at 10:20, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 02:59 AM, Alexandre Ellert wrote:

Hi, I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

= certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'

There is no such file even on RHEL 6. What is this file?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. Thanks for the information.

= host_mod: KerbTransport instance has no attribute '_conn'

What does that mean?

This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:

    2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
    2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.

Is there any way to get more debug log? In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.

= Failed to upload host SSH public keys.

This is strange because SSH keys are correctly uploaded!

Here is the complete stack trace: ...

HTH,
Martin
Re: [Freeipa-users] freeipa-client on Debian Wheezy
On 07/19/2013 03:28 PM, Alexandre Ellert wrote:

On 19 Jul 2013, at 10:20, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 02:59 AM, Alexandre Ellert wrote:

Hi, I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

= certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'

There is no such file even on RHEL 6. What is this file?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. Thanks for the information.

= host_mod: KerbTransport instance has no attribute '_conn'

What does that mean?

This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:

    2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
    2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.

Is there any way to get more debug log? In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.

Are you sure the SSH keys aren't there from previous installation attempt or similar? The _conn generally means there was some problem with the connection to server in the xmlrpclib python library.

We need to find out what and why triggers it, a change in ipa-client-install script like below may shed more light on what is the source of the error:

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 280edd7..f82b9f6 100755
--- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): pass except StandardError, e: root_logger.info(host_mod: %s, str(e)) +import traceback +traceback.print_exc() root_logger.warning(Failed to upload host SSH public keys.) return Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
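Review bot: in the `except StandardError, e:` handler of update_ssh_keys, the added `traceback.print_exc()` writes to stderr only, so the stack never reaches ipaclient-install.log, which is where the `host_mod: %s` line from `root_logger.info` ends up and where the thread was looking for detail. Sending it through the logger instead, for example `root_logger.debug(traceback.format_exc())`, would keep the stack next to the message it explains. The `import traceback` inside the handler is acceptable for a throwaway debugging change but belongs at the top of the file if this is kept, and both added lines need the handler's indentation, which this copy of the hunk does not show.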
Re: [Freeipa-users] freeipa-client on Debian Wheezy
On 19 Jul 2013, at 16:24, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 03:28 PM, Alexandre Ellert wrote:

On 19 Jul 2013, at 10:20, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 02:59 AM, Alexandre Ellert wrote:

Hi, I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

= certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'

There is no such file even on RHEL 6. What is this file?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. Thanks for the information.

= host_mod: KerbTransport instance has no attribute '_conn'

What does that mean?

This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:

    2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
    2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.

Is there any way to get more debug log? In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.

Are you sure the SSH keys aren't there from previous installation attempt or similar? The _conn generally means there was some problem with the connection to server in the xmlrpclib python library.

I can confirm that SSH key upload is successful. I've done tests with a fresh install of Debian. To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.
We need to find out what and why triggers it, a change in ipa-client-install script like below may shed more light on what is the source of the error: diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 280edd7..f82b9f6 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): pass except StandardError, e: root_logger.info(host_mod: %s, str(e)) +import traceback +traceback.print_exc() root_logger.warning(Failed to upload host SSH public keys.) return Martin Thanks Alexandre ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] F18 - F19 upgrade
Ian,

Sorry for the late response. Just saw this email.

I'm surprised that you were able to update your machine to F19. We explicitly put in spec file logic to do a pre-trans check to see if you had dogtag 9 system instances before updating to f19. This was to prevent people from getting into a situation where their installation was broken.

The issue is that dogtag 9 instances use tomcat 6, and tomcat 6 is no longer in fedora 19. Dogtag 10 instances, on the other hand, use tomcat 7. The two instance types are therefore incompatible.

The suggestion therefore would have been to create a replica of the ipa master prior to doing the upgrade to F19. In fact, you could have just installed a brand new f19 machine and then created a replica (and then shut down the old machine).

Seeing as you have somehow upgraded your machine to F19, we need to try and get your system back up. For that, you need to follow the instructions in Workaround, i.e. installing tomcat6 and downgrading tomcatjss to the version in f18. That will hopefully get your CA up and running. At that point, it is highly recommended that you use ipa utilities to create a replica and use that instead.

Ade

On Mon, 2013-07-15 at 17:47 +0200, Martin Kosek wrote:

On 07/13/2013 05:28 AM, Ian Chapman wrote:

Hi, I've just recently upgraded my F18 server to F19 and IPA is failing to start:

    Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Aborting ipactl
    Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting Directory Service
    Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting krb5kdc Service
    Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting kadmin Service
    Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting ipa_memcached Service
    Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting httpd Service
    Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting pki-cad Service
    Jul 13 10:52:30 rex.homenet.lan systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
    Jul 13 10:52:30 rex.homenet.lan systemd[1]: Failed to start Identity, Policy, Audit.
    Jul 13 10:52:30 rex.homenet.lan systemd[1]: Unit ipa.service entered failed state.

It seems that the pki-cad service fails to start. Is that in relation to dogtag upgrade of 9 to 10 or possibly another problem? There is of course this page:

http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10

but frankly I don't really understand it. Well I get that the idea is to create a new pki cloned instance which would be dogtag 10 compatible and then delete the old one - I really don't know what I'm supposed to put in the configuration file. Has anybody else done this? Are there some more examples? Thanks.

The status of pki-cad is:

    systemctl status pki-cad@pki-ca.service
    pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
       Loaded: loaded (/usr/lib/systemd/system/pki-cad@.service; enabled)
       Active: failed (Result: exit-code) since Sat 2013-07-13 10:54:23 WST; 30min ago
      Process: 98170 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=1/FAILURE)

    Jul 13 10:54:23 rex.homenet.lan systemd[1]: Starting PKI Certificate Authority Server pki-ca...
    Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: WARNING: Symbolic link '/var/lib/pki-ca/pki-ca' does NOT exist!
    Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: INFO: Attempting to create '/var/lib/pki-ca/pki-ca' - '/usr/sbin/tomcat6-sysd' . . .
    Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: ERROR: Failed making '/var/lib/pki-ca/pki-ca' - '/usr/sbin/tomcat6-sysd' since target '/usr/sb...T exist!
    Jul 13 10:54:23 rex.homenet.lan systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
    Jul 13 10:54:23 rex.homenet.lan systemd[1]: Failed to start PKI Certificate Authority Server pki-ca.
    Jul 13 10:54:23 rex.homenet.lan systemd[1]: Unit pki-cad@pki-ca.service entered failed state.

Adding PKI/Dogtag developers to CC to advise.

Martin
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Thanks, this should help. Maybe the IPA just tries to close the connection twice _after_ keys were uploaded to the server.

Anyway, what version of IPA software is the Debian package based on? I cannot find line self._conn.close() in ipalib/rpc.py in any of our active branches.

Martin

On 07/19/2013 05:03 PM, Alexandre Ellert wrote:

Here is the traceback:

    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
    host_mod: KerbTransport instance has no attribute '_conn'
    Traceback (most recent call last):
      File /usr/sbin/ipa-client-install, line 1234, in update_ssh_keys
        updatedns=False
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 435, in __call__
        ret = self.run(*args, **options)
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 748, in run
        return self.forward(*args, **options)
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 769, in forward
        return self.Backend.xmlclient.forward(self.name, *args, **kw)
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 748, in forward
        response = command(*xml_wrap(params))
      File /usr/lib/python2.7/xmlrpclib.py, line 1224, in __call__
        return self.__send(self.__name, args)
      File /usr/lib/python2.7/xmlrpclib.py, line 1578, in __request
        verbose=self.__verbose
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 490, in request
        self.close()
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 457, in close
        self._conn.close()
    AttributeError: KerbTransport instance has no attribute '_conn'
    Failed to upload host SSH public keys.

Keys are correctly uploaded on the new VM.

On 19 Jul 2013, at 16:30, Alexandre Ellert aell...@numeezy.com wrote:

On 19 Jul 2013, at 16:24, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 03:28 PM, Alexandre Ellert wrote:

On 19 Jul 2013, at 10:20, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 02:59 AM, Alexandre Ellert wrote:

Hi, I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

= certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'

There is no such file even on RHEL 6. What is this file?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. Thanks for the information.

= host_mod: KerbTransport instance has no attribute '_conn'

What does that mean?

This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:

    2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
    2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.

Is there any way to get more debug log? In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.

Are you sure the SSH keys aren't there from previous installation attempt or similar? The _conn generally means there was some problem with the connection to server in the xmlrpclib python library.

I can confirm that SSH key upload is successful. I've done tests with a fresh install of Debian. To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.

We need to find out what and why triggers it, a change in ipa-client-install script like below may shed more light on what is the source of the error:
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 280edd7..f82b9f6 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): pass except StandardError, e: root_logger.info(host_mod: %s, str(e)) +import traceback +traceback.print_exc() root_logger.warning(Failed to upload host SSH public keys.) return Martin Thanks Alexandre ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Here is the traceback:

    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
    host_mod: KerbTransport instance has no attribute '_conn'
    Traceback (most recent call last):
      File /usr/sbin/ipa-client-install, line 1234, in update_ssh_keys
        updatedns=False
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 435, in __call__
        ret = self.run(*args, **options)
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 748, in run
        return self.forward(*args, **options)
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 769, in forward
        return self.Backend.xmlclient.forward(self.name, *args, **kw)
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 748, in forward
        response = command(*xml_wrap(params))
      File /usr/lib/python2.7/xmlrpclib.py, line 1224, in __call__
        return self.__send(self.__name, args)
      File /usr/lib/python2.7/xmlrpclib.py, line 1578, in __request
        verbose=self.__verbose
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 490, in request
        self.close()
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 457, in close
        self._conn.close()
    AttributeError: KerbTransport instance has no attribute '_conn'
    Failed to upload host SSH public keys.

Keys are correctly uploaded on the new VM.

On 19 Jul 2013, at 16:30, Alexandre Ellert aell...@numeezy.com wrote:

On 19 Jul 2013, at 16:24, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 03:28 PM, Alexandre Ellert wrote:

On 19 Jul 2013, at 10:20, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 02:59 AM, Alexandre Ellert wrote:

Hi, I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

= certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'

There is no such file even on RHEL 6. What is this file?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. Thanks for the information.

= host_mod: KerbTransport instance has no attribute '_conn'

What does that mean?

This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:

    2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
    2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.

Is there any way to get more debug log? In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.

Are you sure the SSH keys aren't there from previous installation attempt or similar? The _conn generally means there was some problem with the connection to server in the xmlrpclib python library.

I can confirm that SSH key upload is successful. I've done tests with a fresh install of Debian. To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.

We need to find out what and why triggers it, a change in ipa-client-install script like below may shed more light on what is the source of the error:

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 280edd7..f82b9f6 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): pass except StandardError, e: root_logger.info(host_mod: %s, str(e)) +import traceback +traceback.print_exc() root_logger.warning(Failed to upload host SSH public keys.) return Martin Thanks Alexandre ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
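The traceback in this message ends in `close()`, called from `request()`, while the keys are reported as present on the server. An added example (not ipalib code; every class and function name is a hypothetical stand-in, and the host name and key are constructed) that reproduces that ordering, where a cleanup error after a state-changing call is reported as a failed upload, next to a `close()` that tolerates a connection that was never stored:

```python
class FakeConnection:
    """Constructed stand-in for an HTTP connection; counts close() calls."""
    def __init__(self):
        self.close_calls = 0

    def close(self):
        self.close_calls += 1


class FakeServer:
    """Constructed stand-in for the server side of host_mod; stores uploaded keys."""
    def __init__(self):
        self.ssh_keys = {}

    def host_mod(self, hostname, keys):
        self.ssh_keys[hostname] = list(keys)
        return {"value": hostname}


class UnguardedTransport:
    """close() reads self._conn, which this class never assigns."""
    def __init__(self, server):
        self.server = server

    def request(self, method, *args):
        conn = FakeConnection()                          # held only in a local variable
        response = getattr(self.server, method)(*args)   # server state changes here
        self.close()                                     # AttributeError: response is lost
        return response

    def close(self):
        self._conn.close()


class GuardedTransport(UnguardedTransport):
    """_conn always exists, and close() is safe to call any number of times."""
    def __init__(self, server):
        super().__init__(server)
        self._conn = None
        self.last_conn = None    # kept only so a caller can inspect the connection

    def request(self, method, *args):
        self._conn = self.last_conn = FakeConnection()
        try:
            return getattr(self.server, method)(*args)
        finally:
            self.close()

    def close(self):
        conn, self._conn = self._conn, None
        if conn is not None:
            conn.close()


def update_ssh_keys(transport, hostname, keys):
    """Same shape as the handler in the patch: any exception becomes the warning."""
    try:
        transport.request("host_mod", hostname, keys)
    except Exception as e:
        return "Failed to upload host SSH public keys. (%s)" % e
    return "uploaded"


def run_demo():
    """Return {transport name: (client-side status, keys present on server)}."""
    results = {}
    for cls in (UnguardedTransport, GuardedTransport):
        server = FakeServer()
        status = update_ssh_keys(cls(server), "client.example.test",
                                 ["ssh-rsa AAAA...constructed"])
        results[cls.__name__] = (status, "client.example.test" in server.ssh_keys)
    return results


if __name__ == "__main__":
    for name, (status, stored) in run_demo().items():
        print(name, "->", status, "| keys on server:", stored)
```

With the unguarded transport the client-side status is the warning even though the server holds the keys, so the server record is the thing to check before trusting the message.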
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Sorry, mistake from me. I removed all patches from RHEL and just kept 0053-Cookie-Expires-date-should-be-locale-insensitive.patch. Everything seems fine now. I'm going to test. Thanks for your help.

On 19 Jul 2013, at 17:53, Alexandre Ellert aell...@numeezy.com wrote:

It's based on 3.0.2 with 1011-xmlrpc_response.patch (found in ipa-3.0.0-26.el6_4.4.src.rpm) and self._conn.close() is added by this patch. I included it because it corrects this problem:

    unable to parse cookie header 'ipa_session=83701130bf434d20cf8c5a3fe2a0ac56; Domain=inf-ipa.numeezy.fr; Path=/ipa; Expires=Fri, 19 Jul 2013 16:08:31 GMT; Secure; HttpOnly': unable to parse expires datetime 'Fri, 19 Jul 2013 16:08:31'

On 19 Jul 2013, at 17:08, Martin Kosek mko...@redhat.com wrote:

Thanks, this should help. Maybe the IPA just tries to close the connection twice _after_ keys were uploaded to the server.

Anyway, what version of IPA software is the Debian package based on? I cannot find line self._conn.close() in ipalib/rpc.py in any of our active branches.

Martin

On 07/19/2013 05:03 PM, Alexandre Ellert wrote:

Here is the traceback:

    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
    host_mod: KerbTransport instance has no attribute '_conn'
    Traceback (most recent call last):
      File /usr/sbin/ipa-client-install, line 1234, in update_ssh_keys
        updatedns=False
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 435, in __call__
        ret = self.run(*args, **options)
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 748, in run
        return self.forward(*args, **options)
      File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 769, in forward
        return self.Backend.xmlclient.forward(self.name, *args, **kw)
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 748, in forward
        response = command(*xml_wrap(params))
      File /usr/lib/python2.7/xmlrpclib.py, line 1224, in __call__
        return self.__send(self.__name, args)
      File /usr/lib/python2.7/xmlrpclib.py, line 1578, in __request
        verbose=self.__verbose
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 490, in request
        self.close()
      File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 457, in close
        self._conn.close()
    AttributeError: KerbTransport instance has no attribute '_conn'
    Failed to upload host SSH public keys.

Keys are correctly uploaded on the new VM.

On 19 Jul 2013, at 16:30, Alexandre Ellert aell...@numeezy.com wrote:

On 19 Jul 2013, at 16:24, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 03:28 PM, Alexandre Ellert wrote:

On 19 Jul 2013, at 10:20, Martin Kosek mko...@redhat.com wrote:

On 07/19/2013 02:59 AM, Alexandre Ellert wrote:

Hi, I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

= certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'

There is no such file even on RHEL 6. What is this file?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. Thanks for the information.

= host_mod: KerbTransport instance has no attribute '_conn'

What does that mean?

This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:

    2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
    2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.

Is there any way to get more debug log? In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.

Are you sure the SSH keys aren't there from previous installation attempt or similar? The _conn generally means there was some problem with the connection to server in the xmlrpclib python library.

I can confirm that SSH key upload is successful. I've done tests with a fresh install of Debian. To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.

We need to find out what and why triggers it, a change in ipa-client-install script like below may shed more light on what is the source of the error:
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 280edd7..f82b9f6