[Freeipa-users] ipa-server-install fails
How do I add the updates-devel repo to fedora? I'm having issues with fedora 14 and ipa 2.0 beta 1 installing. I added the bleeding edge repo for ipa and updates-testing for fedora but I still get errors during the ca authority portion of the install.

Corey

On Jan 18, 2011, at 11:00 AM, freeipa-users-requ...@redhat.com wrote:

Today's Topics:

1. Re: Unable to change Admin password (Simo Sorce)
2. Re: certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0 (Simo Sorce)
3. Re: ipa-server-install fails (Geerten Schram)

--

Message: 1
Date: Mon, 17 Jan 2011 14:10:37 -0500
From: Simo Sorce sso...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to change Admin password
Message-ID: 20110117141037.2d899...@willson.li.ssimo.org
Content-Type: text/plain; charset=US-ASCII

On Wed, 12 Jan 2011 20:02:14 + ide4...@gmail.com wrote:

Yes ipa_kpasswd is running.
Sent on the TELUS Mobility network with BlackBerry

Can you check it was able to bind to udp ports ? I just noticed it wasn't able to in my fedora 14, and posted a patch.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

--

Message: 2
Date: Mon, 17 Jan 2011 14:13:14 -0500
From: Simo Sorce sso...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0
Message-ID: 20110117141314.2a80a...@willson.li.ssimo.org
Content-Type: text/plain; charset=US-ASCII

On Wed, 12 Jan 2011 12:03:59 -0600 d...@killbrad.com wrote:

Ok, so the ipa-server-certinstall script seems to be where things did not work as I perhaps expected them to. I manually put the certificates in the dirsrv cert db, and the web interface cert db.

The ipa-replica-manage uses replication.py, which is declaring

CACERT=/usr/share/ipa/html/ca.crt

It looks like this is where the error is being caused. The certification there is still the original IPA Test Certificate Authority. If I point it to the DigiCertCA.crt (which should work), OR the AD-ca.crt file, I get the same error as originally mentioned when running 'ipa-replica-manage list'.

If I comment out the CACERT variable it does as expected:

unexpected error: global name 'CACERT' is not defined

So, can someone give me some advice about where else it may be reading the certificate from, or how I can do things the proper way for IPA?

/etc/ipa/ca.crt is another place where the cert can be found. but for winsync you can pass the cacert on the command line, have you tried that ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--

Message: 3
Date: Tue, 18 Jan 2011 00:47:33 +0100
From: Geerten Schram geer...@schram.name
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-server-install fails
Message-ID: 201101180047.34231.geer...@schram.name
Content-Type: Text/Plain; charset=iso-8859-1

On Thursday 13 January 2011 04:17:11 Dmitri Pal wrote:

Dmitri Pal wrote:

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it.
When I run the pkisilent command by hand I get

###
Unrecognized argument: Manager
Use -help for help information
###

The only Manager comes from the built-in bind_dn, so I guess that's not the problem. Does someone have a clue?

Regards,

This is the same issue I was hitting when I was testing beta and the workaround with the links to java jars described in the release notes fixed this issue. The latest devel repository has this fixed. You might try installing from there.

http://jdennis.fedorapeople.org/ipa-devel/

Make sure you also have updates testing enabled since some other packages we depend on have been fixed in the recent weeks.

Just started package install will take a while since many packages changed in last couple weeks. Will let you know if I see any issues with the today's build.

Yes it installed fine with all defaults. I will play with it more later today.

Indeed it does. Works very nicely with the ipa-devel +
Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems
Thanks so much you've been a big help. I'll give it a whack tomorrow morning. Thanks again.

Corey

On Aug 17, 2010, at 3:06 PM, Rob Crittenden rcrit...@redhat.com wrote:

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:

ok I did the updates, and edited the python files. Now when I try to run the replica install I get:

[r...@earth bcrl]# ipa-replica-install /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns --no-forwarder
Directory Manager (existing master) password:
root: ERRORCannot find Reverse Address for earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)

I had this when installing the ipa-server and there was a --no-dns-lookup option but not with the replica. Before the testing updates, I did get a warning about the server not working for DNS lookup but still went ahead with install. I'm looking to set these two up and make them the DNS servers and currently have a simple dns setup that will get replaced by this setup. How do I get around the reverse address lookup on the replica install side? Thanks again for all the help.

You'll need to modify /usr/sbin/ipa-replica-install. Look for the function get_host_name(). You'll want to comment out the 5 lines starting with try:. The comment character in python is the hash #.

This will cause it to skip the call to verify_fqdn() and your install should proceed.

I've opened a ticket to add this functionality to ipa-replica-install: https://fedorahosted.org/freeipa/ticket/146

rob

Corey-
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Monday, August 16, 2010 2:49 PM
To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:

I'm using fedora 13 amd-64 version. I added the developers repo from freeIPA.com for V2.0 and then did a yum install ipa-server so which ever version it installed. I'm looking at dogtag and one of the packages says 1.3.1-2.fc13 and the other 2 packages for dogtag say 1.3.2-2.fc13 for the pki dogtag package it says 1.3.7-1.fc13 all the packages read 1.3.something the pki-silent-1.3.3-1.fc13 package if that helps. I also attached the two files you asked to check. I attached the ipa-serv_deplist that I created from running yum deplist ipa-server and it has all the packages and version numbers. Sorry for the choppy e-mail I'm writing and looking up the stuff in pieces.

Can you update the pki-* and dogtag-* packages from the updates-testing repo? There are a number of important fixes there.

It is also going to break your replica install because a new required option has been added to pkisilent. You'll need to modify /usr/lib/python*/site-packages/ipaserver/install/cainstance.py

Search for pkisilent. We create a python list of the command to execute. You want to patch it like this (the numbers might not exactly line up):

@@ -535,6 +524,7 @@ class CAInstance(service.Service): -db_name, ipaca, -key_size, 2048, -key_type, rsa, +-key_algorithm, SHA256withRSA, -save_p12, true, -backup_pwd, self.admin_password, -subsystem_name, self.service_name,

You *might* be able to get away with just updating dogtag on the replica, I'm not sure.

rob
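
Review bot: the added -key_algorithm, SHA256withRSA pair is a hard-coded literal placed beside -key_size, 2048 and -key_type, rsa, so the signing algorithm and the key type can drift apart if either is changed later. Consider deriving the algorithm string from the key type in one place. Since the message says this is a newly required pkisilent option, the change should also ship with a dependency on the updated pki packages so that an older pkisilent is never handed an argument it does not recognize.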
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Monday, August 16, 2010 12:35 PM
To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:

Hi,

I'm a student admin for St. Cloud State University's Business Computing Research Lab, and we run our own separate network inside the campus network with dedicated internet feeds and hardware for professors research as well as masters and bachelors student research and labs. We have many computers set up for workstations, clusters, clouds, etc... and I'm trying to set up a redundant FreeIPA v2.0 in virtual box to help manage the systems and control access to machines.

I have set up the master with no problems, but when creating the replica I run the command

ipa-replica-install -N --setup-dns /var/lib/ipa/replica-file-from-master

and I get this error output. It created the directory fine but is having trouble with the certs. I have disabled the firewalls on both and selinux hoping they would help but still same problem.

[r...@earth bcrl]# ipa-replica-install /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns --no-forwarders
An existing Directory Server has been detected.
Do you wish to remove it and create a new
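
The reverse-address failure reported earlier in this thread ("Cannot find Reverse Address for ... (3.2.0.10.in-addr.arpa.)") can be detected before the installer is run. The following is an added example, not code from the thread or from FreeIPA, and it does not reproduce FreeIPA's verify_fqdn(): a pre-flight check that a host name is fully qualified, resolves forward, and that each address has a PTR record pointing back to it. The function names, the host replica.example.test and the sample records are constructed for illustration.

```python
import ipaddress
import socket


def system_forward(name):
    """Return the set of addresses the system resolver gives for name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def system_reverse(addr):
    """Return the PTR name for addr, or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def preflight(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of DNS problems for fqdn; an empty list means consistent."""
    if "." not in fqdn.rstrip("."):
        return [f"{fqdn}: not fully qualified"]
    try:
        addrs = forward(fqdn)
    except OSError:  # resolver errors (socket.gaierror) derive from OSError
        addrs = set()
    if not addrs:
        return [f"{fqdn}: no forward (A/AAAA) record"]
    problems = []
    for addr in sorted(addrs):
        # Name of the PTR record that has to exist for this address.
        ptr_name = ipaddress.ip_address(addr).reverse_pointer
        name = reverse(addr)
        if name is None:
            problems.append(f"{addr}: no PTR record ({ptr_name}.)")
        elif name.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{addr}: PTR is {name}, expected {fqdn}")
    return problems


# Constructed sample records (not from the thread): an A record with no
# matching PTR, the situation that stops the replica installer.
SAMPLE_A = {"replica.example.test": {"10.0.2.3"}}
SAMPLE_PTR = {}

if __name__ == "__main__":
    for line in preflight("replica.example.test",
                          lambda n: SAMPLE_A.get(n, set()),
                          lambda a: SAMPLE_PTR.get(a)):
        print(line)
```

Called with the default resolvers, `preflight()` queries the system's DNS configuration, so it reports what the installer host itself would see.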