Re: [Freeipa-users] freeipa-server from copr repo
Hi Martin,

I was able to install from the copr repo now as well. Thank you!

However I wasn't able to finish the install:

[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The location /etc/pki/pki-tomcat/alias could not be accessed due to insufficient permissions.

Don't know if you need the command for how I was installing ipa. But here is the line from my ansible playbook.

shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns --forwarder={{ dnsforwarder }} -U creates={{ slapd }}

On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:

> On 11/19/2014 11:57 AM, Tamas Papp wrote:
> > I am good in waiting;) Thanks for the prompt reply.
>
> Ok Tamas, I think we *finally* got somewhere. Can you please try the mkosek/freeipa Copr repo now? I was able to install upstream freeipa-server 4.1.1 package on my RHEL-7.0 machine (should be the same for CentOS) and run ipa-server-install:
>
> # yum install freeipa-server --enablerepo=mkosek-freeipa
> ...
> Resolving Dependencies
> -- Running transaction check
> --- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
> ...
> Transaction Summary
> Install 1 Package (+338 Dependent packages)
> Upgrade ( 11 Dependent packages)
> Total download size: 146 M
> ...
> # rpm -q freeipa-server
> freeipa-server-4.1.1-1.2.el7.centos.x86_64
> # ipa-server-install --setup-dns
> # kinit admin
> Password for ad...@example.com:
>
> Thanks,
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
Hi Martin,

Yes, setting selinux to permissive allowed me to install and configure IPA 4.1 on CentOS 7. :-)

On Wed, Nov 19, 2014 at 11:41 AM, Martin Kosek mko...@redhat.com wrote:

> It is highly probable the issue is caused by SELinux (check for AVCs in /var/log/audit/audit.log). Can you try with SELinux permissive? We specifically did not build selinux-policy as we do not think we should be the ones maintaining it for CentOS.
>
> HTH,
> Martin
>
> - Original Message -
> From: Bill Peck b...@pecknet.com
> To: Martin Kosek mko...@redhat.com
> Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
> Sent: Wednesday, November 19, 2014 5:34:10 PM
> Subject: Re: [Freeipa-users] freeipa-server from copr repo
>
> Hi Martin,
>
> I was able to install from the copr repo now as well. Thank you!
>
> However I wasn't able to finish the install:
>
> [23/27]: configure certmonger for renewals
> [24/27]: configure certificate renewals
> [error] DBusException: org.fedorahosted.certmonger.bad_arg: The location /etc/pki/pki-tomcat/alias could not be accessed due to insufficient permissions.
>
> Don't know if you need the command for how I was installing ipa. But here is the line from my ansible playbook.
>
> shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns --forwarder={{ dnsforwarder }} -U creates={{ slapd }}
>
> On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:
>
> > On 11/19/2014 11:57 AM, Tamas Papp wrote:
> > > I am good in waiting;) Thanks for the prompt reply.
> >
> > Ok Tamas, I think we *finally* got somewhere. Can you please try the mkosek/freeipa Copr repo now? I was able to install upstream freeipa-server 4.1.1 package on my RHEL-7.0 machine (should be the same for CentOS) and run ipa-server-install:
> >
> > # yum install freeipa-server --enablerepo=mkosek-freeipa
> > ...
> > Resolving Dependencies
> > -- Running transaction check
> > --- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
> > ...
> > Transaction Summary
> > Install 1 Package (+338 Dependent packages)
> > Upgrade ( 11 Dependent packages)
> > Total download size: 146 M
> > ...
> > # rpm -q freeipa-server
> > freeipa-server-4.1.1-1.2.el7.centos.x86_64
> > # ipa-server-install --setup-dns
> > # kinit admin
> > Password for ad...@example.com:
> >
> > Thanks,
> > Martin
Re: [Freeipa-users] missing package in 4.1.1 repo
I'm still not able to install freeipa-server-4.1.1 on centos7..

Error: Package: pki-base-10.2.0-3.el7.centos.noarch (mkosek-freeipa)
       Requires: jackson-jaxrs-json-provider

Any ideas? Thanks for providing this.

On Thu, Nov 6, 2014 at 11:56 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> On Thu, 06 Nov 2014, Alexander Bokovoy wrote:
> > On Thu, 06 Nov 2014, Rob Verduijn wrote:
> > > Hi,
> > >
> > > There is a dependency error in the updated repo. I did a yum clean all then a yum update. I got this error:
> > >
> > > Error: Package: freeipa-server-4.1.1-1.fc20.x86_64 (mkosek-freeipa)
> > >        Requires: slapi-nis = 0.54.1-1
> > >        Removing: slapi-nis-0.52-1.fc20.x86_64 (@private.updates)
> > >            slapi-nis = 0.52-1.fc20
> > >        Updated By: slapi-nis-0.54-1.fc20.x86_64 (mkosek-freeipa)
> > >            slapi-nis = 0.54-1.fc20
> > >        Available: slapi-nis-0.50-1.fc20.x86_64 (fedora)
> > >            slapi-nis = 0.50-1.fc20
> > >
> > > yum list --show-duplicates slapi-nis
> > > Installed Packages
> > > slapi-nis.x86_64 0.54-1.fc20 @mkosek-freeipa
> > > Available Packages
> > > slapi-nis.x86_64 0.50-1.fc20 private.base
> > > slapi-nis.x86_64 0.52-1.fc20 private.updates
> > > slapi-nis.x86_64 0.54-1.fc20 mkosek-freeipa
> > >
> > > there is no 0.54.1-1.fc20 version of slapi-nis
> >
> > It is being rebuilt as we speak.
> > https://copr.fedoraproject.org/coprs/mkosek/freeipa/build/57344/
>
> Done and should be available.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Difference between Masters and Replicas?
On Wed, Jul 16, 2014 at 9:03 AM, Petr Viktorin pvikt...@redhat.com wrote:

> On 07/16/2014 02:34 PM, Choudhury, Suhail wrote:
> > Hi,
> >
> > I'd like some clarification on what a master and replica is please.
>
> Once installed, all masters are identical (except some might have a CA and some not). The distinction is useful when installing a replica, where master and replica generally mean existing master and new master, respectively.
>
> > This doc suggests you start with 1 master and a replica can be promoted to a master by changing /var/lib/pki-ca/conf/CS.cfg:
> > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
>
> That doc is ancient (Fedora 15), don't use it.
>
> > However IPA is supposed to be multi-master replication, and replication agreements appear to be two ways when checking ipa-replica-manage list hostname on a given IPA server.
> >
> > So when creating a replica using:
> >
> > ipa-replica-install --setup-ca --setup-dns --forwarder=172.20.220.25 --forwarder=172.20.220.27 /root/replica-info-ipa01.domain.com.gpg
> >
> > am I creating another master replica?
>
> Yes, you're creating a new master; since you gave --setup-ca the two masters will be equivalent.

So you no longer need to do anything to promote a replica to be a CA master? Another way to ask the question, can I remove the original master and everything will still work?

> --
> Petr³
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
Let me guess, ipa logs you out so you can go have a beer?

On Mon, Apr 28, 2014 at 2:10 PM, Simo Sorce s...@redhat.com wrote:

> On Mon, 2014-04-28 at 14:05 -0400, Bret Wortman wrote:
> On 04/28/2014 01:53 PM, Simo Sorce wrote:
> On 04/28/2014 01:32 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
> On 04/28/2014 01:19 PM, Bret Wortman wrote:
>
> I just got a new ipa server instantiated and haven't actually installed any users or hosts on it yet. No replicas. No migrated data. Yet when I run any ipa commands from the command line, it behaves exactly as our older, troubled servers do and exits the login session immediately, whether I'm connected at the console or via ssh.
>
> Further, when I run strace to try to capture what might be going on, the behavior stops. Script also prevents commands from exiting, but this is really disconcerting.
>
> I was chalking this up to the fact that our database had become corrupted by our replication problems, but now I'm thinking it might be environmental, though our original IPA servers are running F18 and this new instance is F20. I need some stability here, and CLI is part of that.
>
> What might be causing the CLI to not work at all when coupled to a TTY device, as that seems to be the critical piece? Could this be related to the servers being VMs?
>
> BTW, we have this running on F20 on a different network and it works just fine. The network on which the failures are occurring isn't internet-connected; is there something that's trying to connect back to redhat?
>
> no.
>
> What shell do you use ?
>
> On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
>
> bash.
>
> Does it make any difference if you redirect stdin before calling the command ?
>
> Simo.
>
> No, I found the problem. A power user had written a bash function that redefined ipa and dropped it into /etc/profile.d. We're about to have a little chat.
>
> lol! glad you found it :)
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
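
Added example, not part of the original thread: the cause found above was a shell function in /etc/profile.d that redefined ipa, so this scan lists function and alias definitions in profile.d-style files whose names also resolve to a command on PATH. The file contents and the set of commands on PATH are constructed for the demo; the thread does not show the actual function.

```python
import re
import shutil
import tempfile
from pathlib import Path

NAME = r"([A-Za-z_][\w.-]*)"
# "function name {", "name() {" and "alias name=..." at the start of a line.
DEFINITIONS = (
    ("function", re.compile(r"^\s*function\s+" + NAME)),
    ("function", re.compile(r"^\s*" + NAME + r"\s*\(\s*\)")),
    ("alias", re.compile(r"^\s*alias\s+" + NAME + "=")),
)

def find_shadowing(profile_dir, resolve=shutil.which):
    """Return (file, line number, kind, name) for every function or alias in
    profile_dir/*.sh whose name `resolve` also finds as a command on PATH."""
    hits = []
    for path in sorted(Path(profile_dir).glob("*.sh")):
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # skip comment lines
            for kind, pattern in DEFINITIONS:
                m = pattern.match(line)
                if m and resolve(m.group(1)):
                    hits.append((path.name, lineno, kind, m.group(1)))
                    break
    return hits

# Constructed files; the thread does not show the function that was found.
SAMPLE_FILES = {
    "custom.sh": 'ipa() {\n  echo "disabled"\n  exit 1\n}\nalias ls="ls --color"\n',
    "lang.sh": "# ipa() { old }\nexport LANG=en_US.UTF-8\nfunction helper_only { :; }\n",
}

def demo():
    """Write the sample files to a temp dir and scan them with a fixed PATH stand-in."""
    on_path = {"ipa", "ls"}  # assumption: commands that exist on the host
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_FILES.items():
            Path(d, name).write_text(body)
        return find_shadowing(d, resolve=lambda n: n if n in on_path else None)

if __name__ == "__main__":
    for hit in demo():
        print("%s:%d: %s '%s' shadows a command on PATH" % hit)
```

On a live host, call find_shadowing("/etc/profile.d") with the default resolver; for a single name, `type -a ipa` in bash lists a function or alias ahead of the binary.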
Re: [Freeipa-users] service not starting after reboot
Could be this bug? https://bugzilla.redhat.com/show_bug.cgi?id=996716

On Fri, Oct 4, 2013 at 11:25 AM, Martin Kosek mko...@redhat.com wrote:

> On 10/04/2013 05:21 PM, Tamas Papp wrote:
> > hi All,
> >
> > I installed freeipa on F19 by yum and ipa-server-install. It works fine until I reboot the machine, then it's not starting anymore:
> >
> > # ipactl start
> > Existing service file detected!
> > Assuming stale, cleaning and proceeding
> > Starting Directory Service
> > Failed to data from service file: Failed to get list of services to probe status: Directory Server is stopped
> > Shutting down
> >
> > I'm not really familiar with systemd. Is there something I missed?
> >
> > # systemctl status dirsrv.target
> > dirsrv.target - 389 Directory Server
> >    Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; enabled)
> >    Active: inactive (dead) since Fri 2013-10-04 19:14:45 CEST; 2min 23s ago
> >
> > Oct 04 19:14:45 ipa12.bpo.cxn systemd[1]: Starting 389 Directory Server.
> > Oct 04 19:14:45 ipa12.bpo.cxn systemd[1]: Reached target 389 Directory Server.
> > Oct 04 19:14:45 ipa12.bpo.cxn systemd[1]: Stopping 389 Directory Server.
> > Oct 04 19:14:45 ipa12.bpo.cxn systemd[1]: Stopped target 389 Directory Server.
> >
> > Thank you,
> > tamas
>
> It seems that dirsrv fails to start or ipactl is unable to read from it. Can you please:
>
> 1) Check /var/log/dirsrv/slapd-MARTINOVO-TEST/errors for start errors?
> 2) Check if there were not AVCs logged by FreeIPA installation or start?
>
> # ausearch -m avc -ts today
>
> That should help us start investigating your issue.
>
> Martin
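
Added example, not part of the original threads: both this thread (ausearch -m avc) and the copr install thread above (AVCs in /var/log/audit/audit.log) ask for a check of SELinux denials, so this parser groups AVC records by process, source type, target type, class and permissions to show which rule is blocking a service before switching the whole host to permissive. The log lines are constructed; their SELinux types and file names are illustrative and are not the denials the posters actually hit.

```python
import re
from collections import Counter

# Constructed audit.log lines (assumption: illustrative types and names).
SAMPLE_LOG = """\
type=AVC msg=audit(1416415000.123:456): avc:  denied  { search } for  pid=1234 comm="certmonger" name="alias" dev="dm-0" ino=12345 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1416415000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="certmonger" exe="/usr/sbin/certmonger"
type=AVC msg=audit(1416415001.200:457): avc:  denied  { search } for  pid=1234 comm="certmonger" name="alias" dev="dm-0" ino=12345 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1416415002.300:458): avc:  denied  { read write } for  pid=2001 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=777 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=USER_AUTH msg=audit(1416415003.000:459): pid=3000 uid=0 msg='op=PAM:authentication acct="admin" res=success'
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text):
    """Count AVC denials keyed by (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, USER_AUTH and other record types are ignored
        key = (m["comm"], selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]), m["tclass"],
               tuple(sorted(m["perms"].split())))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (comm, src, tgt, cls, perms), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {comm}: {src} -> {tgt} [{cls}] {{ {' '.join(perms)} }}")
```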