Re: [Freeipa-users] freeipa-server from copr repo
Ok :) Thank you for the response.

2014-11-21 10:39 GMT+02:00 Martin Kosek mko...@redhat.com:

> On 11/21/2014 09:30 AM, Genadi Postrilko wrote:
>>> Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-)
>>>
>>> Martin
>>
>> Will it be included as a tech preview or fully supported?
>
> You mean if whole IPA will be Tech Preview or Fully Supported? The functionality that was present and supported in RHEL-7.0 of course cannot be suddenly put to Tech Preview.
>
> I cannot disclose at this moment which *new* features would be supported and which would be TP, wait and see - but I think this information will be publicly available even in RHEL-7.1 Beta :-)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] freeipa-server from copr repo
hi All,

--> Finished Dependency Resolution
Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa)
           Requires: pki-ca = 10.2.0-3
           Available: pki-ca-10.0.5-3.el7.noarch (base)
               pki-ca = 10.0.5-3.el7
           Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa)
               pki-ca = 10.1.2-3.el7.centos
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

How can I fix this?

10x
tamas
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 11:37 AM, Tamas Papp wrote:
> hi All,
>
> --> Finished Dependency Resolution
> Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa)
>            Requires: pki-ca = 10.2.0-3
>            Available: pki-ca-10.0.5-3.el7.noarch (base)
>                pki-ca = 10.0.5-3.el7
>            Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa)
>                pki-ca = 10.1.2-3.el7.centos
>  You could try using --skip-broken to work around the problem
>  You could try running: rpm -Va --nofiles --nodigest

We are working on a fix right now. So hopefully, the fixed CentOS repo would be available during today.

> How can I fix this?

Waiting a bit and then trying to install again :-)

> 10x
> tamas
Re: [Freeipa-users] freeipa-server from copr repo
I am good in waiting;)

Thanks for the prompt reply.

--
Sent from mobile

On November 19, 2014 11:54:40 AM Martin Kosek mko...@redhat.com wrote:
> On 11/19/2014 11:37 AM, Tamas Papp wrote:
>> hi All,
>>
>> --> Finished Dependency Resolution
>> Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa)
>>            Requires: pki-ca = 10.2.0-3
>>            Available: pki-ca-10.0.5-3.el7.noarch (base)
>>                pki-ca = 10.0.5-3.el7
>>            Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa)
>>                pki-ca = 10.1.2-3.el7.centos
>>  You could try using --skip-broken to work around the problem
>>  You could try running: rpm -Va --nofiles --nodigest
>
> We are working on a fix right now. So hopefully, the fixed CentOS repo would be available during today.
>
>> How can I fix this?
>
> Waiting a bit and then trying to install again :-)
>
>> 10x
>> tamas
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 11:57 AM, Tamas Papp wrote:
> I am good in waiting;)
>
> Thanks for the prompt reply.

Ok Tamas, I think we *finally* got somewhere. Can you please try the mkosek/freeipa Copr repo now? I was able to install upstream freeipa-server 4.1.1 package on my RHEL-7.0 machine (should be the same for CentOS) and run ipa-server-install:

# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
--> Running transaction check
---> Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
...
Transaction Summary
Install   1 Package  (+338 Dependent packages)
Upgrade            ( 11 Dependent packages)

Total download size: 146 M
...
# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64
# ipa-server-install --setup-dns
# kinit admin
Password for ad...@example.com:

Thanks,
Martin
Re: [Freeipa-users] freeipa-server from copr repo
Hi Martin,

I was able to install from the copr repo now as well. Thank you!

However I wasn't able to finish the install:

[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The location /etc/pki/pki-tomcat/alias could not be accessed due to insufficient permissions.

Don't know if you need the command for how I was installing ipa. But here is the line from my ansible playbook.

    shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns --forwarder={{ dnsforwarder }} -U creates={{ slapd }}

On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:
> On 11/19/2014 11:57 AM, Tamas Papp wrote:
>> I am good in waiting;)
>>
>> Thanks for the prompt reply.
>
> Ok Tamas, I think we *finally* got somewhere. Can you please try the mkosek/freeipa Copr repo now? I was able to install upstream freeipa-server 4.1.1 package on my RHEL-7.0 machine (should be the same for CentOS) and run ipa-server-install:
>
> # yum install freeipa-server --enablerepo=mkosek-freeipa
> ...
> Resolving Dependencies
> --> Running transaction check
> ---> Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
> ...
> Transaction Summary
> Install   1 Package  (+338 Dependent packages)
> Upgrade            ( 11 Dependent packages)
>
> Total download size: 146 M
> ...
> # rpm -q freeipa-server
> freeipa-server-4.1.1-1.2.el7.centos.x86_64
> # ipa-server-install --setup-dns
> # kinit admin
> Password for ad...@example.com:
>
> Thanks,
> Martin
Re: [Freeipa-users] freeipa-server from copr repo
It is highly probable the issue is caused by SELinux (check for AVCs in /var/log/audit/audit.log). Can you try with SELinux permissive?

We specifically did not build selinux-policy as we do not think we should be the ones maintaining it for CentOS.

HTH,
Martin

- Original Message -
> From: Bill Peck b...@pecknet.com
> To: Martin Kosek mko...@redhat.com
> Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
> Sent: Wednesday, November 19, 2014 5:34:10 PM
> Subject: Re: [Freeipa-users] freeipa-server from copr repo
>
> Hi Martin,
>
> I was able to install from the copr repo now as well. Thank you!
>
> However I wasn't able to finish the install:
>
> [23/27]: configure certmonger for renewals
> [24/27]: configure certificate renewals
> [error] DBusException: org.fedorahosted.certmonger.bad_arg: The location /etc/pki/pki-tomcat/alias could not be accessed due to insufficient permissions.
>
> Don't know if you need the command for how I was installing ipa. But here is the line from my ansible playbook.
>
>     shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns --forwarder={{ dnsforwarder }} -U creates={{ slapd }}
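The check for AVCs suggested in the message above can be turned into a per-denial summary, so that each blocked access is reviewed on its own instead of leaving the host permissive. This is an added example, not part of the thread or of FreeIPA; the audit records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials by process, source type,
# target type, object class and permission.

# Constructed audit records for illustration; not taken from the thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1416415000.101:501): avc:  denied  { search } for  pid=2101 comm="certmonger" name="alias" dev="dm-0" ino=7001 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1416415000.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="certmonger" exe="/usr/sbin/certmonger"
type=AVC msg=audit(1416415000.202:502): avc:  denied  { search } for  pid=2101 comm="certmonger" name="alias" dev="dm-0" ino=7001 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1416415001.303:503): avc:  denied  { read open } for  pid=2101 comm="certmonger" name="cert8.db" dev="dm-0" ino=7002 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=USER_AUTH msg=audit(1416415004.000:511): pid=2200 uid=0 msg='op=PAM:authentication acct="admin" res=success'
EOF
}

# Usage: avc_summary [FILE...]   (reads stdin when no file is given)
# Output: COUNT COMM SOURCE_TYPE TARGET_TYPE CLASS PERMS, most frequent first.
avc_summary() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ {
        comm = src = tgt = cls = perms = "?"
        # The denied permissions sit between the first pair of braces.
        b = index($0, "{"); e = index($0, "}")
        if (b > 0 && e > b) {
            perms = substr($0, b + 1, e - b - 1)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        # Remaining data is key=value; the SELinux type is field 3 of a context.
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "tclass") cls = v
            else if (k == "scontext") { split(v, c, ":"); src = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
        }
        seen[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample; on a real host, run as root:
#   avc_summary /var/log/audit/audit.log
sample_audit_log | avc_summary
```

Each output line names one distinct denied access, which is the input needed to decide whether a rule belongs in a local policy module.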
Re: [Freeipa-users] freeipa-server from copr repo
Hi Martin,

Yes, setting selinux to permissive allowed me to install and configure IPA 4.1 on CentOS 7. :-)

On Wed, Nov 19, 2014 at 11:41 AM, Martin Kosek mko...@redhat.com wrote:
> It is highly probable the issue is caused by SELinux (check for AVCs in /var/log/audit/audit.log). Can you try with SELinux permissive?
>
> We specifically did not build selinux-policy as we do not think we should be the ones maintaining it for CentOS.
>
> HTH,
> Martin
Re: [Freeipa-users] freeipa-server from copr repo
Good news! To clarify on the selinux-policy side. By not maintaining it for the CentOS I meant that FreeIPA Copr should not maintain system policy for any system, not just SELinux. Ideally, it should have a SELinux policy module that would be compiled for SELinux only and that would only contain the additional policy required by IPA on top of 7.0.

But this is not a priority for now, we do not have enough capacity for it ATM. But if anyone wishes to contribute that part, doors are open :-)

Martin

On 11/19/2014 05:56 PM, Bill Peck wrote:
> Hi Martin,
>
> Yes, setting selinux to permissive allowed me to install and configure IPA 4.1 on CentOS 7. :-)
Re: [Freeipa-users] freeipa-server from copr repo
hi Martin,

Much better:) Unfortunately not perfect yet.

[...]
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa : ERROR Named service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
named service failed to start
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1

This helped:

    chmod 777 /var/named/dyndb-ldap/ipa/

Probably chown or chgrp named would be just enough.

Cheers,
tamas

On 11/19/2014 05:41 PM, Martin Kosek wrote:
> It is highly probable the issue is caused by SELinux (check for AVCs in /var/log/audit/audit.log). Can you try with SELinux permissive?
>
> We specifically did not build selinux-policy as we do not think we should be the ones maintaining it for CentOS.
>
> HTH,
> Martin
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 09:23 PM, Tamas Papp wrote:
> hi Martin,
>
> Much better:) Unfortunately not perfect yet.
>
> [...]
> Done configuring DNS key synchronization service (ipa-dnskeysyncd).
> Restarting ipa-dnskeysyncd
> Restarting named
> ipa : ERROR Named service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
> named service failed to start
> Global DNS configuration in LDAP server is empty
> You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
> Restarting the web server
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1
>
> This helped:
>
>     chmod 777 /var/named/dyndb-ldap/ipa/
>
> Probably chown or chgrp named would be just enough.
>
> Cheers,
> tamas

Ah, yes. This one is not a problem with the CentOS port, but rather existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, including Fedora 21 and CentOS. See upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716

Until this is fixed, correct workaround is to chown this directory by named:named and chmod rights to 0770.

I will with the team when 4.1.2 is about to be released, if it is not soon, I can just add the patch to the 4.1.1 in Copr repo.

Martin
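The workaround in the message above (owner named:named, mode 0770, in place of chmod 777) can be verified with a short check. This is an added example, not part of the thread or of FreeIPA; the function name check_dir_perms is hypothetical and the script assumes GNU stat from coreutils.

```shell
#!/bin/sh
# Added example: compare a directory with an expected owner and mode, and
# flag the world-writable bit that "chmod 777" sets.

# check_dir_perms DIR OWNER:GROUP MODE
# Prints one finding per line.
# Returns 0 if compliant, 1 if not, 2 if DIR does not exist.
check_dir_perms() {
    dir=$1; want_owner=$2; want_mode=$3
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi
    have_owner=$(stat -c '%U:%G' "$dir")
    have_mode=$(stat -c '%a' "$dir")
    rc=0
    if [ "$have_owner" != "$want_owner" ]; then
        echo "owner: $dir is $have_owner, expected $want_owner"
        rc=1
    fi
    # A leading 0 makes the shell read both values as octal numbers.
    if [ "$((0$have_mode))" -ne "$((0$want_mode))" ]; then
        echo "mode: $dir is $have_mode, expected $want_mode"
        rc=1
    fi
    # Bit 0002 is write permission for "other".
    if [ "$((0$have_mode & 0002))" -ne 0 ]; then
        echo "world-writable: $dir can be modified by any local user"
        rc=1
    fi
    if [ "$rc" -ne 0 ]; then
        echo "remediate: chown $want_owner '$dir' && chmod $want_mode '$dir'"
    fi
    return "$rc"
}

# Directory, owner and mode are the ones named in the thread.
check_dir_perms /var/named/dyndb-ldap/ipa named:named 0770 || true
```

After the 777 change the check reports both a mode mismatch and the world-writable finding; it goes quiet once the directory is owned by named:named with mode 0770.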
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 09:29 PM, Martin Kosek wrote:
> Ah, yes. This one is not a problem with the CentOS port, but rather existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, including Fedora 21 and CentOS. See upstream ticket:
> https://fedorahosted.org/freeipa/ticket/4716
>
> Until this is fixed, correct workaround is to chown this directory by named:named and chmod rights to 0770.
>
> I will with the team when 4.1.2 is about to be released, if it is not soon, I can just add the patch to the 4.1.1 in Copr repo.

Thanks for all.

Just a question. My understanding is that 4.x will not hit RH 7 ever. So for IPA 4.x we have to wait until RH8, am I correct?

Thanks,
tamas
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 10:24 PM, Tamas Papp wrote:
> On 11/19/2014 09:29 PM, Martin Kosek wrote:
>> Ah, yes. This one is not a problem with the CentOS port, but rather existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, including Fedora 21 and CentOS. See upstream ticket:
>> https://fedorahosted.org/freeipa/ticket/4716
>>
>> Until this is fixed, correct workaround is to chown this directory by named:named and chmod rights to 0770.
>>
>> I will with the team when 4.1.2 is about to be released, if it is not soon, I can just add the patch to the 4.1.1 in Copr repo.
>
> Thanks for all.
>
> Just a question. My understanding is that 4.x will not hit RH 7 ever. So for IPA 4.x we have to wait until RH8, am I correct?
>
> Thanks,
> tamas

Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-)

Martin
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 10:27 PM, Martin Kosek wrote:
> Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-)

Very good! Then everything is good for testing:)

t